General Installation
Configuring Worker Settings
If you are using a FortiSIEM clustered deployment that includes both Workers and Collectors, you must define the Address of your Worker nodes before you register any Collectors. When you register your Collectors, the Worker information will be retrieved and saved locally to the Collector. The Collector will then upload event and configuration change information to the Worker.
Worker Address in a Non-Clustered Environment
If you are not using a FortiSIEM clustered deployment, you will not have any Worker nodes. In that case, enter the IP address of the Supervisor for the Worker Address, and your Collectors will upload their information directly to the Supervisor.
- Log in to your Supervisor node.
- Go to Admin > General Settings > System.
- For Worker Address, enter a comma-separated list of IP addresses or host names for the Workers.
The Collector will attempt to upload information to the listed Workers, starting with the first Worker address and proceeding until it finds an available Worker.
Registering the Supervisor
- In a Web browser, navigate to the Supervisor's IP address: https://<Supervisor IP>
- Enter the login credentials associated with your FortiSIEM license, and then click Register.
- When the System is ready message appears, click the Here link to log in to FortiSIEM.
- Enter the default login credentials.
| Field | Value |
|---|---|
| User ID | admin |
| Password | admin*1 |
| Cust/Org ID | super |
- Go to Admin > Cloud Health and check that the Supervisor Health is Normal.
Registering the Worker
- Go to Admin > License Management > VA Information.
- Click Add, enter the new Worker’s IP address, and then click OK.
- When the new Worker is successfully added, click OK.
You will see the new Worker in the list of Virtual Appliances.
- Go to Admin > Cloud Health and check that the Worker Health is Normal.
Registering the Collector to the Supervisor
The process for registering a Collector node with your Supervisor node depends on whether you are setting up the Collector as part of an enterprise or multi-tenant deployment. For a multi-tenant deployment, you must first create an organization and add Collectors to it before you register the Collector with the Supervisor. For an enterprise deployment, you install the Collector within your IT infrastructure and then register it with the Supervisor.
Create an Organization and Associate Collectors with it for Multi-Tenant Deployments
- Log in to the Supervisor.
- Go to Admin > Setup Wizard > Organizations.
- Click Add.
- Enter Organization Name, Admin User, Admin Password, and Admin Email.
- Under Collectors, click New.
- Enter the Collector Name, Guaranteed EPS, Start Time, and End Time.
- Click Save.
The newly added organization and Collector should be listed on the Organizations tab.
- In a Web browser, navigate to https://<Collector-IP>:5480.
- Enter the Collector setup information.
| Field | Value |
|---|---|
| Name | Collector Name |
| User ID | Organization Admin User |
| Password | Organization Admin Password |
| Cust/Org ID | Organization Name |
| Cloud URL | Supervisor URL |
- Click
The Collector will restart automatically after registration succeeds.
- In the Supervisor interface, go to Admin > Collector Health and check that the Collector Health is Normal.
Register the Collector with the Supervisor for Enterprise Deployments
- Log in to the Supervisor.
- Go to Admin > License Management and check that Collectors are allowed by the license.
- Go to Setup Wizard > General Settings and add at least the Supervisor’s IP address.
This should contain a list of the Supervisor and Worker accessible IP addresses or FQDNs.
- Go to Setup Wizard > Event Collector and add the Collector information.
| Setting | Description |
|---|---|
| Name | Will be used in step 6 |
| Guaranteed EPS | The number of Events per Second (EPS) that this Collector will be provisioned for |
| Start Time | Select Unlimited |
| End Time | Select Unlimited |
- Connect to the Collector at https://<IP Address of the Collector>:5480.
- Enter the Name from step 4.
- User ID and Password are the same as the admin User ID and password for the Supervisor.
- The IP address is the IP address of the Supervisor.
- For Organization, enter Super.
- The Collector will reboot during the registration, and you will be able to see its status on the Collector Health page.
Hi,
We have a FortiSIEM 3500F (Service Provider License) and we are trying to register a collector against it. We want to register it like an enterprise deployment, not multi-tenant, but the system doesn't show the Event Collector menu in the Setup Wizard. Instead, the system shows the Organizations menu.
So, how can we register the collector in the FortiSIEM?
Thanks in advance!
We recently started having an issue with our FortiSIEM instance. After reboot, there are a few services that won't restart on the back end. I can get all but these three started manually: phParser, phDiscover, phPerfMonitor. When doing a phstatus they show as DOWN. Any thoughts on how to get them going again or where to look for trouble? I've looked, and have a ticket open with FortiNET, and am struggling with the issue. The GUI cannot be accessed. Any help or direction is appreciated.
Regards,
Hugh
Can you provide some details about the environment etc? Has anything changed recently?
Hi Mike, there haven't been any changes that we know of. In the environment we have one Super (accelOps Red Hat based box, runs the backend and GUI), no workers, and use a single FSWAM (FortiSIEM Windows Agent Manager), and have between 12 and 15 servers reporting to the SIEM.
When first rebooting the SIEM, the backend processes are mostly down. After 18 hours with no additional commands to kill or restart, the processes look like:
Every 1.0s: /opt/phoenix/bin/phstatus.py Wed Apr 18 12:22:45 2018
System uptime: 12:22:46 up 18:42, 1 user, load average: 0.06, 0.02, 0.00
Tasks: 22 total, 0 running, 5 sleeping, 17 stopped, 0 zombie
Cpu(s): 8 cores, 0.1%us, 0.2%sy, 0.0%ni, 99.6%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 32877320k total, 5484164k used, 27393156k free, 232808k buffers
Swap: 25165820k total, 0k used, 25165820k free, 1856612k cached
PROCESS UPTIME CPU% VIRT_MEM RES_MEM
phParser DOWN
phQueryMaster DOWN
phRuleMaster DOWN
phRuleWorker DOWN
phQueryWorker DOWN
phDataManager DOWN
phDiscover DOWN
phReportWorker DOWN
phReportMaster DOWN
phIpIdentityWorker DOWN
phIpIdentityMaster DOWN
phAgentManager DOWN
phCheckpoint DOWN
phPerfMonitor DOWN
phReportLoader DOWN
phBeaconEventPackager DOWN
phDataPurger DOWN
phMonitor 17:34:08 0 965m 27m
Apache 17:33:52 0 243m 13m
Node.js 18:40:35 0 655m 35m
AppSvr 18:42:12 0 10943m 2592m
DBSvr 18:42:28 0 453m 21m
Usually I can restart Apache, then, if phMonitor is up, restart the PH services with ./phRestartBackend, and all but three return. There are 3 processes that don't seem to want to restart AT ALL: phParser, phDiscover, phPerfMonitor.
After a PH services restart: 3 services still down. Cannot access the GUI.
PROCESS UPTIME CPU% VIRT_MEM RES_MEM
phParser DOWN
phQueryMaster 01:23 0 885m 67m
phRuleMaster 01:23 0 553m 50m
phRuleWorker 01:23 0 1300m 299m
phQueryWorker 01:23 0 1331m 299m
phDataManager 01:23 0 1066m 44m
phDiscover DOWN
phReportWorker 01:23 0 1390m 297m
phReportMaster 01:23 0 422m 43m
phIpIdentityWorker 01:23 0 914m 40m
phIpIdentityMaster 01:23 0 377m 25m
phAgentManager 01:23 0 1135m 194m
phCheckpoint 01:23 0 88m 17m
phPerfMonitor DOWN
phReportLoader 01:23 0 698m 296m
phBeaconEventPackager 01:23 0 1006m 42m
phDataPurger 01:23 0 434m 52m
phMonitor 17:41:46 0 1163m 76m
Apache 17:41:30 0 243m 13m
Node.js 18:48:13 0 655m 35m
AppSvr 18:49:50 0 10943m 2592m
DBSvr 18:50:06 0 453m 21m
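The phstatus listings above are what an operator reads by eye when triaging a node like this. The following Python script is an added example (not part of the thread or of FortiSIEM's own tooling) that parses that output format, lists which backend processes are DOWN, flags the ones assumed critical for the GUI and event parsing, and compares two snapshots so the processes that stay down after a ./phRestartBackend stand out. The sample output and the CRITICAL set are constructed for this example.

```python
# Constructed phstatus.py-style output, trimmed to a few processes.
# Mirrors the layout in the thread above; not captured from a real node.
SAMPLE_PHSTATUS = """\
Every 1.0s: /opt/phoenix/bin/phstatus.py Wed Apr 18 12:22:45 2018
System uptime: 12:22:46 up 18:42, 1 user, load average: 0.06, 0.02, 0.00
Tasks: 22 total, 0 running, 5 sleeping, 17 stopped, 0 zombie

PROCESS UPTIME CPU% VIRT_MEM RES_MEM
phParser DOWN
phQueryMaster 01:23 0 885m 67m
phDiscover DOWN
phPerfMonitor DOWN
phMonitor 17:41:46 0 1163m 76m
Apache 17:41:30 0 243m 13m
AppSvr 18:49:50 0 10943m 2592m
"""

# Assumed set of processes without which the Supervisor GUI and event
# parsing are unusable; adjust to the role of the node being checked.
CRITICAL = {"phParser", "phMonitor", "AppSvr", "Apache"}


def parse_phstatus(text):
    """Return {process: {"up": bool, "uptime": str|None, "res_mem": str|None}}.

    Everything before the PROCESS header (load, memory, swap) is skipped;
    a row is either "<name> DOWN" or "<name> <uptime> <cpu%> <virt> <res>".
    """
    procs, in_table = {}, False
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "PROCESS":
            in_table = True
            continue
        if not in_table:
            continue
        name, rest = fields[0], fields[1:]
        if rest and rest[0] == "DOWN":
            procs[name] = {"up": False, "uptime": None, "res_mem": None}
        elif len(rest) == 4:
            procs[name] = {"up": True, "uptime": rest[0], "res_mem": rest[3]}
        # Any other shape is an unexpected row; skip it rather than guess.
    return procs


def down_processes(procs):
    """Sorted names of processes reported DOWN."""
    return sorted(n for n, p in procs.items() if not p["up"])


def critical_down(procs):
    """Subset of DOWN processes that are in the assumed CRITICAL set."""
    return sorted(CRITICAL & set(down_processes(procs)))


def still_down(before, after):
    """Processes DOWN in both parsed snapshots, e.g. before and after a restart."""
    return sorted(set(down_processes(before)) & set(down_processes(after)))


if __name__ == "__main__":
    snapshot = parse_phstatus(SAMPLE_PHSTATUS)
    print("DOWN:", down_processes(snapshot))
    print("critical DOWN:", critical_down(snapshot))
```

Run it against the live output with `/opt/phoenix/bin/phstatus.py | python3 check_phstatus.py` after replacing SAMPLE_PHSTATUS with `sys.stdin.read()`, and keep the "before" snapshot so still_down() shows what the restart did not fix.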