FortiSIEM General Installation

General Installation

Configuring Worker Settings

If you are using an FortiSIEM clustered deployment that includes both Workers and Collectors, you must define the Address of your Worker nodes before you register any Collectors. When you register your Collectors, the Worker information will be retrieved and saved locally to the Collector. The Collector will then upload event and configuration change information to the Worker.

Worker Address in a Non-Clustered Environment

If you are not using an FortiSIEM clustered deployment, you will not have any Worker nodes. In that case, enter the IP address of the Supervisor for the Worker Address, and your Collectors will upload their information directly to the Supervisor.

  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > System.
  3. For Worker Address, enter a comma-separated list of IP addresses or host names for the Workers.

The Collector will attempt to upload information to the the listed Workers, starting with the first Worker address and proceeding until it finds an available Worker.


Registering the Supervisor
  1. In a Web browser, navigate to the Supervisor’s IP address: https://<Supervisor IP> 2. Enter the login credentials associated with your FortiSIEM license, and then click Register.
  2. When the System is ready message appears, click the Here link to log in to FortiSIEM.
  3. Enter the default login credentials.
User ID admin
Password admin*1
Cust/Org ID super
  1. Go to Admin > Cloud Health and check that the Supervisor Health is Normal.
Registering the Worker
  1. Go to Admin > License Management > VA Information.
  2. Click Add, enter the new Worker’s IP address, and then click OK.
  3. When the new Worker is successfully added, click OK.

You will see the new Worker in the list of Virtual Appliances.

  1. Go to Admin > Cloud Health and check that the Worker Health is Normal.
Registering the Collector to the Supervisor

The process for registering a Collector node with your Supervisor node depends on whether you are setting up the Collector as part of an enterprise or multi-tenant deployment. For a multi-tenant deployment,you must first create an organization and add Collectors to it before you register it with the Supervisor. For an enterprise deployment, you install the Collector within your IT infrastructure and then register it with the Supervisor.

Create an Organization and Associate Collectors with it for Multi-Tenant Deployments

Register the Collector with the Supervisor for Enterprise Deployments

Create an Organization and Associate Collectors with it for Multi-Tenant Deployments
  1. Log in to the Supervisor.
  2. Go to Admin > Setup Wizard > Organizations.
  3. Click Add.
  4. Enter Organization Name, Admin User, Admin Password, and Admin Email.
  5. Under Collectors, click New.
  6. Enter the Collector Name, Guaranteed EPS, Start Time, and End Time.
  7. Click Save.

The newly added organization and Collector should be listed on the Organizations tab.

  1. In a Web browser, navigate to https://<Collector-IP>:5480.
  2. Enter the Collector setup information.
Name Collector Name
User ID Organization Admin User
Password Organization Admin Password
Cust/Org ID Organization Name
Cloud URL Supervisor URL


  1. Click

The Collector will restart automatically after registration succeeds.

  1. In the Supervisor interface, go to Admin > Collector Health and check that the Collector Health is Normal.
Register the Collector with the Supervisor for Enterprise Deployments
  1. Log in to the Supervisor.
  2. Go to Admin > License Management. and check that Collectors are allowed by the license.
  3. Go to Setup Wizard > General Settings and add at least the Supervisor’s IP address.

This should contain a list of the Supervisor and Worker accessible IP addresses or FQDNs.

  1. Go to Setup Wizard > Event Collector and add the Collector information.
Setting Description
Name Will be used in step 6
Guaranteed EPS This is the number of Events per Second (EPS) that this Collector will be provisioned for
Start Time Select Unlimited
End Time Select Unlimited
  1. Connect to the Collector at https://:<IP Address of the Collector>:5480.
  2. Enter the Name from step 4.
  3. Userid and Password are the same as the admin userid/password for the Supervisor.
  4. The IP address is the IP address of the Supervisor.
  5. For Organization, enter Super.
  6. The Collector will reboot during the registration, and you will be able to see its status on the Collector Health page.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

4 thoughts on “FortiSIEM General Installation

  1. Borja


    we have a FortiSIEM3500F (Service Provider License) and we are trying to register a collector against it. We want to register it like an enterprise deployment, not multi-tenant, but the system doesn´t show the Event Collector menu in Set Up wizard. Instead of it, system shows the Organizations menu.

    So, how can we register the collector in the FortiSIEM?

    Thanks in advance!

  2. hugh

    We recently started having an issue with our FortiSIEM instance. After reboot, there are a few services that won’t restart on the back end. I can get all but these three started manually: phParser, phDiscover, phPerfMonitor. When doing a phstatus they show as DOWN. Any thoughts on how to get them going again or where to look for trouble? I’ve looked, and have a ticket open with FortiNET, and are struggling with the issue. The GUI can not be accessed. Any help or direction is appreciated.



      1. hugh

        Hi Mike- there haven’t been any changes that we know of, and in the environment we have one Super (accelOps redhat based box, runs the backend and GUI), no workers, and use a single FSWAM (FOriSIEM windows agent manager), and have between 12-15 servers reporting to the SIEM.

        When first rebooting the SIEM, the backend processes are mostly down. After 18 hours with no additional commands to kill or restart the processes look like:

        Every 1.0s: /opt/phoenix/bin/ Wed Apr 18 12:22:45 2018

        System uptime: 12:22:46 up 18:42, 1 user, load average: 0.06, 0.02, 0.00
        Tasks: 22 total, 0 running, 5 sleeping, 17 stopped, 0 zombie
        Cpu(s): 8 cores, 0.1%us, 0.2%sy, 0.0%ni, 99.6%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
        Mem: 32877320k total, 5484164k used, 27393156k free, 232808k buffers
        Swap: 25165820k total, 0k used, 25165820k free, 1856612k cached


        phParser DOWN
        phQueryMaster DOWN
        phRuleMaster DOWN
        phRuleWorker DOWN
        phQueryWorker DOWN
        phDataManager DOWN
        phDiscover DOWN
        phReportWorker DOWN
        phReportMaster DOWN
        phIpIdentityWorker DOWN
        phIpIdentityMaster DOWN
        phAgentManager DOWN
        phCheckpoint DOWN
        phPerfMonitor DOWN
        phReportLoader DOWN
        phBeaconEventPackager DOWN
        phDataPurger DOWN
        phMonitor 17:34:08 0 965m 27m
        Apache 17:33:52 0 243m 13m
        Node.js 18:40:35 0 655m 35m
        AppSvr 18:42:12 0 10943m 2592m
        DBSvr 18:42:28 0 453m 21m

        Usually I can restart apache, then if phMonitor is up and restart the PH services with ./phRestartBackend, and all but three return. There are 3 processes that don’t seem to want to restart AT ALL: phParser, phDiscover, phPerfMonitor

        After a ph Services restart: 3 services still down. can not access GUI.


        phParser DOWN
        phQueryMaster 01:23 0 885m 67m
        phRuleMaster 01:23 0 553m 50m
        phRuleWorker 01:23 0 1300m 299m
        phQueryWorker 01:23 0 1331m 299m
        phDataManager 01:23 0 1066m 44m
        phDiscover DOWN
        phReportWorker 01:23 0 1390m 297m
        phReportMaster 01:23 0 422m 43m
        phIpIdentityWorker 01:23 0 914m 40m
        phIpIdentityMaster 01:23 0 377m 25m
        phAgentManager 01:23 0 1135m 194m
        phCheckpoint 01:23 0 88m 17m
        phPerfMonitor DOWN
        phReportLoader 01:23 0 698m 296m
        phBeaconEventPackager 01:23 0 1006m 42m
        phDataPurger 01:23 0 434m 52m
        phMonitor 17:41:46 0 1163m 76m
        Apache 17:41:30 0 243m 13m
        Node.js 18:48:13 0 655m 35m
        AppSvr 18:49:50 0 10943m 2592m
        DBSvr 18:50:06 0 453m 21m


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.