Fortinet black logo

User Guide

Troubleshooting the FortiMonitor Linux Agent Heartbeat Incident

24.1.0
Copy Link
Copy Doc ID af1daa65-c273-11ec-9fd1-fa163e15d75b:657037
Download PDF

Troubleshooting the FortiMonitor Linux Agent Heartbeat Incident

An Agent heartbeat incident occurs when the FortiMonitor Agent is unable to sync to our platform. The following troubleshooting steps should be performed on Linux servers experiencing heartbeat incidents.

Determine if the server running the Agent is able to reach our platform

  • From the Linux terminal, run the following command:

https://rx.us01.fortimonitor.com/v2/hello
  • You should receive a response similar to the following:

{"hello": "world", "timestamp": 1612463423}

If you do not receive a response similar to what is shown in the example above, this indicates that this server is unable to reach our platform and is unable to sync. If this server cannot reach our platform, the agent will experience an agent heartbeat incident. Please check your network configuration to determine why the server cannot reach our platform.

Verify that the cron service is running on the server

The Agent uses cron to run. If cron is not running on the server, then the agent will not be able to sync. This will result in an agent heartbeat incident.

The command to check if cron is running on Ubuntu: service cron status
The command to check if cron is running on RHEL: service crond status

Confirm that the Agent Server Key matches the Server Key of the affected FortiMonitor instance.

  • To check the server key in Linux, run the following command:

$ grep -i server_key /etc/fm-agent/fm_agent.cfg

You should receive output similar to the following:

server_key = svjf-uqi2-kmm4-rsqj

Once you have the agent server key, confirm that this key matches the key that you are seeing in the FortiMonitor Control Panel. If the server keys do not match, confirm you are looking at the right server.

If you are looking at the correct server, then you will need to change the server key on the instance to match the key that is found in the fm_agent.cfg file.

Server Key Example as Shown on Server Instance:

Confirm that the User Agent is not locked out and the password is unexpired

  • This article covers the process of checking the agent password expiration.

If the steps above do not identify the cause of the agent heartbeat problem, please send us a copy of your agent logs. Our support team will look at them and follow up with you.

fm-agent log location: /var/log/fm-agent/

Troubleshooting the FortiMonitor Linux Agent Heartbeat Incident

An Agent heartbeat incident occurs when the FortiMonitor Agent is unable to sync to our platform. The following troubleshooting steps should be performed on Linux servers experiencing heartbeat incidents.

Determine if the server running the Agent is able to reach our platform

  • From the Linux terminal, run the following command:

https://rx.us01.fortimonitor.com/v2/hello
  • You should receive a response similar to the following:

{"hello": "world", "timestamp": 1612463423}

If you do not receive a response similar to what is shown in the example above, this indicates that this server is unable to reach our platform and is unable to sync. If this server cannot reach our platform, the agent will experience an agent heartbeat incident. Please check your network configuration to determine why the server cannot reach our platform.

Verify that the cron service is running on the server

The Agent uses cron to run. If cron is not running on the server, then the agent will not be able to sync. This will result in an agent heartbeat incident.

The command to check if cron is running on Ubuntu: service cron status
The command to check if cron is running on RHEL: service crond status

Confirm that the Agent Server Key matches the Server Key of the affected FortiMonitor instance.

  • To check the server key in Linux, run the following command:

$ grep -i server_key /etc/fm-agent/fm_agent.cfg

You should receive output similar to the following:

server_key = svjf-uqi2-kmm4-rsqj

Once you have the agent server key, confirm that this key matches the key that you are seeing in the FortiMonitor Control Panel. If the server keys do not match, confirm you are looking at the right server.

If you are looking at the correct server, then you will need to change the server key on the instance to match the key that is found in the fm_agent.cfg file.

Server Key Example as Shown on Server Instance:

Confirm that the User Agent is not locked out and the password is unexpired

  • This article covers the process of checking the agent password expiration.

If the steps above do not identify the cause of the agent heartbeat problem, please send us a copy of your agent logs. Our support team will look at them and follow up with you.

fm-agent log location: /var/log/fm-agent/