acapalbo
Staff
November 14, 2022

Technical Tip: How to improve FortiAnalyzer performance when FortiSIEM module is not needed

Description

This article describes how to mitigate high CPU usage on FortiAnalyzer when the FortiSIEM module is enabled but not used.

Scope

FortiAnalyzer v6.4+.

Solution

The FortiSIEM database was introduced in v6.4, and it consumes resources that may affect performance (i.e. CPU usage can significantly increase when the FortiSIEM module feature is enabled).

If required, the resources allocated to management extension applications (MEA) must also be adjusted accordingly:

Management extension applications


To improve FortiAnalyzer performance, it is recommended to disable the FortiSIEM module, keeping in mind that if disabled:

  • Log View -> Fabric will be unavailable. Administrators will not be able to search logs across different device types.
  • Threat Hunting will be unavailable. Threat Hunting feature location across versions:
    • Version 7.2.x: Threat Hunting is located under FortiSOC.
    • Versions 7.4.0 to 7.4.2: The feature was relocated to Incidents & Events.
    • Version 7.4.3 and later: Threat Hunting was moved to Log View -> Fabric.
    • Version 7.6.x: Threat Hunting has been placed under Log View -> Logs.

  • Event Handlers using the SIEM logs will not be triggered.
  • Reports using the Normalized Logs type will be empty.
  • The handler and report for DarkSide and SolarWind will function partially.

 

To review the current licenses:

 

diagnose license list


Name  Status      Expiry  Description
---------------------------------------------------------------------
PBDS  No License  N/A     post breach detection
SCPC  No License  N/A     cloud storage service
SOAR  No License  N/A     SOAR and SIEM bundle service
FOAS  No License  N/A     FAZ Outbreak Detection Service
ISSS  No License  N/A     Industrial Security Service
FGSA  No License  N/A     Security Rating Update

 

To verify if the FortiSIEM module is up and running, the following CLI command can be used:

 

diagnose test app siemagentd 2
FAZ SIEM: up [status enabled]
siemagentd:
uptime: 70 day 19:06:45, shm-ver: 247, shm-fazid-max: 6


To disable the FortiSIEM module, the following CLI command can be used:

 

config system global
(global) set disable-module siem
(global) end
DISABLE SIEM module
Do you want to continue? (y/n)y

 

Note:

Plan for downtime: the command below, which removes the entire SIEM database, requires a reboot.


diagnose siem remove database ALL   <----- Not available in v7.6.
Remove the entire SIEM database has been requested.
This operation will remove all data in the SIEM database and reset the database server.
This operation will reboot the device.
Do you want to continue? (y/n)y

 

The following command can be used to enable/disable the FortiSIEM module in hardware models:

 

diagnose siem module-ctrl {enable | disable}

 

The following command can be used to start/stop the FortiSIEM module in VM-based units:

 

diagnose siem service {start | stop}

 

To stop the FortiSIEM daemon processes:

 

diagnose test application siemagentd 99

diagnose test application siemdbd 99

 

FortiAnalyzer's SIEM module-related CLI reference: FortiAnalyzer 7.6.0 CLI Reference SIEM.

 

Note: 

As prompted above, FortiAnalyzer must be reloaded to make the change effective.
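
A read-only pre-change check for the procedure above, as an added example (not part of the original article and not Fortinet code): it parses saved output of `diagnose license list` and `diagnose test app siemagentd 2` and reports whether the SIEM module is running while a chosen license row is unlicensed. Treating the SOAR row as the relevant license, and any status value other than the "No License" shown in the article, are assumptions of this example.

```python
import re

# Constructed sample input: CLI output as shown in the article above.
LICENSE_OUTPUT = """\
Name Status Expiry Description
---------------------------------------------------------------------
PBDS No License N/A post breach detection
SCPC No License N/A cloud storage service
SOAR No License N/A SOAR and SIEM bundle service
FOAS No License N/A FAZ Outbreak Detection Service
ISSS No License N/A Industrial Security Service
FGSA No License N/A Security Rating Update
"""
SIEM_OUTPUT = """\
FAZ SIEM: up [status enabled]
siemagentd:
uptime: 70 day 19:06:45, shm-ver: 247, shm-fazid-max: 6
"""

# Assumption: a status is either the literal "No License" or a single token.
LICENSE_ROW = re.compile(
    r"^(?P<name>[A-Z]{4})\s+(?P<status>No License|\S+)\s+(?P<expiry>\S+)\s+(?P<desc>.+)$")
SIEM_STATE = re.compile(r"^FAZ SIEM:\s*(?P<run>\w+)\s*\[status\s+(?P<cfg>\w+)\]", re.M)

def parse_licenses(text):
    """Return {name: status} for each row of 'diagnose license list'."""
    rows = {}
    for line in text.splitlines():
        m = LICENSE_ROW.match(line.strip())
        if m:  # the header and separator lines do not match and are skipped
            rows[m["name"]] = m["status"]
    return rows

def parse_siem_state(text):
    """Return (running, configured) from 'diagnose test app siemagentd 2'."""
    m = SIEM_STATE.search(text)
    if not m:
        raise ValueError("no 'FAZ SIEM:' status line found")
    return m["run"].lower() == "up", m["cfg"].lower() == "enabled"

def siem_disable_candidate(license_text, siem_text, license_name="SOAR"):
    """True when the module is running but the chosen license row is unlicensed."""
    rows = parse_licenses(license_text)
    if license_name not in rows:
        raise ValueError(f"license row {license_name!r} not found")
    running, _configured = parse_siem_state(siem_text)
    return running and rows[license_name] == "No License"
```

A True result only flags the unit for review; the feature impact listed earlier in the article (Fabric view, Threat Hunting, SIEM-based event handlers and reports) still has to be accepted before the module is disabled.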

 

Related articles:

Technical Tip: How to gather information and fix high CPU and Mem utilization conditions

Technical Tip: Backup and restore of FortiAnalyzer settings, logs and reports
Technical Tip: Integrate FortiAnalyzer and FortiSIEM
