KarlH
Explorer II
October 4, 2024
Solved

Help seeking a diagnostics document for when the ph processes are down. phAgentManager

  • October 4, 2024
  • 4 replies
  • 2028 views

Hi everyone,

Regarding the ph processes: first, phAgentManager is down; disk capacity is below 85%. I just see the health showing this one proc is down, and I cannot find one doc about this anywhere. Why am I missing this?


I just tried to search the community for the name phAgentManager, and the search tried to correct me and asked if I meant FortiSIEM Manager.

Also, I am looking for a set of diagnostic steps I can use to create a runbook for when one, some or all of the ph processes are found to be down and my fellow engineers come on board. I am about a month in on this gig, so still learning. Not having any luck with the search.


Cheers, Karl



    KarlH (Author)
    Explorer II
    October 4, 2024

    So I found this article https://community.fortinet.com/t5/FortiSIEM/Troubleshooting-Tip-How-to-troubleshoot-error-while-registering/ta-p/189739

    Interestingly, at the bottom it provides some links, one of which points back to itself... Where are the steps to handle phAgentManager, or even what it is and why it's down?

    The other link https://community.fortinet.com/t5/Internal-Knowledge-Base-Articles/Technical-Note-Accelops-KB-If-a-user-has-changed-their-IP-or-DNS/ta-p/195530?externalID=FD39849

    gave me, "You do not have sufficient privileges for this resource or its parent to perform this action.

    Click your browser's Back button to continue."

    KarlH (Author)
    Explorer II
    October 4, 2024

    Desperate, I asked ChatGPT what the process is. It claims phAgentManager is a key component of FortiSIEM responsible for managing agent communication and data collection. When encountering issues, FortiSIEM logs can provide detailed insights: check phoenix.log. If it's down, additional troubleshooting steps, including checking the license with phLicenseTool, can help. Can anyone clear up diagnosing this for future occurrences?

    premchanderr
    Staff & Editor
    October 6, 2024

    Hi Karl,


    You can run the below command on the discovery node (super or collector) to see which device is causing high phAgentManager:

    # cat /opt/phoenix/log/phoenix.log | grep -i phAgent


    Now temporarily disable log pulling for this device and fine-tune the errors related to that device.


    You can also debug a process by following the documentation below:

    https://help.fortinet.com/fsiem/7-2-3/Online-Help/HTML5_Help/appendix-managing-fortisiem-operations.htm


    If you have too many devices discovered then consider adding another collector.

    KarlH (Author)
    Explorer II
    October 8, 2024

    Hello, and thank you for your time. Sorry I was not clear: I need to help the client on the collector, not on the super. The client collector is the one with the ph processes like phParser and phAgentManager etc., both of which are high CPU.

    Unfortunately

    cat /opt/phoenix/log/phoenix.log | grep -i phAgent

    does not show anything on the super, by the way. Also thanks for the phStatus tool link; I've used that.

    I'm not sure what you mean by fine tune the errors. I'm pretty new with FortiSIEM engineering.


    What does it mean when the phParser and AgentManager get so busy and stay that way? Can you please point me to diagnostic material by Fortinet that would offer step-by-step guidance and recommendations I can make to the client, based on metrics to consider? Appreciate your help.

    aebadi (Best answer)
    Staff
    October 9, 2024

    Hi Karl,
    You will likely need to debug those two processes to see what's taking the bandwidth.
    Ideally you would look at the backend logs of your customer's collector and see what each process is doing. Here is the path to the backend logs: /opt/phoenix/log/phoenix.log


    phParser is a big component in the SIEM as it's always busy; it's likely that you have a lot of Unknown events filling up the logs, which will need the correct parser picking them up, if that's the issue.

    phAgentManager, as you have mentioned, is responsible for managing agent communication. Likely the last integration you added to the SIEM is having some load issues.

    I would start by reviewing the backend logs which I gave you earlier and filter for both processes to see what's happening in the backend; likely you will need a support ticket to help tell you the story of what the logs are showing.
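A small triage helper that does what premchanderr's grep command and aebadi's "filter for both processes" advice describe, as an added example that is not part of this thread and is not Fortinet's tooling: it counts phoenix.log lines per ph process and per severity, and lists the peer addresses a process mentions most often, which is the quickest pointer to the device worth looking at first. The sample log lines are constructed, and the line layout they assume (process name followed by `[pid]:` and an `[eventSeverity]=PHL_...` field) is an assumption, so adjust the patterns to whatever your collector's phoenix.log actually shows.

```shell
#!/bin/sh
# Triage helper for FortiSIEM backend logs (added example, not Fortinet code).
# ASSUMED line layout, constructed for this example:
#   <timestamp> <host> <procName>[<pid>]: [eventSeverity]=PHL_<LEVEL>,[phLogDetail]=<text>
LOG_FILE="${1:-/opt/phoenix/log/phoenix.log}"

# Constructed sample lines so the helper can be exercised offline.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2024-10-04T10:00:01 collector1 phAgentManager[2101]: [eventSeverity]=PHL_ERROR,[phLogDetail]=connect timeout to 10.0.0.5
2024-10-04T10:00:02 collector1 phParser[2102]: [eventSeverity]=PHL_INFO,[phLogDetail]=unknown event type from 10.0.0.9
2024-10-04T10:00:03 collector1 phAgentManager[2101]: [eventSeverity]=PHL_WARNING,[phLogDetail]=retrying 10.0.0.5
2024-10-04T10:00:04 collector1 phParser[2102]: [eventSeverity]=PHL_INFO,[phLogDetail]=unknown event type from 10.0.0.9
2024-10-04T10:00:05 collector1 phParser[2102]: [eventSeverity]=PHL_ERROR,[phLogDetail]=parse failure from 10.0.0.7
2024-10-04T10:00:06 collector1 phMonitor[2100]: [eventSeverity]=PHL_INFO,[phLogDetail]=health check ok
EOF

# count_process LOG PROC: number of lines written by PROC (case-insensitive).
# grep -c prints 0 and exits 1 when nothing matches, so mask that status.
count_process() {
    grep -ciF "${2}[" "$1" || true
}

# count_severity LOG PROC LEVEL: lines from PROC at severity PHL_<LEVEL>.
count_severity() {
    grep -iF "${2}[" "$1" | grep -cF "[eventSeverity]=PHL_$3" || true
}

# top_peers LOG PROC: IPv4 addresses mentioned by PROC, most frequent first,
# printed as "count address" per line.
top_peers() {
    grep -iF "${2}[" "$1" \
        | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# summarize LOG: one report line per process of interest.
summarize() {
    for proc in phAgentManager phParser; do
        printf '%s: total=%s error=%s warning=%s top_peer=%s\n' \
            "$proc" \
            "$(count_process "$1" "$proc")" \
            "$(count_severity "$1" "$proc" ERROR)" \
            "$(count_severity "$1" "$proc" WARNING)" \
            "$(top_peers "$1" "$proc" | head -n 1 | awk '{print $2}')"
    done
}

# Use the real log when it is readable, otherwise the constructed sample.
if [ -r "$LOG_FILE" ]; then
    summarize "$LOG_FILE"
else
    summarize "$SAMPLE_LOG"
fi
```

Run it on the collector itself (the super does not carry the collector's phoenix.log, as noted earlier in the thread); a process whose error count keeps climbing together with one dominant peer address is the device to temporarily pause log pulling for while its parser or credential problem is sorted out.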



    KarlH (Author)
    Explorer II
    October 9, 2024

    Thank you both for the replies. In the analytics section, can I do a search setting event type contains unknown_ and organization is name? I do not get any results. What is the correct query I can run until such time as I can get on the client's collector?