Technical Tip: How to monitor system status and EPS in real time from the supervisor CLI in FortiSIEM
| Description | This article describes how to use the command '/opt/phoenix/bin/phstatus.py -a' in FortiSIEM to monitor system health, resource utilization, and Events Per Second (EPS) in real time. |
| Scope | FortiSIEM version 6.5.x and above running on Rocky Linux, including Supervisor, Worker, and Collector nodes. |
| Solution | The command below provides a comprehensive real-time view of FortiSIEM system performance, including EPS statistics, resource utilization, and process status.
/opt/phoenix/bin/phstatus.py -a
This command is typically executed from the FortiSIEM node command line interface with root access.
The output is divided into multiple sections, each providing important operational information.
Top section. Displays system uptime, load average, number of users, running tasks, CPU utilization, and memory utilization.
Example:
This information helps determine system load and whether CPU resources are saturated. High load average values relative to CPU cores may indicate performance bottlenecks. High system CPU percentage may indicate heavy parsing, event processing, or database activity. High memory usage may indicate heavy event ingestion or insufficient RAM allocation. Swap usage should remain minimal, as swap utilization can significantly impact performance.
Disk utilization. The disk section displays filesystem usage, size, used space, available space, and mount points.
Example:
The '/data', '/cmdb', and '/opt' partitions are critical for FortiSIEM operation. High disk usage may prevent event ingestion or database writes. Disk usage above 80 percent should be investigated.
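The load, swap, and disk guidance above can be checked with standard Linux tools (`df -P`, `/proc/loadavg`, `/proc/meminfo`) between runs of phstatus.py. This is an added example, not Fortinet code, and it does not parse phstatus.py output; the function names and the "load above core count" rule are assumptions of this example.

```shell
#!/bin/sh
# Added example: threshold checks based on the article's guidance.
# Function names and the load rule are assumptions of this example.

DISK_LIMIT=80                       # percent; the article says to investigate above 80
CRITICAL_MOUNTS="/data /cmdb /opt"  # partitions the article names as critical

# Read `df -P` output on stdin; print "mount pct" for each critical
# mount point whose usage is above DISK_LIMIT.
disk_alerts() {
    awk -v limit="$DISK_LIMIT" -v mounts="$CRITICAL_MOUNTS" '
        BEGIN { n = split(mounts, m, " "); for (i = 1; i <= n; i++) want[m[i]] = 1 }
        NR > 1 {
            pct = $5; sub(/%$/, "", pct)
            if (($6 in want) && pct + 0 > limit) print $6, pct
        }'
}

# Compare the 1-minute load average ($1) with the CPU core count ($2).
# Prints "saturated" when load exceeds the core count, otherwise "ok".
load_state() {
    awk -v load="$1" -v cores="$2" \
        'BEGIN { print (load + 0 > cores + 0) ? "saturated" : "ok" }'
}

# Read /proc/meminfo-format text on stdin; print swap in use, in kB.
swap_used_kb() {
    awk '/^SwapTotal:/ { t = $2 } /^SwapFree:/ { f = $2 } END { print t - f }'
}

# Live report when run on a Linux node.
if [ -r /proc/loadavg ] && [ -r /proc/meminfo ]; then
    df -P | disk_alerts | while read -r mnt pct; do
        echo "DISK  $mnt at ${pct}% (limit ${DISK_LIMIT}%)"
    done
    cores=$(getconf _NPROCESSORS_ONLN)
    read -r load1 _ < /proc/loadavg
    echo "LOAD  $load1 on $cores cores: $(load_state "$load1" "$cores")"
    echo "SWAP  $(swap_used_kb < /proc/meminfo) kB in use"
fi
```
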
EPS statistics. This section provides critical information about the event ingestion rate.
Example:
These values represent different categories of events.
EPS: Represents external events received from devices such as FortiGate, servers, and network devices. This is the primary metric used to measure ingestion rate.
EPS INTERNAL: Represents internal FortiSIEM events generated by system components. Examples include health monitoring events and internal process logs. This value is typically low and stable.
EPS PERF: Represents performance monitoring events. These include system performance metrics.
Process status section. This section displays detailed information about FortiSIEM processes.
Example:
Each column provides critical operational details.
PROCESS: Displays the FortiSIEM process name.
UPTIME: Displays how long the process has been running. Frequent restarts may indicate instability.
CPU%: Displays CPU usage per process. High CPU usage may indicate heavy event load or processing bottlenecks.
VIRT_MEM: Displays total virtual memory allocated.
RES_MEM: Displays actual physical memory used. High memory consumption may indicate a heavy load.
FILE_DESC: Displays the number of file descriptors used. High values may indicate a heavy workload.
THR_NUM: Displays the number of threads used.
This command allows monitoring of:
This command is commonly used during troubleshooting, performance analysis, and capacity planning. It provides real-time information about the operational status of FortiSIEM. Using this command regularly helps to monitor system status, event ingestion rate, process stability, and overall resource utilization. |




