Troubleshooting Tip: phParser down after cloning or migrating a FortiSIEM supervisor VM

Description

This article describes how to resolve an issue where the phParser process remains down after cloning or migrating a FortiSIEM Supervisor virtual machine to a different host.

Affected systems may report 'phParser Down' in the FortiSIEM user interface, and restarting services using phtools --stop all and phtools --start all does not resolve the issue.

Backend logs may contain errors similar to the following:

curl error (3) URL using bad/illegal format or missing URL
Failed to connect to notification server
Cannot connect to heartbeat server
Failed to establish notification connection from phRuleMaster to phParser

The issue can occur when the FortiSIEM configuration references an incorrect IP address after the VM is cloned or moved to a different host.

Scope

 FortiSIEM v7.x+.

Solution

1. Verify FortiSIEM IP configuration.
   Review the FortiSIEM configuration file:
   
   

   vi /opt/phoenix/config/phoenix_config.txt

   
   Verify the following parameters:
   
   

   APP_SERVER_HOST
   MON_SERVER_HOST
   PARSER_SERVER_HOST
   FSIEM_IP (not seen in version <7.5.0)
   parser_server_host

   
   

   Ensure that these parameters are configured with the correct management IP address assigned to the active network interface (typically eth0).
   
   

2. Replace incorrect IP addresses.
   If any of the parameters contain an incorrect or obsolete IP address inherited from the original VM, replace it with the correct IPv4 management address.

   
   Example:
   
   

   APP_SERVER_HOST=192.168.1.10
   MON_SERVER_HOST=192.168.1.10
   PARSER_SERVER_HOST=192.168.1.10
   FSIEM_IP=192.168.1.10
   parser_server_host=192.168.1.10

   
   

3. Save the configuration.
   Save the file and exit the editor:
   
   

   ESC
   :wq

   
   

4. Restart FortiSIEM services (optional).
   Restart FortiSIEM services if the phParser process did not automatically start:
   
   

   phtools --stop all
   phtools --start all

   
   

5. Verify phParser status.
   Confirm that the phParser process is running successfully:
   
   

   phstatus

The phParser process should return to a healthy state, and inter-process communication errors should no longer be observed.

Root cause:

After a Supervisor VM is cloned or migrated, FortiSIEM may continue to reference an outdated IP address stored in phoenix_config.txt. As a result, internal components such as phMonitorSupervisor, phRuleMaster, phEventForwarder, and phQueryWorker are unable to communicate with the local Supervisor and phParser services.

This causes heartbeat failures, notification connection failures, and repeated curl errors, ultimately resulting in the phParser Down condition.