FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
Article Id 197534


This article describes how to check high CPU usage and how to fix it.




FortiAnalyzer, FortiManager.



  • Double-check the hardware resources.
  • Check that the system sizing matches the network log requirements for FortiAnalyzer. (example on FortiAnalyzer KVM on 7.4.2).
  • Refer to the product's datasheet for hardware sizing. (example on FMG KVM on 7.4.2).
  • Refer to the Product datasheet if using a HW FortiManager/FortiAnalyzer.
  • If a VM is being used, adjust the CPU and RAM allowance of the VM.

1. FortiManager sizing:

Get the number of managed devices using the following command:


diag dvm device list


Read more about the minimum system requirements in the documentation.

2. FortiAnalyzer sizing:

Retrieve the number of logs received per second using the following command:


diag fortilog log

diagnose fortilogd lograte (on version 7.0. and higher)


Once the HW is adjusted, deeper analyses of how the system is behaving can be seen using the following command:


get system performance


Figure 1
exe top
Figure 2

The load average section represents the average 'load' over 1, 5, and 15 minutes. 'Load' is a measure of the amount of computational work a system performs.

A system is considered to be loaded when the CPU is above 90% for 1, 5, and 15 minutes, and also when the system appears to run slow.

The us value in Figure 2 is the time the CPU spends executing processes in userspace. Similarly, the sy value is the time spent on running kernelspace processes.


exe iotop


Figure 3
diag debug sysinfo
Figure 4
diag debug crashlog read

Check that the system is not looping into a crash that may create a high load on the CPU. Identify this kind of crash condition by running the above command and checking the time stamp.

Depending on the process listed as a high CPU user, try to restart it using the following command:


diag test application <module> 99


This is often useful to restart an OFTPD or SQLOGD daemon. For example:


diagnose test application oftpd 99; diagnose test application sqllogd 99


If the module cannot be accessed with the diagnose test application, use the kill command:


diagnose sys process list


Once the process responsible for hitting the CPU cycles is identified, kill the process using the following command:


diagnose test application sqllogd 99


(This may kill the postgress daemon as well as restart sqllogd.)




diagnose test application logfiled 99




diagnose test application oftpd 99


If the process is not one of the above, contact the support team for further analysis.


Note: A specific PID may be killed by running the exe top command using the 'k' key. (Be aware that some processes should not be killed with the 'k' key in exe top, as this may result in system instability).

Monitor the system behavior using the exe top and get system performance commands to check if the system is now behaving as normal.

If the steps above do not remedy the issue, provide the following information to support:


exe tac report

exe top                   <- Let it run for 10 sec.

exe iotop                 <- Let it run for 10 sec.

diag debug sysinfo

get sys perf              <- Run it multiple time.

diag hardware info

diag debug klog


Check what times of day the CPU usage is high and try to correlate these times with the network load. This can offer some hints for the troubleshooting phase.

If possible, run the attached tera term script and let it run until the CPU usage is identified.


Related article: