Fortinet Community
HelpSign In
Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER CONTINUE AS A GUEST
  • Forums
    • Support Forum
  • Knowledge Base
    • Customer Service
    • Internal Article Nominations
    • FortiGate
    • FortiClient
    • FortiAP
    • FortiAnalyzer
    • FortiADC
    • FortiAuthenticator
    • FortiBridge
    • FortiCache
    • FortiCarrier
    • FortiCASB
    • FortiConnect
    • FortiConverter
    • FortiCNP
    • FortiDAST
    • FortiDDoS
    • FortiDB
    • FortiDNS
    • FortiDLP
    • FortiDevSec
    • FortiDeceptor
    • FortiDirector
    • FortiEDR
    • FortiExtender
    • FortiGate Cloud
    • FortiHypervisor
    • FortiGuard
    • FortiInsight
    • FortiIsolator
    • FortiMail
    • FortiMonitor
    • FortiManager
    • FortiNAC
    • FortiNAC-F
    • FortiNDR (on-premise)
    • FortiNDRCloud
    • FortiPAM
    • FortiPhish
    • FortiPortal
    • FortiProxy
    • FortiRecon
    • FortiRecorder
    • FortiSRA
    • FortiSandbox
    • FortiSASE
    • FortiScan
    • FortiSIEM
    • FortiSOAR
    • FortiSwitch
    • FortiTester
    • FortiToken
    • FortiVoice
    • FortiWAN
    • FortiWeb
    • FortiWebCloud
    • Lacework
    • Wireless Controller
    • RMA Information and Announcements
    • FortiCloud Products
    • ZTNA
    • 4D Documents
  • Community Groups
    • Agora
    • Engage Services
    • The EPSP Platform
    • The ETSP Platform
    • Finland
    • FortiGate-VM on Azure
      • Discussions & Onboarding Information
      • Technical Learning
    • FortiGate-VM on AWS
      • Discussions & Onboarding Information
      • Technical Learning
    • FortiGate CNF (All Marketplaces)
      • Getting Started Resources
      • Technical Learning
    • FortiWeb Cloud (All Marketplaces)
      • Getting Started Resources
      • Technical Learning
    • Fortinet for SAP
      • Discussions
      • Technical Learning
      • Knowledge Base
      • Idea Exchange
      • Events
    • FortiSIEM
      • Discussions
      • Blog
    • FortiSOAR
      • Discussions
      • Announcements
      • Idea Exchange
    • KCS
    • Lacework
    • Super User
  • Blogs
FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
  • Fortinet Community
  • Knowledge Base
  • FortiAnalyzer
  • Technical Tip: How to improve FortiAnalyzer perfor...
Options
  • Subscribe to RSS Feed
  • Mark as New
  • Mark as Read
  • Bookmark
  • Subscribe
  • Printer Friendly Page
  • Report Inappropriate Content
acapalbo
acapalbo Staff
Staff

Created on ‎11-14-2022 05:13 AM Edited on ‎10-22-2024 07:52 AM By Moderator Jean-Philippe_P

Article Id 229794

Technical Tip: How to improve FortiAnalyzer performances when FortiSIEM module is not needed

Description This article describes how to mitigate the FortiAnalyzer high CPU usage when the FortiSIEM module is enabled but not used.
Scope FortiAnalyzer v6.4+.
Solution

In FortiAnalyzer 6.4, the FortiSIEM database is introduced and it consumes resources that may affect performance (i.e. CPU usage can significantly increase when the FortiSIEM module feature is enabled).

It is also necessary to adjust the resources based on MEA accordingly if required:

Management extension applications

 

To improve FortiAnalyzer performances, it is recommended to disable the FortiSIEM module by keeping in mind that if disabled:

 

  • Log View -> Fabric will be unavailable. Administrators will not be able to search logs across different device types.
  • FortiSoc -> Threat Hunting will be unavailable.
  • Event Handlers using the SIEM logs will not be triggered.
  • Reports using the Normalized Logs type will be empty.
  • Handler and report for the DarkSide and Solarwind will partially work.

 

To review the current licenses:

 

diagnose license list


Name Status Expiry Description
---------------------------------------------------------------------
PBDS No License N/A post breach detection
SCPC No License N/A cloud storage service
SOAR No License N/A SOAR and SIEM bundle service
FOAS No License N/A FAZ Outbreak Detection Service
ISSS No License N/A Industrial Security Service
FGSA No License N/A Security Rating Update

 

To verify if the FortiSIEM module is up and running, the following CLI command can be used:

 

diagnose test app siemagentd 2
FAZ SIEM: up [status enabled]
siemagentd:
uptime: 70 day 19:06:45, shm-ver: 247, shm-fazid-max: 6


To disable the SIEM module, the following CLI command can be used:

 

config system global
(global) set disable-module siem
(global) end
DISABLE SIEM module
Do you want to continue? (y/n)y


diagnose siem remove database ALL
Remove the entire SIEM database has been requested.
This operation will remove all data in the SIEM database and reset the database server.
This operation will reboot the device.
Do you want to continue? (y/n)y

 

The following command can be used to Enable/disable the SIEM module in hardware models:

 

diagnose siem module-ctrl {enable | disable}

 

The following command can be used to start/ stop the SIEM module in VM-based units:

 

   diagnose siem service {start | stop}

 

FortiAnalyzer's SIEM module related CLI reference.

 

Note.

As prompted above, FortiAnalyzer needs to be reloaded to make the change effective.

 

Related articles:

  • Technical Tip: How to gather information and fix high CPU and Mem utilization conditions
  • Technical Tip: Backup and restore of FortiAnalyzer settings, logs and reports
5717
4 Kudos
Submit Article Idea
Contributors
  • acapalbo
    acapalbo
  • vraev
    vraev
  • basicnbb
    basicnbb
  • Stephen_G
    Stephen_G
  • Jean-Philippe_P
    Jean-Philippe_P
  • mdeparisse_FTNT
    mdeparisse_FTNT
  • Anthony_E
    Anthony_E
fortinet
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
  • Threat Research
  • FortiGuard Labs
  • Threat Map
  • Threat Briefs
  • Ransomware
  • Getting Started Resources
Company
  • About Us
  • Security Fabric
  • Exec. Mgmt
  • Careers
  • Certifications
  • Events
  • Industry Awards
  • Social Responsibility
News & Articles
  • News Releases
  • News Articles
  • Trademarks
Contact Us
  • Corporate
  • Community

Copyright 2024 Fortinet, Inc. All Rights Reserved.

  • Terms of Service
  • Privacy Policy
  • GDPR
  • Cookie Settings