Article Id 229794
Description This article describes how to mitigate the FortiAnalyzer high CPU usage when the FortiSIEM module is enabled but not used.
Scope FortiAnalyzer v6.4+.

In FortiAnalyzer 6.4, the FortiSIEM database was introduced. It consumes resources that may affect performance: CPU usage can increase significantly while the FortiSIEM module is enabled, even if the SIEM features are never used.

To improve FortiAnalyzer performance, disable the FortiSIEM module, keeping in mind that once it is disabled:


  • Log View -> Fabric will be unavailable; administrators will not be able to search logs across different device types.
  • FortiSoC -> Threat Hunting will be unavailable.
  • Event handlers that use SIEM logs will not be triggered.
  • Reports that use the Normalized Logs type will be empty.
  • The DarkSide and SolarWinds event handlers and reports will only partially work.

To review the current licenses (the SOAR entry covers the SOAR and SIEM bundle):


diagnose license list

Name   Status       Expiry   Description
PBDS   No License   N/A      post breach detection
SCPC   No License   N/A      cloud storage service
SOAR   No License   N/A      SOAR and SIEM bundle service
FOAS   No License   N/A      FAZ Outbreak Detection Service
ISSS   No License   N/A      Industrial Security Service
FGSA   No License   N/A      Security Rating Update


To verify whether the FortiSIEM module is up and running, use the following CLI command:


diagnose test app siemagentd 2
FAZ SIEM: up [status enabled]
uptime: 70 day 19:06:45, shm-ver: 247, shm-fazid-max: 6
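The two checks above can be turned into a repeatable pre-flight test before deciding to disable the module. The script below is an added example, not part of the Fortinet article: it parses constructed copies of the `diagnose test app siemagentd 2` and `diagnose license list` output shown above and reports whether SIEM is running while the SOAR/SIEM bundle is unlicensed, which is the "enabled but not used" condition this article addresses. Treating "No License" on the SOAR line as "not used" is an assumption of the example; the function names and the SSH capture commands in the comments are illustrative.

```shell
#!/bin/sh
# Added example (not from the Fortinet article). Decides from the two
# FortiAnalyzer CLI checks whether the SIEM module is running while the
# SOAR/SIEM bundle is unlicensed. In practice, capture the real output over
# SSH (hostname and admin user are placeholders):
#   ssh admin@faz 'diagnose test app siemagentd 2' > siem.txt
#   ssh admin@faz 'diagnose license list'          > lic.txt

# Constructed sample: output of "diagnose test app siemagentd 2"
SIEM_STATUS_OUT='FAZ SIEM: up [status enabled]
uptime: 70 day 19:06:45, shm-ver: 247, shm-fazid-max: 6'

# Constructed sample: output of "diagnose license list"
LICENSE_OUT='Name   Status       Expiry   Description
PBDS   No License   N/A      post breach detection
SCPC   No License   N/A      cloud storage service
SOAR   No License   N/A      SOAR and SIEM bundle service
FOAS   No License   N/A      FAZ Outbreak Detection Service
ISSS   No License   N/A      Industrial Security Service
FGSA   No License   N/A      Security Rating Update'

# siem_enabled OUTPUT -> "yes" if siemagentd reports "up [status enabled]",
# otherwise "no".
siem_enabled() {
    if printf '%s\n' "$1" | grep -q '^FAZ SIEM: up \[status enabled\]'; then
        echo yes
    else
        echo no
    fi
}

# license_status OUTPUT NAME -> the Status column for the named entitlement
# (e.g. "No License" or "Licensed"), or "unknown" if the row is absent.
# The Status text may contain spaces, so it is everything between the name
# and the Expiry column (N/A or a YYYY-MM-DD date).
license_status() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == name {
            s = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "N/A" || $i ~ /^[0-9][0-9][0-9][0-9]-/) break
                s = (s == "" ? $i : s " " $i)
            }
            print s; found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# recommendation SIEM_OUT LIC_OUT -> "disable-siem" when the module is up but
# the SOAR/SIEM bundle is unlicensed (assumption: unlicensed means unused),
# "keep" when it is licensed, "already-disabled" when the module is not up.
recommendation() {
    if [ "$(siem_enabled "$1")" != yes ]; then
        echo already-disabled
    elif [ "$(license_status "$2" SOAR)" = "No License" ]; then
        echo disable-siem
    else
        echo keep
    fi
}

# Run against the constructed samples; prints "disable-siem".
recommendation "$SIEM_STATUS_OUT" "$LICENSE_OUT"
```

A result of `disable-siem` is the signal to proceed with the `set disable-module siem` step; `keep` means the bundle is licensed and disabling the module would remove features you are paying for.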

To disable the SIEM module, use the following CLI commands (take a backup first; see the related articles below):


config system global
(global) set disable-module siem
(global) end
Do you want to continue? (y/n)y

diagnose siem remove database ALL
Remove the entire SIEM database has been requested.
This operation will remove all data in the SIEM database and reset the database server.
This operation will reboot the device.
Do you want to continue? (y/n)y



As the prompts above indicate, removing the SIEM database reboots FortiAnalyzer, and the change only takes effect after that reboot.


Related articles:

Technical Tip: How to gather information and fix high CPU and Mem utilization conditions

Technical Tip: Backup and restore of FortiAnalyzer settings, logs and reports