Description
This article describes how to log and monitor the single CPU core usage spike.
Scope
FortiGate with multiple CPU cores; FortiOS version 7.2.4 and above.
Solution
The System event generally records the CPU usage every 5 minutes by default as seen in the example below:
date=2024-01-08 time=09:41:11 eventtime=1704703271275848977 tz="+0100" logid="0100040704" type="event" subtype="system" level="notice" vd="root" logdesc="System performance statistics" action="perf-stats" cpu=1 mem=43 totalsession=33 disk=1 bandwidth="10/208" setuprate=0 disklograte=0 fazlograte=0 freediskstorage=15172 sysuptime=523228 waninfo="N/A" msg="Performance statistics: average CPU: 1, memory: 43, concurrent sessions: 33, setup-rate: 0"
However, the CPU usage recorded above is the average CPU usage seen across all the available CPU cores. Hence, a single CPU core spike may get overlooked on a FortiGate with multiple CPU cores.
To log any CPU usage spike seen against a particular core, the below can be enabled:
config system global
    set log-single-cpu-high enable
end
log-single-cpu-high: Enable/disable logging in the event of a single CPU core reaching the CPU usage threshold.
The CPU use threshold is by default 90. It would then generate logs as shown in the sample below if the usage exceeds 90%:
date=2024-01-08 time=09:45:44 eventtime=1666143944430584293 tz="+0100" logid="0100040707" type="event" subtype="system" level="notice" vd="root" logdesc="CPU single core usage statistics" action="cpu-single-core-usage" core=8 cpu=99 msg="CPU core 8 usage reaches: 99"
When enabled, CPU single core usage will be polled every 3 seconds and any single CPU core usage above the CPU usage threshold will report an event log. If a core is reported, that core will not be rechecked for 30 seconds.
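Because a reported core is not rechecked for 30 seconds, one sustained spike shows up as a series of events roughly half a minute apart. The following added example (not Fortinet code) parses exported event logs and merges those events into per-core episodes; the 35-second merge gap, the function names and the sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
SINGLE_CORE_LOGID = "0100040707"          # logid of the single-core event above
MAX_GAP = timedelta(seconds=35)           # assumption: 30 s hold-off + 3 s poll + slack

def parse_event(line):
    """Turn one FortiOS log line into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def core_episodes(lines, max_gap=MAX_GAP):
    """Merge single-core events into (core, start, end, peak_cpu, events) episodes."""
    by_core = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("logid") != SINGLE_CORE_LOGID:
            continue                       # skip averaged perf-stats and other events
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        by_core.setdefault(int(ev["core"]), []).append((ts, int(ev["cpu"])))
    episodes = []
    for core, events in by_core.items():
        events.sort()
        (start, peak), end, count = events[0], events[0][0], 1
        for ts, cpu in events[1:]:
            if ts - end <= max_gap:        # same spike, re-reported after the hold-off
                end, peak, count = ts, max(peak, cpu), count + 1
            else:                          # core went quiet, then spiked again
                episodes.append((core, start, end, peak, count))
                start, end, peak, count = ts, ts, cpu, 1
        episodes.append((core, start, end, peak, count))
    return sorted(episodes, key=lambda e: (e[1], e[0]))

def _spike(time, core, cpu):
    """Build a constructed single-core event in the format shown above."""
    return (f'date=2024-01-08 time={time} tz="+0100" logid="0100040707" type="event" '
            f'subtype="system" level="notice" vd="root" action="cpu-single-core-usage" '
            f'core={core} cpu={cpu} msg="CPU core {core} usage reaches: {cpu}"')

# Constructed sample input (not real device output)
SAMPLE = [
    'date=2024-01-08 time=09:41:11 logid="0100040704" type="event" action="perf-stats" cpu=1 mem=43',
    _spike("09:45:44", 8, 99), _spike("09:46:17", 8, 97), _spike("09:46:50", 8, 95),
    _spike("09:46:20", 3, 91), _spike("09:52:02", 8, 93),
]

if __name__ == "__main__":
    for core, start, end, peak, n in core_episodes(SAMPLE):
        print(f"core {core}: {start:%H:%M:%S} to {end:%H:%M:%S}, peak {peak}%, {n} event(s)")
```

An episode with several events indicates a core pinned above the threshold for about a minute or more, while a single-event episode is a short burst.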
Copyright 2024 Fortinet, Inc. All Rights Reserved.