Hello everyone,
I'm currently managing an environment with approximately 5000 EPS and encountering an issue where the PHparser crashes frequently. Our setup includes one supervisor and two workers, each running on servers equipped with a 32-core processor and 64 GB of RAM. Despite not using custom parsers, the PHparser fails every 20-25 minutes, recovers, and then continues to crash intermittently.
We are seeking advice on troubleshooting this problem. Any suggestions on what might be causing these frequent downtimes or how to stabilize the parser would be greatly appreciated.
Thank you! :)
FortiSIEM
@premchanderr
@FSM_FTNT
@Richie_C
Hi @Prakash_576 ,
The factors that cause high phParser are:
1) Too many unknown event types
2) More events than a super or collector can handle
3) Long length of a raw log causing issues in reading and parsing.
To narrow down on the issue you can:
1) Run a search in Analytics:
Filter: System Event Category BETWEEN 0,6 AND Collector ID = "xxx"
Display Conditions: Reporting IP, Event Type, Count(Matched Events)
2) Collect a tcpdump on the FortiSIEM node:
# tcpdump -i any "host x.x.x.x" -vvv -w Traffic.pcap
(x.x.x.x is the FortiSIEM IP)
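An added example, not part of the reply above and not FortiSIEM tooling: Python that reads the classic pcap file written by the tcpdump command and ranks source IPs by UDP datagram count and payload size, which speaks to causes 2 and 3. The sample capture, the 4096-byte `long_bytes` threshold and the assumption that events arrive over IPv4 UDP are constructed for illustration.

```python
import struct
from collections import defaultdict

LINK_HDR = {1: 14, 113: 16, 276: 20}  # Ethernet, Linux cooked v1/v2 (-i any)

def summarize_pcap(data, long_bytes=4096):
    """Per source IP: [datagrams, payload bytes, largest payload, count > long_bytes]."""
    if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        end = "<"
    elif data[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0] & 0xFFFF
    if linktype not in LINK_HDR:
        raise ValueError(f"unsupported link type {linktype}")
    skip, off = LINK_HDR[linktype], 24
    stats = defaultdict(lambda: [0, 0, 0, 0])
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        pkt = data[off + 16 + skip:off + 16 + incl_len]
        off += 16 + incl_len
        # Keep IPv4 UDP only; skip ARP, TCP, IPv6 and truncated packets.
        if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 17:
            continue
        # Later IP fragments carry no UDP header; the first one holds the full length.
        if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
            continue
        ihl = (pkt[0] & 0x0F) * 4
        if len(pkt) < ihl + 8:
            continue
        size = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0] - 8
        s = stats[".".join(map(str, pkt[12:16]))]
        s[0], s[1], s[2], s[3] = s[0] + 1, s[1] + size, max(s[2], size), s[3] + (size > long_bytes)
    return dict(stats)

def sample_pcap():
    """Constructed capture: 10.0.0.5 sends 3 datagrams (one 5000 bytes), 10.0.0.9 sends 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 113)
    for host, size in [(5, 120), (5, 5000), (5, 300), (9, 80)]:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + size, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, host]), bytes([10, 0, 0, 1]))
        pkt = bytes(16) + ip + struct.pack("!HHHH", 40000, 514, 8 + size, 0) + b"x" * size
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    ranked = sorted(summarize_pcap(sample_pcap()).items(), key=lambda kv: -kv[1][0])
    for ip, (count, total, largest, long_count) in ranked:
        print(f"{ip:<15} datagrams={count} bytes={total} largest={largest} long={long_count}")
```

To use it on a real capture, pass the bytes of Traffic.pcap to `summarize_pcap` instead of the constructed sample.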
Copyright 2025 Fortinet, Inc. All Rights Reserved.