FortiSIEM Discussions
KarlH
Contributor

Help seeking a diagnostics document for when the ph processes are down. phAgentManager

Hi everyone,

Regarding the ph processes. First, phAgentManager is down; disk capacity is below 85%. I just see the health is showing this one proc is down, and I cannot find one doc about this anywhere. Why am I missing this?

I just tried to search the community for the name phAgentManager, and the search tried to correct me and asked if I meant FortiSIEM Manager?

Also, I am looking for a set of diagnostic steps I can use to create a runbook for when one, some, or all of the ph processes are found to be down and my fellow engineers come on board. I am about a month in on this gig, so still learning. Not having any luck with the search.

Cheers, Karl

Karl Henning, Security Engineer, CISSP
KarlH
Contributor

So I found this article https://community.fortinet.com/t5/FortiSIEM/Troubleshooting-Tip-How-to-troubleshoot-error-while-regi...

Interestingly, at the bottom it provides some links, one of which points back to itself.... Where are the steps to handle phAgentManager, or even what it is and why it's down?

The other link https://community.fortinet.com/t5/Internal-Knowledge-Base-Articles/Technical-Note-Accelops-KB-If-a-u...

gave me, "You do not have sufficient privileges for this resource or its parent to perform this action.

Click your browser's Back button to continue."

Karl Henning, Security Engineer, CISSP
KarlH
Contributor

Desperate, I asked ChatGPT what the process is. It claims phAgentManager is a key component of FortiSIEM responsible for managing agent communication and data collection. When encountering issues, FortiSIEM logs can provide detailed insights; check phoenix.log. If it's down, additional troubleshooting steps, including checking the license with phLicenseTool, can help. Can anyone clear up diagnosing this for future occurrences?

Karl Henning, Security Engineer, CISSP
premchanderr
Staff

Hi Karl,

You can run the command below on the discovery node (super or collector) to see which device is causing high phAgentManager load:

# cat /opt/phoenix/log/phoenix.log | grep -i phAgent

Now temporarily disable log pulling for this device and fine-tune the errors related to that device.

You can also debug a process by following the documentation below:

https://help.fortinet.com/fsiem/7-2-3/Online-Help/HTML5_Help/appendix-managing-fortisiem-operations....

If you have too many devices discovered, then consider adding another collector.

Regards,
Prem Chander R
KarlH

Hello, and thank you for your time. Sorry I was not clear: I need to help the client on the collector, not on the super. The client collector is the one with the ph processes like phParser and phAgentManager, etc., both of which are high on CPU.

Unfortunately

cat /opt/phoenix/log/phoenix.log | grep -i phAgent

does not show anything on the super, by the way. Also, thanks for the phStatus tool link; I've used that.

I'm not sure what you mean by "fine-tune the errors". I'm pretty new to FortiSIEM engineering.

What does it mean when phParser and phAgentManager get so busy and stay that way? Can you please point me to diagnostic material by Fortinet that would offer step-by-step guidance and recommendations I can make to the client, based on metrics to consider? Appreciate your help.

Karl Henning, Security Engineer, CISSP
aebadi
Staff

Hi Karl,

You will likely need to debug those two processes to see what's taking the bandwidth. Ideally you would look at the backend logs of your customer's collector and see what each process is doing. Here is the path to the backend logs: /opt/phoenix/log/phoenix.log

phParser is a big component in the SIEM as it's always busy. It's likely that you have a lot of Unknown events filling up the logs, which will need the correct parser to pick them up, if that's the issue.

phAgentManager, as you have mentioned, is responsible for managing agent communication. Likely the last integration you added to the SIEM is having some load issues.

I would start by reviewing the backend logs which I gave you earlier and filter for both processes to see what's happening in the backend. Likely you will need a support ticket to help tell you the story of what the logs are showing.



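Both staff replies above come down to the same runbook step: filter /opt/phoenix/log/phoenix.log for the busy process (phAgentManager or phParser) and work out which device the noisy or failing entries belong to. The script below is an added example of that triage, not code from the thread or from Fortinet. It assumes (as a constructed sample, not a documented format) that phoenix.log lines carry bracketed `[key]=value` fields such as `[procName]`, `[eventSeverity]` and `[reptDevIpAddr]`; the log lines embedded in it are made up, and the field names are assumptions. Given a real file it reports, per process, how many entries each reporting device generated and what fraction of that process's entries are errors, which is the information you would hand to the support ticket or use to decide which device to pause log pulling for.

```python
import re
import sys
from collections import Counter

# Constructed sample of phoenix.log content. The "[key]=value" layout and the
# field names (procName, eventSeverity, reptDevIpAddr, phLogDetail) are an
# assumption made for this example, not taken from the thread or from Fortinet docs.
SAMPLE_LOG = """\
2024-05-02T09:14:01 collector01 phAgentManager: [PH_AGENT_INFO]:[eventSeverity]=PHL_INFO,[procName]=phAgentManager,[reptDevIpAddr]=10.1.1.5,[phLogDetail]=poll completed
2024-05-02T09:14:02 collector01 phAgentManager: [PH_AGENT_ERROR]:[eventSeverity]=PHL_ERROR,[procName]=phAgentManager,[reptDevIpAddr]=10.1.1.9,[phLogDetail]=timeout waiting for response
2024-05-02T09:14:03 collector01 phParser: [PH_PARSER_WARN]:[eventSeverity]=PHL_WARNING,[procName]=phParser,[reptDevIpAddr]=10.1.1.9,[phLogDetail]=no parser matched event
2024-05-02T09:14:04 collector01 phAgentManager: [PH_AGENT_ERROR]:[eventSeverity]=PHL_ERROR,[procName]=phAgentManager,[reptDevIpAddr]=10.1.1.9,[phLogDetail]=timeout waiting for response
2024-05-02T09:14:05 collector01 phMonitor: [PH_MONITOR_INFO]:[eventSeverity]=PHL_INFO,[procName]=phMonitor,[phLogDetail]=heartbeat
2024-05-02T09:14:06 collector01 phAgentManager: [PH_AGENT_ERROR]:[eventSeverity]=PHL_ERROR,[procName]=phAgentManager,[reptDevIpAddr]=10.1.1.9,[phLogDetail]=timeout waiting for response
"""

# Matches one "[key]=value" field; values run up to the next comma or end of line.
KV_RE = re.compile(r"\[(\w+)\]=([^,\n]*)")


def parse_line(line):
    """Return the bracketed key=value fields of one log line as a dict."""
    return {key: value.strip() for key, value in KV_RE.findall(line)}


def records_for_process(log_text, proc_name):
    """Equivalent of 'grep -i <proc>' but keyed on the procName field, so a
    search for phAgentManager does not also pull in unrelated lines that merely
    mention the name in free text."""
    matches = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("procName", "").lower() == proc_name.lower():
            matches.append(rec)
    return matches


def top_devices(log_text, proc_name, only_errors=False, device_key="reptDevIpAddr"):
    """Count entries per reporting device for one process, busiest first.
    With only_errors=True, only PHL_ERROR entries are counted, which is the
    view you want when deciding which device to pause log pulling for."""
    counts = Counter()
    for rec in records_for_process(log_text, proc_name):
        if only_errors and rec.get("eventSeverity") != "PHL_ERROR":
            continue
        device = rec.get(device_key)
        if device:
            counts[device] += 1
    return counts.most_common()


def error_ratio(log_text, proc_name):
    """Fraction of a process's entries that are PHL_ERROR (0.0 when it has none)."""
    recs = records_for_process(log_text, proc_name)
    if not recs:
        return 0.0
    errors = sum(1 for rec in recs if rec.get("eventSeverity") == "PHL_ERROR")
    return errors / len(recs)


def triage_report(log_text, processes=("phAgentManager", "phParser")):
    """Build the per-process summary a runbook step would record."""
    report = {}
    for proc in processes:
        report[proc] = {
            "entries": len(records_for_process(log_text, proc)),
            "error_ratio": error_ratio(log_text, proc),
            "devices": top_devices(log_text, proc),
            "devices_with_errors": top_devices(log_text, proc, only_errors=True),
        }
    return report


if __name__ == "__main__":
    # Usage: python triage.py /opt/phoenix/log/phoenix.log
    # Without a path the constructed sample above is analysed instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for proc, summary in triage_report(text).items():
        print(f"{proc}: {summary['entries']} entries, "
              f"{summary['error_ratio']:.0%} errors")
        for device, n in summary["devices_with_errors"][:5]:
            print(f"  {device}: {n} error entries")
```

On the sample above the report shows phAgentManager with four entries, three of them errors, all three against 10.1.1.9, which is exactly the "which device is causing high phAgentManager" answer Prem's grep is meant to surface. Run it on the collector, not the super, since (as noted later in the thread) the collector is where these processes are busy; on a real file, check the field names against a few raw lines first and adjust KV_RE and device_key if the format differs from the assumed one.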
KarlH

Thank you both for the replies. In the Analytics section, can I do a search setting "event type contains unknown_" and "organization is name"? I do not get any results. What is the correct query I can run until such time as I can get on the client's collector?

Karl Henning, Security Engineer, CISSP