Hi everyone,
Regarding the ph processes: first, phAgentManager is down; disk capacity is below 85%. I just see the health is showing this one proc is down, and I cannot find one doc about this anywhere. Why am I missing this?
I just tried to search the community for the name phAgentManager, and the search tried to correct me and asked if I meant Fortiseim Manager?
Also I am looking for a set of diagnostic steps I can use to create a runbook for when one or some or all of the ph processes are found to be down and my fellow engineers come on board. I am about a month in on this gig so still learning. Not having any luck with the search.
Cheers, Karl
So I found this article https://community.fortinet.com/t5/FortiSIEM/Troubleshooting-Tip-How-to-troubleshoot-error-while-regi...
Interestingly, at the bottom it provides some links, one of which points back to itself... Where are the steps to handle phAgentManager, or even what it is and why it's down?
The other link https://community.fortinet.com/t5/Internal-Knowledge-Base-Articles/Technical-Note-Accelops-KB-If-a-u...
gave me, "You do not have sufficient privileges for this resource or its parent to perform this action.
Click your browser's Back button to continue."
Desperate, I asked ChatGPT what the process is; it claims phAgentManager is a key component of FortiSIEM responsible for managing agent communication and data collection. When encountering issues, FortiSIEM logs can provide detailed insights. Check phoenix.log. If it’s down, additional troubleshooting steps, including checking the license with phLicenseTool, can help. Can anyone clear up diagnosing this for future occurrences?
Hi Karl,
You can run the below command on the discovery node (super or collector) to see which device is causing high phAgentManager:
# cat /opt/phoenix/log/phoenix.log | grep -i phAgent
Now temporarily disable the log pulling for this device and fine-tune the errors related to that device.
You can also debug by following the below documentation for a process:
If you have too many devices discovered, then consider adding another collector.
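The log filter suggested in the reply above, taken one step further to rank devices, as an added example that is not part of the original thread and is not Fortinet code. It assumes the log lines name the device by IPv4 address; the function names are hypothetical and the sample lines are constructed, not real phoenix.log output.

```shell
#!/bin/sh
# top_devices LOGFILE PROCESS [N]
# Print "count address" for the N IPv4 addresses that appear most often
# on log lines mentioning PROCESS (case-insensitive, literal match).
top_devices() {
    log=$1; proc=$2; n=${3:-5}
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 1; }
    grep -iF -- "$proc" "$log" \
      | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | sort | uniq -c | sort -k1,1nr -k2,2 | head -n "$n" \
      | awk '{print $1, $2}'
}

# write_sample_log PATH
# Constructed sample lines for the demo; the layout is an assumption and
# does not reproduce the actual FortiSIEM log format.
write_sample_log() {
    cat > "$1" <<'EOF'
2024-10-08T13:00:01 collector1 phAgentManager[2211]: pull failed for device 10.0.0.5 (timeout)
2024-10-08T13:00:02 collector1 phAgentManager[2211]: pull failed for device 10.0.0.5 (timeout)
2024-10-08T13:00:03 collector1 phParser[1980]: parsed event from 10.0.0.9
2024-10-08T13:00:04 collector1 phAgentManager[2211]: pull ok for device 10.0.0.7
2024-10-08T13:00:05 collector1 phAgentManager[2211]: pull failed for device 10.0.0.5 (timeout)
EOF
}

# Demo on the constructed sample. On a collector, point top_devices at
# /opt/phoenix/log/phoenix.log instead.
sample=$(mktemp)
write_sample_log "$sample"
echo "Devices on phAgentManager lines:"
top_devices "$sample" phAgent 3
rm -f "$sample"
```

A device that dominates the ranking is the first candidate for the temporary pull disable described in the reply.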
Created on 10-08-2024 01:02 PM Edited on 10-08-2024 02:49 PM
Hello, and thank you for your time. Sorry I was not clear: I need to help the client on the collector, not on the super. The client collector is the one with the ph processes like phParser and phAgentManager etc., both of which are high CPU.
Unfortunately,
cat /opt/phoenix/log/phoenix.log | grep -i phAgent
does not show anything on the super, by the way. Also, thanks for the phStatus tool link; I've used that.
I'm not sure what you mean by fine-tune the errors. I'm pretty new with FortiSIEM engineering.
What does it mean when the phParser and AgentManager get so busy and stay that way? Can you please point me to diagnostic material by Fortinet that would offer step-by-step guidance and recommendations I can make to the client, based on metrics to consider? Appreciate your help.
Hi Karl,
You will likely need to debug those two processes to see what's taking the bandwidth.
Ideally you would look at the backend logs of your customer collector and see what each process is doing. Here is the path to the backend logs: /opt/phoenix/log/phoenix.log
phParser is a big component in the SIEM as it's always busy. It's likely that you have a lot of Unknown events filling up the logs, which will need the correct parser to pick them up, if that's the issue.
phAgentManager, as you have mentioned, is responsible for managing agent communication. Likely the last integration you added to the SIEM is having some load issues.
I would start by reviewing the backend logs which I gave you earlier and filter for both processes to see what's happening in the backend. Likely you will need a support ticket to help tell you the story of what the logs are showing.
Thank you both for the replies. In the analytics section, can I do a search setting event type contains unknown_ and organization is name? I do not get any results. What is the correct query I can run until such time as I can get on the client's collector?