Help
FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
mbenvenuti
Staff
Staff

Created on ‎03-11-2024 07:20 AM Edited on ‎01-28-2025 06:15 AM By Moderator

Article Id 303822

Technical Tip: Good practices and How to troubleshoot rules

Description This article describes how to troubleshoot rules.
Scope FortiSIEM.
Solution

When a rule has been created or modified, it is good practice to optimize and test it before activating it, as well as to check for errors by following the next steps:

 

  1. Optimize the rule.
  • Go to Resources -> Rules, select the involved rule, and select 'Edit'.
  • In 'Step 2: Define Condition', narrow down the most the time window as per requirements
  • In filters: 
    • Avoid the usage of REGEX operators as much as possible as they require heavy computing resources. Use the CONTAIN operator instead.
    • Set the filter with at least an 'Event Type' attribute and set other attributes to have accurate incidents and less memory used where possible
  • Define a category and choose one of the four (Availability, Performance, Change, Security ) to make sure the incident will be displayed in Explorer View.
  • Use suggested values and helpers like 'Expression Builder' and 'Select from CMDB' in the dropdown menu in each field to ensure validated data.
  • Do not modify default/system rules as they can be updated during FortiSIEM upgrades. Deactivate it and then clone the rule before editing it. 

 

  1. Test the rule.
  • Go to Resources -> Rules, Select the involved rule, and deactivate it.
  • Then select the More -> Test button.

 

rule_Test.png

 

  • Paste the raw event log that should trigger the rule and select 'Test Rule'.

 

rule_Test_with_raw_log.png

 

  • Wait a moment and check for the test result in the tab.

rule_Test_result.png

 

  • If the rule cannot be parsed, review its definition.
  • If the rule is not triggered, review the filter of the definition or the raw event log of the test.

 

When the test result is as expected, activate it.

 

  1. Check rule activation.
  • Go to the FortiSIEM login portal and log in as a full admin user.
  • After, on the browser address field, enter the following (replace super_ip with the IP of the super): https://super_ip/phoenix/rest/dataRequest/rule.
  • If any exception is defined, check https://super_ip/phoenix/rest/dataRequest/ruleException.
  • Wait for the XML file to be loaded and displayed, then search (Ctrl + F) for the rule name that should be activated.

rule-xml-search.png

 

  • If there is, check for its filter definition and make sure it's the expected definition.
  • Compare with what is defined in the database with the next command from super CLI as root (replace NAME_OF_THE_RULE with the name of the rule):

 

psql -U phoenix phoenixdb -tc "select rule_xml from ph_drq_rule where name ilike '%NAME_OF_THE_RULE%';" | sed "s# *+##g" | xmllint --format -

 

def_rule_fromdb.png

 

  • If it is not present or the definition differs from the database, go to step 4 and check for errors in the logs.

 

  1. Check for Sync Errors.
  • Go to the GUI at Resources -> Rules.
  • If the Sync Errors Button is displayed next to the search bar, it means that some rules are in error and need to be corrected.

 

sync_error_button.png

 

  • Select the Sync Errors button to discover the rules having issues.

 

sync_errors.png

 

  • Select the rule and edit it to fix the parsing error of the rule.
  • Use the suggested "helpers" (Expression Builder, Select from CMDB...) in each field to validate the values inserted and fix the rule

Important note: 

As long as rules are listed in Sync Errors, any changes in rules or newly created rules will NOT be applied and activated.

 

  1. Check for errors in the logs.
  • Access the FortiSIEM SSH console on super.
  • Run the command: 

 

tail -1000f /opt/phoenix/log/phoenix.log | grep PHL_ERROR | grep phRule

 

  • From the GUI at Resources -> Rules, select the involved rule and deactivate/activate it.
  • Check for errors in the console. If errors are displayed like PH_RULEMOD_SINGLE_EVENT_CONSTRAINT_INVALID, check the details of the error and review the rule definition of the filter involved. If difficulties are encountered in identifying the rule from the filter in the log, follow section 5.

 

  1. Identify rules involved by CONSTRAINT_INVALID errors. 

The logs may contain several errors with details of the filter but not the name of the rule. The steps here describe how to identify the rule:

  • List all the constraints in errors from the SSH console with the following command:


grep PH_RULEMOD_SINGLE_EVENT_CONSTRAINT_INVALID /opt/phoenix/log/phoenix.log | sed s'#.*\[task\]=##'g | sort -u

 

  • From this list, identify keywords to search in the rule definition.
  • Run the next command from super CLI as root to list rule names ( assign the KEYWORD attribute with the keyword identified previously in the filter from the error log).

 

KEYWORD="Type_your_keyword_here"

psql -U phoenix phoenixdb -c "select ph_drq_rule.id, ph_drq_rule.name, ph_drq_rule.owner_id, ph_drq_rule.active from ph_drq_rule join ph_drq_rule2event_filter on ph_drq_rule.id=ph_drq_rule2event_filter.rule_id join ph_drq_filter on ph_drq_rule2event_filter.event_filter_id=ph_drq_filter.id where (ph_drq_filter.single_constr ilike '%${KEYWORD}%' or ph_drq_filter.group_constr ilike '%${KEYWORD}%') and ph_drq_rule.active='t' and creation_type=1;"

 

psql-cmd.png

 

  • Go into the GUI at Resources -> Rules, search for the rule names listed before, review the definitions, and renew steps from Section 1.
  1. Identify rules involved by EXCEPTION_ELEMENT_INVALID errors.

The name of the involved rule may not be contained in the logs. The steps here describe how to identify the rule:

  • List all the constraints in errors from the SSH console with the following command:

 

grep PH_RULEMOD_EXCEPTION_ELEMENT_INVALID /opt/phoenix/log/phoenix.log | sed s'#.*\[description\]=##'g | sort -u

 

  • From this list, identify keywords to search in the rule definition.
  • Run the next command from super CLI as root to list rule names ( replace KEYWORD with the keyword identified previously in the filter from the error log).

psql -U phoenix phoenixdb -c "select ph_drq_rule.id,ph_drq_rule.name, ph_drq_rule.owner_id, ph_drq_rule.active from ph_drq_rule join ph_drq_rule_exp on ph_drq_rule.id=ph_drq_rule_exp.rule_id where (ph_drq_rule_exp.single_constr ilike '%KEYWORD%') and ph_drq_rule.active='t' and creation_type=1;"

 

find_rule_name_from_excep.png

 

  • Go into the GUI at Resources -> Rules, search for the rule names listed before, review the definitions, and renew steps from Section 1.
  1. Recover all system rules

 

If several system rules have been wrongly modified, recover them by running the following command as root:

 

/opt/phoenix/deployment/phoenixCLI.sh import -host localhost -port 8181 -cust system -user admin -pass `phLicenseTool --showDatabasePassword` -type SysXml -file /opt/phoenix/data-definition/rules/

 
Labels:
1679
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.