FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
mbenvenuti
Staff
Article Id 319144
Description This article describes how to deactivate the UEBA/phFortiInsightAI service.
Scope FortiSIEM.
Solution

When FortiSIEM RAM usage is high and the UEBA/phFortiInsightAI feature is not in use, the service can be deactivated: it is active by default and consumes resources even when unused. Follow the steps below on the super and worker nodes:

  • Take a backup of the configuration file and the status script from the CLI as root:

cp /opt/phoenix/config/phoenix_config.txt /opt/phoenix/config/phoenix_config.txt.orig
cp /opt/phoenix/bin/phstatus.py /opt/phoenix/bin/phstatus.py.orig

  • Modify the configuration file to remove process monitoring for this feature:

vi /opt/phoenix/config/phoenix_config.txt

  • Find the following exact element and remove it from the line it appears on:

<service><name>phFortiInsightAI</name><method>ps -ef | grep -v grep | grep -v Test | grep phFortiInsightAI | gawk '{print $2}'</method></service>

  • Modify the phstatus.py script:

vi /opt/phoenix/bin/phstatus.py

  • Find the following exact lines and remove them:

processes += "\nphFortiInsightAI"

elif name == "phFortiInsightAI":
    for line in lines:
        if "com.zonefox.ai.AI" in line:
            output = line.lstrip()
            break

  • Stop and deactivate the service:

systemctl stop phFortiInsightAI
systemctl disable phFortiInsightAI

Around 10 GB of RAM and swap is now freed. This is especially useful on the hardware appliance platform type.
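As an added example (not Fortinet's own tooling), the file edits above as a small POSIX shell script: it keeps the .orig backups, strips the phFortiInsightAI entries from both files and checks that nothing was left behind. File paths are passed as arguments, the sample files it builds are constructed for the demonstration, and the systemctl stop/disable step is still run by hand as shown above.

```shell
#!/bin/sh
# Added example, not Fortinet's tooling: apply this article's edits to copies of
# phoenix_config.txt and phstatus.py with .orig backups, then verify. Paths are
# arguments so the functions can be tried on sample files before /opt/phoenix.

# Drop the phFortiInsightAI <service> element; other elements on the line stay.
disable_ueba_config() {
    cfg="$1"
    cp "$cfg" "$cfg.orig" || return 1
    sed 's#<service><name>phFortiInsightAI</name><method>[^<]*</method></service>##g' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Remove the processes line and the elif block quoted in the article (the range
# ends at the first "break" after the elif, matching that block).
disable_ueba_phstatus() {
    py="$1"
    cp "$py" "$py.orig" || return 1
    sed -e '/processes += "\\nphFortiInsightAI"/d' \
        -e '/elif name == "phFortiInsightAI":/,/break/d' \
        "$py" > "$py.tmp" && mv "$py.tmp" "$py"
}

# Succeeds only when neither file still mentions phFortiInsightAI.
verify_ueba_removed() {
    ! grep -q 'phFortiInsightAI' "$1" "$2"
}

# Constructed sample files shaped like the article's fragments; the phMonitor
# entries around them are invented for the demonstration.
make_sample_files() {
    dir="$1"
    cat > "$dir/phoenix_config.txt" <<'EOF'
<service><name>phMonitor</name><method>ps -ef | grep -v grep | grep phMonitor | gawk '{print $2}'</method></service><service><name>phFortiInsightAI</name><method>ps -ef | grep -v grep | grep -v Test | grep phFortiInsightAI | gawk '{print $2}'</method></service>
EOF
    cat > "$dir/phstatus.py" <<'EOF'
processes += "\nphFortiInsightAI"
for name in processes.split("\n"):
    if name == "phMonitor":
        output = "running"
    elif name == "phFortiInsightAI":
        for line in lines:
            if "com.zonefox.ai.AI" in line:
                output = line.lstrip()
                break
EOF
}
```

Run it against copies first (make_sample_files into a temporary directory, then the two disable functions and verify_ueba_removed); only once the check passes point the functions at the real paths under /opt/phoenix.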


  • To restore the service, revert the previous steps:

mv /opt/phoenix/config/phoenix_config.txt.orig /opt/phoenix/config/phoenix_config.txt
mv /opt/phoenix/bin/phstatus.py.orig /opt/phoenix/bin/phstatus.py
systemctl start phFortiInsightAI
systemctl enable phFortiInsightAI