Technical Tip: How to fix 'PH_DROP_EVENT_FROM_SHAR...

FortiSIEM

FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)

Article Id 371267

Description

This article describes the steps to apply to resolve the error 'PH_DROP_EVENT_FROM_SHARED_BUFFER'.

Scope

FortiSIEM.

Solution

The main cause for the 'PH_DROP_EVENT_FROM_SHARED_BUFFER' error is Full Queue drops by the Workers.
The steps to follow are below:

Remove the files from the cache - To DO ON SUPER/WORKERS DURING DOWNTIME - Take a snapshot first:

cd /opt/phoenix/cache/<SUPERIP>/phoenix/rest/dataRequest/rule/
rm -f *

mv /opt/phoenix/cache/<SUPERIP> /opt/phoenix/cache/SUPERIP.old

vi /opt/phoenix/config/phoenix_config.txt -> Search for the line 'notification_server_thread_num'.

Now change this from:

notification_server_thread_num=20

To:

notification_server_thread_num=50 -> Search for 'count_distinct_precision'.

Modify the value to the below:

count_distinct_precision=9

Save the configuration and exit the file.

Restart the following on Super:

killall -9 phMonitor phRuleWorker phRuleMaster

Restart the following On Worker:

killall -9 phRuleWorker

Make sure all processes are up and running:

phstatus

472

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Technical Tip: How to fix 'PH_DROP_EVENT_FROM_SHARED_BUFFER' error

You are leaving our website