FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
alaxkar
Staff
Article Id 417762
Description This article describes how to resolve the phAnomalyMaster service showing as Down in FortiSIEM. This service is responsible for managing machine learning–based anomaly detection, which includes collecting and analyzing behavior patterns across monitored entities.
Scope FortiSIEM.
Solution

The phAnomalyMaster service in FortiSIEM is responsible for managing machine learning–based anomaly detection. When this service shows as Down in the GUI or in the output of the phstatus command, behavior analytics and anomaly-based event detection can be affected.

 

Cause:

 

The phAnomalyMaster service uses port 5000 for communication.
If this port is already occupied by another process or service (for example, Python or a custom application), the phAnomalyMaster service will fail to start.

In such cases, related warning messages may also appear in the phoenix.log file, similar to the following:


2025-10-28T12:31:33.973434+03:00 XYZ phMonitorSupervisor[3445]: [PH_BASE_PROC_SYS_PROC_INFO_GET_FAILURE]:[eventSeverity]=PHL_WARNING,[procName]=phMonitorSupervisor,[fileName]=phSystemProcessInfo.cpp,[lineNumber]=460,[phLogDetail]=Failed to get system process information(/opt/phoenix/log/phAnomalyMaster.pid)
2025-10-28T12:31:38.973470+03:00 XYZ phMonitorSupervisor[3445]: [PH_BASE_PROC_SYS_PROC_INFO_GET_FAILURE]:[eventSeverity]=PHL_WARNING,[procName]=phMonitorSupervisor,[fileName]=phSystemProcessInfo.cpp,[lineNumber]=460,[phLogDetail]=Failed to get system process information(/opt/phoenix/log/phAnomalyMaster.pid)

These logs indicate that the supervisor is unable to retrieve process information for phAnomalyMaster, typically because the service failed to start due to a port binding conflict.

 

Solution:

 

To resolve this issue, ensure that port 5000 is free and not used by any other service before starting phAnomalyMaster.

  1. Check if port 5000 is in use:

 

netstat -tulpn | grep :5000

 

  2. Identify the conflicting process:


Example output:

 

tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN 1389/python3

 

Here, another Python process is occupying port 5000.

 

  3. Free the port:
  • If the conflicting process is not critical, stop or disable it.
  • If the process is required, change its port number to another available port.

  4. Restart the phAnomalyMaster service:

 

killall phAnomaly

su admin

/opt/phoenix/bin/phAnomaly master start &

 

  5. Verify service status:

 

phstatus | grep phAnomalyMaster


Ensure that the service status is displayed as Running.

 

  6. (Optional) Check logs for confirmation:

 

tail -f /opt/phoenix/log/phoenix.log | grep phAnomalyMaster
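
A stricter version of the check in steps 1 and 2, added here as an example and not part of the original article or any Fortinet tooling: `grep :5000` also matches ports such as 50000, so this parses the `netstat -tulpn` output and reports only listeners bound to exactly port 5000. The sample output is constructed, and the default program name `phAnomaly` is an assumption taken from the binary path used in the restart step.

```bash
#!/usr/bin/env bash
# Added example (not Fortinet code). Parses `netstat -tulpn` text from stdin.

# Constructed sample output; PIDs and program names are illustrative.
SAMPLE='Proto Recv-Q Send-Q Local Address   Foreign Address State   PID/Program name
tcp   0 0 127.0.0.1:5000  0.0.0.0:*  LISTEN  1389/python3
tcp   0 0 0.0.0.0:50000   0.0.0.0:*  LISTEN  2210/otherd
tcp6  0 0 :::443          :::*       LISTEN  901/httpd
udp   0 0 0.0.0.0:15000   0.0.0.0:*          777/udpd'

# port_owners PORT: print "proto<TAB>local-address<TAB>PID/program" for every
# listener bound to exactly PORT (":50000" is not a match for 5000).
port_owners() {
    awk -v port="$1" '
        $1 !~ /^(tcp|udp)/ { next }            # skip header lines
        {
            n = split($4, a, ":")               # port follows the last colon
            if (a[n] != port) next
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            owner = "-"                         # "-" = hidden; rerun as root
            for (i = 6; i <= NF; i++)
                if ($i ~ /^[0-9]+\//) { owner = $i; break }
            print $1 "\t" $4 "\t" owner
        }'
}

# foreign_owners PORT NAME: listeners on PORT whose program is not NAME.
# NAME defaults to "phAnomaly", an assumption taken from the binary path
# /opt/phoenix/bin/phAnomaly; confirm it on a healthy node.
foreign_owners() {
    port_owners "$1" | awk -F'\t' -v name="${2:-phAnomaly}" '
        { prog = $3; sub(/^[0-9]+\//, "", prog) }
        index(prog, name) != 1 { print }'
}

# Demo on the sample; on an appliance use: netstat -tulpn | foreign_owners 5000
printf '%s\n' "$SAMPLE" | foreign_owners 5000
```

An empty result from `foreign_owners 5000` means no other program holds the port; any line it prints names the process to stop or move before restarting the service.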
