FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
alaxkar
Staff
Article Id 418386
Description This article describes how to resolve the 'Error in SQLite3 prepare' error, which the FortiSIEM Supervisor may continuously report as a backend error in the 'phoenix.log'.
Scope FortiSIEM.
Solution

In some scenarios, the FortiSIEM Supervisor may continuously report the following backend error in the 'phoenix.log':


PH_REPORT_SQLITE3_PREPARE_ERROR

This typically occurs when the baseline profile database becomes corrupted or when a custom rule referencing a specific profile ID (e.g., 'profile_113') is causing issues during baseline rule processing. This can lead to repeated backend errors and performance impact during rule evaluation.

 

To resolve the 'Error in SQLite3 prepare' message, clear the baseline profile database on the Super node by performing the following steps:

 

cd /opt/phoenix/cache

rm profile.db
rm profile.db-shm
rm profile.db-wal

rm daily.db
rm daily.db-shm
rm daily.db-wal

phtools --stop phRuleMaster
phtools --start phRuleMaster

 

If the error still appears on the backend, monitor it using the command below on the Super node:

 

tail -f /opt/phoenix/log/phoenix.log | grep -i PH_REPORT_SQLITE3_PREPARE_ERROR

 

If the error persists, it may be related to a custom rule associated with a specific profile ID (e.g., profile_113). Follow the commands below to identify the rule:

 

cd /opt/phoenix/data-definition/rules
grep \:113 *.xml

 

Then check the corresponding rule in the database:

 

psql -U phoenix phoenixdb -c "select name from ph_drq_rule where incident_attr like '%:113%';"

 

This should help isolate the rule causing the issue.
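
The shell functions below are an added example, not part of the original article or of Fortinet tooling. They tally which profile IDs appear on PH_REPORT_SQLITE3_PREPARE_ERROR lines and list the rule files that reference exactly that ID. The function names, the 'profile_<number>' log token, and the sample log and rule lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Fortinet code). Assumes error lines name the profile as
# "profile_<number>", as in the article's 'profile_113'; real layouts may differ.

# Print "<count> <id>" for each profile ID found on
# PH_REPORT_SQLITE3_PREPARE_ERROR lines of log file $1, most frequent first.
profile_error_counts() {
    grep -i 'PH_REPORT_SQLITE3_PREPARE_ERROR' "$1" |
        grep -o 'profile_[0-9][0-9]*' |
        sed 's/^profile_//' |
        sort -n | uniq -c |
        sort -k1,1nr -k2,2n |
        awk '{print $1, $2}'
}

# Print the most frequently named profile ID (empty if none found).
top_profile_id() {
    profile_error_counts "$1" | awk 'NR == 1 {print $2}'
}

# List rule files in directory $1 that reference ":<id>" for ID $2 exactly.
# A plain ':113' pattern would also match ':1130'.
rules_for_profile() {
    grep -lE ":$2([^0-9]|\$)" "$1"/*.xml 2>/dev/null
}

# Constructed sample data; not real FortiSIEM output or rule definitions.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/phoenix.log" <<'EOF'
[PH_REPORT_SQLITE3_PREPARE_ERROR] constructed line: Error in SQLite3 prepare, profile_113
[PH_REPORT_SQLITE3_PREPARE_ERROR] constructed line: Error in SQLite3 prepare, profile_113
[PH_REPORT_SQLITE3_PREPARE_ERROR] constructed line: Error in SQLite3 prepare, profile_27
[constructed unrelated line] mentions profile_999 without the error ID
EOF
printf '<rule>constructed attr = x:113</rule>\n'  > "$demo_dir/custom_a.xml"
printf '<rule>constructed attr = x:1130</rule>\n' > "$demo_dir/custom_b.xml"

# Show the tally, then the rule files referencing the top profile ID.
profile_error_counts "$demo_dir/phoenix.log"
rules_for_profile "$demo_dir" "$(top_profile_id "$demo_dir/phoenix.log")"
```

On a Super node, the functions would be pointed at /opt/phoenix/log/phoenix.log and /opt/phoenix/data-definition/rules in place of the sample directory.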