FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Article Id 252832
Description: This article explains why some or all incident emails sent by FortiSIEM are empty, and how to fix it.
Scope: Supervisor (FortiSIEM versions 6.1.x - 6.6.x).
Solution

To check phoenix.log on the Supervisor for the error, run the following command:

grep formEmailBodyAndSubject /opt/glassfish/domains/domain1/logs/phoenix.log

The output will look like this:

2023-04-05 14:52:39,000 ERROR [p: thread-pool-1; w: 51] com.ph.phoenix.da.incident.IncidentEmailManagerBean - [PH_APPSERVER_GENERIC_ERROR]:[phCustId]=1,[eventSeverity]=PHL_ERROR,[phEventCategory]=3,[procName]=AppServer,[phLogDetail]=formEmailBodyAndSubject Exception : com.ph.phoenix.da.EntityNotFoundException: User@6268103 was not found
at com.ph.phoenix.da.incident.IncidentEmailManagerBean.formEmailBodyAndSubject(IncidentEmailManagerBean.java:196)
at com.sun.proxy.$Proxy355.formEmailBodyAndSubject(Unknown Source)

 

This error occurs because the user who created the notification policy has been removed, so the user id recorded in the policy (User@6268103 above) can no longer be resolved when the email body is built.

To identify which notification policy is affected, look in the same log for the record of the email having been sent.

 

It should look like this:

2023-04-05 14:52:39,283 INFO [p: thread-pool-1; w: 43] com.ph.phoenix.service.notify.NotificationHelper - [PH_INCIDENT_ACTION_STATUS]:[phCustId]=1,[eventSeverity]=PHL_INFO,[actionTime]=Wed Mar 29 14:17:39 MDT 2023,[incidentSrc]=srcIpAddr:192.153.74.91,[procName]=AppServer,[incidentTarget]=destIpAddr:192.168.200.102,[actionResult]=Successful,[phEventCategory]=3,[policyId]=1139051,[incidentDetail]=compEventType:FortiGate-ips-signature-45360; ipsSignatureId:45360; incidentCount:3,[ruleName]=Stealth Scan,[actionId]=1139108,[ruleId]=938107,[incidentId]=57563,[customer]=Super,[actionName]=Email sent to (test@example.com),[phLogDetail]=Record incident notification action result
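The two checks above (find the formEmailBodyAndSubject error, then find the PH_INCIDENT_ACTION_STATUS record that names the policy and recipient) can be automated so that every affected policy is listed at once. The script below is an added example, not Fortinet's code or part of the article; it assumes the record layout shown in the two log excerpts (a `[key]=value,[key]=value` tail after the message name) and runs offline against a constructed sample. The sample's second policy (ids 2000001/2000002/900001, incident 57600, soc@example.com) is invented to show an unaffected policy alongside the affected one.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample of phoenix.log records, modelled on the two records quoted
# in the article. The last INFO record (policyId 2000001, soc@example.com) is
# invented so the report shows a second, unrelated email policy.
SAMPLE_LOG = """\
2023-04-05 14:52:39,000 ERROR [p: thread-pool-1; w: 51] com.ph.phoenix.da.incident.IncidentEmailManagerBean - [PH_APPSERVER_GENERIC_ERROR]:[phCustId]=1,[eventSeverity]=PHL_ERROR,[phEventCategory]=3,[procName]=AppServer,[phLogDetail]=formEmailBodyAndSubject Exception : com.ph.phoenix.da.EntityNotFoundException: User@6268103 was not found
at com.ph.phoenix.da.incident.IncidentEmailManagerBean.formEmailBodyAndSubject(IncidentEmailManagerBean.java:196)
at com.sun.proxy.$Proxy355.formEmailBodyAndSubject(Unknown Source)
2023-04-05 14:52:39,283 INFO [p: thread-pool-1; w: 43] com.ph.phoenix.service.notify.NotificationHelper - [PH_INCIDENT_ACTION_STATUS]:[phCustId]=1,[eventSeverity]=PHL_INFO,[actionResult]=Successful,[phEventCategory]=3,[policyId]=1139051,[ruleName]=Stealth Scan,[actionId]=1139108,[ruleId]=938107,[incidentId]=57563,[customer]=Super,[actionName]=Email sent to (test@example.com),[phLogDetail]=Record incident notification action result
2023-04-05 15:01:02,100 INFO [p: thread-pool-1; w: 12] com.ph.phoenix.service.notify.NotificationHelper - [PH_INCIDENT_ACTION_STATUS]:[phCustId]=1,[eventSeverity]=PHL_INFO,[actionResult]=Successful,[phEventCategory]=3,[policyId]=1139051,[ruleName]=Stealth Scan,[actionId]=1139110,[ruleId]=938107,[incidentId]=57570,[customer]=Super,[actionName]=Email sent to (test@example.com),[phLogDetail]=Record incident notification action result
2023-04-05 15:30:00,000 INFO [p: thread-pool-1; w: 7] com.ph.phoenix.service.notify.NotificationHelper - [PH_INCIDENT_ACTION_STATUS]:[phCustId]=1,[eventSeverity]=PHL_INFO,[actionResult]=Successful,[phEventCategory]=3,[policyId]=2000001,[ruleName]=Brute Force,[actionId]=2000002,[ruleId]=900001,[incidentId]=57600,[customer]=Super,[actionName]=Email sent to (soc@example.com),[phLogDetail]=Record incident notification action result
"""

# [key]=value pairs are comma separated; a value runs until the next ",[key]=" or end of line.
FIELD_RE = re.compile(r"\[(\w+)\]=(.*?)(?=,\[\w+\]=|$)")
# The exact exception text quoted in the article, capturing the orphaned user id.
MISSING_USER_RE = re.compile(
    r"formEmailBodyAndSubject Exception : "
    r"com\.ph\.phoenix\.da\.EntityNotFoundException: User@(\d+) was not found"
)
# Recipient address inside "[actionName]=Email sent to (addr)".
RECIPIENT_RE = re.compile(r"Email sent to \(([^)]+)\)")


def parse_fields(line: str) -> Dict[str, str]:
    """Turn the [key]=value,[key]=value tail of a phoenix.log record into a dict."""
    return {m.group(1): m.group(2).strip() for m in FIELD_RE.finditer(line)}


def missing_users(log_text: str) -> List[str]:
    """Ids of deleted users that formEmailBodyAndSubject could not resolve."""
    found: Set[str] = set()
    for line in log_text.splitlines():
        m = MISSING_USER_RE.search(line)
        if m:
            found.add(m.group(1))
    return sorted(found)


def email_policies(log_text: str) -> Dict[str, dict]:
    """Summarise PH_INCIDENT_ACTION_STATUS records that report an email action,
    keyed by policyId, so the policy to recreate can be identified."""
    policies: Dict[str, dict] = defaultdict(
        lambda: {"ruleName": None, "recipients": set(), "count": 0}
    )
    for line in log_text.splitlines():
        if "[PH_INCIDENT_ACTION_STATUS]" not in line:
            continue
        fields = parse_fields(line)
        m = RECIPIENT_RE.search(fields.get("actionName", ""))
        if not m or "policyId" not in fields:
            continue  # not an email action, or malformed record
        entry = policies[fields["policyId"]]
        entry["ruleName"] = fields.get("ruleName")
        entry["recipients"].add(m.group(1))
        entry["count"] += 1
    return dict(policies)


def report(log_text: str) -> List[str]:
    """Summary lines: orphaned user ids first, then every policy that sent email."""
    lines = []
    users = missing_users(log_text)
    if users:
        lines.append("Deleted users referenced by incident emails: " + ", ".join(users))
    else:
        lines.append("No formEmailBodyAndSubject errors found.")
    for policy_id, entry in sorted(email_policies(log_text).items()):
        lines.append(
            f"policyId={policy_id} rule={entry['ruleName']!r} "
            f"recipients={sorted(entry['recipients'])} emails={entry['count']}"
        )
    return lines


if __name__ == "__main__":
    import sys
    # Pass the real log path as the first argument; otherwise the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(text)))
```

Run it on the Supervisor with the real path (python3 script.py /opt/glassfish/domains/domain1/logs/phoenix.log) to get the list of policy ids and recipients that have emailed since the log was rotated; any policy whose recipients report empty messages and whose creator no longer exists in CMDB > Users is a candidate for the recreation steps that follow.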

 

To fix this error, create a dedicated user that owns the email notification policies, so that the policy no longer references a deleted account. Follow these steps:

1) Create a user with full admin privileges from the GUI: CMDB > Users > Ungrouped.

2) Name the user emailuser and set a password.

3) Assign the Full Admin profile to the user.

4) Save the user and log in as emailuser.

 

After logging in as emailuser, go to ADMIN -> Settings -> Notification Policy and recreate the affected notification policy, so that it is owned by emailuser.

In this example, the policy to recreate is the one that sends email to test@example.com for the Stealth Scan rule (policyId 1139051 in the log above).
