Description | This article describes an issue where some or all incident emails from FortiSIEM are empty. |
Scope | Supervisor (FortiSIEM versions 6.1.x - 6.6.x). |
Solution |
To check phoenix.log on the supervisor for the error, use the following command:
cat /opt/glassfish/domains/domain1/logs/phoenix.log | grep formEmailBodyAndSubject
The output will look like this:
2023-04-05 14:52:39,000 ERROR [p: thread-pool-1; w: 51] com.ph.phoenix.da.incident.IncidentEmailManagerBean - [PH_APPSERVER_GENERIC_ERROR]:[phCustId]=1,[eventSeverity]=PHL_ERROR, [phEventCategory]=3,[procName]=AppServer,[phLogDetail]=formEmailBodyAndSubject Exception : com.ph.phoenix.da.EntityNotFoundException: User@6268103 was not found at com.ph.phoenix.da.incident.IncidentEmailManagerBean.formEmailBodyAndSubject (IncidentEmailManagerBean.java:196) at com.sun.proxy.$Proxy355.formEmailBodyAndSubject(Unknown Source)
This error occurs because the user who created the notification policy has been removed. Look for confirmation of sent emails in the log for more details.
It should look like this:
2023-04-05 14:52:39,283 INFO [p: thread-pool-1; w: 43] com.ph.phoenix.service.notify.NotificationHelper – [PH_INCIDENT_ACTION_STATUS]:[phCustId]=1,[eventSeverity]=PHL_INFO,[actionTime]=Wed Mar 29 14:17:39 MDT 2023,[incidentSrc]=srcIpAddr:192.153.74.91,[procName]=AppServer,[incidentTarget]=destIpAddr:192.168.200.102, [actionResult]=Successful,[phEventCategory]=3,[policyId]=1139051,[incidentDetail]=compEventType:FortiGate-ips-signature-45360; ipsSignatureId:45360; incidentCount:3,[ruleName]=Stealth Scan,[actionId]=1139108,[ruleId]=938107,[incidentId]=57563,[customer]=Super,[actionName]= Email sent to (test@example.com),[phLogDetail]=Record incident notification action result
To fix this error, create a separate user for emails. Follow these steps:
1) Create a user with full admin privileges from the GUI: CMDB > Users > Ungrouped.
2) Name the user emailuser and give them a password.
3) Assign the Full Admin profile to the user.
4) Save the user and log in as emailuser.
After logging in as emailuser, go to ADMIN -> Settings -> Notification Policy, and recreate the relevant notification policy. In this example, it is necessary to recreate the notification policy that sent email to test@example.com for the Stealth Scan rule. |
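A triage helper for the log check above, added here as an example and not Fortinet's code: it counts the user references named in formEmailBodyAndSubject errors and lists the logged notification actions, so the rules and recipients whose policies may need recreating are easier to spot. The function names and the shortened sample lines are constructed; the field names are taken from the log lines shown in this article.

```bash
#!/usr/bin/env bash
# Added example (not Fortinet code): summarise phoenix.log evidence for
# empty incident emails. Usage: ./email_check.sh [path/to/phoenix.log]

# Constructed sample lines, shortened from the format shown in the article.
sample_log() {
cat <<'EOF'
2023-04-05 14:52:39,000 ERROR [p: thread-pool-1; w: 51] com.ph.phoenix.da.incident.IncidentEmailManagerBean - [PH_APPSERVER_GENERIC_ERROR]:[phCustId]=1,[phLogDetail]=formEmailBodyAndSubject Exception : com.ph.phoenix.da.EntityNotFoundException: User@6268103 was not found
2023-04-05 14:52:39,283 INFO [p: thread-pool-1; w: 43] com.ph.phoenix.service.notify.NotificationHelper - [PH_INCIDENT_ACTION_STATUS]:[phCustId]=1,[actionResult]=Successful,[policyId]=1139051,[ruleName]=Stealth Scan,[actionId]=1139108,[customer]=Super,[actionName]= Email sent to (test@example.com),[phLogDetail]=Record incident notification action result
2023-04-05 14:57:40,112 ERROR [p: thread-pool-1; w: 12] com.ph.phoenix.da.incident.IncidentEmailManagerBean - [PH_APPSERVER_GENERIC_ERROR]:[phCustId]=1,[phLogDetail]=formEmailBodyAndSubject Exception : com.ph.phoenix.da.EntityNotFoundException: User@6268103 was not found
EOF
}

# Each user reference named in a formEmailBodyAndSubject error, with a count.
missing_users() {
    grep 'formEmailBodyAndSubject' "$1" \
        | grep -oE 'User@[0-9]+ was not found' \
        | awk '{print $1}' | sort | uniq -c | awk '{print $2, $1}'
}

# policyId|ruleName|actionName for each logged notification action.
notification_actions() {
    grep 'PH_INCIDENT_ACTION_STATUS' "$1" \
        | sed -nE 's/.*\[policyId\]=([0-9]+).*\[ruleName\]=([^,]*),.*\[actionName\]= *([^,]*),.*/\1|\2|\3/p' \
        | sort -u
}

main() {
    local log="${1:-}" tmp=""
    if [ -z "$log" ]; then            # no file given: use the constructed sample
        tmp=$(mktemp) && sample_log > "$tmp" && log="$tmp"
    fi
    echo "User references not found (reference, error count):"
    missing_users "$log"
    echo "Notification actions (policyId|ruleName|actionName):"
    notification_actions "$log"
    [ -n "$tmp" ] && rm -f "$tmp"
    return 0
}
main "$@"
```

On the supervisor, pass /opt/glassfish/domains/domain1/logs/phoenix.log as the argument. The log lines do not tie an error to a specific policy, so the two lists still have to be matched by the administrator.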
Copyright 2024 Fortinet, Inc. All Rights Reserved.