Description
This article describes how to investigate whether the FortiSIEM Windows Agent is causing high CPU utilization on Windows servers.
Scope
Windows Agent v4.4.x, v5.x, v7.x.x, v7.1.x, v7.2.x. Supervisor and Collector v6.x, v7.x, v7.1.x, v7.2.x.
Solution
- Verify whether the high utilization is caused by the FortiSIEM Agent by checking the CPU and memory utilization of the FSMLogAgent process in Task Manager on the Windows server. FortiSIEM Agents are designed to be lightweight and not consume more than 5% of a system's CPU and memory.
- Ensure that the system meets the prerequisites defined in the Windows Agent Installation Guide and the FortiSIEM Version Compatibility Matrix for the installed agent version.
- On the Windows server, open Windows Event Viewer -> Application, System, and Security logs, and check whether any event is generated by the FortiSIEM agent.
- In the same Application, System, and Security logs, assess whether there is an unusually high number of events. If so, fine-tune the system audit policies and analyze what is triggering such a high event rate.
- Investigate from the FortiSIEM Analytics tab which event type has the highest count. Run a historical search for 10 minutes or 1 hour:
  Filters: Reporting IP = <Windows-IP> AND System Event Category BETWEEN 0,6
  Display conditions: Reporting IP, Event Name, Count(Matched Events)
  Export a report covering 10-60 minutes and review it.
- Temporarily exclude the event ID of the high-volume event type from the Windows Agent Template and click Apply on the template to observe whether system utilization returns to normal. Afterwards, evaluate whether the event is still required in FortiSIEM or whether its occurrence on the Windows server can be reduced.
- Probe for any errors in the Agent logs on the Windows server, located in C:\ProgramData\FortiSIEM\Agent\Logs\.
- Probe for any errors from the phAgentManager process in the FortiSIEM Collector logs:
  grep -i phAgentManager /opt/phoenix/log/phoenix.log
- Inspect network connectivity between the Windows server and the Collector for any latency.
- Verify whether a large volume of events is cached on the Windows server. The Windows agent cache is stored in the following file:
  C:\ProgramData\AccelOps\Agent\Database\AoWinAgt.db
If the issue still persists, contact Fortinet Support with all of the above details.
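The two local checks above (FSMLogAgent resource usage in Task Manager, and the event volume per Windows log) can be scripted so the numbers are captured in one pass. The following PowerShell is an added example, not part of the Fortinet article or the agent product: the process name FSMLogAgent, the 10-minute window and the three log names come from the article; the 5-second sampling interval, the 5% threshold comparison and the top-5 grouping are assumptions. Reading the Security log requires an elevated prompt.

```powershell
# Added example (not from the Fortinet KB article): snapshot FSMLogAgent CPU/memory
# and count the most frequent event IDs per Windows log over the last 10 minutes.
$WindowMinutes  = 10                        # window used by the article's historical search
$SampleSeconds  = 5                         # assumed CPU sampling interval
$Since          = (Get-Date).AddMinutes(-$WindowMinutes)
$Cores          = [int]$env:NUMBER_OF_PROCESSORS

# 1. Agent resource usage: CPU % derived from two samples of TotalProcessorTime,
#    normalised across all logical processors (matches Task Manager's overall %).
$proc = Get-Process -Name 'FSMLogAgent' -ErrorAction SilentlyContinue
if (-not $proc) { Write-Warning 'FSMLogAgent process not found on this host'; return }
$cpuStart = $proc.TotalProcessorTime
Start-Sleep -Seconds $SampleSeconds
$proc.Refresh()
$cpuPct = (($proc.TotalProcessorTime - $cpuStart).TotalMilliseconds /
           ($SampleSeconds * 1000 * $Cores)) * 100
[pscustomobject]@{
    Process       = $proc.ProcessName
    CpuPercent    = [math]::Round($cpuPct, 1)
    WorkingSetMB  = [math]::Round($proc.WorkingSet64 / 1MB, 1)
    Above5Percent = ($cpuPct -gt 5)          # the article's stated design ceiling
} | Format-Table -AutoSize

# 2. Event volume per log plus the top event IDs, the same view the Analytics
#    search (Reporting IP / Event Name / Count) gives from the Supervisor side.
foreach ($log in 'Application', 'System', 'Security') {
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    '{0}: {1} events in the last {2} minutes' -f $log, @($events).Count, $WindowMinutes
    $events |
        Group-Object -Property Id, ProviderName |
        Sort-Object Count -Descending |
        Select-Object -First 5 Count, Name |
        Format-Table -AutoSize
}
```

Event IDs that dominate the counts are the candidates for audit-policy tuning or for the temporary exclusion from the Windows Agent Template described above.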