FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
premchanderr
Staff
Article Id 340518

Description: This article describes how to troubleshoot the phFortiInsightAI process.
Scope: FortiSIEM v7.x
Solution:

Follow the steps below when the phFortiInsightAI process is down and cannot be started manually.

Note:

Take a snapshot of the VM and a backup of the existing configuration before making any changes.

  1. Ensure the correct permissions are set for the /opt/fortiinsight-ai/ directory:

# ls -lah /opt/fortiinsight-ai/
total 8.0K
drwxrwxr-x 5 admin admin 44 Aug 13 06:17 .
drwxr-xr-x 17 root root 326 Aug 19 11:14 ..
drwxrwxr-x 3 admin admin 30 Sep 10 13:06 ai_model
drwxrwxr-x 3 admin admin 4.0K Sep 10 11:11 bin
drwxrwxr-x 2 admin admin 4.0K Aug 19 10:37 lib

  2. Review the backend logs for potential errors:

# cat /opt/phoenix/log/phoenix.log | grep phFortiInsightAI
2024-08-28T17:43:25.087988+08:00 fsm-s phMonitorSupervisor[8195]: [PH_BASE_PROC_SYS_PROC_INFO_GET_FAILURE]:[eventSeverity]=PHL_WARNING,[procName]=phMonitorSupervisor,[fileName]=phSystemProcessInfo.cpp,[lineNumber]=447,[phLogDetail]=Failed to get system process information(/opt/phoenix/log/phFortiInsightAI.pid)

Most of the time, the log shows only a generic error such as 'Failed to get system process information(/opt/phoenix/log/phFortiInsightAI.pid)'.

  3. Verify the Java SDK symlinks by running the command below and note any missing symlinks:

# ls -la /etc/alternatives/java_sdk*
lrwxrwxrwx 1 root root 58 Aug 19 10:31 /etc/alternatives/java_sdk -> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.422.b05-2.el8.x86_64
lrwxrwxrwx 1 root root 53 Aug 19 10:31 /etc/alternatives/java_sdk_17 -> /usr/lib/jvm/java-17-openjdk-17.0.12.0.7-2.el8.x86_64
lrwxrwxrwx 1 root root 53 Aug 19 10:31 /etc/alternatives/java_sdk_17_openjdk -> /usr/lib/jvm/java-17-openjdk-17.0.12.0.7-2.el8.x86_64
lrwxrwxrwx 1 root root 58 Aug 19 10:31 /etc/alternatives/java_sdk_1.8.0 -> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.422.b05-2.el8.x86_64
lrwxrwxrwx 1 root root 58 Aug 19 10:31 /etc/alternatives/java_sdk_1.8.0_openjdk -> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.422.b05-2.el8.x86_64
lrwxrwxrwx 1 root root 58 Aug 19 10:31 /etc/alternatives/java_sdk_openjdk -> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.422.b05-2.el8.x86_64

For example, the /etc/alternatives/java_sdk_1.8.0_openjdk symlink could be missing or point to the wrong target.

  4. Note the exact OpenJDK build number and re-create the symbolic links.


Example:

# ls -lah /usr/lib/jvm/
drwxr-xr-x 7 root root 135 Aug 19 10:29 java-1.8.0-openjdk-1.8.0.422.b05-2.el8.x86_64


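Create the symlink, using the build directory from the listing above (-f replaces an existing incorrect link, -n stops ln from following it into the old target directory):

# ln -sfn /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.422.b05-2.el8.x86_64 /etc/alternatives/java_sdk_1.8.0_openjdk

The phFortiInsightAI process will then start automatically.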
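
The symlink checks in steps 3 and 4 can be scripted. The following is an added example, not code from this article or from Fortinet: a read-only audit of the six java_sdk* links shown in step 3 that reports missing, dangling or wrong-family links and prints a suggested ln command without running it. The function name is hypothetical, and the mapping of link names containing 17 to java-17-openjdk-* builds (all others to java-1.8.0-openjdk-*) is an assumption taken from the listing in step 3.

```shell
#!/bin/sh
# Added example, not Fortinet code. Read-only: prints a suggested fix, runs none.
# Assumption (from the article's listing): link names containing "17" belong to
# a java-17-openjdk-* build, all other java_sdk* names to java-1.8.0-openjdk-*.

check_java_sdk_links() (    # subshell body keeps the variables local
    alt_dir=${1:-/etc/alternatives}
    jvm_dir=${2:-/usr/lib/jvm}
    problems=0
    for name in java_sdk java_sdk_17 java_sdk_17_openjdk \
                java_sdk_1.8.0 java_sdk_1.8.0_openjdk java_sdk_openjdk; do
        link=$alt_dir/$name
        case $name in
            *17*) pattern='java-17-openjdk-*' ;;
            *)    pattern='java-1.8.0-openjdk-*' ;;
        esac
        # readlink prints nothing when the link is absent or not a symlink
        target=$(readlink "$link" 2>/dev/null) || target=
        if [ -z "$target" ]; then
            state=MISSING
        elif [ ! -d "$link" ]; then         # -d follows the link
            state=DANGLING
        else
            case $target in
                */$pattern) state=OK ;;
                *)          state=WRONG ;;   # resolves, but to another JDK family
            esac
        fi
        echo "$state $name -> ${target:-<none>}"
        [ "$state" = OK ] && continue
        problems=$((problems + 1))
        # Pick a real build directory (not an alias symlink); with several
        # installed builds the lexically last one wins, so review before use.
        candidate=
        for dir in "$jvm_dir"/$pattern; do
            [ -d "$dir" ] && [ ! -L "$dir" ] && candidate=$dir
        done
        if [ -n "$candidate" ]; then
            echo "  suggest: ln -sfn $candidate $link"
        else
            echo "  no $pattern build found under $jvm_dir"
        fi
    done
    [ "$problems" -eq 0 ]
)

# Defaults to the appliance paths; pass two directories to audit a copy.
check_java_sdk_links "$@" || echo "java_sdk links need repair" >&2
```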