FortiSIEM
calvinc97 (Staff)
Article Id 344062
Description: This article describes how to increase the query timeout for Analytics in FortiSIEM.
Scope: FortiSIEM.
Solution

Sample backend logs seen when a query times out:

phQueryMaster[345902]: [PH_QUERY_LONG_RUNNING_STOPPED]:[eventSeverity]=PHL_WARNING,[procName]=phQueryMaster,[fileName]=QueryJobManager.cpp,[lineNumber]=2140,[queryId]=3210843,[reportName]=MSS - Top TCP/UDP Ports By Count AGIS,[phLogDetail]=Long running query stopped

phQueryMaster[345902]: [PH_QUERY_LONG_RUNNING_STOPPED]:[eventSeverity]=PHL_WARNING,[procName]=phQueryMaster,[fileName]=QueryJobManager.cpp,[lineNumber]=2140,[queryId]=3210857,[reportName]=MSS - Total Events Processed per Day by Organization AGIS,[phLogDetail]=Long running query stopped

phQueryMaster[7041]: [PH_QUERY_LONG_RUNNING_STOPPED]:[eventSeverity]=PHL_WARNING,[procName]=phQueryMaster,[fileName]=QueryJobManager.cpp,[lineNumber]=2109,[queryId]=1309493,[phLogDetail]=Long running query stopped

Note: Take a snapshot of the FortiSIEM instance before making the changes below.

Run the following command on the FortiSIEM Supervisor over SSH as root:

vi /opt/phoenix/config/phoenix_config.txt


Search for the line:


interactive_query_timeout=1800 # 30 mins

 

Change this line to:


interactive_query_timeout=5400 # 90 mins


:wq!

If Workers are deployed in the environment, the same steps can be performed on the Workers too.

After saving the change in phoenix_config.txt, run the following commands to restart phQueryMaster and phQueryWorker:

killall -9 phQueryMaster
killall -9 phQueryWorker
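As an added example that is not part of this article, the following POSIX shell script makes the same edit in a phoenix_config.txt-style file, but keeps a timestamped backup, refuses a non-numeric value, and checks that the line was actually rewritten before reporting success. The function names (current_timeout, set_timeout) and the script layout are this example's own; the config path and the 5400-second default are the values the article uses.

```shell
#!/bin/sh
# Added example, not Fortinet's own tooling: set interactive_query_timeout in a
# phoenix_config.txt-style file with a backup and a post-edit verification.
set -eu

CONFIG_DEFAULT=/opt/phoenix/config/phoenix_config.txt   # path named in the article

# Print the current interactive_query_timeout value (seconds) from a config file.
current_timeout() {
    # Match the key at line start; keep the digits, drop any trailing "# ..." comment.
    sed -n 's/^interactive_query_timeout=\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Rewrite the timeout line. Arguments: config file, new value in seconds.
# Returns non-zero and leaves the file untouched if the key is missing or the
# value is not a plain integer.
set_timeout() {
    cfg=$1; secs=$2
    case $secs in ''|*[!0-9]*) echo "invalid seconds: $secs" >&2; return 2;; esac
    grep -q '^interactive_query_timeout=' "$cfg" || {
        echo "interactive_query_timeout not found in $cfg" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"   # rollback copy next to the file
    cp -p "$cfg" "$cfg.tmp"                            # temp file with the same owner/mode
    mins=$((secs / 60))
    # Replace only that line, keeping the article's "# N mins" comment style.
    sed "s|^interactive_query_timeout=.*|interactive_query_timeout=$secs # $mins mins|" \
        "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
    # Success only if the value now reads back exactly as requested.
    [ "$(current_timeout "$cfg")" = "$secs" ]
}

# Usage: sh set_query_timeout.sh [config_path] [seconds]   (defaults: article's path, 5400)
main() {
    cfg=${1:-$CONFIG_DEFAULT}; secs=${2:-5400}
    echo "before: $(current_timeout "$cfg")s"
    set_timeout "$cfg" "$secs"
    echo "after:  $(current_timeout "$cfg")s"
    echo "now restart the query processes: killall -9 phQueryMaster; killall -9 phQueryWorker"
}

# Only run main when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it on each Supervisor or Worker whose phoenix_config.txt should be changed, then restart phQueryMaster and phQueryWorker as the article shows.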