Troubleshooting Tip: How to increase query timeout for Analytics

calvinc97 · ‎09-25-2024

Description

This article describes how to increase query timeout for Analytics in FortiSIEM.

Scope

FortiSIEM.

Solution

Sample logs from backend below on noticing query timeout:

phQueryMaster[345902]: [PH_QUERY_LONG_RUNNING_STOPPED]:[eventSeverity]=PHL_WARNING,[procName]=phQueryMaster,[fileName]=QueryJobManager.cpp,[lineNumber]=2140,[queryId]=3210843,[reportName]=MSS - Top TCP/UDP Ports By Count AGIS,[phLogDetail]=Long running query stopped

phQueryMaster[345902]: [PH_QUERY_LONG_RUNNING_STOPPED]:[eventSeverity]=PHL_WARNING,[procName]=phQueryMaster,[fileName]=QueryJobManager.cpp,[lineNumber]=2140,[queryId]=3210857,[reportName]=MSS - Total Events Processed per Day by Organization AGIS,[phLogDetail]=Long running query stopped

phQueryMaster[7041]: [PH_QUERY_LONG_RUNNING_STOPPED]:[eventSeverity]=PHL_WARNING,[procName]=phQueryMaster,[fileName]=QueryJobManager.cpp,[lineNumber]=2109,[queryId]=1309493,[phLogDetail]=Long running query stopped

Note: Take a snapshot of the FortiSIEM instance before modifying the changes below.

Use the following command to make the changes:

sudo sed -i.bak 's/^interactive_query_timeout=1800.*/interactive_query_timeout=5400 # 90 mins/' /opt/phoenix/config/phoenix_config.txt

This will search for the line:

interactive_query_timeout=1800 # 30 mins

Change this line to:

interactive_query_timeout=5400 # 90 mins

If workers are available in the environment, it is possible to perform the steps above on the workers too.

After modifying the changes in phoenix_config.txt, run the following commands below to restart phQueryMaster and phQueryWorker:

killall -9 phQueryMaster
killall -9 phQueryWorker

Troubleshooting Tip: How to increase query timeout for Analytics

You are leaving our website