FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
kdave
Staff
Article Id 315218
Description This article describes how to resolve PH_PARSER_TOO_MANY_UNKNOWN_EVENTS errors.
Scope FortiSIEM.
Solution

High CPU usage on a FortiSIEM Supervisor or Collector, as shown under Cloud Health or Collector Health, can have several causes. One of them is a stream of events that none of the parsers installed in FortiSIEM can parse. Such events are classified as Unknown Event Type, and when they arrive at a high enough rate the parser process (phParser) logs PH_PARSER_TOO_MANY_UNKNOWN_EVENTS.

The steps below show how to identify which host is sending events with an unknown event type.

From the CLI of the Supervisor or Collector that receives the unknown events, enter the following command:

tail -f /opt/phoenix/log/phoenix.log | grep -i PH_PARSER_TOO_MANY_UNKNOWN_EVENTS

The command prints lines like the following example. The relayDevIpAddr field identifies the reporting device whose events could not be parsed:

PH_PARSER_TOO_MANY_UNKNOWN_EVENTS]:[eventSeverity]=PHL_WARNING,[procName]=phParser,[fileName]=parserProcess.cpp,[lineNumber]=2654,[relayDevIpAddr]=10.10.10.10,[phLogDetail]=Too many unknown events, this may cause high CPU or delay. To reduce CPU, try reducing unknown_event_skip_eps and/or unknown_event_skip_size in phoenix_config, or writing a basic parser to handle the unknown events.

The message names two throttling parameters, unknown_event_skip_eps and unknown_event_skip_size in phoenix_config. Lowering them reduces the CPU spent on unknown events, but the events keep arriving; identifying the sender and either stopping the events or writing a parser for them, as described below, addresses the root cause.
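On a busy Collector the tail -f output scrolls past too quickly to see which sender dominates. The following shell script is an added example (it is not part of the Fortinet article) that runs the same check over phoenix.log lines but aggregates them per relayDevIpAddr, so the noisiest Reporting IP is listed first. The sample lines are constructed to follow the field layout of the log entry shown above and are not real log data; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): summarise which reporting IPs
# trigger PH_PARSER_TOO_MANY_UNKNOWN_EVENTS in phoenix.log, most frequent first.

# Constructed sample lines in the shape of the article's phoenix.log entry.
# A real line also carries a timestamp and further fields before the tag.
# The third line uses a made-up tag to show that unrelated entries are ignored.
SAMPLE_LOG='[PH_PARSER_TOO_MANY_UNKNOWN_EVENTS]:[eventSeverity]=PHL_WARNING,[procName]=phParser,[fileName]=parserProcess.cpp,[lineNumber]=2654,[relayDevIpAddr]=10.10.10.10,[phLogDetail]=Too many unknown events, this may cause high CPU or delay.
[PH_PARSER_TOO_MANY_UNKNOWN_EVENTS]:[eventSeverity]=PHL_WARNING,[procName]=phParser,[fileName]=parserProcess.cpp,[lineNumber]=2654,[relayDevIpAddr]=10.10.10.20,[phLogDetail]=Too many unknown events, this may cause high CPU or delay.
[EXAMPLE_UNRELATED_TAG]:[eventSeverity]=PHL_INFO,[procName]=phParser,[relayDevIpAddr]=10.10.10.30,[phLogDetail]=constructed entry that must not be counted
[PH_PARSER_TOO_MANY_UNKNOWN_EVENTS]:[eventSeverity]=PHL_WARNING,[procName]=phParser,[fileName]=parserProcess.cpp,[lineNumber]=2654,[relayDevIpAddr]=10.10.10.10,[phLogDetail]=Too many unknown events, this may cause high CPU or delay.'

# count_unknown_event_sources: read phoenix.log lines on stdin and print
# "<count> <relayDevIpAddr>" per sending device, highest count first.
# Only lines carrying the PH_PARSER_TOO_MANY_UNKNOWN_EVENTS tag are counted;
# the address is taken from the [relayDevIpAddr]=... field, matched up to the
# next comma so that an IPv6 address is extracted as well.
count_unknown_event_sources() {
  grep 'PH_PARSER_TOO_MANY_UNKNOWN_EVENTS' \
    | sed -n 's/.*\[relayDevIpAddr\]=\([^,]*\).*/\1/p' \
    | sort \
    | uniq -c \
    | sort -rn \
    | awk '{ print $1, $2 }'
}

# top_unknown_event_source: the single address contributing the most warnings,
# i.e. the first Reporting IP to look up under CMDB -> Devices.
top_unknown_event_source() {
  count_unknown_event_sources | head -n 1 | awk '{ print $2 }'
}

# Demo on the constructed sample. On a live Supervisor or Collector feed the
# real log instead:
#   count_unknown_event_sources < /opt/phoenix/log/phoenix.log
printf '%s\n' "$SAMPLE_LOG" | count_unknown_event_sources
```

Run it against the live file with `count_unknown_event_sources < /opt/phoenix/log/phoenix.log`; the first line of output is the Reporting IP to search for in the CMDB before deciding whether to stop the events or write a parser.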

 

From the GUI:

  1. Log in to FortiSIEM and go to the Analytics tab.
  2. Run a query with the filter Event Type IN Unknown_EventType and the Display Columns Reporting IP, Event Type, Event Name, Collector ID and COUNT(Matched Events). The results list each sender of unknown events together with the number of matched events.

  • The query returns the Reporting IP of each device generating events with the Unknown Event Type; the count shows which senders contribute most.
  • Identify the device or application and its logging method: under CMDB -> Devices, search for the Reporting IP.
  • Check how the device or application is sending events to FortiSIEM.
  • Decide whether the events received with Unknown Event Type are needed.
  • If they are not needed, stop the device from sending them to FortiSIEM, so that the parser no longer spends CPU on them.
  • If they are needed, develop a basic parser so that the events are parsed properly.