Description: This article describes how to resolve PH_PARSER_TOO_MANY_UNKNOWN_EVENTS errors.
Scope: FortiSIEM.
Solution:
High CPU usage on a FortiSIEM Supervisor or Collector, as shown under Cloud Health or Collector Health, can have several causes. One of them is incoming events that none of the parsers available in FortiSIEM can parse; the parser process reports this condition with the PH_PARSER_TOO_MANY_UNKNOWN_EVENTS warning.
The steps below show how to identify which host is sending events of an unknown event type.
From the CLI of the Supervisor or Collector on which the unknown events are received, run the following command:
tail -f /opt/phoenix/log/phoenix.log | grep -i PH_PARSER_TOO_MANY_UNKNOWN_EVENTS
This command prints every matching warning as it is written to the log, as in the following example. The relayDevIpAddr field (10.10.10.10 here) is the address of the device whose events are not being parsed, and the phLogDetail text names the two remediations: the unknown_event_skip_eps and unknown_event_skip_size thresholds in phoenix_config make the parser skip unknown events rather than process them, so lowering them reduces CPU at the cost of dropping those events, whereas writing a basic parser for that device's events is the only fix that keeps the data.
PH_PARSER_TOO_MANY_UNKNOWN_EVENTS]:[eventSeverity]=PHL_WARNING,[procName]=phParser,[fileName]=parserProcess.cpp,[lineNumber]=2654,[relayDevIpAddr]=10.10.10.10,[phLogDetail]=Too many unknown events, this may cause high CPU or delay. To reduce CPU, try reducing unknown_event_skip_eps and/or unknown_event_skip_size in phoenix_config, or writing a basic parser to handle the unknown events.
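A scrolling tail/grep shows individual warnings but not which device produces most of them. The script below is an added example, not code from the Fortinet article: it counts PH_PARSER_TOO_MANY_UNKNOWN_EVENTS warnings in phoenix.log per relayDevIpAddr so the noisiest unparsed source can be picked out. It assumes the log path and the field layout shown in the example line above; the sample log it builds for its self-check is constructed, and the timestamp/process prefix on those lines is an assumed format.

```shell
#!/bin/sh
# Added example, not code from the Fortinet article: summarise
# PH_PARSER_TOO_MANY_UNKNOWN_EVENTS warnings per relayDevIpAddr so the device
# sending unparsable events can be identified from the log instead of from a
# scrolling "tail -f".
# Assumptions: the log lives at /opt/phoenix/log/phoenix.log on the
# Supervisor/Collector and each warning carries a "[relayDevIpAddr]=<ip>"
# field, as in the article's example line.

LOG_FILE="${LOG_FILE:-/opt/phoenix/log/phoenix.log}"

# Print "<count> <ip>" for every relay device that triggered the warning in
# the log file given as $1, highest count first.
unknown_event_sources() {
    grep -i 'PH_PARSER_TOO_MANY_UNKNOWN_EVENTS' "$1" \
        | sed -n 's/.*\[relayDevIpAddr\]=\([0-9A-Fa-f.:]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Print only the address of the noisiest device (empty if there were no warnings).
top_unknown_event_source() {
    unknown_event_sources "$1" | awk 'NR == 1 { print $2 }'
}

# Constructed sample log for a self-check (not a real capture). The
# timestamp/process prefix is an assumed format; the event fields follow the
# article's example. Prints the path of the temporary file it wrote.
make_sample_log() {
    sample="$(mktemp)"
    cat > "$sample" <<'EOF'
2024-05-01T10:00:01 phParser[2201]: [PH_PARSER_TOO_MANY_UNKNOWN_EVENTS]:[eventSeverity]=PHL_WARNING,[procName]=phParser,[fileName]=parserProcess.cpp,[lineNumber]=2654,[relayDevIpAddr]=10.10.10.10,[phLogDetail]=Too many unknown events, this may cause high CPU or delay.
2024-05-01T10:00:02 phParser[2201]: [PH_EXAMPLE_OTHER_EVENT]:[eventSeverity]=PHL_INFO,[procName]=phParser,[phLogDetail]=placeholder line that must be ignored
2024-05-01T10:00:03 phParser[2201]: [PH_PARSER_TOO_MANY_UNKNOWN_EVENTS]:[eventSeverity]=PHL_WARNING,[procName]=phParser,[fileName]=parserProcess.cpp,[lineNumber]=2654,[relayDevIpAddr]=192.0.2.25,[phLogDetail]=Too many unknown events, this may cause high CPU or delay.
2024-05-01T10:00:04 phParser[2201]: [PH_PARSER_TOO_MANY_UNKNOWN_EVENTS]:[eventSeverity]=PHL_WARNING,[procName]=phParser,[fileName]=parserProcess.cpp,[lineNumber]=2654,[relayDevIpAddr]=10.10.10.10,[phLogDetail]=Too many unknown events, this may cause high CPU or delay.
EOF
    printf '%s\n' "$sample"
}

# Usage on the appliance:  sh unknown_event_sources.sh /opt/phoenix/log/phoenix.log
# With no argument the functions are only defined, so the file can be sourced.
if [ $# -gt 0 ]; then
    unknown_event_sources "$1"
fi
```

Run it against the live log (or a copy pulled off the appliance) and the first line of output is the device to investigate: either onboard it with a basic custom parser, or, if its events are of no value, deal with it at the source rather than only lowering the skip thresholds.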
From the GUI:
Copyright 2024 Fortinet, Inc. All Rights Reserved.