NFS online storage may disconnect because of network issues or NFS server maintenance.

In these cases, the FortiSIEM is not able to store the events in the NFS anymore but can still store them locally.

Follow the steps below when NFS has been disconnected for a moment and/or the / root disk is full:

1. Check Online Storage configuration.
   
   From the super and worker CLI as root: 
   
   

psql -U phoenix phoenixdb -c "select property,value from ph_sys_conf where property in ('server_ip','storage_type','mount_point');"

property | value
--------------+-----------------------------------
server_ip | 10.5.8.10
storage_type | nfs
mount_point | /Share/data
(3 rows)

cat /etc/fstab  | grep -v "^#" | grep nfs |grep /data

10.5.8.10:/Share/data /data nfs defaults,noatime,nodev,nolock 0 0

From the output of the commands, make sure that storage_type = nfs, and that the same IP and mount_point are used in both commands.

2. Check current Online storage status:
   
   

df -h /data
Filesystem Size Used Avail Use% Mounted on
10.5.8.10:/Share/data 47T 7.5T 37T 18% /data

This should return the NFS configuration and the /data mountpoint. If so, continue to step 6.

If it's showing the /dev/mapper/rl-root Filesystem, it means that NFS is not mounted correctly at /data. Proceed to the next steps to restore NFS connection.

3. Test NFS connection:
   
   

nfs_server_ip=`cat /etc/fstab | grep -v "^#" | grep nfs |grep /data | cut -d ":" -f 1`

nmap -p 2049 $nfs_server_ip

Starting Nmap 7.70 ( https://nmap.org ) at 2024-04-26 15:11 CEST
Nmap scan report for 10.5.8.10
Host is up (0.00027s latency).

PORT STATE SERVICE
2049/tcp open nfs
MAC Address: 00:E0:ED:78:04:1C (Silicom)

Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds

If the port state is closed, review the network configuration or NFS server state.

4. Check the access of the share:

cat /etc/fstab | grep -v "^#" | grep nfs |grep /data | awk '{print $1}'| cut -d ":" -f 2

/Share/data

showmount -e $nfs_server_ip

Export list for 10.5.8.10:
/Share 10.5.8.0/24

Make sure the expected NFS directory is listed in the exported directory from the showmount command and the FortiSIEM IP is included in the permitted network. If so, continue to the next step.

If this is not the case, review the NFS server configuration.

When using standard Linux for the NFS server, review the /etc/exports file. A line like the following should be present:

/Share 10.5.8.0/24(rw,sync,no_root_squash)

5. Mount the share and restart processes:
   
   

mount /data

df -h /data

Filesystem Size Used Avail Use% Mounted on
10.5.8.10:/Share/data 47T 7.5T 37T 18% /data

killall -9 phDataManager

killall -9 phDataPurger

Now, /data should be mounted. If not, retry the previous steps.

6. Test the access and permissions.
   
   

echo test > /data/test.txt

chown -v admin:admin /data/test.txt

ownership of '/data/test.txt' retained as admin:admin

chmod -v 755 /data/test.txt

mode of '/data/test.txt' changed from 0644 (rw-r--r--) to 0755 (rwxr-xr-x)

su admin

rm -rfv /data/test.txt

removed '/data/test.txt'

If output is not the same, either review the NFS server configuration for permissions or the directory permissions from this article: How to restore file permissions in local and NFS.

7. Make sure no event is present in the / root filesystem.
   
   If NFS has been disconnected while the FortiSIEM has been running, events have been stored locally and need to be moved to NFS. Execute the following commands as the root user:
   
   

df -h /

mount -o bind / /mnt

rsync -az --remove-source-files --progress /mnt/data/eventdb /data/eventdb

umount /mnt

df -h /

Now, all events will be on the NFS server.