FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
premchanderr
Staff & Editor
Article Id 423881
Description This article describes how to investigate high phParser CPU usage on FortiSIEM and identify which devices and event types are causing it.
Scope FortiSIEM v7.x.
Solution High phParser CPU usage on a FortiSIEM node (Supervisor or Collector) is usually caused by one or more of the following:
  1. Event bursts: too many incoming logs arriving at once.
  2. A large number of unknown or unrecognized event types, which increases parsing load.
  3. Long raw log messages, which take more CPU and memory to parse.
  4. Log volume that exceeds the node's system resources or the licensed EPS.
  5. Poorly formatted logs or an incomplete custom parser, which make parsing inefficient.


To identify the root cause from the FortiSIEM GUI:

  1. Note the Collector ID of the affected node from the FortiSIEM Health tab. If the Supervisor itself shows high phParser usage, use Collector ID = 1.
  2. Run a historical search over the last 1 hour or 1 day:
    1. Filters: Collector ID = <xxx> AND System Event Category BETWEEN 0,6.
    2. Display conditions: Reporting IP, Event Name, Count(Matched Events).

 

Sort the result by Count(Matched Events): the reporting devices and event types at the top of the list are the ones loading phParser, and that is where to take action. A very high count of unknown or generic event types from one reporting IP points to a missing or broken parser; a very high count of recognized events points to plain volume from that device.
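The same triage can be done offline on an export of that search. The script below is an added example, not Fortinet code: it assumes the search result was exported as CSV with the three display columns, treats event names starting with "Unknown" or "Generic" as unparsed events (an assumption, adjust the pattern to the names in your own report), and flags raw messages over a chosen byte length. The sample CSV rows and syslog lines are constructed for the example.

```python
"""Triage an exported FortiSIEM historical search (Reporting IP, Event Name,
Count(Matched Events)) to see what is loading phParser.

Added example, not Fortinet code. Assumptions: CSV export with the three
columns named below; event names matching UNKNOWN_PATTERN are treated as
unparsed/unknown events; raw log lines longer than LONG_RAW_THRESHOLD bytes
are treated as "long" messages.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample export (not real customer data).
SAMPLE_REPORT_CSV = """Reporting IP,Event Name,Count(Matched Events)
10.0.0.5,FortiGate-traffic-forward,540000
10.0.0.5,FortiGate-event-system,12000
10.0.0.9,Unknown-Syslog-Event,310000
10.0.0.9,Linux-Cron-Job-Start,8000
10.0.0.22,Win-Security-4624,95000
10.0.0.31,Unknown-Syslog-Event,4000
"""

# Assumption: names of unparsed events in your report start with one of these.
UNKNOWN_PATTERN = re.compile(r"^(Unknown|Generic)", re.IGNORECASE)
LONG_RAW_THRESHOLD = 2048  # bytes; assumption, tune for your environment


def parse_report(csv_text):
    """Return a list of (reporting_ip, event_name, count) tuples."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        rows.append((rec["Reporting IP"], rec["Event Name"],
                     int(rec["Count(Matched Events)"])))
    return rows


def top_reporters(rows, n=3):
    """Reporting IPs ranked by total event count (cause 1 and 4: volume)."""
    c = Counter()
    for ip, _, cnt in rows:
        c[ip] += cnt
    return c.most_common(n)


def top_event_types(rows, n=3):
    """Event types ranked by total count."""
    c = Counter()
    for _, name, cnt in rows:
        c[name] += cnt
    return c.most_common(n)


def unknown_share(rows):
    """Fraction of all events that were not recognized by a parser (cause 2)."""
    total = sum(cnt for _, _, cnt in rows)
    unknown = sum(cnt for _, name, cnt in rows if UNKNOWN_PATTERN.search(name))
    return unknown / total if total else 0.0


def unknown_by_reporter(rows):
    """Which devices send the unknown events: candidates for a custom parser."""
    c = Counter()
    for ip, name, cnt in rows:
        if UNKNOWN_PATTERN.search(name):
            c[ip] += cnt
    return c.most_common()


# Constructed raw syslog lines for the message-length check (cause 3).
SAMPLE_RAW_LINES = [
    "<134>date=2024-05-01 time=10:00:00 devname=FGT1 type=traffic subtype=forward action=accept",
    "<13>May  1 10:00:01 app01 myapp: " + "A" * 4096,  # oversized message
    "<13>May  1 10:00:02 app01 myapp: request ok",
]


def long_messages(lines, threshold=LONG_RAW_THRESHOLD):
    """Return (index, byte_length) for raw lines above the threshold."""
    return [(i, len(line.encode())) for i, line in enumerate(lines)
            if len(line.encode()) > threshold]


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT_CSV)
    print("Top reporters:", top_reporters(rows))
    print("Top event types:", top_event_types(rows))
    print("Unknown share: {:.1%}".format(unknown_share(rows)))
    print("Unknown events by reporter:", unknown_by_reporter(rows))
    print("Long raw messages (index, bytes):", long_messages(SAMPLE_RAW_LINES))
```

In the constructed sample the unknown events are about a third of all traffic and come almost entirely from one host, so a custom parser for that host (or turning off its noisy logging) is the first fix to try; the FortiGate traffic logs are recognized but simply high volume, which is a case for filtering or adding node capacity.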

General fixes involve parser fine-tuning (writing or correcting a custom parser for the noisy unknown event types), preventing irrelevant log collection (stopping unneeded logging at the source or dropping it with FortiSIEM event dropping rules), and scaling the resources of the FortiSIEM node.

 

Related article:

Troubleshooting Tip: How to troubleshoot performance issues