1. Too many incoming logs at once.
2. A large number of unknown or unrecognized event types increases parsing load.
3. Long raw log messages take more CPU and memory to process.
4. Log volume exceeded system resources or license. 
5. Poorly formatted logs and an incomplete parser can cause inefficient parsing. 

To identify the root cause from the FortiSIEM GUI :

1. Note down the collector ID from the FortiSIEM Health tab. In case the supervisor has a high phParser, then Collector ID=1.
2. Run a historical search for 1 hour or 1 Day:
   1. Filters: Collector ID = <xxx> AND System Event Category BETWEEN 0,6.
   2. Display conditions: Reporting IP, Event Name, Count(Matched Events).

Backend verification.

On the affected node, use the following command to confirm CPU usage by phParser:

top -Hp $(pidof phParser)

This helps validate whether phParser threads are consuming excessive CPU.

Recommended mitigation:

• Tune or optimize existing parsers, especially custom parsers.
• Disable or block irrelevant or noisy log sources.
• Filter logs at the source device where possible.
• Reduce unknown event types by updating or creating parsers.
• Scale FortiSIEM resources (CPU/RAM) or add additional Collectors.
• Verify EPS usage against the licensed capacity.

The above report would provide a count of events that is high, and one can take appropriate action.

General Fixes for this involve parser fine-tuning, preventing irrelevant log collection, and scaling the resources of the FortiSIEM Node.

Related article:

Troubleshooting Tip: How to troubleshoot performance issues