FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
koolishami
Staff
Article Id 415903
Description This article describes how to resolve an issue where the Supervisor does not parse custom logs correctly, even after a custom parser has been created and applied under Admin -> Device Support -> Parsers.
Scope FortiSIEM v7.x+.
Solution

Follow the steps below when all of the following apply:

  • Logs sent to the Collector are parsed correctly.
  • The same logs sent directly to the Supervisor are not parsed.
  • The following warning appears in /opt/phoenix/log/phoenix.log on the Supervisor:


2025-10-17T10:21:20.223098+08:00 FortiSIEM phParser[7124]: [PH_PARSER_TOO_MANY_UNKNOWN_EVENTS]:[eventSeverity]=PHL_WARNING,[procName]=phParser,[fileName]=parserProcess.cpp,[lineNumber]=2664,[relayDevIpAddr]=192.168.X.X ,[phLogDetail]=Too many unknown events, this may cause high CPU or delay. To reduce CPU, try reducing unknown_event_skip_eps and/or unknown_event_skip_size in phoenix_config, or writing a basic parser to handle the unknown events.
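As an added example that is not part of the Fortinet article, the following POSIX shell snippet summarises these warnings from a copy of phoenix.log by relayDevIpAddr, so the relay devices sending unparsed events can be identified before phParser is restarted. The log lines inside it are constructed sample data in the same attribute format; the IP addresses are made up.

```shell
#!/bin/sh
# Added example (not Fortinet's code): count PH_PARSER_TOO_MANY_UNKNOWN_EVENTS
# warnings in a phoenix.log copy and group them by the relayDevIpAddr
# attribute that the warning carries.

# Constructed sample lines in phoenix.log format (IPs are made up).
SAMPLE_LOG="${TMPDIR:-/tmp}/phoenix_sample.$$.log"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2025-10-17T10:21:20.223098+08:00 FortiSIEM phParser[7124]: [PH_PARSER_TOO_MANY_UNKNOWN_EVENTS]:[eventSeverity]=PHL_WARNING,[procName]=phParser,[fileName]=parserProcess.cpp,[lineNumber]=2664,[relayDevIpAddr]=192.168.10.5 ,[phLogDetail]=Too many unknown events, this may cause high CPU or delay.
2025-10-17T10:21:25.001000+08:00 FortiSIEM phParser[7124]: [PH_PARSER_TOO_MANY_UNKNOWN_EVENTS]:[eventSeverity]=PHL_WARNING,[procName]=phParser,[fileName]=parserProcess.cpp,[lineNumber]=2664,[relayDevIpAddr]=192.168.10.5 ,[phLogDetail]=Too many unknown events, this may cause high CPU or delay.
2025-10-17T10:21:30.500000+08:00 FortiSIEM phParser[7124]: [PH_PARSER_TOO_MANY_UNKNOWN_EVENTS]:[eventSeverity]=PHL_WARNING,[procName]=phParser,[fileName]=parserProcess.cpp,[lineNumber]=2664,[relayDevIpAddr]=10.0.0.7 ,[phLogDetail]=Too many unknown events, this may cause high CPU or delay.
2025-10-17T10:21:31.000000+08:00 FortiSIEM phParser[7124]: [PH_GENERIC_INFO]:[eventSeverity]=PHL_INFO,[procName]=phParser,[phLogDetail]=Parser reloaded
EOF

# Total number of "too many unknown events" warnings in the file.
# grep -c exits 1 when there are no matches, so force success.
unknown_event_warning_count() {
    grep -c 'PH_PARSER_TOO_MANY_UNKNOWN_EVENTS' "$1" || true
}

# Print "<relayDevIpAddr> <count>" per relay, most frequent first.
# An attribute value runs up to the next comma; the real log puts a
# trailing space after the IP, which is trimmed here.
unknown_events_by_relay() {
    grep 'PH_PARSER_TOO_MANY_UNKNOWN_EVENTS' "$1" \
    | sed -n 's/.*\[relayDevIpAddr\]=\([^,]*\),.*/\1/p' \
    | sed 's/[[:space:]]*$//' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $2, $1 }'
}

echo "warnings: $(unknown_event_warning_count "$SAMPLE_LOG")"
unknown_events_by_relay "$SAMPLE_LOG"
```

Point the functions at /opt/phoenix/log/phoenix.log on the Supervisor (or a copy of it) instead of the constructed sample.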


Restart the phParser process on the Supervisor to reload the parser configuration and resume proper parsing. Run the following commands from the FortiSIEM Supervisor CLI; the phstatus call after each phtools command confirms that phParser has actually stopped and then started again:


phtools --stop phParser
phstatus
phtools --start phParser
phstatus


After restarting, re-test the log parsing. The Supervisor should now correctly parse logs using the custom parser.


Additional notes:

Ensure that the custom parser is correctly assigned to the relevant device type in Admin -> Device Support -> Parsers.

If the issue persists, verify that the incoming log format is consistent with what the parser expects, and review the parser rules using Parser Debug mode.


Related documents:

Troubleshooting Tip: How to resolve PH_PARSER_TOO_MANY_UNKNOWN_EVENTS errors

Working with Parsers
