Troubleshooting Tip: Supervisor health critical du...

FortiSIEM

FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)

Article Id 389853

Description

The article describes how to fix a supervisor health critical due to 'ClickHouse Replication Delay Greater Than 30 Minutes' even though no longer a ClickHouse replica.

Scope

FortiSIEM Supervisor.

Solution

The health of the Supervisor is displayed as critical in the GUI under ADMIN -> Health -> Cloud Health when the Supervisor node is no longer part of the ClickHouse data cluster in ADMIN -> Settings -> ClickHouse Config. However, it still holds outdated replicated table data.

Take a VM snapshot of the Supervisor node and remove the residual replicated tables from the Supervisor using the ClickHouse client. This action is safe because the supervisor has already been removed from the ClickHouse cluster under:
ADMIN -> Settings -> ClickHouse Config.

Execute the following commands on the Supervisor to clean up residual replicated tables:

For v7.2.1 and lower:

clickhouse-client -q "DROP TABLE fsiem.events_replicated"
clickhouse-client -q "DROP TABLE fsiem.summary"

For v7.2.2 and higher:

clickhouse-client -q "DROP TABLE fsiem.events_replicated"
clickhouse-client -q "DROP TABLE fsiem.summary"
clickhouse-client -q "DROP TABLE fsiem.mv_t_events"

Note:

Ensure these commands are executed on the supervisor node only, and confirm it has been removed from the cluster configuration under ADMIN -> Settings -> ClickHouse Config before proceeding.

525

Contributors

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Troubleshooting Tip: Supervisor health critical due to 'ClickHouse Replication Delay Greater Than 30 Minutes' even though no longer a ClickHouse replica

You are leaving our website