FortiSIEM Discussions
Prakash_576
New Contributor

Frequent PHParser Downtime Issues in Environment

Hello everyone,

I'm currently managing an environment with approximately 5000 EPS and encountering an issue where the PHparser crashes frequently. Our setup includes one supervisor and two workers, each running on servers equipped with a 32-core processor and 64 GB of RAM. Despite not using custom parsers, the PHparser fails every 20-25 minutes, recovers, and then continues to crash intermittently.

We are seeking advice on troubleshooting this problem. Any suggestions on what might be causing these frequent downtimes or how to stabilize the parser would be greatly appreciated.

Thank you! :)


FortiSIEM 
@premchanderr 
@FSM_FTNT 
@Richie_C 

2 REPLIES
premchanderr
Staff

Hi @Prakash_576 ,

The factors that cause high phParser load are:
1) Too many unknown event types
2) More events than a super or collector can handle
3) Very long raw logs causing issues in reading and parsing.

To narrow down the issue you can:
1) Run a search in Analytics:
Filter: System Event Category BETWEEN 0,6 AND Collector ID = "xxx"
Display Conditions: Reporting IP, Event Type, Count(Matched Events)
2) Collect a tcpdump on the FortiSIEM node:

# tcpdump -i any "host x.x.x.x" -vvv -w Traffic.pcap //x.x.x.x --- is the FortiSIEM IP

Regards,
Prem Chander R
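As an added example that is not part of the reply above (my own code, not FortiSIEM's): a small Python script that applies the same narrowing-down logic offline to syslog lines already extracted from the capture, counting events per reporting IP per second and flagging sources that match two of the factors listed (too many events from one source, very long raw logs). The thresholds and the sample lines are constructed for illustration and are not FortiSIEM limits.

```python
from collections import defaultdict

# Thresholds are assumptions for illustration only, not documented FortiSIEM limits.
MAX_RAW_LEN = 2048          # bytes; flag unusually long raw logs
MAX_EPS_PER_SOURCE = 1000   # events in any one second from a single reporting IP

# Constructed sample input: (epoch second, reporting IP, raw syslog line).
# 10.0.0.5 bursts 1500 events in one second, 10.0.0.9 is quiet,
# 10.0.0.7 sends one ~3 KB message.
SAMPLE = (
    [(0, "10.0.0.5", "<134>Jan 1 00:00:00 fw1 action=accept") for _ in range(1500)]
    + [(t, "10.0.0.9", "<134>Jan 1 00:00:00 sw1 link up") for t in range(5)]
    + [(1, "10.0.0.7", "<14>Jan 1 00:00:01 app1 msg=" + "A" * 3000)]
)


def summarize(events):
    """Per reporting IP: total count, peak events in any single second, longest raw log."""
    per_ip = defaultdict(lambda: {"count": 0, "per_sec": defaultdict(int), "max_len": 0})
    for ts, ip, raw in events:
        s = per_ip[ip]
        s["count"] += 1
        s["per_sec"][int(ts)] += 1
        s["max_len"] = max(s["max_len"], len(raw.encode("utf-8")))
    return {
        ip: {"count": s["count"], "peak_eps": max(s["per_sec"].values()), "max_len": s["max_len"]}
        for ip, s in per_ip.items()
    }


def flag_sources(summary, max_len=MAX_RAW_LEN, max_eps=MAX_EPS_PER_SOURCE):
    """Return {ip: [reasons]} for sources that exceed the rate or raw-length threshold."""
    flags = {}
    for ip, s in summary.items():
        reasons = []
        if s["peak_eps"] > max_eps:
            reasons.append(f"peak {s['peak_eps']} eps exceeds {max_eps}")
        if s["max_len"] > max_len:
            reasons.append(f"raw log of {s['max_len']} bytes exceeds {max_len}")
        if reasons:
            flags[ip] = reasons
    return flags


if __name__ == "__main__":
    for ip, reasons in flag_sources(summarize(SAMPLE)).items():
        print(ip, "->", "; ".join(reasons))
```

To use it on a real capture, replace SAMPLE with tuples extracted from Traffic.pcap (for example with tshark's syslog fields) and compare the flagged IPs with the Reporting IP column from the Analytics search.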