FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Andy_G
Staff
Article Id 190739

Description

Summary of Topic

After I upgraded VA to 3.6.2, I started receiving many email notifications that say “Cleared by System”.

Solution Steps

This is a new feature introduced in 3.6.2. VA automatically clears an incident that has been Active for more than 1 day. This functionality was added to address memory consumption by the Rule Master process.

If the root cause of the incident still remains, the incident will be generated again.

Recommendation

We recommend that you address and clear all incidents as soon as possible. If you do not, please follow the workaround:

Workaround

If you want to change the time period that the system allows incidents to stay Active, follow these steps:

1. Log in via SSH as admin.
2. cd /opt/phoenix/config
3. vi phoenix_config.txt and find “deprecated_time”
4. Change the value of deprecated_time accordingly.
   By default, it is 86400 = 1 day. We do not recommend increasing this value too much: the larger the value, the more memory the phRuleMaster process will consume.
5. Save phoenix_config.txt and exit vi.
6. killall -9 phRuleMaster
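
Steps 3 to 5 can also be scripted so that every change leaves a backup and an out-of-range value is refused. This is an added example, not Fortinet code. It assumes the setting is stored as a single `deprecated_time=<value>` line; the function names and the MAX_VALUE ceiling are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. ASSUMPTION: the setting is one line of the
# form "deprecated_time=<value>"; check your own phoenix_config.txt first.

MAX_VALUE=604800   # constructed ceiling for this sketch (7 x 86400), not a vendor limit

# Print the current value; fail if the key is missing or defined more than once.
get_deprecated_time() {
    local file="$1" count
    count=$(grep -c '^[[:space:]]*deprecated_time[[:space:]]*=' "$file" || true)
    [ "$count" -eq 1 ] || { echo "expected one deprecated_time line, found $count" >&2; return 1; }
    sed -n 's/^[[:space:]]*deprecated_time[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$file"
}

# Validate the new value, keep a timestamped backup, then rewrite only that line.
set_deprecated_time() {
    local file="$1" new="$2" old
    case "$new" in
        ''|*[!0-9]*) echo "value must be a whole number" >&2; return 2 ;;
    esac
    [ "$new" -le "$MAX_VALUE" ] || { echo "refusing $new: above $MAX_VALUE" >&2; return 3; }
    old=$(get_deprecated_time "$file") || return 1
    [ -n "$old" ] || { echo "current value is not numeric" >&2; return 1; }
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # Write through a temp file, then copy back so ownership and mode are kept.
    sed "s/^\([[:space:]]*deprecated_time[[:space:]]*=[[:space:]]*\)[0-9][0-9]*/\1$new/" \
        "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    echo "deprecated_time: $old -> $new"
}

# Constructed sample (not a real phoenix_config.txt) for trying the functions offline.
make_sample() {
    printf '%s\n' '# constructed sample' 'other_key=1' 'deprecated_time=86400' > "$1"
}

# Real use: ./set_deprecated_time.sh /opt/phoenix/config/phoenix_config.txt 172800
# then continue with step 6 (killall -9 phRuleMaster).
if [ "$#" -eq 2 ]; then
    set_deprecated_time "$1" "$2"
fi
```

The printed old and new values, together with the backup file, give a record of who extended the auto-clear window and by how much.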

Additional Information

A future version of AO will provide a UI method for modifying this value.

 

Version Application

3.6.2+



 

 
