FortiSIEM Discussions
Secusaurus
Contributor

FortiSIEM: Find out triggering device for "PH_RULE_NO_PERFMON_VIA_AO" incidents?

Hello everyone,
We are continuously experiencing the incident "High performance monitoring delay from Collector or Worker SIEM Supervisor" on our FortiSIEM platform. That one is triggered as soon as the Event Type "PH_DEV_MON_PERFMON_ALL_DEVICE_DELAY_HIGH" appears at least once. This event is also happening, so it seems absolutely correct.
Our health status, however, is as green as it can be. No collector, worker, agent or supervisor has any issues, services down or delays.
Has anybody had a similar situation and/or an idea how to find out more context around the event?
Raw Event:

[PH_DEV_MON_PERFMON_ALL_DEVICE_DELAY_HIGH]:[phCustId]=1,[eventSeverity]=PHL_INFO,[phEventCategory]=3,[procName]=AppServer,[relayDevName]=SIEM Supervisor,[relayDevIpAddr]=(Supervisor IP),[phLogDetail]=Performance monitoring delay for all devices from a collection point crossed high water mark
Thanks already for your input!
Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
3 REPLIES
premchanderr
Staff

Hi @Secusaurus ,

This event log may result from network, CPU or NTP issues causing delays in performance checks. The incident will only be cleared upon receiving the Event Type PH_DEV_MON_PERFMON_ALL_DEVICE_DELAY_LOW.

Most of the time, if it is a minor issue, the incident is cleared automatically within a few minutes.

If you wish to modify this, you can edit the rule, adjusting the clear condition to either a different criterion or a 10-minute interval in case the rule isn't triggered again. Additionally, you have the option to disable the ORG rule.

Regards,
Prem Chander R
Secusaurus

Hi Prem,
Thanks for your input.

Main issue is: the incident has been triggering every five minutes for more than a week. So there seems to be something wrong, but I cannot narrow it down with "Collector or Worker SIEM Supervisor", which could be just any member of the cluster.

And just disabling the rule would not be my preferred solution, if there really was an issue here.
Anyway, I talked to the TAC recently and got the hint to dig deeper in the phoenix logs (tail -f /opt/glas*/dom*/dom*/logs/phoenix.log), which I will have a look at now.
Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
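Added example for the log-digging step above; this is not code from the thread or from Fortinet. It tallies PH_DEV_MON_PERFMON_ALL_DEVICE_DELAY_HIGH events per relayDevName/relayDevIpAddr so the collection point behind the "Collector or Worker SIEM Supervisor" wording can be identified. The bracketed key=value layout is taken from the raw event quoted in the first post; that such lines appear verbatim in phoenix.log, and the collector names and IP addresses in the sample log, are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original thread or of FortiSIEM itself.
# Assumption: raw events are logged in the same "[KEY]=value,[KEY]=value" form
# as the event quoted in the post. Adjust the file glob to match your deployment.

# Constructed sample log (not a real phoenix.log); names and IPs are invented.
make_sample_log() {
  cat > "$1" <<'EOF'
[PH_DEV_MON_PERFMON_ALL_DEVICE_DELAY_HIGH]:[phCustId]=1,[eventSeverity]=PHL_INFO,[phEventCategory]=3,[procName]=AppServer,[relayDevName]=SIEM Supervisor,[relayDevIpAddr]=10.0.0.1,[phLogDetail]=Performance monitoring delay for all devices from a collection point crossed high water mark
[PH_DEV_MON_PERFMON_ALL_DEVICE_DELAY_LOW]:[phCustId]=1,[eventSeverity]=PHL_INFO,[phEventCategory]=3,[procName]=AppServer,[relayDevName]=Collector-Branch1,[relayDevIpAddr]=10.0.1.5,[phLogDetail]=Performance monitoring delay for all devices from a collection point fell below low water mark
[PH_DEV_MON_PERFMON_ALL_DEVICE_DELAY_HIGH]:[phCustId]=1,[eventSeverity]=PHL_INFO,[phEventCategory]=3,[procName]=AppServer,[relayDevName]=Collector-Branch1,[relayDevIpAddr]=10.0.1.5,[phLogDetail]=Performance monitoring delay for all devices from a collection point crossed high water mark
[PH_DEV_MON_PERFMON_ALL_DEVICE_DELAY_HIGH]:[phCustId]=1,[eventSeverity]=PHL_INFO,[phEventCategory]=3,[procName]=AppServer,[relayDevName]=SIEM Supervisor,[relayDevIpAddr]=10.0.0.1,[phLogDetail]=Performance monitoring delay for all devices from a collection point crossed high water mark
EOF
}

# field KEY LINE: print the value of [KEY]=... from one raw event line.
# Values are taken up to the next comma, which is how the quoted event is laid out.
field() {
  printf '%s\n' "$2" | sed -n "s/.*\[$1\]=\([^,]*\).*/\1/p"
}

# count_by_relay LOGFILE EVENT_TYPE: number of EVENT_TYPE events per relay device,
# most frequent first, as "<count> <relayDevName>\t<relayDevIpAddr>".
count_by_relay() {
  grep -F "[$2]:" "$1" | while IFS= read -r line; do
    printf '%s\t%s\n' "$(field relayDevName "$line")" "$(field relayDevIpAddr "$line")"
  done | sort | uniq -c | sort -rn
}

# Stand-alone run against the constructed sample. On a real system replace the
# sample path with the log the TAC pointed at, e.g. /opt/glas*/dom*/dom*/logs/phoenix.log.
tmp="${TMPDIR:-/tmp}/phoenix-sample.$$"
make_sample_log "$tmp"
count_by_relay "$tmp" PH_DEV_MON_PERFMON_ALL_DEVICE_DELAY_HIGH
rm -f "$tmp"
```

Run it once over the live log to see which relay device accounts for the repeated HIGH events, then watch `tail -f` of that same file for the matching DELAY_LOW event, since the reply from Fortinet staff says the incident only clears on that event type.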
premchanderr
Staff

Hi Christian,
You are welcome.

Yes, analyzing the log would help to see if any process was high or there were errors at the time of the incident. Also note that even network delays of a few minutes can cause this.

Regards,
Prem Chander R