What's New in 6.6.2

Bug Fixes

This release resolves the following issues:

  1. Policy-based retention for EventDB does not cover two event categories: (a) system events with phCustId = 0, e.g. a FortiSIEM External Integration Error, a FortiSIEM process crash, etc., and (b) Super/Global customer audit events with phCustId = 3, e.g. the audit log generated when a Super/Global user runs an ad hoc query. These events are purged when disk usage reaches the high watermark.

  2. Bug 842147: The parser process on any FortiSIEM node may consume high CPU or even crash while evaluating event retention policies. This bug was introduced in release 6.6.0.

Known Issues

  1. The phFortiInsightAI process may consume high CPU on Workers because of excessive Win-Security-4624 logs.

    The following workaround is available:

    1. SSH to each Supervisor and Worker node.

    2. Find the file /opt/phoenix/data-definition/FINS-template.json. Open the file for editing, remove the following two entries, and save the file.

      "Win-Security-4624": {
          "ac": "user logged on"
      },
      "Win-Security-4634": {
          "ac": "user logged off"
      },

    3. Kill the phDataManager process on each Worker and Supervisor by running the following command.

      killall -9 phDataManager

      phDataManager will restart.

    4. Refresh the AI model by running the following on each Worker and Supervisor:

      1. Stop the phFortiInsightAI service by running the following command.

        service stop phFortiInsightAI

      2. Remove the local model by running the following command.

        rm -rf /opt/fortiinsight-ai/ai_model

      3. Start the phFortiInsightAI service by running the following command.

        service start phFortiInsightAI

        Once the model is removed and the service is restarted, the AI returns to training mode. Training runs for a 2-week period.

    5. Confirm by running the following command.

      curl http://localhost:8144/api/stats

      It should return output like the following, with the "live" status reported as "training":

      {"cargo":{"memory":{"free":2182098520,"total":2244476928,"limit":2822242304,"allocated":15100232,"warning_threshold":2547567820,"warning_issued":false},"live":{"status":"training",...

    6. If it does not, run the following command.

      curl http://localhost:8144/api/live?type=training

  2. FortiSIEM uses dynamic mapping for Keyword fields to save cluster state. Elasticsearch must encounter some events containing these fields before it can determine their type, so queries that group by any of these fields fail if Elasticsearch has not yet seen any event containing them. The workaround is to first run a non-group-by query with these fields to make sure they have non-null values.
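The following added example (not FortiSIEM code) automates the file-editing and verification parts of the phFortiInsightAI workaround above: it prunes the two Win-Security entries from FINS-template.json idempotently, keeping a backup, and checks the "live" status in the /api/stats reply. It assumes the entries sit at the top level of the JSON object and that the template file is valid JSON; the path and port come from the release note, the helper names and the sample template are ours.

```python
"""Prune the noisy event types from FINS-template.json and check the AI status."""
import json
import shutil
import urllib.request

TEMPLATE_PATH = "/opt/phoenix/data-definition/FINS-template.json"
STATS_URL = "http://localhost:8144/api/stats"
# The two entries the workaround removes from the template.
NOISY_EVENT_TYPES = ("Win-Security-4624", "Win-Security-4634")

# Constructed sample template (assumption: entries live at the top level).
SAMPLE_TEMPLATE = {
    "Win-Security-4624": {"ac": "user logged on"},
    "Win-Security-4634": {"ac": "user logged off"},
    "Example-Event": {"ac": "constructed sample entry"},
}


def prune_template(template):
    """Return (pruned copy, list of entries removed); removed is empty if
    the template was already pruned, so re-running is harmless."""
    pruned = {k: v for k, v in template.items() if k not in NOISY_EVENT_TYPES}
    removed = [k for k in NOISY_EVENT_TYPES if k in template]
    return pruned, removed


def ai_status(stats_json):
    """Extract live.status (e.g. "training") from an /api/stats reply body."""
    stats = json.loads(stats_json)
    return stats.get("live", {}).get("status", "unknown")


def prune_template_file(path=TEMPLATE_PATH):
    """Back up the template to <path>.bak and rewrite it without the noisy
    entries; returns the entries removed. Run this before killing phDataManager."""
    with open(path, encoding="utf-8") as fh:
        template = json.load(fh)
    pruned, removed = prune_template(template)
    if removed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(pruned, fh, indent=4)
    return removed


if __name__ == "__main__":
    print("removed:", prune_template_file())
    with urllib.request.urlopen(STATS_URL, timeout=5) as resp:
        print("AI status:", ai_status(resp.read().decode()))
```

Run it on each Supervisor and Worker before step 3; the status check only means anything after the service restart in step 4.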
