Fortinet white logo
Fortinet white logo

Query Logs

Query Logs

This section provides logs related to querying events



EventType: PH_JAVA_QUERYSERVER_ACTION_UNSUPPORTED_ERROR

Description: Java Query Server unsupported action

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_JAVA_QUERYSERVER_ELASTIC_ERROR

Description: Java Query Server Elasticsearch error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_JAVA_QUERYSERVER_ERROR

Description: Java Query Server error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_JAVA_QUERYSERVER_INFO

Description: Java Query Server Query informational log

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_JAVA_QUERYSERVER_QUERYID_ERROR

Description: Java Query Server unknown or expired Query ID error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_JAVA_QUERYSERVER_QUERY_SYNTAX_ERROR

Description: Java Query Server Query syntax error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_JAVA_QUERYSERVER_REDIS_ERROR

Description: Java Query Server Redis error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_JAVA_QUERYSERVER_WARN

Description: Java Query Server Query warning

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_QUERYSRV_DUPLICATED_QUERYID

Description: Duplicated query id

Severity: 6 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERYSRV_INVALID_QUERYXML

Description: Invalid query xml

Severity: 6 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_AGGR_RESULTS_POST_PROCESS_FAILED

Description: Query Master failed to post-process aggregate query results - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_ATTR_UNDEFINED

Description: Query Master/Worker found undefined attribute in Query XML - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_BAD_RESULT_STATUS

Description: Bad Query Result Status

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_CACHE_GET_FAILED

Description: FortiSIEM Query Master failed to get cache results

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_CACHE_RESULT_GET_FAILED

Description: Query Master failed to get query results from its own cache - query will be resubmitted

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_CACHE_TRIGGER_EVENT_GET_FAILED

Description: Query Master failed to get trigger event query from Data Manager - Query Master will attempt to get trigger events from event database

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_CHAR_UNEXPECTED

Description: Query Master/Worker found unexpected character in expression in a Query XML - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string



EventType: PH_QUERY_CH_PARSE_FAILED

Description: Query Master failed to parse CLICKHOUSE query result

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_CH_POST_FAILED

Description: Query Master failed to post query to CLICKHOUSE

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason

httpStatusCode

HTTP Status

string



EventType: PH_QUERY_CLICKHOUSE_DATA_FAILED

Description: FortiSIEM ClickHouse DATA failure

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_CLICKHOUSE_EXEC_FAILED

Description: Failed to exec query from ClickHouse

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_CLICKHOUSE_STARTS

Description: ClickHouse query starts

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_CLICKHOUSE_STOP_FAILED

Description: Failed to stop ClickHouse query

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_QUERY_CLICKHOUSE_WAITING_QUEUE_FULL

Description: ClickHouse query waiting queue is full

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_COMMAND_BAD

Description: Internal error - unsupported query control command - expected Stop, pause and resume

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_COMPLETION_NOTIFICATION_SEND_FAILED

Description: Query Master failed to send query completion notification to App server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_CONFIG_UNDEFINED

Description: Query Master/Worker found undefined phoenix_config item

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

configName

Config Name

string



EventType: PH_QUERY_CONVERT_FAILED

Description: Query Master/Worker failed to convert a particular query to certain format - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_DATA_ENUM_FAILED

Description: Query Master failed to enumerate inline report results for a particular report - inline report will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_DATA_MANAGER_NODES_GET_FAILED

Description: Query Master failed to get Data Manager IP addresses - queries will be done by Query Master until the next attempt to get this list of IP addresses

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_QUERY_DATA_SEND_FAILED

Description: Query Master failed to send query-related data to App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_DATA_SIZE_MISMATCH

Description: Query Master found size mismatch between two data entries while loading a particular inline query - this inline report will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_DATA_SIZE_UNEXPECTED

Description: Query Master found unexpected data size while returning results to App server - inline report will not have results

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_DATA_TYPE_UNEXPECTED

Description: Query Master found unexpected data types while returning results to App server - inline report will not have results

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_DB_SERVER_HOST_UNDEFINED

Description: Database server host not defined for query master

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

configName

Config Name

string



EventType: PH_QUERY_DIR_CREATE_FAILED

Description: Query Master/Worker/Data Manager failed to create directory

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_DIR_RENAME_FAILED

Description: Query Master/Worker/Data Manager failed to rename directory

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

srcFilePath

Source File Path

string

destFilePath

Destination File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_DISTRIBUTION

Description: Query distribution (Worker IP: Workload)

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string

oldDistrib

Old Distribution

string

newDistrib

New Distribution

string



EventType: PH_QUERY_DURATION

Description: Query statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

reportName

Report Name

string

FortiSIEM report name.



EventType: PH_QUERY_ES_PARSE_FAILED

Description: Query Master failed to parse Elastic Search Summary query result - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_ES_POST_FAILED

Description: Query Master failed to provide Elastic Search Summary query results to App Server - query results will not be available

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason

httpStatusCode

HTTP Status

string



EventType: PH_QUERY_ES_SCROLL_FAILED

Description: ES Query scroll failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_EVENT_COLLECTOR_UNAVAILABLE

Description: Query Master/Worker failed to get event collector for a particular query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_EVENT_ID_GET_FAILED

Description: Query Master failed to get triggered event ID for a particular triggered event query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

eventId

Event ID

uint64

This is a globally unique ID assigned to every raw event ingested into the SIEM. This is used by the system for tying events to incidents, and is typically not needed by end users.

queryId

Query Id

string



EventType: PH_QUERY_EVENT_PARSE_FAILED

Description: Query Master failed to parse events from Data Manager - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

seqNum

Sequence Number

uint64

TCP Sequence number field in TCP header.

queryId

Query Id

string



EventType: PH_QUERY_EVENT_PAYLOAD_READ_FAILED

Description: Query Master failed to read events - some real time events may be missed

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_EXCEPTION_CAUGHT

Description: Query Worker encountered corrupt event index or data - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_EXPORT_TASK_CREAT_FAILED

Description: FortiSIEM Query Engine failed to export query result

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string



EventType: PH_QUERY_EXPORT_TASK_INSERT_FAILED

Description: FortiSIEM Query Engine failed to start query result export task

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string



EventType: PH_QUERY_EXPR_INCOMPLETE

Description: Query Master failed to handle Query XML during internal processing- Incomplete expression

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string



EventType: PH_QUERY_FILE_CONTENT_BAD

Description: Query Master / Worker found invalid content in Query XML file - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_QUERY_FILE_CONTENT_MISSING

Description: Query Master / Worker found certain content missing in Query XML file - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_QUERY_FILE_COPY_FAILED

Description: Query Master failed to copy query XML file from completed/active to eventdb directory - XXX

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

srcFilePath

Source File Path

string

destFilePath

Destination File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_CORRUPT

Description: Query Master found corrupt query status file for a particular query - query will not be completed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_QUERY_FILE_CREATE_FAILED

Description: Query Master / Worker failed to create query result file - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_EMPTY

Description: Query Master/Worker found empty query status backup file - system loses redundancy for this query

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_QUERY_FILE_HEADER_GET_FAILED

Description: Query Master failed to read query related file header from query result file - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_FILE_LINK_FAILED

Description: Query Master / Worker failed to hard link query result file - query cache will not be used

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

srcFilePath

Source File Path

string

destFilePath

Destination File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_MAGIC_BAD

Description: Query Master found bad query-related file magic inside query status or result file - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_FILE_MMAP_FAILED

Description: Query Master failed to memory-map summary event cache file - summary event query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_NAME_BAD

Description: Query Master found invalidly formatted summary event cache file - summary event query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_QUERY_FILE_OPEN_FAILED

Description: Query Master / Worker/ Data Manager failed to open query related file - related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_READ_FAILED

Description: Query Master / Worker/ Data Manager failed to read query related file - related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_REMOVE_FAILED

Description: Query Master failed to remove cached query result file - disk may eventually get full

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_SEEK_FAILED

Description: Query Master failed to seek trend file to offset for a specific inline report - that inline report will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

seqNum

Sequence Number

uint64

TCP Sequence number field in TCP header.



EventType: PH_QUERY_FILE_STAT_FAILED

Description: Query Master / Worker/ Data Manager failed to stat query related file - related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FORMAT_UNSUPPORTED

Description: Query Master received unsupported report export file format from App Server - export will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_FUNC_ERROR

Description: Query Master / Worker encountered internal function error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

funName

Function Name

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_ID_DUPLICATE

Description: Query Master / Worker encountered duplicate query ID assigned by App server - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_ID_INACTIVE

Description: Query Master / Worker failed to retrieve supposedly active query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_ID_NOT_FOUND

Description: Query Master / Worker failed to find Query ID not found in task queue - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_ID_REMOVE_FAILED

Description: Query Master failed to remove trigger event query ID from task queue - partial results will be returned

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_ID_UNSUPPORTED

Description: Query Master found unsupported query type hint from App Server - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_INLINEREQUEST_BAD

Description: Query Master received bad inline query request via TCP socket - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_IPC_EVENT_SEND_FAILED

Description: Query Master failed to send IPC event (containing heartbeat data) to Data Manager - trigger event queries may be slow

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

destIpAddr

Destination IP

IP

Destination IP of a device as identified in the event.



EventType: PH_QUERY_IP_GET_FAILED

Description: Query Master failed to get Supervisor IP - Query Master will not be able to communicate with Super data Manager

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostName

Host Name

string

This is the hostname of the device of interest in the event



EventType: PH_QUERY_IP_INVALID

Description: Query Worker got invalid Query Master IP - queries will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.



EventType: PH_QUERY_IP_TYPE_INVALID

Description: Invalid IP type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_LOGINTEGRITYEXPORT_TASK_CREAT_FAILED

Description: Data Manager failed to create task for exporting log integrity check request from App Server - request will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_LOGINTEGRITYEXPORT_TASK_INSERT_FAILED

Description: Data Manager failed to insert task for exporting log integrity check request from App Server into internal task queue - request will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_LOG_INTEGRITY_EXPORT_DIR_UNCONFIGURED

Description: Query Master failed to obtain log integrity export directory - particular request will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_LOG_INTEGRITY_EXPORT_FAILED

Description: Query Master failed to export bad event blocks from file - log integrity query from App server will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_QUERY_LONG_RUNNING_STOPPED

Description: Long running query stopped

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string

reportName

Report Name

string

FortiSIEM report name.



EventType: PH_QUERY_MEM_ALLOC_FAILED

Description: Query Master / Worker failed to allocate memory during event / rule processing

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

totBytes64

Total Bytes64

uint64

Total number of sent and received bytes by a host. This has 64bit resolution.



EventType: PH_QUERY_MESSAGE_SEND_FAILED

Description: FortiSIEM Query Engine failed to send message

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

type

Type

string

destIpPort

Destination TCP/UDP Port

uint16

This is the destination TCP or UDP port as identified in the event



EventType: PH_QUERY_MODULE_INIT_FAILED

Description: Query Master / Worker module failed to initialize

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

module

Module Name

string

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_QUERY_MODULE_UNCONFIGURED

Description: Query Master / Worker module failed to obtain some parameters during phoenix_config.txt during initialization - module likely will not start

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

module

Module Name

string



EventType: PH_QUERY_ONLINE_WORKER_CHANGED

Description: FortiSIEM Online Query Worker number changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

count

Count

uint32

A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group by parameters occurs again. The count is incremented and the Last Seen time is advanced. Count can be used for other events also.



EventType: PH_QUERY_PARSED_EVENT_LOAD_FAILED

Description: Query Worker failed to load parsed event from shared buffer during real time query which may not show events from this Query Worker node

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_PARTIAL_WORKER_FAILURE

Description: Partial query results due to worker failure

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string

reportName

Report Name

string

FortiSIEM report name.



EventType: PH_QUERY_PCAP_FINALIZE_FAILED

Description: Query Master failed to finalize pcap export - export will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_PCAP_LOAD_FAILED

Description: Query Master failed to load query results in pcap format - results will not be complete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

seqNum

Sequence Number

uint64

TCP Sequence number field in TCP header.



EventType: PH_QUERY_PCAP_RENAME_FAILED

Description: Query Master failed to rename pcap file - export will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

srcFilePath

Source File Path

string

destFilePath

Destination File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_PCAP_TRANSFER_FAILED

Description: Query Master failed to transfer event to pcap packet - results will not be complete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

seqNum

Sequence Number

uint64

TCP Sequence number field in TCP header.



EventType: PH_QUERY_PGDB_EXEC_SQL_FAILED

Description: Query Master failed to execute SQL statement against Supervisor Postgres DB for Incident Query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dbQuery

Database Query

string



EventType: PH_QUERY_PGDB_RECONNECT_FAILED

Description: Query Master failed to reconnect to Supervisor Postgres DB - Query Master will remain disconnected and all incident queries will fail

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_QUERY_PGDB_SQL_GET_VAL_FAILED

Description: Query Master failed to get column value from SQL result - incident query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_POST_FILTER_PARSE_FAILED

Description: Query Master failed to parse post-filter inline query results - no post-filtering is going to occur

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string



EventType: PH_QUERY_PQ_ERROR

Description: FortiSIEM Postgres DB connection or execution error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

funName

Function Name

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_PROCESS_GET_FAILED

Description: Query Master failed to get its own parent process

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_PROFILE_ATTR_UNSPECIFIED

Description: Query Master failed to find specified attribute in Profile Query XML from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_PROFILE_EVENT_TYPE_ERROR

Description: Query Master encountered unexpected event type in a Profile Query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_PROFILE_FUNCITION_ERROR

Description: Query Master hit Function error while executing Profile Query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_PROFILE_NOT_MARKED_AS_BASELINE

Description: Query Master will not execute a profile query since it is not marked as baseline

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_PROGRESS_REJECTED

Description: Query Worker fails to upload query progress to Query Master - some progress reporting will be skipped

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string

httpStatusCode

HTTP Status

string



EventType: PH_QUERY_REPORTEXPORT_TASK_CREAT_FAILED

Description: Query Master failed to create task for exporting CSV/PCAP formatted Query request from App Server - export will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_REPORTEXPORT_TASK_INSERT_FAILED

Description: Query Master failed to insert task for exporting CSV/PCAP formatted Query request from App Server into internal task queue - export will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_REPORT_RESULTS_LOAD_FAILED

Description: Query Master failed to load inline query report results from file - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_QUERY_REPORT_RESULTS_POST_FILTER_FAILED

Description: Query Master failed to post-filter inline query report results - no post-filtering is going to occur

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_REPORT_RESULT_FILE_NOT_EXIST

Description: Query report result file not exist

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_QUERY_REQUEST_BAD

Description: FortiSIEM Query Engine received bad request

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.

queryId

Query Id

string



EventType: PH_QUERY_RESULT_FILES_MERGE_FAILED

Description: Query Master failed to merge inline query result files - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_RESULT_GET_FAILED

Description: Query Master failed to produce inline query result / CSV export - operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

seqNum

Sequence Number

uint64

TCP Sequence number field in TCP header.



EventType: PH_QUERY_RESULT_NOT_READY

Description: Query Master failed to find Query result directory for CSV export

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_RESULT_PARSE_FAILED

Description: Query Master failed to parse trigger event query result from Data Manager

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

seqNum

Sequence Number

uint64

TCP Sequence number field in TCP header.

queryId

Query Id

string



EventType: PH_QUERY_RESULT_REJECTED

Description: Query Master rejected query result upload from Query Worker

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

httpStatusCode

HTTP Status

string



EventType: PH_QUERY_RESULT_SAVE_FAILED

Description: FortiSIEM Query Engine failed to save query result

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

seqNum

Sequence Number

uint64

TCP Sequence number field in TCP header.



EventType: PH_QUERY_RESULT_UPLOAD_FAILED

Description: Query Worker failed to upload query result to Query Master - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

destIpAddr

Destination IP

IP

Destination IP of a device as identified in the event.

queryId

Query Id

string

filePath

File Path

string

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_QUERY_RT_ERROR

Description: Query Worker spawned excessive threads to handle reat time search and will exit (delete)

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_SORT_SPEC_GET_FAILED

Description: Query Master failed to get sort specfication for cached query result - query will automatically rerun

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_START_FAILED

Description: Query Worker failed to start a query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.

queryId

Query Id

string

reportName

Report Name

string

FortiSIEM report name.



EventType: PH_QUERY_STATE_BAD

Description: Query Master encounters invalid query state - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_STATUS_LOAD_FAILED

Description: Query Master failed to load query status from disk - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_STATUS_SAVE_FAILED

Description: Query Master failed to save query status to disk - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_SUMM_ATTR_BAD

Description: Query Master encoutered bad attribute in Summary Dashboard data cache - cache will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_SUMM_ATTR_MISSING

Description: Query Master failed to locate an attribute in Summary Dashboard data cache - cache will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_SUMM_ATTR_UPDATE_FAILED

Description: Query Master failed to update certain host attribute in Summary Dashboard data cache - cache will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.



EventType: PH_QUERY_SUMM_COLUMN_UNSUPPORTED

Description: Query Master encountered unsupported attribute in Summary Dashboard data cache - cache will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_SUMM_EVENT_SKIPPED

Description: Query Master skipped a bad event for Summary Dashboard data cache - performance metrics will be partially updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

compEventType

Component Event Type

string

This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute.

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_QUERY_SUMM_PARSE_FAILED

Description: Query Master failed to parse Summary Dashboard Query XML - one query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string



EventType: PH_QUERY_SUMM_PERF_ETINFO_UNSUPPORTED

Description: Query Master encountered unsupported perfETInfo in Summary Dashboard Query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_TASK_INVALID

Description: FortiSIEM Query task and worker IP are not matched

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string

clientIpAddr

Client IP

IP



EventType: PH_QUERY_TASK_REROUTED

Description: FortiSIEM Query task is rerouted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string

srcIpAddr

Source IP

IP

Source IP of a device as identified in the event.

destIpAddr

Destination IP

IP

Destination IP of a device as identified in the event.



EventType: PH_QUERY_TASK_REROUTE_FAILED

Description: FortiSIEM Query Task Reroute failed

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_QUERY_VALUE_TYPE_UNSUPPORTED

Description: FortiSIEM Query Engine encountered bad value type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_WORKERS_GET_FAILED

Description: Query Master failed to get the list of query workers - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_QUERY_WORKERS_SPLIT_AMONG_FAILED

Description: Query Master failed to split query among workers - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_WORKER_CHANGED_TO_OFFLINE

Description: FortiSIEM Query Worker Status Changed from online to offline

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverIpAddr

Server IP

IP



EventType: PH_QUERY_WORKER_CHANGED_TO_ONLINE

Description: FortiSIEM Query Worker Status Changed from offline to online

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverIpAddr

Server IP

IP



EventType: PH_QUERY_XML_PARSE_FAILED

Description: Query Master / Worker failed to parse query XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string

totBytes64

Total Bytes64

uint64

Total number of sent and received bytes by a host. This has 64bit resolution.


Query Logs

Query Logs

This section provides logs related to querying events



EventType: PH_JAVA_QUERYSERVER_ACTION_UNSUPPORTED_ERROR

Description: Java Query Server unsupported action

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_JAVA_QUERYSERVER_ELASTIC_ERROR

Description: Java Query Server Elasticsearch error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_JAVA_QUERYSERVER_ERROR

Description: Java Query Server error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_JAVA_QUERYSERVER_INFO

Description: Java Query Server Query informational log

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_JAVA_QUERYSERVER_QUERYID_ERROR

Description: Java Query Server unknown or expired Query ID error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_JAVA_QUERYSERVER_QUERY_SYNTAX_ERROR

Description: Java Query Server Query syntax error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_JAVA_QUERYSERVER_REDIS_ERROR

Description: Java Query Server Redis error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_JAVA_QUERYSERVER_WARN

Description: Java Query Server Query warning

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_QUERYSRV_DUPLICATED_QUERYID

Description: Duplicated query id

Severity: 6 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERYSRV_INVALID_QUERYXML

Description: Invalid query xml

Severity: 6 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_AGGR_RESULTS_POST_PROCESS_FAILED

Description: Query Master failed to post-process aggregate query results - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_ATTR_UNDEFINED

Description: Query Master/Worker found undefined attribute in Query XML - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_BAD_RESULT_STATUS

Description: Bad Query Result Status

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_CACHE_GET_FAILED

Description: FortiSIEM Query Master failed to get cache results

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_CACHE_RESULT_GET_FAILED

Description: Query Master failed to get query results from its own cache - query will be resubmitted

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_CACHE_TRIGGER_EVENT_GET_FAILED

Description: Query Master failed to get trigger event query from Data Manager - Query Master will attempt to get trigger events from event database

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_CHAR_UNEXPECTED

Description: Query Master/Worker found unexpected character in expression in a Query XML - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string



EventType: PH_QUERY_CH_PARSE_FAILED

Description: Query Master failed to parse CLICKHOUSE query result

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_CH_POST_FAILED

Description: Query Master failed to post query to CLICKHOUSE

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason

httpStatusCode

HTTP Status

string



EventType: PH_QUERY_CLICKHOUSE_DATA_FAILED

Description: FortiSIEM ClickHouse DATA failure

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_CLICKHOUSE_EXEC_FAILED

Description: Failed to exec query from ClickHouse

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_CLICKHOUSE_STARTS

Description: ClickHouse query starts

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_CLICKHOUSE_STOP_FAILED

Description: Failed to stop ClickHouse query

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_QUERY_CLICKHOUSE_WAITING_QUEUE_FULL

Description: ClickHouse query waiting queue is full

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_COMMAND_BAD

Description: Internal error - unsupported query control command - expected Stop, pause and resume

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_COMPLETION_NOTIFICATION_SEND_FAILED

Description: Query Master failed to send query completion notification to App server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_CONFIG_UNDEFINED

Description: Query Master/Worker found undefined phoenix_config item

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

configName

Config Name

string



EventType: PH_QUERY_CONVERT_FAILED

Description: Query Master/Worker failed to convert a particular query to certain format - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_DATA_ENUM_FAILED

Description: Query Master failed to enumerate inline report results for a particular report - inline report will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_DATA_MANAGER_NODES_GET_FAILED

Description: Query Master failed to get Data Manager IP addresses - queries will be done by Query Master until the next attempt to get this list of IP addresses

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_QUERY_DATA_SEND_FAILED

Description: Query Master failed to send query-related data to App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_DATA_SIZE_MISMATCH

Description: Query Master found size mismatch between two data entries while loading a particular inline query - this inline report will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_DATA_SIZE_UNEXPECTED

Description: Query Master found unexpected data size while returning results to App server - inline report will not have results

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_DATA_TYPE_UNEXPECTED

Description: Query Master found unexpected data types while returning results to App server - inline report will not have results

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_DB_SERVER_HOST_UNDEFINED

Description: Database server host not defined for query master

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

configName

Config Name

string



EventType: PH_QUERY_DIR_CREATE_FAILED

Description: Query Master/Worker/Data Manager failed to create directory

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_DIR_RENAME_FAILED

Description: Query Master/Worker/Data Manager failed to rename directory

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

srcFilePath

Source File Path

string

destFilePath

Destination File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_DISTRIBUTION

Description: Query distribution (Worker IP: Workload)

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string

oldDistrib

Old Distribution

string

newDistrib

New Distribution

string



EventType: PH_QUERY_DURATION

Description: Query statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

reportName

Report Name

string

FortiSIEM report name.



EventType: PH_QUERY_ES_PARSE_FAILED

Description: Query Master failed to parse Elastic Search Summary query result - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_ES_POST_FAILED

Description: Query Master failed to provide Elastic Search Summary query results to App Server - query results will not be available

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason

httpStatusCode

HTTP Status

string



EventType: PH_QUERY_ES_SCROLL_FAILED

Description: ES Query scroll failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_EVENT_COLLECTOR_UNAVAILABLE

Description: Query Master/Worker failed to get event collector for a particular query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_EVENT_ID_GET_FAILED

Description: Query Master failed to get triggered event ID for a particular triggered event query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

eventId

Event ID

uint64

This is a globally unique ID assigned to every raw event ingested into the SIEM. This is used by the system for tying events to incidents, and is typically not needed by end users.

queryId

Query Id

string



EventType: PH_QUERY_EVENT_PARSE_FAILED

Description: Query Master failed to parse events from Data Manager - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

seqNum

Sequence Number

uint64

TCP Sequence number field in TCP header.

queryId

Query Id

string



EventType: PH_QUERY_EVENT_PAYLOAD_READ_FAILED

Description: Query Master failed to read events - some real time events may be missed

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_EXCEPTION_CAUGHT

Description: Query Worker encountered corrupt event index or data - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_EXPORT_TASK_CREAT_FAILED

Description: FortiSIEM Query Engine failed to export query result

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string



EventType: PH_QUERY_EXPORT_TASK_INSERT_FAILED

Description: FortiSIEM Query Engine failed to start query result export task

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string



EventType: PH_QUERY_EXPR_INCOMPLETE

Description: Query Master failed to handle Query XML during internal processing- Incomplete expression

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string



EventType: PH_QUERY_FILE_CONTENT_BAD

Description: Query Master / Worker found invalid content in Query XML file - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_QUERY_FILE_CONTENT_MISSING

Description: Query Master / Worker found certain content missing in Query XML file - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_QUERY_FILE_COPY_FAILED

Description: Query Master failed to copy query XML file from completed/active to eventdb directory - XXX

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

srcFilePath

Source File Path

string

destFilePath

Destination File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_CORRUPT

Description: Query Master found corrupt query status file for a particular query - query will not be completed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_QUERY_FILE_CREATE_FAILED

Description: Query Master / Worker failed to create query result file - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_EMPTY

Description: Query Master/Worker found empty query status backup file - system loses redundancy for this query

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_QUERY_FILE_HEADER_GET_FAILED

Description: Query Master failed to read query related file header from query result file - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_FILE_LINK_FAILED

Description: Query Master / Worker failed to hard link query result file - query cache will not be used

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

srcFilePath

Source File Path

string

destFilePath

Destination File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_MAGIC_BAD

Description: Query Master found bad query-related file magic inside query status or result file - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_FILE_MMAP_FAILED

Description: Query Master failed to memory-map summary event cache file - summary event query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_NAME_BAD

Description: Query Master found invalidly formatted summary event cache file - summary event query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_QUERY_FILE_OPEN_FAILED

Description: Query Master / Worker/ Data Manager failed to open query related file - related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_READ_FAILED

Description: Query Master / Worker/ Data Manager failed to read query related file - related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_REMOVE_FAILED

Description: Query Master failed to remove cached query result file - disk may eventually get full

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_SEEK_FAILED

Description: Query Master failed to seek trend file to offset for a specific inline report - that inline report will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

seqNum

Sequence Number

uint64

TCP Sequence number field in TCP header.



EventType: PH_QUERY_FILE_STAT_FAILED

Description: Query Master / Worker/ Data Manager failed to stat query related file - related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FORMAT_UNSUPPORTED

Description: Query Master received unsupported report export file format from App Server - export will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_FUNC_ERROR

Description: Query Master / Worker encountered internal function error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

funName

Function Name

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_ID_DUPLICATE

Description: Query Master / Worker encountered duplicate query ID assigned by App server - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_ID_INACTIVE

Description: Query Master / Worker failed to retrieve supposedly active query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_ID_NOT_FOUND

Description: Query Master / Worker failed to find Query ID not found in task queue - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_ID_REMOVE_FAILED

Description: Query Master failed to remove trigger event query ID from task queue - partial results will be returned

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_ID_UNSUPPORTED

Description: Query Master found unsupported query type hint from App Server - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_INLINEREQUEST_BAD

Description: Query Master received bad inline query request via TCP socket - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_IPC_EVENT_SEND_FAILED

Description: Query Master failed to send IPC event (containing heartbeat data) to Data Manager - trigger event queries may be slow

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

destIpAddr

Destination IP

IP

Destination IP of a device as identified in the event.



EventType: PH_QUERY_IP_GET_FAILED

Description: Query Master failed to get Supervisor IP - Query Master will not be able to communicate with Super data Manager

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostName

Host Name

string

This is the hostname of the device of interest in the event



EventType: PH_QUERY_IP_INVALID

Description: Query Worker got invalid Query Master IP - queries will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.



EventType: PH_QUERY_IP_TYPE_INVALID

Description: Invalid IP type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_LOGINTEGRITYEXPORT_TASK_CREAT_FAILED

Description: Data Manager failed to create task for exporting log integrity check request from App Server - request will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_LOGINTEGRITYEXPORT_TASK_INSERT_FAILED

Description: Data Manager failed to insert task for exporting log integrity check request from App Server into internal task queue - request will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_LOG_INTEGRITY_EXPORT_DIR_UNCONFIGURED

Description: Query Master failed to obtain log integrity export directory - particular request will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_LOG_INTEGRITY_EXPORT_FAILED

Description: Query Master failed to export bad event blocks from file - log integrity query from App server will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_QUERY_LONG_RUNNING_STOPPED

Description: Long running query stopped

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string

reportName

Report Name

string

FortiSIEM report name.



EventType: PH_QUERY_MEM_ALLOC_FAILED

Description: Query Master / Worker failed to allocate memory during event / rule processing

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

totBytes64

Total Bytes64

uint64

Total number of sent and received bytes by a host. This has 64bit resolution.



EventType: PH_QUERY_MESSAGE_SEND_FAILED

Description: FortiSIEM Query Engine failed to send message

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

type

Type

string

destIpPort

Destination TCP/UDP Port

uint16

This is the destination TCP or UDP port as identified in the event



EventType: PH_QUERY_MODULE_INIT_FAILED

Description: Query Master / Worker module failed to initialize

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

module

Module Name

string

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_QUERY_MODULE_UNCONFIGURED

Description: Query Master / Worker module failed to obtain some parameters during phoenix_config.txt during initialization - module likely will not start

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

module

Module Name

string



EventType: PH_QUERY_ONLINE_WORKER_CHANGED

Description: FortiSIEM Online Query Worker number changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

count

Count

uint32

A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group by parameters occurs again. The count is incremented and the Last Seen time is advanced. Count can be used for other events also.



EventType: PH_QUERY_PARSED_EVENT_LOAD_FAILED

Description: Query Worker failed to load parsed event from shared buffer during real time query which may not show events from this Query Worker node

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_PARTIAL_WORKER_FAILURE

Description: Partial query results due to worker failure

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string

reportName

Report Name

string

FortiSIEM report name.



EventType: PH_QUERY_PCAP_FINALIZE_FAILED

Description: Query Master failed to finalize pcap export - export will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_PCAP_LOAD_FAILED

Description: Query Master failed to load query results in pcap format - results will not be complete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

seqNum

Sequence Number

uint64

TCP Sequence number field in TCP header.



EventType: PH_QUERY_PCAP_RENAME_FAILED

Description: Query Master failed to rename pcap file - export will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

srcFilePath

Source File Path

string

destFilePath

Destination File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_PCAP_TRANSFER_FAILED

Description: Query Master failed to transfer event to pcap packet - results will not be complete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

seqNum

Sequence Number

uint64

TCP Sequence number field in TCP header.



EventType: PH_QUERY_PGDB_EXEC_SQL_FAILED

Description: Query Master failed to execute SQL statement against Supervisor Postgres DB for Incident Query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dbQuery

Database Query

string



EventType: PH_QUERY_PGDB_RECONNECT_FAILED

Description: Query Master failed to reconnect to Supervisor Postgres DB - Query Master will remain disconnected and all incident queries will fail

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_QUERY_PGDB_SQL_GET_VAL_FAILED

Description: Query Master failed to get column value from SQL result - incident query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_POST_FILTER_PARSE_FAILED

Description: Query Master failed to parse post-filter inline query results - no post-filtering is going to occur

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string



EventType: PH_QUERY_PQ_ERROR

Description: FortiSIEM Postgres DB connection or execution error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

funName

Function Name

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_PROCESS_GET_FAILED

Description: Query Master failed to get its own parent process

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_PROFILE_ATTR_UNSPECIFIED

Description: Query Master failed to find specified attribute in Profile Query XML from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_PROFILE_EVENT_TYPE_ERROR

Description: Query Master encountered unexpected event type in a Profile Query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_PROFILE_FUNCITION_ERROR

Description: Query Master hit Function error while executing Profile Query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_PROFILE_NOT_MARKED_AS_BASELINE

Description: Query Master will not execute a profile query since it is not marked as baseline

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_PROGRESS_REJECTED

Description: Query Worker fails to upload query progress to Query Master - some progress reporting will be skipped

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string

httpStatusCode

HTTP Status

string



EventType: PH_QUERY_REPORTEXPORT_TASK_CREAT_FAILED

Description: Query Master failed to create task for exporting CSV/PCAP formatted Query request from App Server - export will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_REPORTEXPORT_TASK_INSERT_FAILED

Description: Query Master failed to insert task for exporting CSV/PCAP formatted Query request from App Server into internal task queue - export will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_REPORT_RESULTS_LOAD_FAILED

Description: Query Master failed to load inline query report results from file - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_QUERY_REPORT_RESULTS_POST_FILTER_FAILED

Description: Query Master failed to post-filter inline query report results - no post-filtering is going to occur

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_REPORT_RESULT_FILE_NOT_EXIST

Description: Query report result file not exist

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_QUERY_REQUEST_BAD

Description: FortiSIEM Query Engine received bad request

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.

queryId

Query Id

string



EventType: PH_QUERY_RESULT_FILES_MERGE_FAILED

Description: Query Master failed to merge inline query result files - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_RESULT_GET_FAILED

Description: Query Master failed to produce inline query result / CSV export - operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

seqNum

Sequence Number

uint64

TCP Sequence number field in TCP header.



EventType: PH_QUERY_RESULT_NOT_READY

Description: Query Master failed to find Query result directory for CSV export

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_RESULT_PARSE_FAILED

Description: Query Master failed to parse trigger event query result from Data Manager

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

seqNum

Sequence Number

uint64

TCP Sequence number field in TCP header.

queryId

Query Id

string



EventType: PH_QUERY_RESULT_REJECTED

Description: Query Master rejected query result upload from Query Worker

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

httpStatusCode

HTTP Status

string



EventType: PH_QUERY_RESULT_SAVE_FAILED

Description: FortiSIEM Query Engine failed to save query result

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

seqNum

Sequence Number

uint64

TCP Sequence number field in TCP header.



EventType: PH_QUERY_RESULT_UPLOAD_FAILED

Description: Query Worker failed to upload query result to Query Master - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

destIpAddr

Destination IP

IP

Destination IP of a device as identified in the event.

queryId

Query Id

string

filePath

File Path

string

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_QUERY_RT_ERROR

Description: Query Worker spawned excessive threads to handle reat time search and will exit (delete)

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_SORT_SPEC_GET_FAILED

Description: Query Master failed to get sort specfication for cached query result - query will automatically rerun

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_START_FAILED

Description: Query Worker failed to start a query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.

queryId

Query Id

string

reportName

Report Name

string

FortiSIEM report name.



EventType: PH_QUERY_STATE_BAD

Description: Query Master encounters invalid query state - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_STATUS_LOAD_FAILED

Description: Query Master failed to load query status from disk - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_STATUS_SAVE_FAILED

Description: Query Master failed to save query status to disk - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_SUMM_ATTR_BAD

Description: Query Master encoutered bad attribute in Summary Dashboard data cache - cache will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_SUMM_ATTR_MISSING

Description: Query Master failed to locate an attribute in Summary Dashboard data cache - cache will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_SUMM_ATTR_UPDATE_FAILED

Description: Query Master failed to update certain host attribute in Summary Dashboard data cache - cache will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.



EventType: PH_QUERY_SUMM_COLUMN_UNSUPPORTED

Description: Query Master encountered unsupported attribute in Summary Dashboard data cache - cache will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_SUMM_EVENT_SKIPPED

Description: Query Master skipped a bad event for Summary Dashboard data cache - performance metrics will be partially updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

compEventType

Component Event Type

string

This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute.

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_QUERY_SUMM_PARSE_FAILED

Description: Query Master failed to parse Summary Dashboard Query XML - one query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string



EventType: PH_QUERY_SUMM_PERF_ETINFO_UNSUPPORTED

Description: Query Master encountered unsupported perfETInfo in Summary Dashboard Query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_TASK_INVALID

Description: FortiSIEM Query task and worker IP are not matched

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string

clientIpAddr

Client IP

IP



EventType: PH_QUERY_TASK_REROUTED

Description: FortiSIEM Query task is rerouted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string

srcIpAddr

Source IP

IP

Source IP of a device as identified in the event.

destIpAddr

Destination IP

IP

Destination IP of a device as identified in the event.



EventType: PH_QUERY_TASK_REROUTE_FAILED

Description: FortiSIEM Query Task Reroute failed

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_QUERY_VALUE_TYPE_UNSUPPORTED

Description: FortiSIEM Query Engine encountered bad value type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_WORKERS_GET_FAILED

Description: Query Master failed to get the list of query workers - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_QUERY_WORKERS_SPLIT_AMONG_FAILED

Description: Query Master failed to split query among workers - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_WORKER_CHANGED_TO_OFFLINE

Description: FortiSIEM Query Worker Status Changed from online to offline

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverIpAddr

Server IP

IP



EventType: PH_QUERY_WORKER_CHANGED_TO_ONLINE

Description: FortiSIEM Query Worker Status Changed from offline to online

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverIpAddr

Server IP

IP



EventType: PH_QUERY_XML_PARSE_FAILED

Description: Query Master / Worker failed to parse query XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string

totBytes64

Total Bytes64

uint64

Total number of sent and received bytes by a host. This has 64bit resolution.