Query Logs
This section provides logs related to querying events.
EventType: PH_JAVA_QUERYSERVER_ACTION_UNSUPPORTED_ERROR
Description: Java Query Server unsupported action
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_JAVA_QUERYSERVER_ELASTIC_ERROR
Description: Java Query Server Elasticsearch error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_JAVA_QUERYSERVER_ERROR
Description: Java Query Server error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_JAVA_QUERYSERVER_INFO
Description: Java Query Server Query informational log
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_JAVA_QUERYSERVER_QUERYID_ERROR
Description: Java Query Server unknown or expired Query ID error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_JAVA_QUERYSERVER_QUERY_SYNTAX_ERROR
Description: Java Query Server Query syntax error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_JAVA_QUERYSERVER_REDIS_ERROR
Description: Java Query Server Redis error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_JAVA_QUERYSERVER_WARN
Description: Java Query Server Query warning
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_QUERYSRV_DUPLICATED_QUERYID
Description: Duplicated query id
Severity: 6 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERYSRV_INVALID_QUERYXML
Description: Invalid query xml
Severity: 6 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_AGGR_RESULTS_POST_PROCESS_FAILED
Description: Query Master failed to post-process aggregate query results - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
EventType: PH_QUERY_ATTR_UNDEFINED
Description: Query Master/Worker found undefined attribute in Query XML - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_BAD_RESULT_STATUS
Description: Bad Query Result Status
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
EventType: PH_QUERY_CACHE_GET_FAILED
Description: FortiSIEM Query Master failed to get cache results
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
task | Task | string | |
errorString | Error String | string | This is the error message, synonymous with attribute errReason |
EventType: PH_QUERY_CACHE_RESULT_GET_FAILED
Description: Query Master failed to get query results from its own cache - query will be resubmitted
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
errorString | Error String | string | This is the error message, synonymous with attribute errReason |
EventType: PH_QUERY_CACHE_TRIGGER_EVENT_GET_FAILED
Description: Query Master failed to get trigger event query from Data Manager - Query Master will attempt to get trigger events from event database
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_CHAR_UNEXPECTED
Description: Query Master/Worker found unexpected character in expression in a Query XML - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
task | Task | string | |
EventType: PH_QUERY_CH_PARSE_FAILED
Description: Query Master failed to parse CLICKHOUSE query result
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_CH_POST_FAILED
Description: Query Master failed to post query to CLICKHOUSE
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
task | Task | string | |
errorString | Error String | string | This is the error message, synonymous with attribute errReason |
httpStatusCode | HTTP Status | string | |
EventType: PH_QUERY_CLICKHOUSE_DATA_FAILED
Description: FortiSIEM ClickHouse DATA failure
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
EventType: PH_QUERY_CLICKHOUSE_EXEC_FAILED
Description: Failed to exec query from ClickHouse
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
EventType: PH_QUERY_CLICKHOUSE_STARTS
Description: ClickHouse query starts
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
EventType: PH_QUERY_CLICKHOUSE_STOP_FAILED
Description: Failed to stop ClickHouse query
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
errReason | Reason for Error | string | This is the reason for an error if given. |
EventType: PH_QUERY_CLICKHOUSE_WAITING_QUEUE_FULL
Description: ClickHouse query waiting queue is full
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
EventType: PH_QUERY_COMMAND_BAD
Description: Internal error - unsupported query control command - expected Stop, pause and resume
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_COMPLETION_NOTIFICATION_SEND_FAILED
Description: Query Master failed to send query completion notification to App server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
EventType: PH_QUERY_CONFIG_UNDEFINED
Description: Query Master/Worker found undefined phoenix_config item
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
configName | Config Name | string | |
EventType: PH_QUERY_CONVERT_FAILED
Description: Query Master/Worker failed to convert a particular query to certain format - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
EventType: PH_QUERY_DATA_ENUM_FAILED
Description: Query Master failed to enumerate inline report results for a particular report - inline report will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_DATA_MANAGER_NODES_GET_FAILED
Description: Query Master failed to get Data Manager IP addresses - queries will be done by Query Master until the next attempt to get this list of IP addresses
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
errReason | Reason for Error | string | This is the reason for an error if given. |
EventType: PH_QUERY_DATA_SEND_FAILED
Description: Query Master failed to send query-related data to App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_DATA_SIZE_MISMATCH
Description: Query Master found size mismatch between two data entries while loading a particular inline query - this inline report will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_DATA_SIZE_UNEXPECTED
Description: Query Master found unexpected data size while returning results to App server - inline report will not have results
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_DATA_TYPE_UNEXPECTED
Description: Query Master found unexpected data types while returning results to App server - inline report will not have results
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_DB_SERVER_HOST_UNDEFINED
Description: Database server host not defined for query master
Severity: 3 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
configName | Config Name | string | |
EventType: PH_QUERY_DIR_CREATE_FAILED
Description: Query Master/Worker/Data Manager failed to create directory
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_QUERY_DIR_RENAME_FAILED
Description: Query Master/Worker/Data Manager failed to rename directory
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
srcFilePath | Source File Path | string | |
destFilePath | Destination File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_QUERY_DISTRIBUTION
Description: Query distribution (Worker IP: Workload)
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
oldDistrib | Old Distribution | string | |
newDistrib | New Distribution | string | |
EventType: PH_QUERY_DURATION
Description: Query statistics
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
reportName | Report Name | string | FortiSIEM report name. |
EventType: PH_QUERY_ES_PARSE_FAILED
Description: Query Master failed to parse Elastic Search Summary query result - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_ES_POST_FAILED
Description: Query Master failed to provide Elastic Search Summary query results to App Server - query results will not be available
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
task | Task | string | |
errorString | Error String | string | This is the error message, synonymous with attribute errReason |
httpStatusCode | HTTP Status | string | |
EventType: PH_QUERY_ES_SCROLL_FAILED
Description: ES Query scroll failed
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_EVENT_COLLECTOR_UNAVAILABLE
Description: Query Master/Worker failed to get event collector for a particular query - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
EventType: PH_QUERY_EVENT_ID_GET_FAILED
Description: Query Master failed to get triggered event ID for a particular triggered event query - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
eventId | Event ID | uint64 | This is a globally unique ID assigned to every raw event ingested into the SIEM. This is used by the system for tying events to incidents, and is typically not needed by end users. |
queryId | Query Id | string | |
EventType: PH_QUERY_EVENT_PARSE_FAILED
Description: Query Master failed to parse events from Data Manager - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header. |
queryId | Query Id | string | |
EventType: PH_QUERY_EVENT_PAYLOAD_READ_FAILED
Description: Query Master failed to read events - some real time events may be missed
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_EXCEPTION_CAUGHT
Description: Query Worker encountered corrupt event index or data - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
errorString | Error String | string | This is the error message, synonymous with attribute errReason |
EventType: PH_QUERY_EXPORT_TASK_CREAT_FAILED
Description: FortiSIEM Query Engine failed to export query result
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
task | Task | string | |
EventType: PH_QUERY_EXPORT_TASK_INSERT_FAILED
Description: FortiSIEM Query Engine failed to start query result export task
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
task | Task | string | |
EventType: PH_QUERY_EXPR_INCOMPLETE
Description: Query Master failed to handle Query XML during internal processing - incomplete expression
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
task | Task | string | |
EventType: PH_QUERY_FILE_CONTENT_BAD
Description: Query Master / Worker found invalid content in Query XML file - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
EventType: PH_QUERY_FILE_CONTENT_MISSING
Description: Query Master / Worker found certain content missing in Query XML file - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
EventType: PH_QUERY_FILE_COPY_FAILED
Description: Query Master failed to copy query XML file from completed/active to eventdb directory - XXX
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
srcFilePath | Source File Path | string | |
destFilePath | Destination File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_QUERY_FILE_CORRUPT
Description: Query Master found corrupt query status file for a particular query - query will not be completed
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
EventType: PH_QUERY_FILE_CREATE_FAILED
Description: Query Master / Worker failed to create query result file - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_QUERY_FILE_EMPTY
Description: Query Master/Worker found empty query status backup file - system loses redundancy for this query
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
EventType: PH_QUERY_FILE_HEADER_GET_FAILED
Description: Query Master failed to read query related file header from query result file - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_FILE_LINK_FAILED
Description: Query Master / Worker failed to hard link query result file - query cache will not be used
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
srcFilePath | Source File Path | string | |
destFilePath | Destination File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_QUERY_FILE_MAGIC_BAD
Description: Query Master found bad query-related file magic inside query status or result file - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_FILE_MMAP_FAILED
Description: Query Master failed to memory-map summary event cache file - summary event query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_QUERY_FILE_NAME_BAD
Description: Query Master found invalidly formatted summary event cache file - summary event query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
EventType: PH_QUERY_FILE_OPEN_FAILED
Description: Query Master / Worker / Data Manager failed to open query related file - related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_QUERY_FILE_READ_FAILED
Description: Query Master / Worker / Data Manager failed to read query related file - related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_QUERY_FILE_REMOVE_FAILED
Description: Query Master failed to remove cached query result file - disk may eventually get full
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_QUERY_FILE_SEEK_FAILED
Description: Query Master failed to seek trend file to offset for a specific inline report - that inline report will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header. |
EventType: PH_QUERY_FILE_STAT_FAILED
Description: Query Master / Worker / Data Manager failed to stat query related file - related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_QUERY_FORMAT_UNSUPPORTED
Description: Query Master received unsupported report export file format from App Server - export will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_FUNC_ERROR
Description: Query Master / Worker encountered internal function error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
funName | Function Name | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_QUERY_ID_DUPLICATE
Description: Query Master / Worker encountered duplicate query ID assigned by App server - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
EventType: PH_QUERY_ID_INACTIVE
Description: Query Master / Worker failed to retrieve supposedly active query - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
EventType: PH_QUERY_ID_NOT_FOUND
Description: Query Master / Worker failed to find Query ID in task queue - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
EventType: PH_QUERY_ID_REMOVE_FAILED
Description: Query Master failed to remove trigger event query ID from task queue - partial results will be returned
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
EventType: PH_QUERY_ID_UNSUPPORTED
Description: Query Master found unsupported query type hint from App Server - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
EventType: PH_QUERY_INLINEREQUEST_BAD
Description: Query Master received bad inline query request via TCP socket - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_IPC_EVENT_SEND_FAILED
Description: Query Master failed to send IPC event (containing heartbeat data) to Data Manager - trigger event queries may be slow
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
destIpAddr | Destination IP | IP | Destination IP of a device as identified in the event. |
EventType: PH_QUERY_IP_GET_FAILED
Description: Query Master failed to get Supervisor IP - Query Master will not be able to communicate with Supervisor Data Manager
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
hostName | Host Name | string | This is the hostname of the device of interest in the event. |
EventType: PH_QUERY_IP_INVALID
Description: Query Worker got invalid Query Master IP - queries will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event. |
EventType: PH_QUERY_IP_TYPE_INVALID
Description: Invalid IP type
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_LOGINTEGRITYEXPORT_TASK_CREAT_FAILED
Description: Data Manager failed to create task for exporting log integrity check request from App Server - request will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_LOGINTEGRITYEXPORT_TASK_INSERT_FAILED
Description: Data Manager failed to insert task for exporting log integrity check request from App Server into internal task queue - request will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_LOG_INTEGRITY_EXPORT_DIR_UNCONFIGURED
Description: Query Master failed to obtain log integrity export directory - particular request will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_LOG_INTEGRITY_EXPORT_FAILED
Description: Query Master failed to export bad event blocks from file - log integrity query from App server will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
EventType: PH_QUERY_LONG_RUNNING_STOPPED
Description: Long running query stopped
Severity: 3 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
reportName | Report Name | string | FortiSIEM report name. |
EventType: PH_QUERY_MEM_ALLOC_FAILED
Description: Query Master / Worker failed to allocate memory during event / rule processing
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64-bit resolution. |
EventType: PH_QUERY_MESSAGE_SEND_FAILED
Description: FortiSIEM Query Engine failed to send message
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
type | Type | string | |
destIpPort | Destination TCP/UDP Port | uint16 | This is the destination TCP or UDP port as identified in the event. |
EventType: PH_QUERY_MODULE_INIT_FAILED
Description: Query Master / Worker module failed to initialize
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
module | Module Name | string | |
errReason | Reason for Error | string | This is the reason for an error if given. |
EventType: PH_QUERY_MODULE_UNCONFIGURED
Description: Query Master / Worker module failed to obtain some parameters from phoenix_config.txt during initialization - module likely will not start
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
module | Module Name | string | |
EventType: PH_QUERY_ONLINE_WORKER_CHANGED
Description: FortiSIEM Online Query Worker number changed
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
count | Count | uint32 | A general count variable. A common use case is for incidents: Count represents how many times an Incident occurred in a time interval. When an Incident with the same group-by parameters occurs again, the count is incremented and the Last Seen time is advanced. Count can be used for other events also. |
EventType: PH_QUERY_PARSED_EVENT_LOAD_FAILED
Description: Query Worker failed to load parsed event from shared buffer during real time query - events from this Query Worker node may not be shown
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_PARTIAL_WORKER_FAILURE
Description: Partial query results due to worker failure
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
reportName | Report Name | string | FortiSIEM report name. |
EventType: PH_QUERY_PCAP_FINALIZE_FAILED
Description: Query Master failed to finalize pcap export - export will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_PCAP_LOAD_FAILED
Description: Query Master failed to load query results in pcap format - results will not be complete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header. |
EventType: PH_QUERY_PCAP_RENAME_FAILED
Description: Query Master failed to rename pcap file - export will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
srcFilePath | Source File Path | string | |
destFilePath | Destination File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_QUERY_PCAP_TRANSFER_FAILED
Description: Query Master failed to transfer event to pcap packet - results will not be complete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header. |
EventType: PH_QUERY_PGDB_EXEC_SQL_FAILED
Description: Query Master failed to execute SQL statement against Supervisor Postgres DB for Incident Query - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
dbQuery | Database Query | string | |
EventType: PH_QUERY_PGDB_RECONNECT_FAILED
Description: Query Master failed to reconnect to Supervisor Postgres DB - Query Master will remain disconnected and all incident queries will fail
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_QUERY_PGDB_SQL_GET_VAL_FAILED
Description: Query Master failed to get column value from SQL result - incident query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_POST_FILTER_PARSE_FAILED
Description: Query Master failed to parse post-filter inline query results - no post-filtering is going to occur
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
task | Task | string | |
EventType: PH_QUERY_PQ_ERROR
Description: FortiSIEM Postgres DB connection or execution error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
funName | Function Name | string | |
errorString | Error String | string | This is the error message, synonymous with attribute errReason |
EventType: PH_QUERY_PROCESS_GET_FAILED
Description: Query Master failed to get its own parent process
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_PROFILE_ATTR_UNSPECIFIED
Description: Query Master failed to find specified attribute in Profile Query XML from App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_PROFILE_EVENT_TYPE_ERROR
Description: Query Master encountered unexpected event type in a Profile Query - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
errorString | Error String | string | This is the error message, synonymous with attribute errReason |
EventType: PH_QUERY_PROFILE_FUNCITION_ERROR
Description: Query Master hit a function error while executing Profile Query - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
errorString | Error String | string | This is the error message, synonymous with attribute errReason |
EventType: PH_QUERY_PROFILE_NOT_MARKED_AS_BASELINE
Description: Query Master will not execute a profile query since it is not marked as baseline
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
EventType: PH_QUERY_PROGRESS_REJECTED
Description: Query Worker failed to upload query progress to Query Master - some progress reporting will be skipped
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
httpStatusCode | HTTP Status | string | |
EventType: PH_QUERY_REPORTEXPORT_TASK_CREAT_FAILED
Description: Query Master failed to create task for exporting CSV/PCAP formatted Query request from App Server - export will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_REPORTEXPORT_TASK_INSERT_FAILED
Description: Query Master failed to insert task for exporting CSV/PCAP formatted Query request from App Server into internal task queue - export will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_REPORT_RESULTS_LOAD_FAILED
Description: Query Master failed to load inline query report results from file - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
EventType: PH_QUERY_REPORT_RESULTS_POST_FILTER_FAILED
Description: Query Master failed to post-filter inline query report results - no post-filtering is going to occur
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
errorString | Error String | string | This is the error message, synonymous with attribute errReason |
EventType: PH_QUERY_REPORT_RESULT_FILE_NOT_EXIST
Description: Query report result file does not exist
Severity: 3 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
EventType: PH_QUERY_REQUEST_BAD
Description: FortiSIEM Query Engine received bad request
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
errReason | Reason for Error | string | This is the reason for an error if given. |
queryId | Query Id | string | |
EventType: PH_QUERY_RESULT_FILES_MERGE_FAILED
Description: Query Master failed to merge inline query result files - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_RESULT_GET_FAILED
Description: Query Master failed to produce inline query result / CSV export - operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header. |
EventType: PH_QUERY_RESULT_NOT_READY
Description: Query Master failed to find Query result directory for CSV export
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_RESULT_PARSE_FAILED
Description: Query Master failed to parse trigger event query result from Data Manager
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
| Id | Display name | Type | Description |
|---|---|---|---|
| seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header. |
| queryId | Query Id | string | |
EventType: PH_QUERY_RESULT_REJECTED
Description: Query Master rejected query result upload from Query Worker
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
| Id | Display name | Type | Description |
|---|---|---|---|
| filePath | File Path | string | |
| httpStatusCode | HTTP Status | string | |
EventType: PH_QUERY_RESULT_SAVE_FAILED
Description: FortiSIEM Query Engine failed to save query result
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
| Id | Display name | Type | Description |
|---|---|---|---|
| seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header. |
EventType: PH_QUERY_RESULT_UPLOAD_FAILED
Description: Query Worker failed to upload query result to Query Master - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
| Id | Display name | Type | Description |
|---|---|---|---|
| destIpAddr | Destination IP | IP | Destination IP of a device as identified in the event. |
| queryId | Query Id | string | |
| filePath | File Path | string | |
| errReason | Reason for Error | string | This is the reason for an error if given. |
EventType: PH_QUERY_RT_ERROR
Description: Query Worker spawned excessive threads to handle real-time search and will exit (delete)
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
| Id | Display name | Type | Description |
|---|---|---|---|
| errorString | Error String | string | This is the error message, synonymous with the attribute errReason. |
EventType: PH_QUERY_SORT_SPEC_GET_FAILED
Description: Query Master failed to get sort specification for cached query result - query will automatically rerun
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_START_FAILED
Description: Query Worker failed to start a query - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
| Id | Display name | Type | Description |
|---|---|---|---|
| errReason | Reason for Error | string | This is the reason for an error if given. |
| queryId | Query Id | string | |
| reportName | Report Name | string | FortiSIEM report name. |
EventType: PH_QUERY_STATE_BAD
Description: Query Master encountered invalid query state - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
| Id | Display name | Type | Description |
|---|---|---|---|
| queryId | Query Id | string | |
EventType: PH_QUERY_STATUS_LOAD_FAILED
Description: Query Master failed to load query status from disk - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_STATUS_SAVE_FAILED
Description: Query Master failed to save query status to disk - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_SUMM_ATTR_BAD
Description: Query Master encountered bad attribute in Summary Dashboard data cache - cache will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_SUMM_ATTR_MISSING
Description: Query Master failed to locate an attribute in Summary Dashboard data cache - cache will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_SUMM_ATTR_UPDATE_FAILED
Description: Query Master failed to update certain host attribute in Summary Dashboard data cache - cache will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
| Id | Display name | Type | Description |
|---|---|---|---|
| hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event. |
EventType: PH_QUERY_SUMM_COLUMN_UNSUPPORTED
Description: Query Master encountered unsupported attribute in Summary Dashboard data cache - cache will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_SUMM_EVENT_SKIPPED
Description: Query Master skipped a bad event for Summary Dashboard data cache - performance metrics will be partially updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
| Id | Display name | Type | Description |
|---|---|---|---|
| compEventType | Component Event Type | string | This is the event type in the Incident event. Since an Incident is itself an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute. |
| errReason | Reason for Error | string | This is the reason for an error if given. |
EventType: PH_QUERY_SUMM_PARSE_FAILED
Description: Query Master failed to parse Summary Dashboard Query XML - one query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
| Id | Display name | Type | Description |
|---|---|---|---|
| task | Task | string | |
EventType: PH_QUERY_SUMM_PERF_ETINFO_UNSUPPORTED
Description: Query Master encountered unsupported perfETInfo in Summary Dashboard Query - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_TASK_INVALID
Description: FortiSIEM Query task and worker IP do not match
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
| Id | Display name | Type | Description |
|---|---|---|---|
| task | Task | string | |
| clientIpAddr | Client IP | IP | |
EventType: PH_QUERY_TASK_REROUTED
Description: FortiSIEM Query task is rerouted
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
| Id | Display name | Type | Description |
|---|---|---|---|
| task | Task | string | |
| srcIpAddr | Source IP | IP | Source IP of a device as identified in the event. |
| destIpAddr | Destination IP | IP | Destination IP of a device as identified in the event. |
EventType: PH_QUERY_TASK_REROUTE_FAILED
Description: FortiSIEM Query Task Reroute failed
Severity: 6 (Medium)
Event Category: 3 (System Logs)
Attributes:
| Id | Display name | Type | Description |
|---|---|---|---|
| task | Task | string | |
| errReason | Reason for Error | string | This is the reason for an error if given. |
EventType: PH_QUERY_VALUE_TYPE_UNSUPPORTED
Description: FortiSIEM Query Engine encountered bad value type
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_WORKERS_GET_FAILED
Description: Query Master failed to get the list of query workers - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
| Id | Display name | Type | Description |
|---|---|---|---|
| errReason | Reason for Error | string | This is the reason for an error if given. |
EventType: PH_QUERY_WORKERS_SPLIT_AMONG_FAILED
Description: Query Master failed to split query among workers - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
| Id | Display name | Type | Description |
|---|---|---|---|
| queryId | Query Id | string | |
EventType: PH_QUERY_WORKER_CHANGED_TO_OFFLINE
Description: FortiSIEM Query Worker Status Changed from online to offline
Severity: 6 (Medium)
Event Category: 3 (System Logs)
Attributes:
| Id | Display name | Type | Description |
|---|---|---|---|
| serverIpAddr | Server IP | IP | |
EventType: PH_QUERY_WORKER_CHANGED_TO_ONLINE
Description: FortiSIEM Query Worker Status Changed from offline to online
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
| Id | Display name | Type | Description |
|---|---|---|---|
| serverIpAddr | Server IP | IP | |
EventType: PH_QUERY_XML_PARSE_FAILED
Description: Query Master / Worker failed to parse query XML
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
| Id | Display name | Type | Description |
|---|---|---|---|
| task | Task | string | |
| totBytes64 | Total Bytes64 | uint64 | Total number of bytes sent and received by a host. This has 64-bit resolution. |