Important Logs By Use case

This section identifies important logs for several failure use cases.

• Collector clock skew detected

• Collector failing to forward events to External System

• Collector failing to send events to Worker on time

• Collector failing to send events to Workers

• Collector/Worker to Supervisor communication issue

• Devices not sending logs

• EPS License Exceeded

• EPS Reporting

• Event Archiving Error (Elasticsearch to EventDB/NFS)

• Event Archiving Error (EventDB to EventDB/NFS)

• FortiSIEM Process is Down

• FortiSIEM process to Supervisor communication issue

• GUI Change Audit

• GUI User Login

• Incident External Integration issue

• Incident email notification issue

• Linux Agent operational errors

• Malware IOC handling Errors

• Query Errors

• Query Performance

• Rule Performance

• Rule trigger issues

• Scheduled Report issue

• Test Connectivity/Discovery Errors

• Windows/Linux Agent operational errors

• Worker failing to store events in ClickHouse

• Worker failing to store events in Elasticsearch

• Worker failing to store events in EventDB

• Worker falling behind in storing configuration files to SVN-lite

• Worker falling behind in storing events to Event Database

Use Case: Collector clock skew detected

• PH_COLLECTOR_CLOCK_SKEW

EventType: PH_COLLECTOR_CLOCK_SKEW

Description: Clock skew between Collector and Super

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
collectorId	Collector ID	uint32	This field captures the ID of a FortiSIEM Collector
collectorIp	Collector IP	IP	This field captures the IP address of a FortiSIEM Collector
superTime	Supervisor Time	Date	This field represents SupervisorTime used to determine Clock Skew between Collector and Supervisor. A Clock Skew may develop if NTP is not configured correctly in both Collector and Supervisor.
collectorTime	Collector Time	Date	This field represents Collector Time used to determine Clock Skew between Collector and Supervisor. A Clock Skew may develop if NTP is not configured correctly in both Collector and Supervisor.
timeSkewSec	Time skew	uint32	Time skew between Collector and Supervisor. If there is significant time skew then rules may not trigger, since rules need to be evaluated based on a time window.

Use Case: Collector failing to forward events to External System

• PH_AGENTMGR_KAFKA_PRODUCER_ERROR

• PH_EVENT_FWD_SOCKET_CONNECT_FAILED

• PH_EVENT_FWD_SOCKET_WRITE_FAILED

EventType: PH_AGENTMGR_KAFKA_PRODUCER_ERROR

Description: Event Forwarder failed to write events into Kafka

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
errorString	Error String	string	This is the error message, synonymous to attribute errReason
count	Count	uint32	A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group by parameters occurs again. The count is incremented and the Last Seen time is advanced. Count can be used for other events also.

EventType: PH_EVENT_FWD_SOCKET_CONNECT_FAILED

Description: Event Forwarder failed to connect the destination for TCP based forwarding

Severity: 8 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
exitValue	Command exit value	int32

EventType: PH_EVENT_FWD_SOCKET_WRITE_FAILED

Description: Event Forwarder failed to write to socket for sending events

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
exitValue	Command exit value	int32

Use Case: Collector failing to send events to Worker on time

• PH_COLLECTOR_EVENT_STORE_DELAYED

EventType: PH_COLLECTOR_EVENT_STORE_DELAYED

Description: Collector event file delayed

Severity: 9 (High)

Event Category: 3 (System Logs)

Use Case: Collector failing to send events to Workers

• PH_EVENT_PKG_FILE_UPLOAD_FAILED

• PH_EVENT_PKG_HTTP_FAILED

• PH_EVENT_PKG_HTTP_INIT_FAILED

• PH_EVT_PACKAGER_FILE_UPLOAD_FAILURE

EventType: PH_EVENT_PKG_FILE_UPLOAD_FAILED

Description: Event Packager failed to upload event file to Worker or Super; will retry

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
filePath	File Path	string
serverIpAddr	Server IP	IP

EventType: PH_EVENT_PKG_HTTP_FAILED

Description: Event Packager encountered HTTPS error response code

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
serverIpAddr	Server IP	IP
errorNo	Error Number Unsigned	uint32	This is an unsigned integer error number

EventType: PH_EVENT_PKG_HTTP_INIT_FAILED

Description: Event Packager HTTP client initialization failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
serverIpAddr	Server IP	IP

EventType: PH_EVT_PACKAGER_FILE_UPLOAD_FAILURE

Description: FortiSIEM Event Packager file upload failure

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
filePath	File Path	string
errorNoInt	Error Number Int	int32
destName	Destination Host Name	string	Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address.

Use Case: Collector/Worker to Supervisor communication issue

• PH_COLLECTOR_DOWN

• PH_WORKER_DOWN

EventType: PH_COLLECTOR_DOWN

Description: Collector down

Severity: 7 (Medium)

Event Category: 3 (System Logs)

EventType: PH_WORKER_DOWN

Description: Worker down

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Use Case: Devices not sending logs

• PH_DEV_MON_LOG_DEVICE_DELAY_HIGH

• PH_DEV_MON_LOG_DEVICE_DELAY_LOW

EventType: PH_DEV_MON_LOG_DEVICE_DELAY_HIGH

Description: Log receipt delay for a single device crossed high water mark

Notes: This event is generated by FortiSIEM Supervisor node when no events are received from a single source IP (Reporting IP) within a (high threshold) time window. The time period can be set in two ways: - Global Setting: Set the EventRecvTimeGapHigh attribute in Admin > Device Support > Custom Properties. By default it is set to 10 minutes - Per device Setting: Set the "Event Receive Time Gap High Threshold minutes" attribute in CMDB > Choose a Device > Edit > Device Properties An event is generated for each jobType, e.g. Syslog, Windows Agent Log Collection, Linux Agent Log Collection, Cloud Service Log Collection etc.

Severity: 9 (High)

Event Category: 3 (System Logs)

EventType: PH_DEV_MON_LOG_DEVICE_DELAY_LOW

Description: Log receipt delay for a single device fell below water mark

Notes: This event is generated by FortiSIEM Supervisor node when no events are received from a single source IP (Reporting IP) within a (low threshold) time window. The time period can be set in two ways: - Global Setting: Set the EventRecvTimeGapLow attribute in Admin > Device Support > Custom Properties. By default it is set to 5 minutes - Per device Setting: Set the "Event Receive Time Gap Low Threshold minutes" attribute in CMDB > Choose a Device > Edit > Device Properties An event is generated for each jobType, e.g. Syslog, Windows Agent Log Collection, Linux Agent Log Collection, Cloud Service Log Collection etc.

Severity: 1 (Low)

Event Category: 3 (System Logs)

Use Case: EPS License Exceeded

• PH_PARSER_GLOBAL_LICENSE_EXCEED

EventType: PH_PARSER_GLOBAL_LICENSE_EXCEED

Description: Global EPS license exceeded and events will be dropped

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
licenseEventsPerSec	License EPS	uint64

Use Case: EPS Reporting

• PH_SYSTEM_EPS_GLOBAL

• PH_SYSTEM_EPS_NODE

• PH_SYSTEM_EPS_ORG

EventType: PH_SYSTEM_EPS_GLOBAL

Description: FortiSIEM Global event handling statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
licenseEventsPerSec	License EPS	uint64
incomingEventsPerSec	Incoming Event Rate	double	This is a FortiSIEM event ingestion rate calculated every 3 minutes, divided by 180 to generate a rolling EPS (Events Per Second) interval.
peakIncomingEventsPerSec	Peak Incoming Event Rate	double	This is the spike or max event ingestion rate seen during a 3 minute interval averaged overall data points.
dropLicenseEventsPerSec	License Dropped Event Rate	double	The number of events dropped due to exceeding license in past 3 minutes.
peakDropLicenseEventsPerSec	Peak License Dropped Event Rate	double	The max value of dropLicenseEventsPerSec over all 3-minute periods, since phParser started.
unusedEvents	Unused Event Count	uint64	The difference between licenseEventsPerSec and incomingEventsPerSec accumulated.

EventType: PH_SYSTEM_EPS_NODE

Description: FortiSIEM per Node event handling statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
role	Role	string
hostName	Host Name	string	This is the hostname of the device of interest in the event
guaranteedEventsPerSec	Guaranteed EPS	uint64
incomingEventsPerSec	Incoming Event Rate	double	This is a FortiSIEM event ingestion rate calculated every 3 minutes, divided by 180 to generate a rolling EPS (Events Per Second) interval.
peakIncomingEventsPerSec	Peak Incoming Event Rate	double	This is the spike or max event ingestion rate seen during a 3 minute interval averaged overall data points.
ingestedEventsPerSec	Ingested Event Rate	double
dropPolicyEvents	Policy Dropped Events	uint64	The number of events dropped by Event Dropping Rules in the last 3 minutes.
dropPolicyEventsPerSec	Policy Droppped Event Rate	double	This is the per second count of events dropped by policy, which is calculated as dropPolicyEvents (3min interval) / 180 seconds.
peakDropPolicyEventsPerSec	Peak Policy Dropped Event Rate	double	The max value of dropPolicyEventsPerSec, over all 3-minute periods, since phParser started.
dropLicenseEvents	License Dropped Events	uint64	This is the total count of events dropped due to exceeding license over all 3 minute intervals since phParser started.
dropLicenseEventsPerSec	License Dropped Event Rate	double	The number of events dropped due to exceeding license in past 3 minutes.
peakDropLicenseEventsPerSec	Peak License Dropped Event Rate	double	The max value of dropLicenseEventsPerSec over all 3-minute periods, since phParser started.
dropLicenseEventRatio	License Dropped Event Ratio	uint16	Ratio of dropped events due to license to total incoming events in last 3 minutes.
reptDevIpAddr	Reporting IP	IP	This is the device that originated the log or event packet, also known as the reporting device.

EventType: PH_SYSTEM_EPS_ORG

Description: FortiSIEM per Organization event handling statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
customer	Organization Name	string	This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.
incomingEventsPerSec	Incoming Event Rate	double	This is a FortiSIEM event ingestion rate calculated every 3 minutes, divided by 180 to generate a rolling EPS (Events Per Second) interval.
peakIncomingEventsPerSec	Peak Incoming Event Rate	double	This is the spike or max event ingestion rate seen during a 3 minute interval averaged overall data points.
dropLicenseEventsPerSec	License Dropped Event Rate	double	The number of events dropped due to exceeding license in past 3 minutes.
peakDropLicenseEventsPerSec	Peak License Dropped Event Rate	double	The max value of dropLicenseEventsPerSec over all 3-minute periods, since phParser started.

Use Case: Event Archiving Error (Elasticsearch to EventDB/NFS)

• PH_ES_COLD_STORAGE_ARCHIVING_FAILED

• PH_ES_HOT_STORAGE_ARCHIVING_FAILED

• PH_ES_WARM_STORAGE_ARCHIVING_FAILED

EventType: PH_ES_COLD_STORAGE_ARCHIVING_FAILED

Description: Failed to archive indices from cold nodes on Elasticsearch Cluster

Severity: 10 (High)

Event Category: 3 (System Logs)

EventType: PH_ES_HOT_STORAGE_ARCHIVING_FAILED

Description: Failed archive indices from hot nodes on Elasticsearch Cluster

Severity: 10 (High)

Event Category: 3 (System Logs)

EventType: PH_ES_WARM_STORAGE_ARCHIVING_FAILED

Description: Failed to archive indices from warm nodes on Elasticsearch Cluster

Severity: 10 (High)

Event Category: 3 (System Logs)

Use Case: Event Archiving Error (EventDB to EventDB/NFS)

• PH_SYSTEM_ARCHIVE_PURGING_POLICY_FAILED

• PH_SYSTEM_DISK_ARCHIVING_FAILED

EventType: PH_SYSTEM_ARCHIVE_PURGING_POLICY_FAILED

Description: Failed to purge Archive FortiSIEM EventDB - purge caused by policy

Severity: 10 (High)

Event Category: 3 (System Logs)

EventType: PH_SYSTEM_DISK_ARCHIVING_FAILED

Description: Online FortiSIEM EventDB Archiving encountered errors

Severity: 10 (High)

Event Category: 3 (System Logs)

Use Case: FortiSIEM Process is Down

• PH_APPSERVER_FRAMEWORK_SECURITY_INIT_SYSTEM_ERROR

• PH_MODULE_ABORT

• PH_MODULE_ABORT_FOUND

• PH_MODULE_EXITING

• PH_MODULE_INIT_FAILURE

EventType: PH_APPSERVER_FRAMEWORK_SECURITY_INIT_SYSTEM_ERROR

Description: App Server Phoenix Caching system initialization failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

EventType: PH_MODULE_ABORT

Description: Module exited abnormally

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
coreDumpFile	Coredump File Name	string

EventType: PH_MODULE_ABORT_FOUND

Description: Module found aborted

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
reptProcName	Reported Process Name	string
eventTime	Event Occur Time	Date

EventType: PH_MODULE_EXITING

Description: Module exiting

Severity: 1 (Low)

Event Category: 3 (System Logs)

EventType: PH_MODULE_INIT_FAILURE

Description: Module initialization failure

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
module	Module Name	string

Use Case: FortiSIEM process to Supervisor communication issue

• PH_DATAMANAGER_HTTP_UPLOAD_ERROR

• PH_DISCOV_DISCOV_REQ_GET_FAILED

• PH_DISCOV_TEST_CONN_GET_REQ_FAILED

• PH_EVT_PACKAGER_HTTP_RESPONSE_ERROR

• PH_IDENTITYMASTER_HTTP_UPLOAD_ERROR

• PH_MONITOR_UNABLE_CONTACT_APPSVR

• PH_PARSER_HTTP_RESPONSE_ERROR

• PH_PARSER_HTTP_UPLOAD_FAILURE

EventType: PH_DATAMANAGER_HTTP_UPLOAD_ERROR

Description: Data Manager module failed to upload event database statistics to App server

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
errReason	Reason for Error	string	This is the reason for an error if given.
errorNo	Error Number Unsigned	uint32	This is an unsigned integer error number

EventType: PH_EVT_PACKAGER_HTTP_RESPONSE_ERROR

Description: FortiSIEM Event Packager http response error from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
errorNoInt	Error Number Int	int32

EventType: PH_IDENTITYMASTER_HTTP_UPLOAD_ERROR

Description: Identity Master failed to upload identity location information to App server

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
errorNo	Error Number Unsigned	uint32	This is an unsigned integer error number
errReason	Reason for Error	string	This is the reason for an error if given.

EventType: PH_MONITOR_UNABLE_CONTACT_APPSVR

Description: phMonitor uable to contact App Server - see respnse code

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
httpStatusCode	HTTP Status	string

EventType: PH_PARSER_HTTP_RESPONSE_ERROR

Description: Parser module failed to get response from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
errorNo	Error Number Unsigned	uint32	This is an unsigned integer error number

EventType: PH_PARSER_HTTP_UPLOAD_FAILURE

Description: Parser module failed to upload information to App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Use Case: GUI Change Audit

• PH_AUDIT_CASE_CLOSED

• PH_AUDIT_CASE_CREATED

• PH_AUDIT_CASE_UPDATED

• PH_AUDIT_CMDB_DISK_PRUNE_FAILED

• PH_AUDIT_CMDB_DISK_PRUNE_SUCCESS

• PH_AUDIT_DASHBOARD_SHARED

• PH_AUDIT_DEVICE_ADDED

• PH_AUDIT_DEVICE_DELETED

• PH_AUDIT_DEVICE_DISCOVERY_ITEM_CHANGED

• PH_AUDIT_DEVICE_MERGED_BY_IP_WITH_DIFF_NAME

• PH_AUDIT_DEVICE_STATUS_CHANGED

• PH_AUDIT_GROUP_CREATED

• PH_AUDIT_GROUP_DELETED

• PH_AUDIT_INCIDENT_SYS_CLEAR

• PH_AUDIT_INCIDENT_USER_CLEAR

• PH_AUDIT_MALWARE_DATA_DELETED

• PH_AUDIT_MALWARE_DATA_UPDATED

• PH_AUDIT_OBJECT_CREATED

• PH_AUDIT_OBJECT_DELETED

• PH_AUDIT_OBJECT_UPDATED

• PH_AUDIT_PASSWORD_CHANGED

• PH_AUDIT_REPORT_SCHEDULED

• PH_AUDIT_RULE_ACTIVATED

• PH_AUDIT_RULE_DEACTIVATED

• PH_AUDIT_USER_ADDED

• PH_AUDIT_USER_DEFAULT_ROLE_CHANGED

• PH_AUDIT_USER_DELETED

• PH_AUDIT_USER_ORGANIZATION_ROLE_CHANGED

• PH_AUDIT_USER_ORGANIZATION_ROLE_ENABLED

• PH_AUDIT_USER_ORGANIZATION_ROLE_REMOVED

EventType: PH_AUDIT_CASE_CLOSED

Description: FortiSIEM Case Closed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
user	User	string
caseId	Case ID	uint64	Unique ID of a FortiSIEM Case
title	Title	string
comment	Comment	string

EventType: PH_AUDIT_CASE_CREATED

Description: FortiSIEM Case Created

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
user	User	string
caseId	Case ID	uint64	Unique ID of a FortiSIEM Case
title	Title	string

EventType: PH_AUDIT_CASE_UPDATED

Description: FortiSIEM Case Updated

Severity: 1 (Low)

Event Category: 3 (System Logs)

EventType: PH_AUDIT_CMDB_DISK_PRUNE_FAILED

Description: CMDB Disk Prune Failed

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
hostName	Host Name	string	This is the hostname of the device of interest in the event
hostIpAddr	Host IP	IP	This is the IP of the device of interest in the event.
freeDiskMB	Free Disk MB	uint32

EventType: PH_AUDIT_CMDB_DISK_PRUNE_SUCCESS

Description: CMDB Disk Prune Success

Severity: 4 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
hostName	Host Name	string	This is the hostname of the device of interest in the event
hostIpAddr	Host IP	IP	This is the IP of the device of interest in the event.
freeDiskMB	Free Disk MB	uint32

EventType: PH_AUDIT_DASHBOARD_SHARED

Description: FortiSIEM dashboard folder shared

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
osObjName	Object Name	string
targetUserGrp	Target User Group	string

EventType: PH_AUDIT_DEVICE_ADDED

Description: System CMDB device added

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
customer	Organization Name	string	This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.
hostName	Host Name	string	This is the hostname of the device of interest in the event
hostIpAddr	Host IP	IP	This is the IP of the device of interest in the event.

EventType: PH_AUDIT_DEVICE_DELETED

Description: System CMDB device deleted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
customer	Organization Name	string	This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.
hostName	Host Name	string	This is the hostname of the device of interest in the event
hostIpAddr	Host IP	IP	This is the IP of the device of interest in the event.

EventType: PH_AUDIT_DEVICE_DISCOVERY_ITEM_CHANGED

Description: System CMDB device changed by discovery

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
customer	Organization Name	string	This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.
hostName	Host Name	string	This is the hostname of the device of interest in the event
hostIpAddr	Host IP	IP	This is the IP of the device of interest in the event.
objType	Object Type	string
addedItem	Added Item	string

EventType: PH_AUDIT_DEVICE_MERGED_BY_IP_WITH_DIFF_NAME

Description: Two devices with different hostname merged becsuase of overlapping IP addresses

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
customer	Organization Name	string	This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.
hostName	Host Name	string	This is the hostname of the device of interest in the event
targetHostName	Target Host Name	string
overlapIp	Overlapping IP	string	This field repsents the list of IP addresses of a just discovered device that overlaps with an existing device in CMDB.

EventType: PH_AUDIT_DEVICE_STATUS_CHANGED

Description: CMDB Device audit status changed

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
customer	Organization Name	string	This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.
hostName	Host Name	string	This is the hostname of the device of interest in the event
hostIpAddr	Host IP	IP	This is the IP of the device of interest in the event.
user	User	string
origStatus	Original Status	string
newStatus	New Status	string
eventSource	Event Source	string

EventType: PH_AUDIT_GROUP_CREATED

Description: FortiSIEM GUI Group Created

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
customer	Organization Name	string	This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.
osObjName	Object Name	string
osObjType	OS Object Type	string

EventType: PH_AUDIT_GROUP_DELETED

Description: FortiSIEM GUI Group Deleted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
customer	Organization Name	string	This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.
osObjName	Object Name	string
osObjType	OS Object Type	string

EventType: PH_AUDIT_INCIDENT_SYS_CLEAR

Description: FortiSIEM Incident System Auto-Cleared

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
osObjName	Object Name	string
osObjHandleID	Object Handle	string

EventType: PH_AUDIT_INCIDENT_USER_CLEAR

Description: FortiSIEM Incident User Cleared

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
osObjName	Object Name	string
osObjHandleID	Object Handle	string

EventType: PH_AUDIT_MALWARE_DATA_DELETED

Description: Malware data deleted by scheduled update

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
updateTime	Update Time	Date
count	Count	uint32	A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group by parameters occurs again. The count is incremented and the Last Seen time is advanced. Count can be used for other events also.
folder	Folder	string

EventType: PH_AUDIT_MALWARE_DATA_UPDATED

Description: Malware data updated by scheduled update

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
updateTime	Update Time	Date
count	Count	uint32	A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group by parameters occurs again. The count is incremented and the Last Seen time is advanced. Count can be used for other events also.
folder	Folder	string

EventType: PH_AUDIT_OBJECT_CREATED

Description: System data object created

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
osObjType	OS Object Type	string
osObjName	Object Name	string

EventType: PH_AUDIT_OBJECT_DELETED

Description: System data object deleted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
user	User	string

EventType: PH_AUDIT_OBJECT_UPDATED

Description: System data object updated

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
osObjType	OS Object Type	string
objType	Object Type	string
osObjName	Object Name	string
osObjAction	Object Action	string
targetCustomer	Target Organization Name	string
oldSettingsValue	Old Settings Value	string
newSettingsValue	New Settings Value	string

EventType: PH_AUDIT_PASSWORD_CHANGED

Description: System user password changed

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
customer	Organization Name	string	This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.
targetUser	Target User	string
user	User	string
domain	Domain	string

EventType: PH_AUDIT_REPORT_SCHEDULED

Description: FortiSIEM Report Scheduled

Severity: 1 (Low)

Event Category: 3 (System Logs)

EventType: PH_AUDIT_RULE_ACTIVATED

Description: FortiSIEM Rule activated

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
osObjName	Object Name	string

EventType: PH_AUDIT_RULE_DEACTIVATED

Description: FortiSIEM Rule de-activated

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
osObjName	Object Name	string

EventType: PH_AUDIT_USER_ADDED

Description: System user added

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
customer	Organization Name	string	This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.
targetUser	Target User	string
user	User	string
domain	Domain	string

EventType: PH_AUDIT_USER_DEFAULT_ROLE_CHANGED

Description: FortiSIEM Admin User Default Role Changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
user	User	string
customer	Organization Name	string	This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.
targetUser	Target User	string
targetCustomer	Target Organization Name	string
role	Role	string

EventType: PH_AUDIT_USER_DELETED

Description: System user deleted

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
customer	Organization Name	string	This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.
user	User	string
targetUser	Target User	string
details	Details	string

EventType: PH_AUDIT_USER_ORGANIZATION_ROLE_CHANGED

Description: FortiSIEM Admin User Organization Role changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
user	User	string
customer	Organization Name	string	This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.
targetUser	Target User	string
targetCustomer	Target Organization Name	string
role	Role	string

EventType: PH_AUDIT_USER_ORGANIZATION_ROLE_ENABLED

Description: FortiSIEM Admin User Organization Role enabled

Severity: 1 (Low)

Event Category: 3 (System Logs)

EventType: PH_AUDIT_USER_ORGANIZATION_ROLE_REMOVED

Description: FortiSIEM Admin User Organization Role disabled

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
user	User	string
customer	Organization Name	string	This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.
targetUser	Target User	string
targetCustomer	Target Organization Name	string
role	Role	string

Use Case: GUI User Login

• PH_AUDIT_ACCOUNT_LOCKED

• PH_AUDIT_USER_LOGIN_FAILURE

• PH_AUDIT_USER_LOGIN_SUCCESS

• PH_AUDIT_USER_LOGOFF

EventType: PH_AUDIT_ACCOUNT_LOCKED

Description: System user account locked due to excessive login failures

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
customer	Organization Name	string	This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.
reason	Reason	string
targetUser	Target User	string
srcIpAddr	Source IP	IP	Source IP of a device as identified in the event.

EventType: PH_AUDIT_USER_LOGIN_FAILURE

Description: System user failed to login

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
user	User	string
domain	Domain	string
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant

EventType: PH_AUDIT_USER_LOGIN_SUCCESS

Description: System user login success

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
user	User	string
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
userFullName	User Full Name	string

EventType: PH_AUDIT_USER_LOGOFF

Description: System user logoff

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
userFullName	User Full Name	string

Use Case: Incident External Integration issue

• PH_APPSERVER_IN_INTEGRATION_ERROR

• PH_APPSERVER_OUT_INTEGRATION_ERROR

EventType: PH_APPSERVER_IN_INTEGRATION_ERROR

Description: Inbound external ticketing system integration error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

EventType: PH_APPSERVER_OUT_INTEGRATION_ERROR

Description: Outbound external ticketing system integration error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Use Case: Incident email notification issue

• PH_APPSERVER_NOTIFIER_ERROR

• PH_INCIDENT_ACTION_STATUS

EventType: PH_APPSERVER_NOTIFIER_ERROR

Description: App Server Notifier error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

EventType: PH_INCIDENT_ACTION_STATUS

Description: Record action result for incident notification

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
scriptOutput	Script Output	string

Use Case: Linux Agent operational errors

• PH_FAILED_TO_EXEC

• PH_LINUX_AGENT_BIND_PORT_FAILED

• PH_LINUX_AGENT_CONFIG_ATTR_NOT_FOUND

• PH_LINUX_AGENT_CREATE_SOCKET_FAILED

• PH_LINUX_AGENT_HOST_IP_GOT_FAILED

• PH_LINUX_AGENT_OPEN_FILE_FAILED

• PH_LINUX_AGENT_OPEN_PORT_FAILED

• PH_LINUX_AGENT_RECV_ERROR

• PH_LINUX_AGENT_VERIFIER_ERROR

EventType: PH_FAILED_TO_EXEC

Description: Failed to execute specified command

Severity: 6 (Medium)

Event Category: 3 (System Logs)

EventType: PH_LINUX_AGENT_BIND_PORT_FAILED

Description: Socket failed to bind port

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
destIpPort	Destination TCP/UDP Port	uint16	This is the destination TCP or UDP port as identified in the event

EventType: PH_LINUX_AGENT_CONFIG_ATTR_NOT_FOUND

Description: Cannot find attribute in config file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
fileName	File Name	string

EventType: PH_LINUX_AGENT_CREATE_SOCKET_FAILED

Description: Failed to create socket

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
errorString	Error String	string	This is the error message, synonymous to attribute errReason

EventType: PH_LINUX_AGENT_HOST_IP_GOT_FAILED

Description: Failed to get host ip

Severity: 7 (Medium)

Event Category: 3 (System Logs)

EventType: PH_LINUX_AGENT_OPEN_FILE_FAILED

Description: Linux agent open file failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
fileName	File Name	string
errorString	Error String	string	This is the error message, synonymous to attribute errReason

EventType: PH_LINUX_AGENT_OPEN_PORT_FAILED

Description: Failed to open port

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
ipPort	IP Port	uint16	IP port number

EventType: PH_LINUX_AGENT_RECV_ERROR

Description: Linux agent received error from socket

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
errorNo	Error Number Unsigned	uint32	This is an unsigned integer error number
recvBytes64	Received Bytes64	uint64	Number of bytes received by a host. This has 64bit resolution.

EventType: PH_LINUX_AGENT_VERIFIER_ERROR

Description: Linux agent verifier error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
fileName	File Name	string
errorString	Error String	string	This is the error message, synonymous to attribute errReason
size	Size	uint32

Use Case: Malware IOC handling Errors

• PH_APPSERVER_EXT_THREAT_INTEL_UPDATE_ERROR

• PH_APPSERVER_FORTIGUARD_IOC_INTEGRATION_ERROR

• PH_APPSERVER_IOC_TASK_CREATE_FAILED_ERROR

EventType: PH_APPSERVER_EXT_THREAT_INTEL_UPDATE_ERROR

Description: External Threat Intelligence update error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

EventType: PH_APPSERVER_FORTIGUARD_IOC_INTEGRATION_ERROR

Description: FortiGuard IOC data download/parse error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

EventType: PH_APPSERVER_IOC_TASK_CREATE_FAILED_ERROR

Description: App Server failed to create External Threat Intelligence Update task

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Use Case: Query Errors

• PH_APPSERVER_QUERY_EXPORT_ERROR

• PH_APPSERVER_QUERY_RESULT_RETRIEVE_ERROR

• PH_APPSERVER_QUERY_RUN_ERROR

• PH_APPSERVER_QUERY_STOP_ERROR

• PH_APPSERVER_REPORT_BUNDLE_PRINT_ERROR

EventType: PH_APPSERVER_QUERY_EXPORT_ERROR

Description: App Server failed to export historical query result

Severity: 7 (Medium)

Event Category: 3 (System Logs)

EventType: PH_APPSERVER_QUERY_RESULT_RETRIEVE_ERROR

Description: App Server failed to retrieve historical query result

Severity: 7 (Medium)

Event Category: 3 (System Logs)

EventType: PH_APPSERVER_QUERY_RUN_ERROR

Description: App Server failed to run historical query

Severity: 7 (Medium)

Event Category: 3 (System Logs)

EventType: PH_APPSERVER_QUERY_STOP_ERROR

Description: App Server failed to stop historical query

Severity: 7 (Medium)

Event Category: 3 (System Logs)

EventType: PH_APPSERVER_REPORT_BUNDLE_PRINT_ERROR

Description: Print report bundle error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Use Case: Query Performance

• PH_AUDIT_QUERY_COMPLETED

EventType: PH_AUDIT_QUERY_COMPLETED

Description: Audit query completed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
user	User	string
osObjName	Object Name	string
customer	Organization Name	string	This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.
durationMSec	Duration	uint32	Duration of a connection (in msec)
queryFilter	Query Filter	string
queryDisplay	Query Display	string
queryId	Query Id	string
usageType	Usage Type	string

Use Case: Rule Performance

• PH_RULEMOD_PROFILE

EventType: PH_RULEMOD_PROFILE

Description: FortiSIEM Rule resource usage profile

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
ruleName	Rule Name	string	FortiSIEM rule name.
memTotalB	Total Memory Bytes	uint32
updateQueueSize	Update Queue Size	uint32

Use Case: Rule trigger issues

• PH_DROP_EVENT_FROM_SHARED_BUFFER

• PH_DROP_INCIDENT

• PH_REPORT_PACK_FAILED

• PH_RULEMOD_SUMMARY_UPLOAD_FAILED

• PH_UTIL_NOTIFICATION_UPLOAD_FAILURE

EventType: PH_DROP_EVENT_FROM_SHARED_BUFFER

Description: Event dropped from shared buffer

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
collectorId	Collector ID	uint32	This field captures the ID of a FortiSIEM Collector
count	Count	uint32	A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group by parameters occurs again. The count is incremented and the Last Seen time is advanced. Count can be used for other events also.

EventType: PH_DROP_INCIDENT

Description: Incident dropped

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
ruleId	Rule ID	uint64	Unique ID of a FortiSIEM rule.
ruleName	Rule Name	string	FortiSIEM rule name.
incidentId	Incident ID	uint64	Unique ID of a FortiSIEM Incident
details	Details	string
errReason	Reason for Error	string	This is the reason for an error if given.

EventType: PH_REPORT_PACK_FAILED

Description: Failed to pack data

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
errReason	Reason for Error	string	This is the reason for an error if given.

EventType: PH_RULEMOD_SUMMARY_UPLOAD_FAILED

Description: Rule Worker failed to upload rule summary to Rule Master, causing potential incident loss.

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
ruleId	Rule ID	uint64	Unique ID of a FortiSIEM rule.
ruleName	Rule Name	string	FortiSIEM rule name.

EventType: PH_UTIL_NOTIFICATION_UPLOAD_FAILURE

Description: Failed to Send Notification

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
msg	Message	string

Use Case: Scheduled Report issue

• PH_REPORT_ACTION_STATUS

EventType: PH_REPORT_ACTION_STATUS

Description: Record action result for report notification

Severity: 1 (Low)

Event Category: 3 (System Logs)

Use Case: Test Connectivity/Discovery Errors

• PH_DISCOV_DISCOV_REQ_GET_FAILED

• PH_DISCOV_RESULT_SEND_FAILED

• PH_DISCOV_TEST_CONN_GET_REQ_FAILED

• PH_DISCOV_TEST_CONN_RESULT_SEND_ERROR

EventType: PH_DISCOV_DISCOV_REQ_GET_FAILED

Description: Discovery module failed to get discovery request from App server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

EventType: PH_DISCOV_RESULT_SEND_FAILED

Description: Discovery module failed to send discovery result to App server after many retries; discovery will fail

Severity: 8 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phDiscovFailCode	PH Discovery Failure Code	string

EventType: PH_DISCOV_TEST_CONN_GET_REQ_FAILED

Description: Discovery module failed to get test connectivity request from App server

Severity: 9 (High)

Event Category: 3 (System Logs)

EventType: PH_DISCOV_TEST_CONN_RESULT_SEND_ERROR

Description: Discovery module encountered error in sending Test Connectivity result to app server

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
phDiscovFailCode	PH Discovery Failure Code	string

Use Case: Windows/Linux Agent operational errors

• PH_AUDIT_AGENT_DISABLED

• PH_AUDIT_AGENT_NOTRESPONDING

• PH_AUDIT_AGENT_UNINSTALLED

EventType: PH_AUDIT_AGENT_DISABLED

Description: FortiSIEM Windows/Linux Agent disabled

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
monitorState	Monitor State	string
type	Type	string
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
phAgentId	Agent ID	string	Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.
hostName	Host Name	string	This is the hostname of the device of interest in the event

EventType: PH_AUDIT_AGENT_NOTRESPONDING

Description: FortiSIEM Windows/Linux Agent not responding

Severity: 8 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
monitorState	Monitor State	string
type	Type	string
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
phAgentId	Agent ID	string	Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.
hostName	Host Name	string	This is the hostname of the device of interest in the event

EventType: PH_AUDIT_AGENT_UNINSTALLED

Description: FortiSIEM Windows/Linux Agent uninstalled

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
monitorState	Monitor State	string
type	Type	string
phCustId	Organization ID	uint32	This is the FortiSIEM organization ID unique to each tenant
phAgentId	Agent ID	string	Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.
hostName	Host Name	string	This is the hostname of the device of interest in the event

Use Case: Worker failing to store events in ClickHouse

• PH_CLICKHOUSE_INSERTION_DROP_EVENTS

• PH_DATAMANAGER_CLICKHOUSE_HTTP_UPLOAD_ERROR

EventType: PH_CLICKHOUSE_INSERTION_DROP_EVENTS

Description: FortiSIEM dropped events while failing to insert them to ClickHouse after retries

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
totBytes64	Total Bytes64	uint64	Total number of sent and received bytes by a host. This has 64bit resolution.

EventType: PH_DATAMANAGER_CLICKHOUSE_HTTP_UPLOAD_ERROR

Description: Failed to upload events to ClickHouse

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
errReason	Reason for Error	string	This is the reason for an error if given.
serverName	Server Name	string

Use Case: Worker failing to store events in Elasticsearch

• PH_DATAMANAGER_EVTLOADER_ERROR

• PH_DATA_CLUSTER_ELASTIC_INDEX_SEND_FAIL

EventType: PH_DATAMANAGER_EVTLOADER_ERROR

Description: Data Manager failed to load events from shared buffer

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
errReason	Reason for Error	string	This is the reason for an error if given.
errorNo	Error Number Unsigned	uint32	This is an unsigned integer error number
dirName	Directory Name	string

EventType: PH_DATA_CLUSTER_ELASTIC_INDEX_SEND_FAIL

Description: Elasticsearch indexing failed at the last time

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
infoURL	Informational URL	string	This field captures an URL if present in an event
size	Size	uint32
errorString	Error String	string	This is the error message, synonymous to attribute errReason

Use Case: Worker failing to store events in EventDB

• PH_DATAMANAGER_EVTLOADER_ERROR

• PH_DATAMANAGER_SUMMARYWRITER_ERROR

• PH_UNABLE_ACCESS_DIR

• PH_UNABLE_CREATE_DIR

• PH_UNABLE_OPEN_DIR

EventType: PH_DATAMANAGER_SUMMARYWRITER_ERROR

Description: Data Manager failed to write inline report results

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
errReason	Reason for Error	string	This is the reason for an error if given.
errorNo	Error Number Unsigned	uint32	This is an unsigned integer error number

EventType: PH_UNABLE_ACCESS_DIR

Description: Unable to access archive directory

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
dirName	Directory Name	string

EventType: PH_UNABLE_CREATE_DIR

Description: Unable to create dir

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
dirName	Directory Name	string
errorNo	Error Number Unsigned	uint32	This is an unsigned integer error number

EventType: PH_UNABLE_OPEN_DIR

Description: Unable to open dir

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id	Display name	Type	Description
dirName	Directory Name	string
errorNo	Error Number Unsigned	uint32	This is an unsigned integer error number

Use Case: Worker falling behind in storing configuration files to SVN-lite

• PH_EVT_HANDLER_SVN_QUEUE_WARNING

EventType: PH_EVT_HANDLER_SVN_QUEUE_WARNING

Description: Worker Input Event Queue large

Severity: 10 (High)

Event Category: 3 (System Logs)

Use Case: Worker falling behind in storing events to Event Database

• PH_EVT_HANDLER_EVT_QUEUE_LARGE

• PH_EVT_HANDLER_EVT_QUEUE_WARNING

EventType: PH_EVT_HANDLER_EVT_QUEUE_LARGE

Description: Uploaded event files on Worker has a size of more than 100MB

Severity: 6 (Medium)

Event Category: 3 (System Logs)

EventType: PH_EVT_HANDLER_EVT_QUEUE_WARNING

Description: Worker Input Event Queue large

Severity: 10 (High)

Event Category: 3 (System Logs)