This article describes how to deactivate the UEBA/phFortiInsightAI service.
Scope
FortiSIEM.
Solution
When FortiSIEM RAM usage is high and the UEBA/phFortiInsight feature is not in use, the service still consumes resources because it is active by default. It can be deactivated by following the steps below on super/worker nodes:
Take a backup of the configuration file from CLI as root:
cp /opt/phoenix/config/phoenix_config.txt /opt/phoenix/config/phoenix_config.txt.orig
Modify the configuration file to remove process monitoring for this feature:
vi /opt/phoenix/config/phoenix_config.txt
Find the exact element below and remove it from each line where it appears:
<service><name>phFortiInsightAI</name><method>ps -ef | grep -v grep | grep -v Test | grep phFortiInsightAI | gawk '{print $2}'</method></service>
Stop and deactivate the service:
systemctl stop phFortiInsightAI
systemctl disable phFortiInsightAI
Around 10GB of RAM and SWAP is now freed up. This is especially useful on the hardware platform type.
Restore the service by reverting the previous steps:
mv /opt/phoenix/config/phoenix_config.txt.orig /opt/phoenix/config/phoenix_config.txt
systemctl start phFortiInsightAI
systemctl enable phFortiInsightAI
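
The configuration edit in the deactivation steps can be scripted instead of done by hand in vi. The following is an added example, not part of the original article or any Fortinet tooling: it matches the element as a fixed string, keeps the first .orig backup, and verifies the edited copy before replacing the file. The function names and the sample lines in demo() are assumptions.

```shell
#!/bin/sh
# Added example, not Fortinet code. ELEMENT is the string from the article;
# function names and the sample lines in demo() are assumptions.
ELEMENT="<service><name>phFortiInsightAI</name><method>ps -ef | grep -v grep | grep -v Test | grep phFortiInsightAI | gawk '{print \$2}'</method></service>"

# Print how many times ELEMENT occurs in FILE (fixed-string match, no regex).
count_monitor_entries() {
    awk -v e="$ELEMENT" '{ s = $0
        while ((i = index(s, e)) > 0) { n++; s = substr(s, i + length(e)) }
    } END { print n + 0 }' "$1"
}

# Remove every occurrence of ELEMENT from FILE, leaving the rest of each line.
# Returns 0 on success, 2 if the element is absent, 1 on any other failure.
remove_monitor_entries() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    before=$(count_monitor_entries "$cfg")
    [ "$before" -gt 0 ] || { echo "element not found; nothing changed" >&2; return 2; }
    # Keep the first backup: a re-run must not overwrite the pristine copy.
    [ -e "$cfg.orig" ] || cp -p "$cfg" "$cfg.orig" || return 1
    tmp=$(mktemp "$cfg.XXXXXX") || return 1
    awk -v e="$ELEMENT" '{ out = ""; s = $0
        while ((i = index(s, e)) > 0) {
            out = out substr(s, 1, i - 1); s = substr(s, i + length(e))
        }
        print out s }' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Verify the edited copy before touching the live file.
    [ "$(count_monitor_entries "$tmp")" -eq 0 ] || { rm -f "$tmp"; return 1; }
    # cat into the existing file keeps its owner and mode.
    cat "$tmp" > "$cfg" || return 1
    rm -f "$tmp"
    echo "removed $before occurrence(s); backup: $cfg.orig"
}

# Constructed sample (not real FortiSIEM config content): run the edit on a
# throwaway file and print the number of occurrences left.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "a=<service><name>phOther</name></service>$ELEMENT" \
        "b=$ELEMENT<service><name>phOther</name></service>" > "$d/sample.txt"
    remove_monitor_entries "$d/sample.txt" >/dev/null || return 1
    count_monitor_entries "$d/sample.txt"
    rm -rf "$d"
}
```

On a node, source the file as root and call remove_monitor_entries /opt/phoenix/config/phoenix_config.txt before the systemctl stop and disable commands; the backup it writes is the same .orig file the restore step moves back.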