ycho
Staff
October 5, 2021

Technical Tip: How to stop generating log-forward event logs

Description
This article describes how to stop the 'Log-forward ... lag behind' system event log that a FortiAnalyzer writes every 10 minutes, even when no log forwarding is configured.

Solution
When the system event log of the FortiAnalyzer shows the following message every 10 minutes:

Log-forward 'ld-_siem_@localhost' lag behind 99.94%, discarded 173825724379bytes

The destination in the message, 'ld-_siem_@localhost', is the FortiAnalyzer's built-in FortiSIEM module, not a log forwarding target configured by the administrator. That is why the message appears even when log forwarding is not set up. Check the following steps:

1) Check the log forwarding settings on the FortiAnalyzer.
If log forwarding is disabled or not configured, go to the next steps.

2) Check whether the FortiSIEM agent daemon worker processes (siemagentd.wkrN) are running. In the process list they appear as follows:
9542 root 20 0 266.5m 114.6m 0.7 0.4 134:38.92 S siemagentd.wkr0
9731 root 20 0 395.8m 119.7m 0.7 0.4 85:10.76 S siemagentd.wkr1
9824 root 20 0 396.0m 119.3m 0.7 0.4 85:05.22 S siemagentd.wkr2
9944 root 20 0 395.8m 119.4m 0.7 0.4 84:43.93 S siemagentd.wkr4
9882 root 20 0 395.8m 118.6m 0.3 0.4 85:27.23 S siemagentd.wkr3
3) Check whether the FortiSIEM module of the FortiAnalyzer is active. Run 'diagnose test app siemagentd' with test levels 2, 3 and 4. The output looks like this:
# diagnose test app siemagentd 2
FAZ SIEM: up [status enabled]
siemagentd:
uptime: 16 day 12:52:05, shm-ver: 36, shm-fazid-max: 0
conf-ver: 1630607216 (refresh in 7 sec)
total: #msg=16861, #msgpack=11550, #logs(in)=1274557, #logs(out)=1258844, #logs(skipped)=0
last-5-sec: msg/s=0.0, msgpack/s=0.0, logs/s(in)=0.0, logs/s(out)=0.0
wkr-status: init=5, fini=31, orphan=0, kill=0, signal=31, crash=0, stuck=0
Workers (total: 5):
If FAZ SIEM reports 'up [status enabled]', disable the SIEM module. First check whether 'siem' is already included in the 'disable-module' setting:
# config system global
(global)# get
If 'siem' is not listed under disable-module, add it so that the FortiSIEM module stops running and the event is no longer generated:
(global)# set disable-module siem
(global)# end
Note that this turns off the FortiAnalyzer's built-in FortiSIEM integration, so only do this when that integration is not in use.
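The message quoted in the Solution section reports discarded bytes, so a SOC that filters it out as noise should only suppress the local FortiSIEM case and keep alerting on any other forwarding destination, where discarded bytes mean logs really were lost. The following Python script is an added example, not code from the original article or from Fortinet: it parses the 'Log-forward ... lag behind' message and separates the local SIEM events from the rest. The sample log lines are constructed here; the remote destination name 'ld-collector@10.0.0.5' and the assumption that other destinations produce the same message format are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Message body quoted in the article (FortiAnalyzer system event log):
#   Log-forward 'ld-_siem_@localhost' lag behind 99.94%, discarded 173825724379bytes
LOGFWD_RE = re.compile(
    r"Log-forward '(?P<dest>[^']+)' lag behind (?P<lag>[0-9.]+)%, "
    r"discarded (?P<discarded>\d+)\s*bytes"
)


@dataclass
class LogForwardLag:
    dest: str             # forwarding destination as named by FortiAnalyzer
    lag_pct: float        # how far behind the forwarder is, in percent
    discarded_bytes: int  # bytes dropped because the forwarder could not keep up

    @property
    def is_local_siem(self) -> bool:
        # Destination seen in the article's message: the built-in FortiSIEM
        # module on the same box. Assumption: this name is stable.
        return self.dest == "ld-_siem_@localhost"


def parse_line(line: str) -> Optional[LogForwardLag]:
    """Extract destination, lag and discarded bytes from one event log line."""
    m = LOGFWD_RE.search(line)
    if m is None:
        return None
    return LogForwardLag(m["dest"], float(m["lag"]), int(m["discarded"]))


def triage(lines: List[str]) -> Dict[str, object]:
    """Split lag events into the local-SIEM case the article fixes by disabling
    the siem module, and every other destination, where discarded bytes mean
    logs did not reach the forwarding target."""
    local: List[LogForwardLag] = []
    remote: List[LogForwardLag] = []
    unparsed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
        elif ev.is_local_siem:
            local.append(ev)
        else:
            remote.append(ev)
    return {
        "local_siem": local,
        "remote": remote,
        "unparsed": unparsed,
        "remote_discarded_total": sum(e.discarded_bytes for e in remote),
    }


# Constructed sample lines (not taken from a real device). The first two reuse
# the article's message; the third uses a hypothetical remote collector.
SAMPLE_LINES = [
    "date=2021-10-05 time=09:00:01 msg=\"Log-forward 'ld-_siem_@localhost' "
    "lag behind 99.94%, discarded 173825724379bytes\"",
    "date=2021-10-05 time=09:10:01 msg=\"Log-forward 'ld-_siem_@localhost' "
    "lag behind 99.94%, discarded 173825800000bytes\"",
    "date=2021-10-05 time=09:10:02 msg=\"Log-forward 'ld-collector@10.0.0.5' "
    "lag behind 12.50%, discarded 1048576bytes\"",
    "date=2021-10-05 time=09:10:03 msg=\"Unrelated event\"",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print(f"local siem noise: {len(result['local_siem'])}, "
          f"remote lag events: {len(result['remote'])}, "
          f"bytes lost at remote targets: {result['remote_discarded_total']}")
```

Only events whose destination is the local SIEM module are treated as the cosmetic case covered by this article; anything else is kept as a real forwarding problem to investigate.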