btan
Staff & Editor
April 6, 2026

Technical Tip: Locate and download FortiClient OS Event logs in FortiAnalyzer

Description: This article describes how to download FortiClient OS Event logs in FortiAnalyzer.
Scope: FortiAnalyzer v7.2 and above.
Solution

When endpoint logging to FortiAnalyzer is configured in FortiClient EMS, the endpoint forwards FortiClient logs directly to FortiAnalyzer, without passing through FortiClient EMS.

 

april-kb2-AA.png

 

To verify that the setup is working:

  1. On the endpoint machine, open a command prompt and run the command: telnet x.x.x.x 514, where x.x.x.x is the FortiAnalyzer IP. A blank black window indicates that FortiAnalyzer is reachable on that port; this is the desired outcome.
  2. In FortiAnalyzer, open a terminal and run the commands:

 

diagnose debug application oftpd 255 x.x.x.x <-- Endpoint IP.
diagnose debug enable

During the upload interval, output should appear here, confirming that FortiClient logs have reached FortiAnalyzer.
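
The Telnet client is an optional Windows feature that is not enabled by default, so the reachability check in step 1 can also be done from PowerShell. The function below is an added example, not part of the original article or a Fortinet tool; the name Test-FazLogPort and the address 192.0.2.10 are placeholders. It reports whether the TCP connection completed, failed outright, or timed out.

```powershell
# Added example: TCP reachability check from the endpoint to FortiAnalyzer.
# Test-FazLogPort is a hypothetical helper name; 192.0.2.10 is a placeholder address.
function Test-FazLogPort {
    param(
        [Parameter(Mandatory)] [string] $FazAddress,
        [int] $Port = 514,          # port used in the telnet step of this article
        [int] $TimeoutMs = 3000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $timer  = [System.Diagnostics.Stopwatch]::StartNew()
    $status = 'TimedOut'            # default when no answer arrives (filtered or dropped)
    $detail = "No response within $TimeoutMs ms"
    try {
        $task = $client.ConnectAsync($FazAddress, $Port)
        if ($task.Wait($TimeoutMs) -and $client.Connected) {
            $status = 'Reachable'   # same meaning as the blank telnet window
            $detail = 'TCP handshake completed'
        }
    }
    catch {
        # Wait() throws when the connect attempt fails outright (for example, refused or no route)
        $status = 'Failed'
        $detail = $_.Exception.GetBaseException().Message
    }
    finally {
        $timer.Stop()
        $client.Close()
    }

    [pscustomobject]@{
        Target    = "${FazAddress}:$Port"
        Status    = $status
        ElapsedMs = $timer.ElapsedMilliseconds
        Detail    = $detail
    }
}

# Replace the placeholder with the FortiAnalyzer IP
Test-FazLogPort -FazAddress '192.0.2.10'
```

A Status of TimedOut usually points to a firewall silently dropping traffic on the path, while Failed with a refusal message means the host answered but nothing is listening on the port.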

 

To view and download endpoint OS event logs, navigate to: 
FortiAnalyzer -> FortiClient ADOM -> Log View -> Logs -> Log Browse -> look for 'SIEM' log type -> Download -> CSV -> untick 'compress' -> Download.

 

april-kb-2a.png

 

The downloaded CSV file contains the endpoint logs that correspond to those found in Windows Event Viewer:

 

april-kb2-b.png