Troubleshooting Tip: FortiAnalyzer receive new logs but stop inserting logs

There are many ways to verify when FortiAnalyzer receives the logs, but stop inserting according to the following list:

1. Verify through Dashboards -> Status through multiple widgets: Insert Rate vs Receive Rate: When the insert rate is plotted, the insert rate is zero. Log Insert Lag Time: The graph is not plotted (not 0s) and is empty.
2. In FortiGate, run the following command:

execute log fortianalyzer test-connectivity

The highlighted red box is able to verify that the logs are being sent and received by FortiAnalyzer.

3. In FortiAnalyzer, the following command can be used to verify the analytics logs:

diagnose test application logfiled 4 <----- Verify log writing, indexing, and disk-related log operations.

From the highlighted box:

Actual from yyyy/mm/dd hh:mm:ss to yyyy/mm/dd hh:mm:ss can be compared when the command is run again after the last check time.

4. Another command can be run in the FortiAnalyzer:

diagnose test application sqllogd 4 <----- Responsible for parsing logs and writing them into the SQL database.

The command can be run 4-5 times in short succession to compare the file field in the highlighted box. It indicates the current file that the FortiAnalyzer is processing.

After running the command 4-5 times and verifying the file name has not changed, it is a good indicator that FortiAnalyzer is stuck on inserting the logs.

5. Validate that FortiAnalyzer is receiving raw logs from FortiGate by going to log view > Log browse and reviewing the latest received files.

After having verified all the symptoms, the following steps can be taken as an attempt to resolve the issue:

1. Run the following command in FortiAnalyzer CLI:

diagnose debug crash read <----- Read and display stored crash information from the device.

Based on the output, check on the latest crash daemon and observe if the crash is SQL related, and it is near the last analytics logs.

If there are any, the daemon may be restarted using the following command:

diagnose test application <daemon_name> 99 <----- Example to restart the oftpd 'diagnose test application oftpd 99'.

2. Another helpful command in FortiAnalyzer:

diagnose test application fazcfgd 6 stat 100 <----- Inspect and debug the FortiAnalyzer configuration daemon (fazcfgd), focusing on its runtime statistics.

Note:

The output would be too long as there will be event logs, ClickHouse Errors, and Postgres Errors.

From the output, check the error on that is the nearest date when the log stopped being inserted. For this example, the error from the output is extracted from the following:

Emergency/Critical log:

76163:2025-09-17 13:15:17 tz="+1000" log_id=0028037005 type=event subtype=fazsys pri=emergency desc="FortiAnalyzer daemon suspended" user="system" userfrom="system" msg="siemdbd suspended due to disk full." operation="Application suspend" performed_on="" changes="siemdbd stopped inserting logs." action="suspend"

Check the allocated storage of the ADOM and ensure enough storage is allocated by navigating to System Settings -> ADOM. Scroll to the right to see storage usage.

Note:

For FortiAnalyzer Private Cloud, the minimum system requirements are 500GB. An unexpected behavior may occur due to not meeting the minimum requirements, including FortiAnalyzer not sending the logs: Minimum system requirements.

3. When confirming there are no crash logs and there is enough storage space, performing a rebuild can help to resolve the issue using the following command.

execute sql-local rebuild-db  <----- Requires a restart.
execute sql-local rebuild-adom <AdomName> <-----  Does not require a restart. This command has been removed since v7.6.X onwards. 

Related article:

Technical Tip: FortiAnalyzer SQL database delete and rebuild