WinterSnowYap
Staff
May 21, 2025

Troubleshooting Tip: How to troubleshoot a FortiAnalyzer that is not showing filtered log information

Description: This article describes how to troubleshoot a FortiAnalyzer that does not show filtered log information.
Scope: FortiAnalyzer.
Solution:

On FortiAnalyzer, go to Log View -> FortiGate -> Traffic and set the following filter:

  • Time filter = 30 days ago.
  • Device = FGT_A.
  • destination ip = 1.2.3.4.
  • source ip = 10.10.10.10.

However, FortiAnalyzer does not return any information for the above filter.

On FortiAnalyzer, go to Log View -> Log Browse and apply the same filter:

  • Time filter = 30 days ago
  • Device = FGT_A
  • destination ip = 1.2.3.4 
  • source ip = 10.10.10.10

After that, Log Browse lists files of type (.tlog), which means they are traffic logs.

For example, if it shows 3 (.tlog) files, select 1 of them, double-click to open it, and filter inside it by:

  • destination ip = 1.2.3.4 
  • source ip = 10.10.10.10

If none of the 3 (.tlog) files show the information, it means that the FortiGate has not been sending log information for (destination ip = 1.2.3.4 & source ip = 10.10.10.10) to FortiAnalyzer from the beginning.

Troubleshooting steps:

  1. Generate traffic related to (destination ip = 1.2.3.4 & source ip = 10.10.10.10).
  2. On FGT_A, go to Log & Report -> Forward Traffic (change the log location from FortiAnalyzer to memory/disk) and monitor the real-time traffic logs to see whether (destination ip = 1.2.3.4 & source ip = 10.10.10.10) log information is generated.

If no (destination ip = 1.2.3.4 & source ip = 10.10.10.10) log information is generated on FGT_A, check the firewall policy and fine-tune it.

On FortiAnalyzer, the fortilogd status can also be checked using the following command:

diag fortilogd status
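
The same device, source, destination and time-window check can be run offline against raw log lines, for example logs downloaded as text from Log Browse or from FGT_A. This is an added example, not part of the original article or of Fortinet tooling; it assumes the FortiGate key=value log format, and the function names, sample lines and reference date are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# key=value pairs; a value is either "quoted" (may contain spaces) or a bare token
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines in FortiGate key=value format (not real logs)
SAMPLE = [
    'date=2025-05-20 time=09:15:02 devname="FGT_A" type="traffic" subtype="forward" srcip=10.10.10.10 dstip=1.2.3.4 action="accept" policyid=5',
    'date=2025-05-20 time=09:15:07 devname="FGT_A" type="traffic" subtype="forward" srcip=10.10.10.11 dstip=1.2.3.4 action="accept" policyid=5',
    'date=2025-03-01 time=11:00:00 devname="FGT_A" type="traffic" subtype="forward" srcip=10.10.10.10 dstip=1.2.3.4 action="deny" policyid=0',
    'date=2025-05-19 time=23:59:59 devname="FGT_B" type="traffic" subtype="forward" srcip=10.10.10.10 dstip=1.2.3.4 action="accept" policyid=2',
]

def parse_line(line):
    """Turn one raw log line into a dict of field name -> value."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def matching_logs(lines, device, srcip, dstip, now, days=30):
    """Return traffic logs from `device` for srcip -> dstip within the last `days` days."""
    cutoff = now - timedelta(days=days)
    hits = []
    for line in lines:
        f = parse_line(line)
        if f.get("type") != "traffic" or f.get("devname") != device:
            continue
        if f.get("srcip") != srcip or f.get("dstip") != dstip:
            continue
        try:
            ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue  # no usable timestamp, so it cannot be placed in the window
        if cutoff <= ts <= now:
            hits.append(f)
    return hits

if __name__ == "__main__":
    now = datetime(2025, 5, 21, 12, 0, 0)  # constructed reference date
    hits = matching_logs(SAMPLE, "FGT_A", "10.10.10.10", "1.2.3.4", now)
    print(f"{len(hits)} matching traffic log(s) in the last 30 days")
    for h in hits:
        print(h["date"], h["time"], h.get("action"), "policyid=" + h.get("policyid", "?"))
```

Zero matches over a file that does contain other FGT_A traffic points to the same conclusion as the Log Browse check: the log was never sent, so the next place to look is the firewall policy on FGT_A.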