Technical Tip: FortiGate not sending syslog to FortiAnalyzer when using multi VDOM environment
| Description | This article describes how to resolve FortiGate not sending VDOM syslogs to FortiAnalyzer via the mgmt interface. |
| Scope | FortiGate v7.4/v7.6. |
| Solution | When the FortiGate has multiple VDOMs, the default setting for how to send syslogs to FortiAnalyzer for each VDOM is as follows:
With this default setting, the FortiGate will send syslogs for each VDOM to FortiAnalyzer via the management interface.
If the device has already been running for some time, this feature may get into a state where all syslogs are sent via the management interface without each VDOM being marked. When importing VDOMs into a new FortiAnalyzer, this will cause the VDOMs not to be imported correctly.
Below is an example of VDOMs not importing:
The 3000F in this case has been imported, but we cannot see each VDOM separately. The FortiGate-VM below has been imported correctly.
To resolve this issue, enable the setting 'faz-override', generate test logs, disable the setting 'faz-override', then generate test logs again. Repeat these steps for each VDOM.
After completing these steps for each VDOM, the FortiGate will generate syslogs correctly, and the VDOMs will import into FortiAnalyzer.
Related articles: Technical Tip: Logs generated while using the 'diagnose log test' command |
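
The toggle sequence described above, written out as FortiOS CLI for a single VDOM. This is an added example, not taken from the original article: the VDOM name `VDOM-A` is a placeholder, and placing 'faz-override' under `config log setting` is an assumption the article does not state.

```fortios
# Enter the VDOM to be repaired (VDOM-A is a placeholder name)
config vdom
    edit VDOM-A
        # Step 1: enable the per-VDOM FortiAnalyzer override
        config log setting
            set faz-override enable
        end
        # Step 2: generate test logs while the override is enabled
        diagnose log test
        # Step 3: disable the override again
        config log setting
            set faz-override disable
        end
        # Step 4: generate test logs a second time
        diagnose log test
end
```

Run the same sequence in each remaining VDOM, then check in FortiAnalyzer that the device now lists its VDOMs separately.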

