Troubleshooting Tip: FortiGate to FortiAnalyzer Logs sent but device status down
| Description | This article describes that FortiGate firewalls may show successful log transmission to FortiAnalyzer (Tx & Rx in connectivity tests), yet the FortiAnalyzer reports the device as down with no ongoing log reception. |
| Scope | FortiAnalyzer, FortiGate. |
| Solution | The FortiGate logging daemon (miglogd) fails to prepare log upload directories due to the filesystem being mounted read-only, preventing sustained connections despite initial handshakes succeeding. This blocks log forwarding to the FortiAnalyzer. And the FortiGate will appear to be down.
The following error messages in miglogd debugs from the FortiGate will be seen:
failed to create/open temp crash file: Read-only file system create_upload_dir(): /var/log/log/root/upload error (30) miglog_create_dir(): /var/log/log/root/fams_report error:30 miglog_faz_stop_conn(): faz: connection close. reason:virtual domain add/delete
These indicate that miglogd cannot initialize VDOM log directories, triggering repeated connection drops despite network connectivity. Rebooting the FortiGate resolves the issue, which will clear the filesystem state. |