Skip to main content
mhamza
mhamza
New Member
September 17, 2025
Solved

EMS Logs Not Ingesting in FortiAnalyzer Only FortiClient Logs Visible

  • September 17, 2025
  • 5 replies
  • 760 views

Hello Fortinet Support,

 

We are facing an issue where EMS logs are not being ingested into Forti Analyzer. At present, only FortiClient logs are visible, but EMS server activity/logs are not showing up.

Details:

  • Product: Forti Analyzer & FortiClient EMS

  • Issue: EMS logs not ingesting/forwarding to Forti Analyzer

  • Observed: Only FortiClient logs are displayed

  • Expected: Both FortiClient and EMS logs should be ingested for full visibility

Request:
Could you please assist us in troubleshooting and resolving this? If any specific configuration or version requirements are needed for EMS log forwarding, kindly provide guidance.

Best answer by AEK

Hi Hamza

Did you configure log forward to FAZ on your EMS? Can you share a screenshot of the config?

Did you authorize EMS on FAZ?

You can also use "diag sniffer" on FAZ to check if logs are received from EMS.

5 replies

AEK
SuperUser
AEKAnswer
SuperUser
September 19, 2025

Hi Hamza

Did you configure log forward to FAZ on your EMS? Can you share a screenshot of the config?

Did you authorize EMS on FAZ?

You can also use "diag sniffer" on FAZ to check if logs are received from EMS.

AEK
    mhamza
    mhamzaAuthor
    New Member
    September 23, 2025

    Please check the attach configuration snapEMS Configuration.png

    AEK
    SuperUser
    AEK
    SuperUser
    September 23, 2025

    The config from EMS side looks fine.

    What about FAZ side?

    • Did you authorize EMS on FAZ?
    • You can also use "diag sniffer" on FAZ (for few minutes) to check if logs are received by FAZ from EMS.
     
    AEK
      eddienashuwu
      eddienashuwu
      New Member
      February 10, 2026

      FortiClient logs are visible because they’re sending directly to FortiAnalyzer, while EMS itself isn’t registered/authorized or configured to send logs to FortiAnalyzer.

      nabes44
      nabes44
      New Member
      February 24, 2026

      We are currently experiencing an issue where FortiClient EMS server logs are not being ingested by FortiAnalyzer. While endpoint logs (FortiClient) are flowing correctly, the system logs from the EMS server itself are missing.

      AEK
      SuperUser
      AEK
      SuperUser
      February 24, 2026

      Did you configure log forward to FAZ on your EMS?
      What does "diag sniffer" on FAZ show when you filter on EMS IP?

      AEK
        H
        hyuhn
        New Member
        May 30, 2026

        The error indicates that intel-platform-vsec-dkms is already installed or registered in DKMS, which is preventing a new build from being created. Before attempting to build or reinstall the module again, you need to remove the existing DKMS entry. You can do this by using the dkms remove command for the currently installed version of intel-platform-vsec-dkms. Once the old module has been removed successfully, retry the build or installation process to avoid conflicts and ensure a clean setup.

          Terms & ConditionsAccessibility statement