Previgarb
New Member
May 6, 2022
Question

Fortianalyzer | Fortiview is empty

  • May 6, 2022
  • 9 replies
  • 17834 views

FortiAnalyzer, FortiGate

Hi,

 

I've tried and tried and don't seem to be able to fix this problem I have with FA.

I have a setup with Fortigate 61F + EMS + Fortianalyzer. All V7.0.3.

Security fabric is enabled with the FG unit as fabric root and all looks ok, but... although in the FA "Log View" I can see the FG logs that have been stored for the last few months, in FortiView most log categories (such as all in Traffic, f. ex.) are empty with a "This chart requires following Log to be enabled: (log name)", and the ones that don't show the warning are empty as well.

 

In the FG unit log settings I have sending logs to FA enabled, status connected, upload realtime... oddly Storage/Analytics/Archive usage shows "0%". In "Logs Sent to FortiAnalyzer Daily" below, I have ~1GB daily.

 

I've reviewed everything and I feel lost at this point... What have I missed?

 

Thanks in advance,

9 replies

New Contributor III
May 9, 2022

Hello Previgarb, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

 Fortinet Community Team 

seshuganesh
Staff
May 9, 2022

Hi Team,

 

Please let us know if you are able to see logs under logs and reports >> forward traffic

Also, please share the below logs with us for further analysis:

get sys performance status

diag sys top (press ctrl+c after getting three outputs)

diag debug application miglogd -1

diag debug enable

Wait for five minutes. Once the logs are generated, please disable the debug by executing this command: "diag debug disable"

Previgarb (Author)
New Member
May 11, 2022

[Attachment: FortiAnalyser_2.png]

Previgarb (Author)
New Member
May 9, 2022

Hi,

Thank you for your reply,

 

I can view the logs when, in "LogLocation" I select either "Disk" or "FG Cloud". If I select "FortiAnalyzer" it comes out empty.

 

get sys performance status

 

CPU states: 2% user 0% system 0% nice 98% idle 0% iowait 0% irq 0% softirq
CPU0 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU1 states: 8% user 0% system 0% nice 92% idle 0% iowait 0% irq 0% softirq
CPU2 states: 3% user 0% system 0% nice 97% idle 0% iowait 0% irq 0% softirq
CPU3 states: 3% user 0% system 0% nice 97% idle 0% iowait 0% irq 0% softirq
CPU4 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU5 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU6 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU7 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
Memory: 1964668k total, 1227508k used (62.5%), 444600k free (22.6%), 292560k freeable (14.9%)
Average network usage: 16588 / 16771 kbps in 1 minute, 13724 / 13874 kbps in 10 minutes, 13326 / 13512 kbps in 30 minutes
Average sessions: 2284 sessions in 1 minute, 1806 sessions in 10 minutes, 1803 sessions in 30 minutes
Average session setup rate: 14 sessions per second in last 1 minute, 13 sessions per second in last 10 minutes, 13 sessions per second in last 30 minutes
Average NPU sessions: 279 sessions in last 1 minute, 230 sessions in last 10 minutes, 215 sessions in last 30 minutes
Average nTurbo sessions: 20 sessions in last 1 minute, 18 sessions in last 10 minutes, 18 sessions in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 0 days,  6 hours,  12 minutes

 

 

diag sys top

 

Run Time:  0 days, 6 hours and 13 minutes
0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 1918T, 426F
             node      174      S       2.4     2.7    1
        ipsengine      300      S <     0.4     3.7    7
        ipsengine      298      S <     0.4     3.7    5
              wad      254      S       0.4     3.1    0
          sslvpnd      260      S       0.4     1.2    2
              wad      250      S       0.4     0.3    0
        ipsengine      299      S <     0.0     3.7    6
              wad      253      S       0.0     3.3    1
              wad      251      S       0.0     3.0    1
              wad      255      S       0.0     2.6    0
        ipshelper      187      S <     0.0     2.4    1
          cmdbsvr      141      S       0.0     2.3    3
        scanunitd      200      S <     0.0     1.9    2
          miglogd      282      S       0.0     1.8    0
          miglogd      193      S       0.0     1.8    1
        extenderd      239      S       0.0     1.5    6
          sslvpnd      195      S       0.0     1.4    6
           fcnacd      191      S       0.0     1.3    6
           cw_acd      229      S       0.0     1.3    3
             csfd      240      S       0.0     1.2    1

 

 

diag debug enable

https://pastebin.com/taUBhDDS - Can't paste it here because it exceeds the character limit.

 

Thanks,
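A small parser for the "diag sys top" dump posted above, added here as an example and not part of the thread: it turns the header and process rows into structured data and checks that the logging daemon (miglogd, which forwards logs to FortiAnalyzer) is present and not saturated. The sample rows are copied from the posted output; the function names and the 80% CPU threshold are assumptions.

```python
import re
from typing import Dict, List

# Rows taken from the "diag sys top" output posted above (subset).
DIAG_SYS_TOP = """\
Run Time:  0 days, 6 hours and 13 minutes
0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 1918T, 426F
             node      174      S       2.4     2.7    1
        ipsengine      300      S <     0.4     3.7    7
              wad      254      S       0.4     3.1    0
          miglogd      282      S       0.0     1.8    0
          miglogd      193      S       0.0     1.8    1
             csfd      240      S       0.0     1.2    1
"""

# One process row: name, pid, state (optionally flagged "<"), %CPU, %MEM, core.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+([A-Z])\s*(<)?\s+([\d.]+)\s+([\d.]+)\s+(\d+)\s*$")
# Summary line: CPU split (U/N/S/I/...) and total/free memory in MB (T/F).
HEADER_RE = re.compile(r"(\d+)U, (\d+)N, (\d+)S, (\d+)I, .*?; (\d+)T, (\d+)F")


def parse_top(text: str) -> Dict:
    """Parse a diag sys top dump into idle %, memory totals and process rows."""
    result: Dict = {"procs": []}
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            result["idle"] = int(m.group(4))
            result["mem_total_mb"] = int(m.group(5))
            result["mem_free_mb"] = int(m.group(6))
            continue
        m = ROW_RE.match(line)
        if m:
            result["procs"].append({
                "name": m.group(1), "pid": int(m.group(2)), "state": m.group(3),
                "cpu": float(m.group(5)), "mem": float(m.group(6)), "core": int(m.group(7)),
            })
    return result


def logging_daemon_check(top: Dict, name: str = "miglogd", cpu_limit: float = 80.0) -> List[str]:
    """Return findings: daemon absent, or an instance busy enough to suggest a log backlog."""
    findings = []
    instances = [p for p in top["procs"] if p["name"] == name]
    if not instances:
        findings.append(f"{name} not running")
    for p in instances:
        if p["cpu"] >= cpu_limit:  # assumed threshold, tune to the platform
            findings.append(f"{name} pid {p['pid']} at {p['cpu']}% CPU")
    return findings
```

In the posted dump both miglogd instances are idle and memory is not exhausted, so this check returns no findings; the empty FortiView therefore has to be explained elsewhere (forwarding, FAZ-side storage or log-type settings).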

Previgarb (Author)
New Member
May 10, 2022

[Attachment: FortiAnalyser.png]

seshuganesh
Staff
May 11, 2022

Kindly get us the output of these two commands:

diag test application miglogd 20

diag test application miglogd 6

diag debug crashlog read

diag sniffer packet any 'host a.b.c.d' 4 0 a (where a.b.c.d is the FortiAnalyzer IP address). Once you run the sniffer, we will be able to know whether the firewall is sending packets to the FortiAnalyzer or not.

Previgarb (Author)
New Member
May 11, 2022

Hi,

 

Command outputs:

https://pastebin.com/C0CwU55i

 

Thanks,

Previgarb (Author)
New Member
May 16, 2022

bump

pietruchapp
New Member
June 21, 2022

Hello
Has the problem been resolved?

JPratt
Staff
July 13, 2022

Hi,

In the Fortigate do you have a policy with Application Control Security Profile enabled? This is needed to show Applications under FortiView in FAZ.

 

Previgarb (Author)
New Member
July 20, 2022

Hi JPratt,

 

Thank you for your reply,
I have several Application Sensors under "Security control > Application control". The one I use is set to monitor all categories.
I have that profile enabled in our Proxy Policy and in most of our Firewall Policies.
Although the FAZ logs virtual disk has ~300GB of used space, and it's been running since February (meaning it's collecting the logs), FortiView has most of the categories greyed out. When I hover the mouse over, let's say, "Traffic > Top Sources", it says "This chart requires following Log to be enabled: Traffic".
Do you have any idea of what else I should check?

 

Thanks in advance,
Cheers,

Previgarb (Author)
New Member
July 21, 2022

Hi Zhuo,

 

Thank you for your reply,

From what I read, the problems with the SQL DB come from updating FAZ.

I've never updated it and the issue is there since I first installed back in February.

 

Thanks,

Cheers,

 

mk99
New Member
September 7, 2023

Did you ever get this fixed?