FortiAnalyzer Logging Stops

Question

I have a FortiGate 200E that is setup to log to the FortiAnalyzer. From time to time, I'll log in to the Analyzer and notice that logging has stopped. Does anyone know how to setup an alert that will notify us that logging has stopped on the FortAnalyzer? I can fix it by logging in to the FortiGate and toggling the logging from real-time to every minute, that seems to get it going again.

Shawn

adawson_van_FTNT · Accepted Answer

Please be advised that in FortiAnalyzer firmware version 6.0, the default configuration has changed to 1440 minutes

FAZ-VM64-Bridged # get system locallog setting log-interval-dev-no-logging: 1440

Therefore, the FortiAnalyzer will wait 24 hours to perform the log check and therefore generate a System Event Log if no logs have been received by the device.

However, it is important to consider that lowering this value and therefore increasing the frequency may hinder device performance.

hzhao_FTNT · Answer

Hi Shawn,

By default, there will be some system event logs about "Device offline" as below:

2018-02-27 11:30:15 log_id=0029038009 type=event subtype=logdev pri=warning desc="Device offline" user="system" userfrom="system" msg="Device[xxxxxxxxxxxxxx] did not receive any log in last xx minutes."

In root ADOM, you can create an event handler based on this log and enable "Send Alert Email" on it.

Regards,

hz

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded