cashbuddy
New Member
July 3, 2017
Question

Fortigate 200D - logging to syslog broken after firmware upgrade


Hi

Our Fortigate is not logging to syslog after firmware upgrade from "5.4.4" to "5.6.0, Build 1449"

 

Configuration:

IE-SV-For01-TC # config log syslogd setting

IE-SV-For01-TC (setting) # show full-configuration
config log syslogd setting
    set status enable
    set server "192.168.1.160"
    set reliable disable
    set port 9998
    set facility local0
    set source-ip "192.168.1.150"
    set format default
end

IE-SV-For01-TC (setting) # end

 

IE-SV-For01-TC # config log syslogd filter

IE-SV-For01-TC (filter) # show full-configuration
config log syslogd filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set dns enable
    set filter ''
    set filter-type include
end

 

By looking at the datasources in Splunk I can see that almost all of them except fgt_log stopped working (see attached file).

 

I was checking fortigate-whats-new-56.pdf and I didn't see any major changes in the logging system.

I already tried "set status disable" and re-enabling it, but it didn't make any difference.

 


    emnoc
    New Member
    July 3, 2017

    Why don't you try to disable the server and re-enable it? At the same time, run the CLI command diag sniffer packet any "dst port 9998" and in a 2nd window execute the CLI command "diag log test". Do you see any packets outbound? Does the syslog target have an active listener on tcp.port 9998 (e.g. netstat -an | grep 9998)?

     

    Also use "diag test application miglogd 4" and look at your active log device and the log statistics for syslogd

     

    diag test application miglogd 6

     

    Reference my previous post for some cool tips

    http://socpuppet.blogspot.com/2014/07/how-to-diagnostic-forticloud-issues-52ga.html

     

    ALSO, TO EDIT: make sure you have no strange severity filters enabled, like emergency only

     

    e.g.

    SOCPUP01 (global) # show log syslogd filter
    config log syslogd filter
        set severity emergency
    end

    Even with the test command, a severity of "emergency" will not trigger. I hope this helps.

     

     

    Ken

    cashbuddy (Author)
    New Member
    July 4, 2017

    emnoc wrote:
    Why don't you try to disable the server and re-enable.

    I already ran the following:

     

    config log syslogd setting
        set status disable
    end

    config log syslogd setting
        set status enable
    end

    And it didn't make any difference

     

    emnoc wrote:
    At the same time run cli cmd  diag sniffer packet any "dst port 9998" and in a 2nd  window execute a cli cmd "diag log  test", do you see any packets outbound?

    Yes, I see packets (around 300 per minute) going to the fgt_log datasource only. Sample packet:

    Jul  4 08:50:34 192.168.1.150 date=2017-07-04 time=08:50:34 devname=Forti01 devid=FG200D********** logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.160 srcport=53826 srcintf="port1" dstip=xxx.xxx.xxx.xxx dstport=443 dstintf="wan1" poluuid="ce6733d8-a837-51e6-af07-3a30e8bbd8e8" sessionid=180385418 proto=6 action="server-rst" policyid=197 policytype="policy" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=213.168.224.167 transport=53826 service="HTTPS" duration=5 sentbyte=1157 rcvdbyte=5029 sentpkt=10 rcvdpkt=10 appcat="unscanned" wanin=4617 wanout=629 lanin=629 lanout=629

    but fgt_event, fgt_traffic, and fgt_utm are still not working (nothing is logged into those datasources).

     

    emnoc wrote:
    Does the  syslog-target have an active listener on tcp.port 9998 ( e.g netstat -an | grep 9998  )

    Yes, because there's data logged into the fgt_log datasource.

     

    I will try to troubleshoot it with the commands you gave me at the end in the previous post.

     

    cashbuddy (Author)
    New Member
    July 4, 2017

    Oops...

     

    It seems everything is fine with the Fortigate... I use the "Fortinet Fortigate app for Splunk" and it converts all data from fgt_log to the other data sources.

    By querying Splunk with sourcetype="fgt_log" type="event" I can see they started to appear in Splunk on the day we upgraded the firmware on the Fortigate.

    So something changed on the Fortigate itself, but I guess the changes have to be made in the Splunk app rather than on the Fortigate.

     

    Thank you for your help @emnoc, the commands you provided were very helpful for me.
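
The two things this thread turns on are (a) the per-type split that the Splunk app performs on the fgt_log sourcetype (fgt_traffic, fgt_event, fgt_utm, keyed on the type= field of each record) and (b) emnoc's caveat that a syslogd filter of "set severity emergency" silently drops everything "diag log test" produces. The Python below is an added example, not the Fortinet app's or FortiOS's code: it parses the FortiOS key=value record format as it appears in the sample packet above (bare and double-quoted values mixed in one line, quoted values may contain spaces), routes each record to a sourcetype, and applies a severity threshold in the standard syslog order that FortiOS uses. The type-to-sourcetype mapping is an assumption about how the app names its outputs; the first sample is the poster's own traffic line trimmed of some fields, the second is a constructed event record for illustration.

```python
import re
from collections import Counter
from typing import Dict, Iterable

# FortiOS syslog severity names, most severe first. "set severity X" in
# "config log syslogd filter" forwards records at level X and anything more
# severe; with X = emergency the notice/information records that normal
# traffic and "diag log test" generate never leave the box.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notice", "information", "debug"]

# Assumed mapping from the record's type= field to the per-type sourcetypes
# named in the thread; anything else stays on the catch-all fgt_log.
TYPE_TO_SOURCETYPE = {"traffic": "fgt_traffic",
                      "event": "fgt_event",
                      "utm": "fgt_utm"}

# Sample input (first line is the poster's captured record, trimmed; second
# line is constructed for this example and is not a real FortiOS message).
SAMPLE_LINES = [
    'Jul  4 08:50:34 192.168.1.150 date=2017-07-04 time=08:50:34 devname=Forti01 '
    'devid=FG200D********** logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="root" srcip=192.168.1.160 srcport=53826 srcintf="port1" '
    'dstip=xxx.xxx.xxx.xxx dstport=443 dstintf="wan1" action="server-rst" '
    'policyid=197 dstcountry="United States" service="HTTPS" sentbyte=1157 rcvdbyte=5029',
    'Jul  4 08:51:02 192.168.1.150 date=2017-07-04 time=08:51:02 devname=Forti01 '
    'devid=FG200D********** type="event" subtype="system" level="information" '
    'vd="root" msg="constructed example event with key=value text inside quotes"',
]

# key=value where value is either "quoted text" or a bare run of non-space
# characters. The quoted branch consumes through the closing quote, so an
# "=" inside a quoted msg= does not start a new pair.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> Dict[str, str]:
    """Return the key=value fields of one FortiOS syslog line as a dict.

    The syslog header ("Jul  4 08:50:34 192.168.1.150") contains no "="
    and is skipped naturally; field order is preserved by dict insertion.
    """
    fields: Dict[str, str] = {}
    for match in KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def route_sourcetype(fields: Dict[str, str], base: str = "fgt_log") -> str:
    """Pick the per-type sourcetype for a parsed record (assumed mapping)."""
    return TYPE_TO_SOURCETYPE.get(fields.get("type", ""), base)


def passes_severity_filter(fields: Dict[str, str], configured: str) -> bool:
    """True if the record's level= is at least as severe as the filter.

    A record without a recognised level= is treated as not forwarded.
    """
    if configured not in SEVERITIES:
        raise ValueError(f"unknown severity {configured!r}")
    level = fields.get("level")
    if level not in SEVERITIES:
        return False
    return SEVERITIES.index(level) <= SEVERITIES.index(configured)


def route_batch(lines: Iterable[str], configured_severity: str) -> Counter:
    """Count where each line ends up under a given syslogd severity filter."""
    counts: Counter = Counter()
    for line in lines:
        fields = parse_record(line)
        if not fields or not passes_severity_filter(fields, configured_severity):
            counts["dropped"] += 1
            continue
        counts[route_sourcetype(fields)] += 1
    return counts


if __name__ == "__main__":
    # The thread's working filter ("information") vs emnoc's broken one.
    for severity in ("information", "emergency"):
        print(f"severity {severity}: {dict(route_batch(SAMPLE_LINES, severity))}")
```

Running it shows both samples landing on fgt_traffic and fgt_event under "set severity information" and both counted as dropped under "set severity emergency", which is the difference emnoc's diag sniffer test would expose on the wire.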

    MariusClaudiu
    Visitor III
    February 24, 2024

    Hi

    I need firmware for the 200D rev. 2.

    5.4.8, I think, was the last one. Without a licence I can't get it, and I can't upgrade.

    If somebody can help me...

    Thanks a lot