This can be checked and addressed as per below:
- Check whether logs show in FortiAnalyzer to ensure logs are there.
(If logs intermittently do not show and the same behavior is visible on FortiAnalyzer too, the disk usage limit on FortiAnalyzer may have been reached, which causes FortiAnalyzer to delete old logs to free up space.)
- If FortiAnalyzer logs are visible but are not downloading on the FortiGate, run the following command:
execute log fortianalyzer test-connectivity
- If the connectivity test passes and there is still some issue on the FortiGate, run the below command on the FortiGate:
get log fortianalyzer setting
- Check the conn-timeout setting, as it affects how logs are retrieved from FortiAnalyzer. Increase the conn-timeout setting.
- Also, check the miglogd process debugs: 'diag deb app miglogd 255'.
Note that this can be resource intensive depending on the volume of logs.
It is possible to set the debug duration lower, for example to 1 minute with 'diag debug duration 1', and then enable the debugs.
To collect debug information of FortiAnalyzer enabled logs:
diagnose debug application miglogd 0x100
It shows an output as below:
Fortigate# diagnose debug application miglogd 0x100
<226> _send_queue_item()-488: type=11, cat=0, logcount=0, len=0
<226> __on_pkt_recv()-1376: dev=global-faz type=11 pkt_len=21
<226> __on_pkt_recv()-1376: opt=52, opt_len=9
<146> _send_queue_item()-488: type=11, cat=0, logcount=0, len=0
<146> __on_pkt_recv()-1376: dev=global-faz type=11 pkt_len=21
<146> __on_pkt_recv()-1376: opt=52, opt_len=9
<226> _send_queue_item()-488: type=3, cat=1, logcount=1, len=284
<226> _send_queue_item()-488: type=11, cat=0, logcount=0, len=0
<226> __on_pkt_recv()-1376: dev=global-faz type=11 pkt_len=21
- It is possible to increase the number of miglogd child processes.
First determine the number of miglogd processes with the following command:
diag sys process pidof miglogd <----- Output as per below.
182 242
This displays the process IDs (PIDs) of the miglogd processes: 1 main and 1 child process. For efficiency of logs, the number of child processes can be increased as per below:
get sys performance status <----- Ensure enough memory is free.
config system global
get | grep miglogd
set miglogd-children 2
end
get sys performance status <----- Check the resource status again.
- Other checks of the miglogd process can be done with the command 'diag test app miglogd', which displays the full list of optional checks.
If point 2 above (the 'execute log fortianalyzer test-connectivity' check) fails, refer to the below KB article: Troubleshooting Tip: FortiGate to FortiAnalyzer connectivity
Other useful document:
Log-related diagnose commands
Related article:
Troubleshooting Tip: FortiGate to FortiAnalyzer connectivity