FortiAnalyzer
cfirpo_FTNT (Staff)
Article Id 192612
Description
Analyzer and Collector modes can be used together to increase overall performance for logging and reporting. The FortiGate first sends logs to the Collector, which then forwards the logs to the Analyzer.

See "Operation Modes" in the FortiAnalyzer Online Guide.

The Collector's primary role is storing and uploading logs (the "Archive" data), with analysis taking place on the Analyzer. For this reason, starting in FortiAnalyzer 5.4, SQL database insertion is disabled on the Collector by default.

When the Collector has SQL disabled, Log View on the FortiGate GUI will not work properly if the FortiGate is configured to display log data from the FortiAnalyzer, i.e. when the following is set:

FortiGate: Log Settings > View logs from > FortiAnalyzer

Solution

In order for Log View on the FortiGate to work, do one of the following:

1) Change the setting to "View logs from: Disk" on the FortiGate.
2) Enable the SQL database on the Collector (note that this has a performance impact on the Collector).

Alternatively, ensure that the appropriate admin users can log in directly to the FortiAnalyzer running in Analyzer mode and use Log View there, since that is where the SQL database and the analytics reside.
