FortiAnalyzer
Anonymous
Article Id 277214
Description This article explains how FortiAnalyzer forwards logs to an external syslog server, a Common Event Format (CEF) server, or another FortiAnalyzer. It provides a detailed guide to configuring Log Forwarding and includes troubleshooting steps.
Scope FortiAnalyzer.
Solution
  1. On the FortiAnalyzer GUI, configure Log Forwarding settings under System Settings -> Advanced, in the first tab, called Log Forwarding. Select the Create New button.

[Image: Log fowarding conf. for article.png]
If Log messages match 'All', the configuration will be as follows:

    set log-filter-status enable
    set log-filter-logic "and"

If Log messages match 'Any of the following Conditions', the configuration will be as follows:

    set log-filter-status enable
    config log-filter
  2. The configuration can be completed through the FortiAnalyzer CLI as follows:

    config system log-forward
        edit 1
            set mode forwarding
            set fwd-max-delay realtime
            set server-name "ABC"
            set server-addr "10.35.81.33"
            set fwd-server-type syslog
            config device-filter
                edit 1
                    set adom "root"
                    set device "FGVM02TM19005470"
                next
            end
            set log-filter-status enable
            config log-filter
                edit 1
                    set value "event"
                next
                edit 2
                    set field level
                    set oper >=
                    set value "information"
                next
            end
            set signature 175067477637460517
        next
    end

  3. Run the following debug commands to check the log forwarding status via the CLI:

    diagnose test application logfwd 2    <----- Shows the thread pool status.
    diagnose test application logfwd 3    <----- Shows the log forwarding configurations.
    diagnose test application logfwd 4    <----- Shows the log forwarding status.
    diagnose test application logfwd 7    <----- Shows the runtime logs.

When 'Any of the following Conditions' is selected, a log row is forwarded as soon as one condition matches it; the remaining conditions are not checked.

 

Consider this configuration:

[Image: wrong conf.png]

config system log-forward
    edit 1
        set mode forwarding
        set fwd-max-delay realtime
        set server-name "ABC"
        set server-addr "10.35.81.33"
        set fwd-server-type syslog
        set log-filter-status enable
        config log-filter
            edit 1
                set field level
                set oper !=
                set value "debug"
            next
            edit 2
                set field free-text
                set oper match
                set value "!dstport==53"
            next
        end
        set signature 5425690669366982019
    next
end

With this configuration, logs of DNS queries are still forwarded: a DNS query log whose level is not debug already matches the first condition, so the second condition is never evaluated.

If the goal is that neither debug logs nor DNS query logs are forwarded to the ABC syslog server, the Log messages matching setting must be changed to 'All'.

 

This is visible in the last row of the output of diagnose test application logfwd 3 (debug is severity level 7):

  • With the option 'Any of the following Conditions': Log-filter: level!=7 or ( not dstport=53 )
  • With the option 'All': Log-filter: level!=7 and ( not dstport=53 )
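To make the 'or' versus 'and' behaviour concrete, the following Python model, added here and not part of the article or of Fortinet's code, evaluates the two log-filter entries of the configuration above against constructed sample log rows and renders the filter in the form the logfwd debug output uses. The level-name-to-number mapping follows FortiOS severities (debug = 7); the reading of the free-text entry '!dstport==53' as a negated single-field comparison, the sample rows, and the function names are assumptions made for this illustration.

```python
import re

# FortiOS syslog severity numbers. The CLI value "debug" is stored as level 7,
# which is why the logfwd 3 debug output prints the condition as "level!=7".
LEVELS = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
          "warning": 4, "notice": 5, "information": 6, "debug": 7}

# Stand-ins for the article's two log-filter entries (field / oper / value).
ARTICLE_FILTERS = [
    {"field": "level", "oper": "!=", "value": "debug"},
    {"field": "free-text", "oper": "match", "value": "!dstport==53"},
]

# Constructed sample log rows shaped like FortiGate log fields; not real logs.
DNS_QUERY = {"type": "traffic", "level": "notice", "dstport": "53"}
DEBUG_LOG = {"type": "event", "level": "debug", "dstport": "443"}
HTTPS_LOG = {"type": "traffic", "level": "notice", "dstport": "443"}


def parse_free_text(value):
    """Simplified reading of a free-text condition such as '!dstport==53'.

    Assumption (not Fortinet's parser): a leading '!' negates the condition and
    'key==value' compares a single log field. This matches how the article's
    debug output renders the entry, '( not dstport=53 )'.
    """
    negate = value.startswith("!")
    body = value[1:] if negate else value
    m = re.fullmatch(r"(\w+)==(.+)", body)
    if m is None:
        raise ValueError(f"unsupported free-text condition: {value!r}")
    return negate, m.group(1), m.group(2)


def condition_matches(cond, log):
    """Evaluate one log-filter entry against one log row (dict of strings)."""
    field, oper, value = cond["field"], cond["oper"], cond["value"]
    if field == "free-text":  # 'oper match' assumed; only '==' modelled
        negate, key, expected = parse_free_text(value)
        hit = str(log.get(key)) == expected
        return (not hit) if negate else hit
    actual = log.get(field)
    if field == "level":  # compare severities numerically, as the device does
        actual, value = LEVELS[actual], LEVELS[value]
    if oper == "=":
        return actual == value
    if oper == "!=":
        return actual != value
    raise ValueError(f"operator {oper!r} not modelled here")


def forward(log, filters, logic):
    """Decide whether one log row is forwarded; returns (decision, conditions_evaluated).

    logic "or"  = 'Any of the following Conditions': stop at the first match.
    logic "and" = 'All': stop at the first non-match; every condition must hold.
    """
    evaluated = 0
    for cond in filters:
        evaluated += 1
        hit = condition_matches(cond, log)
        if logic == "or" and hit:
            return True, evaluated
        if logic == "and" and not hit:
            return False, evaluated
    return logic == "and", evaluated


def render_filter(filters, logic):
    """Render the filter the way 'diagnose test application logfwd 3' prints it."""
    parts = []
    for cond in filters:
        if cond["field"] == "free-text":
            negate, key, expected = parse_free_text(cond["value"])
            parts.append(f"( {'not ' if negate else ''}{key}={expected} )")
        else:
            value = LEVELS[cond["value"]] if cond["field"] == "level" else cond["value"]
            parts.append(f"{cond['field']}{cond['oper']}{value}")
    return f" {logic} ".join(parts)


if __name__ == "__main__":
    for logic in ("or", "and"):
        print(f"\nLog-filter: {render_filter(ARTICLE_FILTERS, logic)}")
        for name, row in (("DNS query", DNS_QUERY), ("debug log", DEBUG_LOG), ("HTTPS", HTTPS_LOG)):
            decision, n = forward(row, ARTICLE_FILTERS, logic)
            print(f"  {name:<10} forwarded={decision!s:<5} (conditions evaluated: {n})")
```

Running the model shows the effect described in the article: under "or" the DNS query row is forwarded after only the first condition is evaluated, and a debug row that is not DNS traffic is forwarded because the negated free-text condition matches it; under "and" both the DNS query row and the debug row are dropped, and only the HTTPS row passes both conditions.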
  4. Finally, it is also possible to check the Receive Rate versus Forwarding Rate graph under System Settings -> Dashboard. The graph displays the log forwarding rate (logs/second) to the server.

[Image: Receive Rate vs Forwarding Rate.png]

Note: Log forwarding may also be optimized in terms of bandwidth by using compression (only when sending to another FortiAnalyzer):

config system log-forward
    edit "x"
        set fwd-compression enable
    next
end

Troubleshooting:

Enable debug on the logfwd process and restart logfwd:

diagnose debug application logfwd 8
diagnose debug enable
diagnose test application logfwd 99

Let it run for a few minutes, then disable debug:

diagnose debug disable

Note:
By default, not selecting any device under Log Forwarding Filters -> Device Filters means that logs from all devices in the ADOM are forwarded.

Note:
There is no feature for FortiAnalyzer to create reports for its own system events. Reports must be run for a device other than the FortiAnalyzer itself.
