FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
Article Id 277214
Description This article describes how FortiAnalyzer allows the forwarding of logs to an external syslog server, Common Event Format (CEF) server, or another FortiAnalyzer via Log Forwarding. This article illustrates the configuration and some troubleshooting steps for Log Forwarding on FortiAnalyzer.
Scope FortiAnalyzer.


  1. On the FortiAnalyzer GUI, configure Log Forwarding Settings under System Settings -> Log Forwarding -> Create New.


[Image: Log Forwarding GUI]


  1. The configuration can be done through the FortiAnalyzer CLI as follows:


    config system log-forward
        edit 1
            set mode forwarding
            set fwd-max-delay realtime
            set server-name "ABC"
            set server-addr ""
            set fwd-server-type syslog
                config device-filter
                    edit 1
                        set adom "root"
                        set device "FGVM02TM19005470"
                    next
                end
            set log-filter-status enable
                config log-filter
                    edit 1
                        set value "event"
                    next
                    edit 2
                        set field level
                        set oper >=
                        set value "information"
                    next
                end
            set signature 175067477637460517
        next
    end

  2. Run the following debug commands in the CLI to check the log forwarding status:


    diagnose test application logfwd 2 -> shows the thread pool status.
    diagnose test application logfwd 3 -> shows the log forwarding configurations.
    diagnose test application logfwd 4 -> shows the log forwarding status.
    diagnose test application logfwd 7 -> shows the runtime logs.



  3. Lastly, it is also possible to check the Receive Rate vs Forwarding Rate graph under System Settings -> Dashboard. The graph displays the log forwarding rate (logs/second) to the server.


    [Image: Receive Rate vs Forwarding Rate]


Note: In Log Forwarding Filters > Device Filters, not selecting any device means that, by default, logs from all devices in the ADOM are forwarded.
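A receiver-side check for the filters configured above, as an added example (not part of the original article and not Fortinet code): it parses key=value syslog bodies and lists records that arrived although the device filter and log filter should have excluded them. The sample lines are constructed, and the field names `devid`, `type` and `level`, the severity ranking, and the `logic` parameter (the article does not say whether the two log-filter entries combine as AND or OR) are assumptions.

```python
import re

# Assumption: severity ranks, lowest first. Raw logs write "notice" where the
# filter value list says "notification", so both map to the same rank.
RANK = {"debug": 0, "information": 1, "notice": 2, "notification": 2,
        "warning": 3, "error": 4, "critical": 5, "alert": 6, "emergency": 7}
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Parse key=value and key="quoted value" pairs from a syslog body."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def matches_filter(rec, device="FGVM02TM19005470", logic="and"):
    """True if rec passes the device filter and the two log-filter entries."""
    is_event = rec.get("type") == "event"  # log-filter entry 1
    # log-filter entry 2: level >= information (unknown levels never match)
    at_least_info = RANK.get(rec.get("level"), -1) >= RANK["information"]
    combine = all if logic == "and" else any
    return rec.get("devid") == device and combine([is_event, at_least_info])


def unexpected(lines, **kwargs):
    """Records that reached the receiver although the filters exclude them."""
    return [r for r in map(parse_kv, lines) if not matches_filter(r, **kwargs)]


# Constructed sample lines (not real captures); device IDs other than the
# article's FGVM02TM19005470 are placeholders.
SAMPLE = [
    '<189>date=2023-10-02 time=10:15:01 devid="FGVM02TM19005470" '
    'type="event" subtype="system" level="information" msg="Admin login successful"',
    '<187>date=2023-10-02 time=10:15:07 devid="FGVM02TM19005470" '
    'type="event" subtype="vpn" level="error" msg="IPsec phase 1 error"',
    '<189>date=2023-10-02 time=10:15:09 devid="FGVM02TM19005470" '
    'type="traffic" subtype="forward" level="notice" action="accept"',
    '<191>date=2023-10-02 time=10:15:11 devid="FGVM02TM19005470" '
    'type="event" subtype="system" level="debug" msg="constructed debug record"',
    '<188>date=2023-10-02 time=10:15:12 devid="PLACEHOLDER-DEVICE-01" '
    'type="event" subtype="system" level="warning" msg="constructed record"',
]

if __name__ == "__main__":
    for logic in ("and", "or"):
        bad = unexpected(SAMPLE, logic=logic)
        print(logic, [(r.get("devid"), r.get("type"), r.get("level")) for r in bad])
```

Running it against a capture from the syslog server with both `logic` values shows which combination the received records are consistent with.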

