Help
FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
ycho
Staff
Staff

Created on ‎10-05-2021 03:19 AM

Technical Tip: How to stop generating log-forward event logs

Description
This article describes how to stop generating the log-forward event logs that are continuously output every 10 minutes even when log forwarding settings are not set.

Solution
When 'Log-forward 'ld-_siem_@localhost' lag behind 99.94%, discarded 173825724379bytes' log outputs every 10 minutes in system event logs of the FortiAnalyzer , check the following steps:

1) Check the log forwarding settings on the FortiAnalyzer.
If disabled, go to next steps.

2) Running process of FortiSIEM agent daemon(siemagentd.wkrx).
9542 root 20 0 266.5m 114.6m 0.7 0.4 134:38.92 S siemagentd.wkr0
9731 root 20 0 395.8m 119.7m 0.7 0.4 85:10.76 S siemagentd.wkr1
9824 root 20 0 396.0m 119.3m 0.7 0.4 85:05.22 S siemagentd.wkr2
9944 root 20 0 395.8m 119.4m 0.7 0.4 84:43.93 S siemagentd.wkr4
9882 root 20 0 395.8m 118.6m 0.3 0.4 85:27.23 S siemagentd.wkr3
3) Check if FortiAnalyzer FortiSIEM status is active.
# diagnose test app siemagentd 2,3 and 4
FAZ SIEM: up [status enabled]
siemagentd:
uptime: 16 day 12:52:05, shm-ver: 36, shm-fazid-max: 0
conf-ver: 1630607216 (refresh in 7 sec)
total: #msg=16861, #msgpack=11550, #logs(in)=1274557, #logs(out)=1258844, #logs(skipped)=0
last-5-sec: msg/s=0.0, msgpack/s=0.0, logs/s(in)=0.0, logs/s(out)=0.0
wkr-status: init=5, fini=31, orphan=0, kill=0, signal=31, crash=0, stuck=0
Workers (total: 5):
If so, disable the siem module.
# config system global
    get 
    disable-module siem
Check if FortiSIEM is included in 'disable-module' settings.
If not, FortiSIEM is added to prevent the event from being continuously output.

Labels:
846
0 Kudos
Contributors

Contact Us