FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
Article Id 191892

This article explains why under some circumstances, FortiGate can show successful (or failed) logins from when logging to a FortiAnalyzer.

When FortiGates are configured to log to FortiAnalyzer, under some circumstances there can be logs regarding admin logins (or failed attempts) from

FortiAnalyzer not only shows information based on FortiGate logs, but can retrieve additional information from the FortiGate directly.
This is done by FortiAnalyzer triggering a login from the miglogd daemon running on FortiGate and then querying the FortiGate API.

Due to FortiAnalyzer communicating with the miglogd daemon in FortiGate and triggering the login from there, FortiGate can report an admin login from (as the login comes from a local daemon).
If FortiAnalyzer does not have correct credentials for FortiGate, then the login can fail and a log message regarding a failed login from will be generated.

Login credentials to be used by FortiAnalyzer can be set from the GUI under Device Manager: select 'FortiGate' and then 'Edit'.


Another possible cause for this symptom is that the FortiGate (FGT) never acknowledged the FortiAnalyzer (FAZ) connection.

To check this, look at the FortiGate configuration: in this case it shows the FortiAnalyzer IP but not the serial number.

If so, adding the "set serial" command to the configuration would also address the issue.

Scripting via FortiManager is a better approach when you have to deal with a large number of FortiGates.


config log fortianalyzer setting
    set status enable
    set server ""      # IP of the FAZ
    set serial "FAZ-VMxxxxxx"    # actual serial number of the FAZ
end
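One way to run the "IP present but serial missing" check over saved FortiGate configuration backups, as an added example that is not Fortinet's code. The function names, result labels and sample configs are constructed for illustration, and it assumes the backups are plain-text CLI configuration.

```python
import shlex
import sys

HEADER = "config log fortianalyzer setting"

# Constructed samples, not taken from a real device (192.0.2.10 is a documentation address).
SAMPLE_MISSING_SERIAL = """config log fortianalyzer setting
    set status enable
    set server "192.0.2.10"
end
"""
SAMPLE_OK = SAMPLE_MISSING_SERIAL.replace("end", '    set serial "FAZ-VMxxxxxx"\nend')

def faz_settings(config_text):
    """Return the 'set' values of the FortiAnalyzer log block, or None if it is absent."""
    settings, inside = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not inside:
            inside = (line == HEADER)
            continue
        if line == "end":
            break
        # shlex removes the quotes and any trailing '# ...' comment
        tokens = shlex.split(line, comments=True)
        if len(tokens) >= 3 and tokens[0] == "set":
            settings[tokens[1]] = " ".join(tokens[2:])
    return settings if inside else None

def check_faz(config_text):
    """Classify one config: is a FortiAnalyzer server set without its serial number?"""
    s = faz_settings(config_text)
    if s is None or s.get("status") != "enable":
        return "faz-logging-not-enabled"
    if not s.get("server"):
        return "no-server"
    if not s.get("serial"):
        return "server-without-serial"
    return "ok"

if __name__ == "__main__":
    # Usage: python check_faz.py backup1.conf backup2.conf ...
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(f"{path}: {check_faz(fh.read())}")
    if len(sys.argv) == 1:
        print("sample without serial:", check_faz(SAMPLE_MISSING_SERIAL))
        print("sample with serial:", check_faz(SAMPLE_OK))
```

Devices reported as `server-without-serial` are the ones where adding the "set serial" command applies.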