Debbie_FTNT
Staff
Article Id 191892

Description
This article explains why, under some circumstances, FortiGate can show successful (or failed) logins from 127.0.0.1 when logging to a FortiAnalyzer.

Solution
When FortiGates are configured to log to FortiAnalyzer, under some circumstances there can be logs regarding admin logins (or failed attempts) from 127.0.0.1.

FortiAnalyzer not only shows information based on FortiGate logs, but can retrieve additional information from the FortiGate directly.
This is done by FortiAnalyzer triggering a login from the miglogd daemon running on FortiGate and then querying the FortiGate API.


Due to FortiAnalyzer communicating with the miglogd daemon in FortiGate and triggering the login from there, FortiGate can report an admin login from 127.0.0.1 (as the login comes from a local daemon).
If FortiAnalyzer does not have correct credentials for FortiGate, then the login can fail and a log message regarding a failed login from 127.0.0.1 will be generated.

Note:
The login credentials used by FortiAnalyzer can be set from the GUI under Device Manager: select 'FortiGate' and then 'Edit'.
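A log-triage sketch for the behaviour described above, added here as an example (it is not Fortinet code): it pulls admin login events whose source is 127.0.0.1 out of FortiGate-style key=value event logs and counts them per user and status, so failures can be matched against the credentials FortiAnalyzer holds. The sample lines are constructed, and the field names (action, status, srcip, ui, user) and status values are assumptions to check against your own log export.

```python
import re
from collections import Counter

# Constructed sample events in FortiGate-style key=value form (not real logs).
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:01 logdesc="Admin login failed" user="fazadmin" ui="https(127.0.0.1)" srcip=127.0.0.1 action="login" status="failed"
date=2024-05-01 time=10:05:01 logdesc="Admin login failed" user="fazadmin" ui="https(127.0.0.1)" action="login" status="failed"
date=2024-05-01 time=10:06:12 logdesc="Admin login successful" user="admin" ui="https(127.0.0.1)" srcip=127.0.0.1 action="login" status="success"
date=2024-05-01 time=10:07:30 logdesc="Admin login successful" user="admin" ui="ssh(192.0.2.10)" srcip=192.0.2.10 action="login" status="success"
"""

# key=value pairs; values are either double-quoted or a bare token.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
LOOPBACK = "127.0.0.1"

def parse_line(line):
    """Turn one key=value log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}

def source_ip(event):
    """Prefer srcip; fall back to the address inside ui="https(addr)" (assumed layout)."""
    if "srcip" in event:
        return event["srcip"]
    m = re.search(r"\(([^)]+)\)", event.get("ui", ""))
    return m.group(1) if m else None

def loopback_admin_logins(text):
    """Count login events sourced from 127.0.0.1, keyed by (user, status)."""
    counts = Counter()
    for line in text.splitlines():
        event = parse_line(line)
        if event.get("action") == "login" and source_ip(event) == LOOPBACK:
            counts[(event.get("user", "?"), event.get("status", "?"))] += 1
    return counts

def triage(text):
    """Attach a follow-up note to each (user, status) group."""
    notes = {
        "success": "login via a local daemon; compare with the account FortiAnalyzer uses",
        "failed": "check the credentials FortiAnalyzer holds (Device Manager > Edit)",
    }
    return [(user, status, n, notes.get(status, "unrecognised status; review manually"))
            for (user, status), n in sorted(loopback_admin_logins(text).items())]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOGS):
        print(*row, sep=" | ")
```

Grouping by user matters here: loopback logins under an account other than the one configured for FortiAnalyzer are not covered by this article's explanation and should be reviewed separately.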


Comments
JianWu
Staff

Another possible cause for this symptom is that the FGT never Acked on FAZ connection.

To check this, in the config, you would see the FortiAnalyzer IP but not the serial number.

If so, putting the command "set serial" in would also address the issue. 

Scripting via FortiManager is a better approach when you have to deal with a large number of FortiGates.

config log fortianalyzer setting
    set status enable
    set server "10.200.13.10"    # IP of the FAZ
    set serial "FAZ-VMxxxxxx"    # actual s/n of the FAZ
end
