FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
pragyasharma
Staff
Article Id 197350

Description


This article describes how to investigate log visibility after integration of EMS and FortiClient in the FortiAnalyzer.

Solution

 

  1. Verify that the EMS server and FortiClient versions are compatible with the FortiAnalyzer version. The compatibility information is in the FortiClient release notes, the EMS release notes and the FortiAnalyzer release notes.

  2. While adding EMS to FortiAnalyzer, make sure that the EMS firmware version selected on FortiAnalyzer is correct and that the ADOM version matches it.

  3. To receive logs from FortiClient, there must be connectivity not only from EMS but also from the endpoints to FortiAnalyzer. Run a ping from a command prompt on the endpoint, and run the sniffer command below on FortiAnalyzer, to test reachability:

    diag sniffer packet any "host <FCLT IP>" 3 0 a

  4. If logs are visible on FortiAnalyzer in Log View but the information is not available in the report, first check that the logs do not show 0 bytes in the sent/received columns. This can be checked in Log View, or in FortiView for better visibility.

  5. To check the raw logs from FortiClient, change the log setting to debug in the profile on EMS by enabling Advanced mode in the profile.

     Once FortiClient receives the update, generate some traffic and run the diagnostic tool to collect the debug logs.

     From the FortiClient diagnostic cab file, the logs can be checked after unzipping the folder at the following path:

     \Diagnostic_Result.cab\FCDiagData\general\Log.txt

     Example of a raw log from FortiClient:

     12/14/2020 12:10:26 PM Information Other date=2020-12-14 time=12:10:26 logver=2 id=96900 type=traffic subtype=system eventtype=traffic level=info uid=22813327505946CD9701333E94692F37 devid=FCT8001520596323 hostname=Abc-IT01 pcdomain=abc.com deviceip=192.168.18.14 devicemac=d8-f2-ca-0d-5b-tt vd=default fctver=6.4.1.1519 fgtserial=N/A emsserial=FCTEMSTA20001 usingpolicy=Default os="Microsoft Windows 10 Professional Edition, 64-bit (build 17134)" user=xyz@abc msg="Traffic log" sessionid=295896597 srcname=svchost.exe srcproduct="Microsoft® Windows® Operating System" srcip=192.168.18.14 srcport=53785 direction=outbound dstip=8.8.8.8 dstport=53 proto=17 rcvdbyte=0 sentbyte=0 utmaction=passthrough utmevent=appfirewall threat=DNS service=domain userinitiated=0 browsetime=0

     If the raw logs from FortiClient show rcvdbyte=0 sentbyte=0, the issue needs to be addressed on the FortiClient side; open a ticket with support using the EMS serial number.
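The check in steps 4 and 5 (records that reach Log View but carry rcvdbyte=0 sentbyte=0 and therefore never contribute to the traffic reports) is easy to automate over the Log.txt from the diagnostic cab. The script below is an added example, not code from the article or from Fortinet: it parses the key=value format of the raw FortiClient line shown above (including quoted values that contain spaces), flags zero-byte traffic records, and collects the device ids and EMS serial numbers a support ticket would need. The sample lines are constructed to match the article's format; the device ids, serials and addresses in them are placeholders.

```python
import re

# One key=value token. The value is either a double-quoted string (which may
# contain spaces, as in os="Microsoft Windows 10 ...") or a run of
# non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fct_log(line: str) -> dict:
    """Parse one raw FortiClient log line into a dict of its key=value fields.

    The Windows event prefix ("12/14/2020 12:10:26 PM Information Other")
    contains no '=' and is skipped by the regex; surrounding quotes are
    stripped from quoted values.
    """
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def _as_int(value, default: int = 0) -> int:
    """Byte counters are strings in the log; treat missing or junk as default."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def is_zero_byte_traffic(fields: dict) -> bool:
    """True for a traffic record that reports 0 bytes in both directions.

    Such records are visible in FortiAnalyzer Log View but add nothing to the
    traffic reports, which is the symptom the article describes.
    """
    if fields.get("type") != "traffic":
        return False
    return _as_int(fields.get("sentbyte")) == 0 and _as_int(fields.get("rcvdbyte")) == 0


def triage(lines) -> dict:
    """Classify raw lines and collect what a support ticket would need.

    Returns how many traffic records were seen, how many were zero-byte, the
    EMS serial numbers and device ids on the zero-byte records, and a short
    description of each zero-byte flow.
    """
    summary = {"traffic": 0, "zero_byte": 0, "emsserial": set(), "devid": set(), "flows": []}
    for line in lines:
        f = parse_fct_log(line)
        if f.get("type") != "traffic":
            continue  # event/vulnerability records are not part of this check
        summary["traffic"] += 1
        if is_zero_byte_traffic(f):
            summary["zero_byte"] += 1
            summary["emsserial"].add(f.get("emsserial", "N/A"))
            summary["devid"].add(f.get("devid", "N/A"))
            summary["flows"].append(
                f'{f.get("hostname")} {f.get("srcname")} -> {f.get("dstip")}:{f.get("dstport")}'
            )
    return summary


# Constructed sample lines in the article's raw-log format (placeholder ids).
SAMPLE_LOGS = [
    # A DNS lookup reporting zero bytes in both directions: the problem case.
    '12/14/2020 12:10:26 PM Information Other date=2020-12-14 time=12:10:26 logver=2 id=96900 '
    'type=traffic subtype=system eventtype=traffic level=info devid=FCTEXAMPLE0000001 '
    'hostname=Host-01 deviceip=10.0.0.14 emsserial=FCTEMSEXAMPLE0001 '
    'os="Microsoft Windows 10 Professional Edition, 64-bit (build 17134)" user=user@example '
    'msg="Traffic log" srcname=svchost.exe srcproduct="Microsoft® Windows® Operating System" '
    'srcip=10.0.0.14 srcport=53785 direction=outbound dstip=8.8.8.8 dstport=53 proto=17 '
    'rcvdbyte=0 sentbyte=0 utmaction=passthrough threat=DNS service=domain',
    # A healthy record: bytes are counted, so it will appear in the reports.
    '12/14/2020 12:11:02 PM Information Other date=2020-12-14 time=12:11:02 logver=2 id=96900 '
    'type=traffic subtype=system eventtype=traffic level=info devid=FCTEXAMPLE0000001 '
    'hostname=Host-01 deviceip=10.0.0.14 emsserial=FCTEMSEXAMPLE0001 msg="Traffic log" '
    'srcname=chrome.exe srcip=10.0.0.14 srcport=50123 direction=outbound dstip=203.0.113.10 '
    'dstport=443 proto=6 rcvdbyte=52310 sentbyte=2048 utmaction=passthrough service=https',
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOGS)
    print(f'{result["zero_byte"]} of {result["traffic"]} traffic records are zero-byte')
    for flow in result["flows"]:
        print("  ", flow)
    print("EMS serial(s) for the ticket:", ", ".join(sorted(result["emsserial"])))
```

To run it against a real export, replace `SAMPLE_LOGS` with the lines of `Log.txt` (e.g. `triage(open(path, encoding="utf-8", errors="replace"))`); if most traffic records come back zero-byte, the counters are not being populated on the endpoint and the data will never appear in FortiAnalyzer reports regardless of the FortiAnalyzer configuration.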
     
Related documents: