FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
msuhaimi
Staff
Article Id 208524
Description This article describes how to troubleshoot a FortiAnalyzer VM that is not receiving logs.
Scope FortiAnalyzer.
Solution
  1. Check firmware compatibility between FortiGate and FortiAnalyzer: FortiAnalyzer Support for FortiOS.
  2. Check the FortiAnalyzer log setting on FortiGate.

 

From FortiGate CLI:


config log fortianalyzer setting
    get
end

 

  3. Restart the miglogd daemon using fnsysctl killall miglogd.
  4. From vand above 'fgtlogd' daemon is also responsible for logging to FortiAnalyzer and FortiGate Cloud. If the issue persists, try restarting the fgtlogd daemon using fnsysctl killall fgtlogd.
  5. Test log sending from FortiGate to FortiAnalyzer.

From FortiGate CLI:

execute log fortianalyzer test-connectivity

  6. Get the TAC report from FortiAnalyzer.


execute tac report

 

Analyze all information/logs obtained.

 

If FortiGate is sending logs to FortiAnalyzer successfully, check the FortiAnalyzer TAC report for any abnormal logs.

 

If the following output is found in the FortiAnalyzer TAC report, it shows that the FortiAnalyzer is constantly running out of memory.

 

<3>[97484.603631] Out of memory: Kill process 21679 (sqllogd) score 93 or sacrifice child
<3>[10818.372025] Out of memory: Kill process 3214 (sqllogd) score 98 or sacrifice child
<3>[10903.445266] Out of memory: Kill process 18473 (sqllogd) score 101 or sacrifice child
<3>[192634.804437] Out of memory: Kill process 31040 (java) score 89 or sacrifice child
<3>[192636.709845] Out of memory: Kill process 31040 (java) score 89 or sacrifice child

 

Suggest to the user to increase the memory allocation for FortiAnalyzer.
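
The following is an added example, not part of the original article or of any Fortinet tooling: a small Python script that summarizes the out-of-memory lines from a saved TAC report per killed process. The function name summarize_oom and the boot-counting heuristic are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Kernel OOM-killer line format, as seen in the TAC report excerpt above:
# <level>[seconds_since_boot] Out of memory: Kill process PID (name) score N ...
OOM_RE = re.compile(
    r"<\d+>\[\s*(?P<ts>\d+\.\d+)\]\s+Out of memory: Kill process "
    r"(?P<pid>\d+) \((?P<name>[^)]+)\) score (?P<score>\d+)"
)

# The five OOM lines are copied from the article; the last line is constructed
# to show that unrelated kernel messages are ignored.
SAMPLE = """\
<3>[97484.603631] Out of memory: Kill process 21679 (sqllogd) score 93 or sacrifice child
<3>[10818.372025] Out of memory: Kill process 3214 (sqllogd) score 98 or sacrifice child
<3>[10903.445266] Out of memory: Kill process 18473 (sqllogd) score 101 or sacrifice child
<3>[192634.804437] Out of memory: Kill process 31040 (java) score 89 or sacrifice child
<3>[192636.709845] Out of memory: Kill process 31040 (java) score 89 or sacrifice child
<6>[192700.000000] constructed unrelated kernel message
"""

def summarize_oom(report_text):
    """Return (per-process stats, minimum number of boots the lines span)."""
    procs = defaultdict(lambda: {"kills": 0, "pids": set(), "max_score": 0})
    boots, last_ts = 0, None
    for line in report_text.splitlines():
        m = OOM_RE.search(line)
        if not m:
            continue  # not an OOM-killer line
        ts = float(m["ts"])
        # Kernel timestamps are seconds since boot: a value that goes backwards
        # means the lines cannot come from one uptime (assumed: a reboot).
        if last_ts is None or ts < last_ts:
            boots += 1
        last_ts = ts
        entry = procs[m["name"]]
        entry["kills"] += 1
        entry["pids"].add(int(m["pid"]))
        entry["max_score"] = max(entry["max_score"], int(m["score"]))
    return dict(procs), boots

if __name__ == "__main__":
    stats, boots = summarize_oom(SAMPLE)
    for name, s in sorted(stats.items(), key=lambda kv: -kv[1]["kills"]):
        print(f"{name}: {s['kills']} kills, {len(s['pids'])} PIDs, max score {s['max_score']}")
    print(f"lines span at least {boots} boot(s)")
```

Repeated kills of the log-handling processes across more than one boot support the conclusion that the VM is undersized rather than hit by a one-off spike.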

 

After FortiGate was upgraded, the FortiAnalyzer had an issue receiving logs from FortiGate when FortiGate Cloud was enabled. When running 'exe log fortianalyzer test-connectivity', the 'Log: Tx & Rx' line shows that the FortiAnalyzer is only receiving 2 logs from FortiGate:

 

Ertiga-kvm30 # exe log fortianalyzer test-connectivity
FortiAnalyzer Host Name: Tiara-kvm09
FortiAnalyzer Adom Name: root
FortiGate Device ID: FGVM02TMXXXXXXXXX
Registration: registered
Connection: allow
Adom Disk Space (Used/Allocated): 26318669B/53687091200B
Analytics Usage (Used/Allocated): 16933992B/37580963840B
Analytics Usage (Data Policy Days Actual/Configured): 1/60 Days
Archive Usage (Used/Allocated): 9384677B/16106127360B
Archive Usage (Data Policy Days Actual/Configured): 0/365 Days
Log: Tx & Rx (2 logs received since 09:46:24 02/26/25)
IPS Packet Log: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx

 

Run 'diag test application fgtlogd 41' to check whether any logs are queued to be sent to FortiAnalyzer.

 

Ertiga-kvm30 # diag test application fgtlogd 41

cache maximum: 20892672(19MB) objects: 14 used: 12782(0MB) allocated: 13888(0MB)VDOM:root
Memory queue for: global-faz ( FortiAnalyzer )
queue:
num:0 size:0(0MB) total size:12782(0MB) max:20892672(19MB) logs:0

Confirm queue for: global-faz
queue:
num:0 size:0(0MB) total size:12782(0MB) max:20892672(19MB) logs:300
Memory queue for: fds ( FortiGate Cloud )
queue:
num:0 size:0(0MB) total size:12782(0MB) max:20892672(19MB) logs:0
Confirm queue for: fds
queue:
num:14 size:12782(0MB) total size:12782(0MB) max:20892672(19MB) logs:0

 

As logs have been queued for sending to FortiAnalyzer, restart the fgtlogd daemon so that it is able to send the logs to FortiAnalyzer.

 

fnsysctl killall fgtlogd

Repeat the command until it returns 'killall: fgtlogd: no process killed'.

 

Then run 'exe log fortianalyzer test-connectivity' again to check whether the Tx and Rx log count has increased.

 

If no logs have been queued, restart the miglogd process on FortiGate.

 

fnsysctl killall miglogd

Repeat the command until it returns 'killall: miglogd: no process killed'.

 

Related articles:

Troubleshooting Tip: FortiGate to FortiAnalyzer connectivity

FortiGate Logging debugs - Fortinet Community