- Check firmware FortiOS Compatibility Tool between FortiGate and FortiAnalyzer: FortiAnalyzer Support for FortiOS.
- Check the FortiAnalyzer log setting on FortiGate.
From FortiGate CLI:
config log fortianalyzer setting
get
end
- Restart the miglogd daemon using fnsysctl killall miglogd.
- From FortiOS v7.2.4 and above 'fgtlogd' daemon is also responsible for logging to FortiAnalyzer and FortiGate Cloud. If the issue persists, try to restart the fgtlogd demon using fnsysctl killall fgtlogd.
- Test for log sending from FortiGate to FortiAnalyzer.
From FortiGate CLI:
execute log fortianalyzer test-connectivity
-
Get the TAC report from FortiAnalyzer.
execute tac report
Analyze all information/logs obtained.
If FortiGate is sending a log to FortiAnalyzer successfully, check for any abnormal logs on the FortiAnalyzer TAC report.
If this output on the FortiAnalyzer TAC report is found/observed, this shows that the FortiAnalyzer is constantly out of memory.
<3>[97484.603631] Out of memory: Kill process 21679 (sqllogd) score 93 or sacrifice child
<3>[10818.372025] Out of memory: Kill process 3214 (sqllogd) score 98 or sacrifice child
<3>[10903.445266] Out of memory: Kill process 18473 (sqllogd) score 101 or sacrifice child
<3>[192634.804437] Out of memory: Kill process 31040 (java) score 89 or sacrifice child
<3>[192636.709845] Out of memory: Kill process 31040 (java) score 89 or sacrifice child
Suggest to the user to increase the memory allocation for FortiAnalyzer.
After FortiGate was upgraded, the FortiAnalyzer had an issue receiving a log from FortiGate when FortiGate Cloud was enabled. When running the 'exe log fortianalyzer test-connectivity', it is possible to see from Log: Tx & Rx that the FortiAnalyzer is only receiving 2 logs from FortiGate:
Ertiga-kvm30 # execute log fortianalyzer test-connectivity
FortiAnalyzer Host Name: Tiara-kvm09
FortiAnalyzer Adom Name: root
FortiGate Device ID: FGVM02TMXXXXXXXXX
Registration: registered
Connection: allow
Adom Disk Space (Used/Allocated): 26318669B/53687091200B
Analytics Usage (Used/Allocated): 16933992B/37580963840B
Analytics Usage (Data Policy Days Actual/Configured): 1/60 Days
Archive Usage (Used/Allocated): 9384677B/16106127360B
Archive Usage (Data Policy Days Actual/Configured): 0/365 Days
Log: Tx & Rx (2 logs received since 09:46:24 02/26/25)
IPS Packet Log: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
Check the 'diagnose test application fgtlogd 41', if there is any queue log to be sent to FortiAnalyzer.
Ertiga-kvm30 # diagnose test application fgtlogd 41
cache maximum: 20892672(19MB) objects: 14 used: 12782(0MB) allocated: 13888(0MB)VDOM:root
Memory queue for: global-faz ( FortiAnalyzer )
queue:
num:0 size:0(0MB) total size:12782(0MB) max:20892672(19MB) logs:0
Confirm queue for: global-faz
queue:
num:0 size:0(0MB) total size:12782(0MB) max:20892672(19MB) logs:300
Memory queue for: fds ( FortiGate Cloud )
queue:
num:0 size:0(0MB) total size:12782(0MB) max:20892672(19MB) logs:0
Confirm queue for: fds
queue:
num:14 size:12782(0MB) total size:12782(0MB) max:20892672(19MB) logs:0
As the log has been queued to send to FortiAnalyzer, restart the fgtlogd daemon process for the daemon process to be able to send the log to FortiAnalyzer
fnsysctl killall fgtlogd --> Until it mentioned 'killall: fgtlogd: no process killed'.
Then run again 'exe log fortianalyzer test-connectivity' if the Tx and Rx have been increased.
If there is no log has been queued, restart the miglogd process on FortiGate.
fnsysctl killall miglogd --> Until it mentioned 'killall: miglogd: no process killed'.
Related articles:
Troubleshooting Tip: FortiGate to FortiAnalyzer connectivity
Troubleshooting Tip: FortiGate Logging debugs
|
