FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jalejoFTNT
Staff
Article Id 338133
Description This article explains what happens behind the scenes when FortiAnalyzer logs are filtered from the FortiGate GUI, and why the log viewer may offer partial results.
Scope FortiGate, FortiAnalyzer.
Solution

When FortiGate sends logs to FortiAnalyzer, those logs can be viewed and filtered from the Log & Report section of the FortiGate GUI.

When a filter is applied, FortiGate must wait for FortiAnalyzer to return the entries matching the filter criteria. During this process, the GUI log viewer does not display any result until it has collected 500 log entries or FortiAnalyzer has finished searching through all logs. The viewer collects these entries by repeatedly polling the log API.


When there is a large volume of logs, 500 matching entries may not be available immediately, especially when a filter is applied. Without a filter, the required amount is collected quickly. While the viewer is polling the log API and waiting to reach the expected amount, some data may already have been returned, but the GUI does not show it yet. This is where partial results come in.


After about 10 seconds, if the GUI has not received the required amount from FortiAnalyzer but has received some entries, it asks the user whether to dismiss the search and show only the data collected so far.

There is also the case where, after about 10 seconds, no data has been received at all. In this scenario, instead of the prompt to show partial data (since there is no partial data), a notification is shown stating that the log source is slow and that something else may be wrong.
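The three outcomes described above (full results, the partial-results prompt, and the slow-source notification) can be modelled as a small polling loop. The following is an added illustration, not Fortinet code: `poll_logs` is a hypothetical model of the GUI viewer's decision logic, and `SimulatedAnalyzer` is a constructed stand-in for FortiAnalyzer whose latency and per-poll matches are chosen to trigger each outcome deterministically.

```python
import time
from dataclasses import dataclass
from enum import Enum

REQUIRED_ENTRIES = 500       # the log viewer waits for this many matches (from the article)
PARTIAL_PROMPT_AFTER = 10.0  # seconds before it offers partial results (approximate, from the article)

class Outcome(Enum):
    COMPLETE = "show results"                 # 500 entries reached, or every log searched
    PARTIAL_PROMPT = "offer partial results"  # deadline hit with some entries collected
    SLOW_SOURCE_NOTICE = "log source slow"    # deadline hit with nothing collected

@dataclass
class PollResult:
    outcome: Outcome
    entries: list
    elapsed: float

def poll_logs(fetch_batch, clock=time.monotonic,
              required=REQUIRED_ENTRIES, deadline=PARTIAL_PROMPT_AFTER):
    """Hypothetical model of the GUI loop: poll until `required` matches, until the
    source reports exhaustion (fetch_batch() returns None), or until the deadline passes."""
    start, collected = clock(), []
    while True:
        batch = fetch_batch()
        if batch is None:  # all logs searched: show whatever matched
            return PollResult(Outcome.COMPLETE, collected, clock() - start)
        collected.extend(batch)
        if len(collected) >= required:
            return PollResult(Outcome.COMPLETE, collected[:required], clock() - start)
        elapsed = clock() - start
        if elapsed >= deadline:
            outcome = Outcome.PARTIAL_PROMPT if collected else Outcome.SLOW_SOURCE_NOTICE
            return PollResult(outcome, collected, elapsed)

class SimulatedAnalyzer:
    """Constructed, hypothetical stand-in for FortiAnalyzer: `pages` lists the matching
    entries each poll returns ([] = searched, nothing matched) and each poll costs
    `latency` simulated seconds, so the model runs deterministically offline."""
    def __init__(self, pages, latency):
        self.pages, self.latency, self.now = list(pages), latency, 0.0
    def clock(self):
        return self.now
    def fetch_batch(self):
        self.now += self.latency
        return self.pages.pop(0) if self.pages else None

def run(pages, latency):  # run the viewer model against a simulated source
    faz = SimulatedAnalyzer(pages, latency)
    return poll_logs(faz.fetch_batch, clock=faz.clock)
```

With a broad filter that returns 100 matches per poll the loop finishes after five polls; with a narrow filter returning two matches per second it reaches the 10 second mark with only 20 entries and offers them as partial results.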


To capture this process for troubleshooting, use the FortiGate Support Tool Chrome plugin.


Related article:
Troubleshooting Tip: Collect GUI slowness and errors debugs via FortiGate Support Tool