FortiGate
ssanga
Staff & Editor
Article Id 373994
Description: This article provides a workaround and a solution for an issue where a FortiGate device fails to send logs to the FortiGate Cloud Log Server.
Scope: FortiGate v7.2.7, v7.2.8, v7.4.5.
Solution

FortiGate fails to send logs to the FortiGate Cloud Log Server, and the following errors appear in the fgtlogd debug output:

diagnose debug application fgtlogd -1
diagnose debug enable
2024-06-14 11:02:27 <15003> _enqueue_lz4()-684: Failed to allocate memory for log queue.
2024-06-14 11:02:27 <15003> _enqueue_lz4()-684: Failed to allocate memory for log queue.
2024-06-14 11:02:27 <15003> _enqueue_lz4()-684: Failed to allocate memory for log queue.
2024-06-14 11:02:27 <15003> _enqueue_lz4()-684: Failed to allocate memory for log queue.
2024-06-14 11:02:27 <15003> _enqueue_lz4()-684: Failed to allocate memory for log queue.

Additionally, the FDS counters do not increase even after running the 'diagnose log test' command multiple times.

Before running the 'diagnose log test':


diagnose test application fgtlogd 4
Queues in all miglogds: cur:8651 total-so-far:12223382
global log dev statistics:
faz=0, faz_cloud=0, fds_log=433622518
fds: sent=254424574, failed=0, cached=0, dropped=7186529
Num of REST URLs: 0

After running the 'diagnose log test':


diagnose test application fgtlogd 4
Queues in all miglogds: cur:8651 total-so-far:12223382
global log dev statistics:
faz=0, faz_cloud=0, fds_log=433693241
fds: sent=254424574, failed=0, cached=0, dropped=7186529
Num of REST URLs: 0

Logs are queued in the Confirm Queue for FortiCloud but are not being sent:

 

diagnose test application fgtlogd 30
2024-11-27 14:26:26 VDOM:root
2024-11-27 14:26:26 Memory queue for: fds
2024-11-27 14:26:26 queue:
num:0 size:0(0MB) total size:52428780(49MB) max:52428800(50MB)
2024-11-27 14:26:26 'total log count':0, 'total data len':0

2024-11-27 14:26:26 Confirm queue for: fds
2024-11-27 14:26:26 queue:
num:11894 size:52428780(49MB) total size:52428780(49MB) max:52428800(50MB) <-----
2024-11-27 14:26:26 type:3, 2024-11-27 14:26:26 cat=0, log_count=41, seq_no=7773051, 2024-11-27 14:26:26 data len=7659 size:7743
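
The check these outputs support, as an added example (not Fortinet's code and not part of the original article): it parses two 'fgtlogd 4' snapshots and the 'fgtlogd 30' confirm queue, and flags the stall when fds_log rises, the fds sent counter stays flat and the confirm queue is at its maximum. That reading of the counters, the function names and the 0.99 threshold are assumptions; the sample text is constructed from the outputs above.

```python
import re

# Constructed samples, trimmed from the outputs shown in this article.
BEFORE = """\
global log dev statistics:
faz=0, faz_cloud=0, fds_log=433622518
fds: sent=254424574, failed=0, cached=0, dropped=7186529
"""
AFTER = """\
global log dev statistics:
faz=0, faz_cloud=0, fds_log=433693241
fds: sent=254424574, failed=0, cached=0, dropped=7186529
"""
QUEUES = """\
2024-11-27 14:26:26 Memory queue for: fds
2024-11-27 14:26:26 queue:
num:0 size:0(0MB) total size:52428780(49MB) max:52428800(50MB)
2024-11-27 14:26:26 Confirm queue for: fds
2024-11-27 14:26:26 queue:
num:11894 size:52428780(49MB) total size:52428780(49MB) max:52428800(50MB) <-----
"""

def parse_counters(text):
    """Collect every name=value integer counter from 'fgtlogd 4' output."""
    # Assumes one 'fds:' line, as in the article; duplicate names would collide.
    return {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", text)}

def confirm_queue_fill(text, dev="fds"):
    """Return size/max of the confirm queue for dev from 'fgtlogd 30' output."""
    m = re.search(
        rf"Confirm queue for: {re.escape(dev)}\b.*?num:(\d+) size:(\d+)\(.*?max:(\d+)\(",
        text, re.S)
    if m is None:
        return None  # no confirm queue section for this device
    return int(m.group(2)) / int(m.group(3))

def stalled_upload(before, after, queues, threshold=0.99):
    """True when logs are generated, none are sent, and the confirm queue is full."""
    b, a = parse_counters(before), parse_counters(after)
    generated = a["fds_log"] > b["fds_log"]   # new logs were produced
    sent_flat = a["sent"] == b["sent"]        # but nothing left the device
    fill = confirm_queue_fill(queues)
    return generated and sent_flat and fill is not None and fill >= threshold
```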


This issue has been resolved in FortiOS versions 7.2.11, 7.4.7, 7.4.8, 7.6.1.

Refer to the following KB article for instructions on downloading the firmware from the Fortinet Support portal: Technical Tip: How to manually download Firmware of FortiGate and how to upload it on FortiGate

 

Workaround:
Restarting the fgtlogd process may resolve the issue temporarily:


fnsysctl killall fgtlogd

General debug information required by FortiGate TAC for investigation:

 

  1. Debugs:


diagnose debug application fgtlogd -1
diagnose debug console timestamp enable
diagnose debug enable
<wait for 2-3 minutes>
diagnose test application fgtlogd 3
diagnose test application fgtlogd 4
diagnose test application fgtlogd 30
diagnose test application fgtlogd 41
diagnose test application fgtlogd 20

  2. Restart fgtlogd and Collect Further Debugs:


fnsysctl killall fgtlogd

Run the following commands until the output shows '_enqueue_lz4()-684: Failed to allocate memory for log queue.', and capture the additional output:

diagnose sniffer migsock filter name=fds
diagnose sniffer migsock start
<collect the output for at least 10 minutes>
diagnose debug reset

  3. TAC Report:


execute tac report

  4. Configuration file of the FortiGate.

 

Important note: If all of the settings above have been checked and FortiGate Cloud is still not receiving logs, make sure that the FortiGate is running the latest firmware when it uses a free subscription to FortiGate Cloud.

 

Starting from February 28, 2025, a FortiGate without an active FortiGate Cloud subscription is required to upgrade to the latest firmware patch within 7 days of a new GA patch release, or FortiGate Cloud services will be paused for that device.

 

This affects the cloud retention service: with a free FortiGate Cloud account, logs will not be forwarded to FortiCloud until the device is updated to the latest firmware patch. More information can be found in Technical Tip: Security enforcement change for FortiGates provisioned to FortiGate Cloud without act....

 

Related article:

FortiGate Cloud subscription types - FortiGate Cloud documentation