FortiGate
Matt_B
Staff & Editor
Article Id 374415
Description

This article describes a known issue where FortiGate does not send new logs to FortiGate Cloud/FortiAnalyzer if the remote logging service has not confirmed receipt of several previous logs.

Scope

FortiGate v7.2.10, v7.4.6, v7.6.0 and earlier.

Solution

In versions affected by known issue 1045253, FortiGate will not send logs if FortiGate Cloud/FortiAnalyzer stops confirming log receipt.

 

In v7.2.11, v7.4.7, v7.6.1, and later, this behavior is optimized so that FortiGate still sends logs to FortiGate Cloud/FortiAnalyzer even when the queue of unacknowledged log confirmations is full.

 

Diagnosing the issue:

 

  1. FortiGate Cloud shows no recent logs from the FortiGate in question, but the FortiGate diagnostic command 'diagnose test application fgtlogd 20' shows the logging connection is up:


MOCKUP_FGT # diagnose test application fgtlogd 20
Home log server:
Address: 173.243.132.195:514
Alternative log server:
Address: 173.243.132.100:514
FazCloud log server:
Address:
oftp status: connected
Debug zone info:
Server IP: 173.243.132.195
Server port: 514
Server status: up
Server log status: enabled
Log quota: 500000000MB
Log used: 1193772MB
Daily volume: 1000000MB
FDS arch pause: 0
fams archive pause: 0

  2. FortiOS diagnostic command 'diagnose test application fgtlogd 30' shows no logs in the memory queue, and the confirm queue size is close to the maximum:


MOCKUP_FGT # diagnose test application fgtlogd 30
VDOM:root
Memory queue for: fds
queue:
num:0 size:0(0MB) total size:20110925(19MB) max:20111073(19MB)
'total log count':0, 'total data len':0
Confirm queue for: fds
queue:
num:7900 size:20110925(19MB) total size:20110925(19MB) max:20111073(19MB)
type:3, cat=10, log_count=3, seq_no=73343, data len=1584 size:1660
type:3, cat=0, log_count=2, seq_no=73344, data len=1320 size:1396
type:3, cat=0, log_count=3, seq_no=73345, data len=1292 size:1368
type:3, cat=0, log_count=3, seq_no=73346, data len=1412 size:1488
<additional output omitted>

  3. Repeated instances of 'Failed to allocate memory for log queue' appear in the fgtlogd debug output:


MOCKUP_FGT # diagnose debug reset

MOCKUP_FGT # diagnose debug application fgtlogd -1

Debug messages will be on for 30 minutes.

MOCKUP_FGT # diagnose debug enable
<709> _enqueue_lz4()-684: Failed to allocate memory for log queue.
<709> _enqueue_lz4()-684: Failed to allocate memory for log queue.
<709> _enqueue_lz4()-684: Failed to allocate memory for log queue.
<709> _enqueue_lz4()-684: Failed to allocate memory for log queue.
<additional output omitted>

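The three checks above can be run over captured CLI output so that a silent gap in remote logging is noticed quickly. The following is an added example, not Fortinet code: the function names and the 0.95 "close to the maximum" threshold are assumptions, and the sample text is abbreviated from the output shown in this article.

```python
import re

# Sample text: abbreviated from the 'fgtlogd 30' output shown in this article.
SAMPLE_QUEUES = """\
VDOM:root
Memory queue for: fds
queue:
num:0 size:0(0MB) total size:20110925(19MB) max:20111073(19MB)
Confirm queue for: fds
queue:
num:7900 size:20110925(19MB) total size:20110925(19MB) max:20111073(19MB)
type:3, cat=10, log_count=3, seq_no=73343, data len=1584 size:1660
"""
# Sample text: fgtlogd debug lines as shown in this article.
SAMPLE_DEBUG = """\
<709> _enqueue_lz4()-684: Failed to allocate memory for log queue.
<709> _enqueue_lz4()-684: Failed to allocate memory for log queue.
"""
HEADER = re.compile(r"^(Memory|Confirm) queue for:\s*(\S+)")
STATS = re.compile(r"^num:(\d+) size:(\d+)\(\d+MB\) total size:(\d+)\(\d+MB\) max:(\d+)")

def parse_queues(text):
    """Return {(vdom, kind, dest): {'num','size','total','max'}} from fgtlogd 30 output."""
    queues, vdom, current = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("VDOM:"):
            vdom = line[5:]
        elif m := HEADER.match(line):
            current = (vdom, m.group(1).lower(), m.group(2))
        elif current and (m := STATS.match(line)):
            queues[current] = dict(zip(("num", "size", "total", "max"), map(int, m.groups())))
            current = None  # skip the per-entry 'type:...' lines that follow
    return queues

def stalled_destinations(text, threshold=0.95):
    """(vdom, dest) pairs with an empty memory queue and a confirm queue at or
    above threshold of its max. The 0.95 default is an assumed cut-off."""
    q = parse_queues(text)
    return sorted((v, d) for (v, kind, d), c in q.items()
                  if kind == "confirm" and c["max"] and c["size"] / c["max"] >= threshold
                  and q.get((v, "memory", d), {}).get("num") == 0)

def alloc_failures(debug_text):
    """Count 'Failed to allocate memory for log queue' lines in fgtlogd debug output."""
    return sum("Failed to allocate memory for log queue" in l for l in debug_text.splitlines())

if __name__ == "__main__":
    print(stalled_destinations(SAMPLE_QUEUES), alloc_failures(SAMPLE_DEBUG))
```

A non-empty result from stalled_destinations together with a non-zero alloc_failures count matches the symptom pattern described in steps 2 and 3.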
 

Resolving the issue:

 

Upgrade the device to v7.2.11, v7.4.7, v7.6.1 or later.

 

In these versions, FortiGate will still send logs to FortiGate Cloud even if unacknowledged logging events are pending in the confirm queue.

 

If upgrade is not possible, the logging issue can be temporarily cleared by restarting fgtlogd, but it may occur again. Note that the fgtlogd daemon is responsible for sending logs to both FortiGate Cloud and FortiAnalyzer.

MOCKUP_FGT # fnsysctl killall fgtlogd
MOCKUP_FGT #

 

Up-to-date firmware is required to maintain FortiGate Cloud logging access for devices without a paid subscription:

 

If the device has no FortiGate Cloud subscription, verify that it is running a latest-patch firmware release.

 

As of February 28, 2025, a FortiGate without a paid FortiGate Cloud subscription must upgrade to and maintain the latest patch version of an in-support FortiOS firmware branch in order to access FortiGate Cloud features. These features include logging to FortiGate Cloud.

For example, in March 2025 the latest v7.4 GA release was v7.4.7. After a 7-day grace period, a v7.4.6 FortiGate without a paid FortiGate Cloud subscription would not be able to send logs to FortiGate Cloud and an administrator would need to upgrade to the latest v7.4 release to maintain access.

 

This is a change from the previous FortiGate Cloud mandatory application of the 'latest-patch' firmware profile.

Automatic upgrade by FortiGate Cloud of a FortiGate without a paid FortiGate Cloud subscription will no longer be enforced.

