jintrah_FTNT (Staff)
Created on 08-19-2024 02:38 AM; edited on 03-13-2025 11:45 PM by Anthony_E
Article Id 334269
Description
This article describes historical logs and realtime debug logs and how they are used together to determine the root cause (RCA) of an issue.
Scope
FortiGate.
Solution
Historical Logs:
- Stored data about past system events.
- Covers a wide array of incidents to understand general trends about the system health, network, etc.
- Helps establish a baseline for environment normalcy, and also understand any changes to it over time.
- May not contain sufficient or detailed information about a specific incident, in which case real-time debugging needs to be run.
- Logs fetched from Device Disk/FortiAnalyzer, Syslog, etc: System Event logs, HA Event logs, IPS logs, Traffic Logs, etc.
Realtime Debug Logs:
- Captures live data from a running system, application, or service, and helps to quickly understand what is happening in the environment.
- Useful for identifying transient or intermittent problems.
- Records data to capture specific issue(s) in detail.
- Logs may sometimes be too verbose, therefore requiring applicable filters to be set before issuance.
- Some debug logs are fetched from the CLI in realtime, for example:
diagnose debug report
diagnose debug application <> -1
diagnose debug enable
diagnose debug kernel level <>
diagnose debug enable
- Serial console logs captured by issuing an NMI (see: NMI Button for Troubleshooting Kernel Iss... - Fortinet Community).
- To stop the debug processes listed above when finished, press 'Ctrl+C' and enter 'diagnose debug disable'.
For an effective RCA, the best approach is to gather both real-time debug logs and historical logs and analyze them together.
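As an added example that is not part of the original article, the sequence below shows the two log types combined for one case: the historical event log is reviewed first, then a filtered realtime debug is run so the output stays readable, and the debug is cleanly stopped afterwards. The host 10.0.0.5 and the destination port 443 are constructed values for illustration.

```fortios
# --- Historical logs: review recent system events stored on disk first ---
execute log filter category event
execute log display

# --- Realtime debug: clear any stale debug state and add timestamps ---
diagnose debug reset
diagnose debug console timestamp enable

# Filter before enabling, otherwise the flow trace is far too verbose.
# Only traffic from the constructed host 10.0.0.5 to TCP/443 is traced.
diagnose debug flow filter addr 10.0.0.5
diagnose debug flow filter proto 6
diagnose debug flow filter dport 443
diagnose debug flow show function-name enable

# Trace at most 100 packets, then turn debug output on
diagnose debug flow trace start 100
diagnose debug enable

# ... reproduce the issue from the host now, then press Ctrl+C ...

# --- Stop and clean up so no filters or debug state linger ---
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

The flow trace is one filterable form of realtime debug; the same enable/disable/reset framing applies to the 'diagnose debug application' and 'diagnose debug kernel level' commands listed above.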