Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
msingh_FTNT
Staff
Staff

Created on ‎11-10-2022 07:22 AM Edited on ‎12-16-2024 10:08 PM By Community Manager

Article Id 229508

Troubleshooting Tip: FortiGate Logging debugs

Description This article describes how to capture the debug logs for logging issues.
Scope FortiGate v6.2, v6.4, v7.0 and v7.2
Solution

Daemon(s):

 

/bin/miglogd <- The miglogd process is responsible for logging locally to the unit.

 

Miglogd logs use port 514. In Reliable mode, Miglogd uses TCP/514. When Reliable is disabled, it uses UDP port 514.

 

Logging daemon (Miglogd).
 
The number of logging daemon child processes has been made available for editing.
A higher number can affect performance, and a lower number can affect log processing time, although no logs will be dropped or lost if the number is decreased.
If performance issues occur, consider altering the number of logging daemon child processes from 0 to 15 by using the following configuration.
The default is 8.
 
config system global
    set miglogd-children <integer>
end
 

General debug commands:

 

diagnose debug application miglogd 255 <- Leave it on for a much longer time to see what is printed out.
diagnose debug enable


diagnose test application miglogd 1 <- Have_disk= 1 shows the disk status.
diagnose test application miglogd 4 <- Will show number of active log devices.
diagnose test application miglogd 6 <- Will show log dev statistics.
diagnose test application miglogd 15 <- Duration.
diagnose test application miglogd 20 <- Will show if OFTP status is established [ OFPD, this process is used to upload Logs ].
diagnose test app miglogd 26 1 <- Enable/disable log dumping.
diagnose log kernel-stats <- Query logging statistics.
execute log fortiguard test-connectivity

 

FortiOS 7.2.4 and above use "fgtlogd" daemon to check logging to FortiAnalyzer and Fortigate Cloud:
Log-related diagnostic commands

 

diagnose test application fgtlogd <Test Level>

 

Note: Logs are generally sent to FortiAnalyzer/Syslog devices using UDP port 514. To use sniffer, run the following commands:

 

       diag sniffer packet any 'udp port 514' 4 0 l

diag sniffer packet any 'udp port 514' 6 0 a

 

Note: If logs are sent to FortiAnalyzer and 'set reliable' is enabled under config log fortianalyzer settings, logs will be sent using TCP port 514 and for sniffer.

 

It is possible to run the following:

 

diag sniffer packet any 'tcp port 514' 4 0 l

diag sniffer packet any 'tcp port 514' 6 0 a

 

Note: FortiGate sends logs to FortiCloud on TCP port 514 and makes sure to use the sniffer:

 

       diagnose sniffer packet any 'tcp port 514' 4 0 l

diagnose sniffer packet any 'tcp port 514' 6 0 a
7948
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.