Description
This article provides basic troubleshooting when the logs are not displayed in FortiView.
Useful links:
Logging FortiGate traffic
Logging FortiGate traffic and using FortiView
Scope
FortiGate, FortiView.
Solution
Log traffic must be enabled in firewall policies:
config firewall policy
edit <Policy_id>
set logtraffic all/utm
end
Check the log settings and enable the options that apply to the traffic you expect to see (the options available under 'config log setting' are listed below):
config log setting
set
resolve-ip Add resolved domain name into traffic log if possible.
resolve-port Add resolved service name into traffic log if possible.
log-user-in-upper Enable/disable collect log with user-in-upper.
fwpolicy-implicit-log Enable/disable collect firewall implicit policy log.
fwpolicy6-implicit-log Enable/disable collect firewall implicit policy6 log.
log-invalid-packet Enable/disable collect invalid packet traffic log.
local-in-allow Enable/disable collect local-in-allow log.
local-in-deny-unicast Enable/disable collect local-in-deny-unicast log.
local-in-deny-broadcast Enable/disable collect local-in-deny-broadcast log.
local-out Enable/disable collect local-out log.
daemon-log Enable/disable collect daemon log.
neighbor-event Enable/disable collect neighbor event log.
brief-traffic-format Enable/disable use of brief format for traffic log.
user-anonymize Enable/disable anonymize log user name.
expolicy-implicit-log Enable/disable collect explicit proxy firewall implicit policy log.
log-policy-comment Enable/disable insertion of policy comment in to traffic log.
end
Example:
set resolve-ip enable
Configure where the logs will be sent:
config log memory/disk/fortianalyzer/syslog setting
set status enable
end
Select the source of the log information in FortiView:
config log gui-display
set location
memory Display memory log.
disk Display disk log.
fortianalyzer Display FortiAnalyzer log.
forticloud Display FortiCloud log.
end
Check that the severity is set to 'information' so that logs of every severity level, down to the lowest, are displayed:
config log memory/disk/fortianalyzer/syslog filter
set severity information
Also verify that the log categories are enabled; the filter values should read as follows:
forward-traffic : enable
local-traffic : enable
multicast-traffic : enable
sniffer-traffic : enable
anomaly : enable
voip : enable
dns : enable
filter :
filter-type : include
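The checks in the steps above (logtraffic on every policy, the log destination that FortiView reads from being enabled, severity 'information' and all traffic categories enabled in the filter) can be run against a saved configuration dump instead of walking the CLI by hand. The following is an added example, not Fortinet's code: a small parser for the FortiOS 'config/edit/set/next/end' syntax plus an audit of the settings this article names. The configuration text is constructed for the example, and the defaults assumed for values absent from the dump are marked as assumptions in the comments.

```python
"""Audit a FortiOS config dump for the FortiView logging prerequisites.

Added example, not Fortinet's code. SAMPLE_CONFIG is constructed; a real dump
comes from 'show' or 'show full-configuration'. Values absent from the dump
are treated as the defaults noted in the comments, which is an assumption.
"""
from collections import OrderedDict

# Constructed sample: policy 2 has logging off, the memory filter severity is
# above 'information' and local-traffic logging is disabled.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "lan-to-wan"
        set logtraffic all
    next
    edit 2
        set name "guest-out"
        set logtraffic disable
    next
    edit 3
        set name "dmz-in"
        set logtraffic utm
    next
end
config log memory setting
    set status enable
end
config log disk setting
    set status disable
end
config log gui-display
    set location memory
end
config log memory filter
    set severity warning
    set forward-traffic enable
    set local-traffic disable
end
"""

# Categories the article expects to be enabled in the log filter.
TRAFFIC_CATEGORIES = ("forward-traffic", "local-traffic", "multicast-traffic",
                      "sniffer-traffic", "anomaly", "voip", "dns")

# 'config log gui-display' uses 'forticloud', but the matching CLI sections are
# 'config log fortiguard setting' / 'config log fortiguard filter'.
LOCATION_SECTION = {"forticloud": "fortiguard"}


def parse_fortios(text):
    """Parse FortiOS config syntax into nested OrderedDicts.

    'config X' becomes a key "X"; 'edit <id>' nests a dict under <id>;
    'set k v...' stores the value with quotes stripped; 'next'/'end' pop.
    """
    root = OrderedDict()
    stack = [root]  # container for the current nesting level
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), OrderedDict()))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0].strip('"'), OrderedDict()))
        elif cmd == "set":
            stack[-1][args[0]] = " ".join(a.strip('"') for a in args[1:])
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def audit(cfg):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    # 1. Every firewall policy must log traffic ('all' or 'utm').
    for pid, pol in cfg.get("firewall policy", {}).items():
        mode = pol.get("logtraffic", "<not set>")
        if mode not in ("all", "utm"):
            findings.append(f"firewall policy {pid}: logtraffic is {mode}, expected all or utm")
    # 2. FortiView shows the location from 'config log gui-display'; that
    #    destination must have status enable. Assumption: memory if absent.
    location = cfg.get("log gui-display", {}).get("location", "memory")
    section = LOCATION_SECTION.get(location, location)
    status = cfg.get(f"log {section} setting", {}).get("status", "<not set>")
    if status != "enable":
        findings.append(f"log {section} setting: status is {status}, but FortiView displays {location} logs")
    # 3. Filter: severity 'information' and every traffic category enabled.
    #    Assumption: absent severity/category values mean the default (enabled).
    filt = cfg.get(f"log {section} filter", {})
    sev = filt.get("severity", "information")
    if sev != "information":
        findings.append(f"log {section} filter: severity {sev} hides lower-severity logs; set severity information")
    for cat in TRAFFIC_CATEGORIES:
        if filt.get(cat, "enable") != "enable":
            findings.append(f"log {section} filter: {cat} is disabled")
    return findings


def fortiview_ready(text):
    """True when a config dump passes every check in this article."""
    return not audit(parse_fortios(text))


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Feed it the output of 'show' from the unit (or 'show full-configuration' if you want defaults made explicit rather than assumed); each finding names the section and the value to change.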
Execute the following to find the PID of the miglogd process and restart it:
diag sys top 2 50
Wait a few seconds for the output and note the PID of miglogd; in this example it is '55'.
newcli 2151 R 1.4 1.0
sshd 2149 S 0.4 0.7
httpsd 147 S 0.0 1.6
pyfcgid 2147 S 0.0 1.5
miglogd 55 S 0.0 1.4
Note: Since v6.2, it is possible to find the process ID via:
diag sys process pidof miglogd
diag sys kill 11 <PID>   (in this example: diag sys kill 11 55)
As an alternative, all miglogd processes can be restarted at once with:
fnsysctl killall miglogd
Run a log test:
diag log test
To view the logs in FortiView from the FortiGate GUI either:
- Log off and log on again.
- Refresh the page.
The logs will be shown under Log & Report.
Related article:
Technical Note: Logs not displayed because of corrupted flash memory