FortiGate
vpoluri
Staff
Article Id 194193

Description


This article provides basic troubleshooting when the logs are not displayed in FortiView.

Related documents:
Logging FortiGate traffic
Logging FortiGate traffic and using FortiView

 

Scope

 

FortiGate


Solution

 

FortiView is a GUI section on FortiGate that presents an overview of the traffic passing through the unit. For the period 'Now' it relies on the session table; for every historic period it relies on traffic logs, stored locally (memory or disk) or on FortiAnalyzer or FortiGate Cloud.

This means that for FortiView to display any historic information, the following conditions must all be met:

  1. Traffic logging must be enabled in the firewall policies that carry the traffic.
  2. Historic FortiView must be enabled.
  3. The logs must be stored in a location FortiView can read (memory, disk, FortiAnalyzer or FortiGate Cloud).

 


 

Logs should be visible under Log & Report.

To verify that traffic logging is enabled in policies:
 
Via CLI:
 
config firewall policy
    edit <Policy_id>
        set logtraffic all     <----- 'all' logs every session; 'utm' logs only sessions that triggered a security (UTM) event.
    next
end
 
Via GUI, check if 'Log Allowed Traffic' is enabled under the firewall policy. 
 
 
By default, a policy logs UTM (Security Events) only ('set logtraffic utm'), so sessions without a security event do not appear in FortiView until 'all' is selected.
Additional log settings are accessible via CLI and may make more information visible in FortiView:
 
config log setting
    set <option> enable
resolve-ip                Add resolved domain name into traffic log if possible.
resolve-port              Add resolved service name into traffic log if possible.
log-user-in-upper         Enable/disable collect log with user-in-upper.
fwpolicy-implicit-log     Enable/disable collect firewall implicit policy log.
fwpolicy6-implicit-log    Enable/disable collect firewall implicit policy6 log.
log-invalid-packet        Enable/disable collect invalid packet traffic log.
local-in-allow            Enable/disable collect local-in-allow log.
local-in-deny-unicast     Enable/disable collect local-in-deny-unicast log.
local-in-deny-broadcast   Enable/disable collect local-in-deny-broadcast log.
local-out                 Enable/disable collect local-out log.
daemon-log                Enable/disable collect daemon log.
neighbor-event            Enable/disable collect neighbor event log.
brief-traffic-format      Enable/disable use of brief format for traffic log.
user-anonymize            Enable/disable anonymize log user name.
expolicy-implicit-log     Enable/disable collect explicit proxy firewall implicit policy log.
log-policy-comment        Enable/disable insertion of policy comment in to traffic log.
end
 
Note:
Make sure that the option below is disabled, otherwise historical logs in FortiView Source/Destination will not be visible.

config log setting
    set brief-traffic-format disable     <----- Disabled by default.
end
 
Check where the logs are sent and that the destination is enabled:
 
config log memory/disk/fortianalyzer/syslogd setting
    set status enable
end 
 
Note:
Syslog cannot be used as a source for FortiView.
 
Select the source of the log information in FortiView:
 
config log gui-display
   set location 
memory           Display memory log.
disk             Display disk log.
fortianalyzer    Display FortiAnalyzer log.
forticloud       Display FortiCloud log.
end
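The checks above (policy 'logtraffic', 'brief-traffic-format', and whether the 'gui-display' location points at an enabled destination with severity 'information') are easy to miss when reviewing a long configuration by eye. The following is an added example, not Fortinet code: a small Python parser for the FortiOS 'config/edit/set/next/end' syntax plus an audit of the parsed blocks. It assumes the input is the text of 'show full-configuration' for the relevant blocks; the configuration below is constructed for the example, and the mapping of the 'forticloud' location to 'config log fortiguard setting' is an assumption.

```python
"""Audit a FortiOS configuration dump for settings that leave FortiView empty.

Added example (not Fortinet code).  Input: text of 'show full-configuration'.
The sample configuration is constructed for this example.
"""

# Constructed sample: three policies, one logging destination, one GUI source.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "LAN-to-WAN"
        set logtraffic all
    next
    edit 2
        set name "Guest"
        set logtraffic disable
    next
    edit 3
        set name "Legacy"
        set logtraffic utm
    next
end
config log setting
    set brief-traffic-format enable
    set resolve-ip enable
end
config log disk setting
    set status disable
end
config log fortianalyzer setting
    set status enable
end
config log gui-display
    set location disk
end
config log disk filter
    set severity information
end
config log fortianalyzer filter
    set severity warning
end
"""

# gui-display location -> config block holding that destination's 'status'.
# The forticloud entry is an assumption for this example.
DEST_BLOCKS = {
    "memory": "log memory setting",
    "disk": "log disk setting",
    "fortianalyzer": "log fortianalyzer setting",
    "forticloud": "log fortiguard setting",
}


def parse_fortios(text):
    """Parse config/edit/set/next/end into nested dicts keyed by block and table entry."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(stack[-1].setdefault(line[len("config "):], {}))
        elif line.startswith("edit "):
            stack.append(stack[-1].setdefault(line[len("edit "):].strip('"'), {}))
        elif line.startswith("set "):
            parts = line[len("set "):].split(None, 1)
            stack[-1][parts[0]] = parts[1].strip('"') if len(parts) > 1 else ""
        elif line in ("next", "end"):
            stack.pop()
    return root


def audit_fortiview(cfg):
    """Return (code, detail) findings that explain an empty historic FortiView."""
    findings = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        mode = pol.get("logtraffic", "utm")  # FortiOS default is utm
        name = pol.get("name", "?")
        if mode == "disable":
            findings.append(("policy-logtraffic-disable",
                             f"policy {pid} ({name}): no traffic logged"))
        elif mode == "utm":
            findings.append(("policy-logtraffic-utm",
                             f"policy {pid} ({name}): only UTM-event sessions logged"))
    if cfg.get("log setting", {}).get("brief-traffic-format") == "enable":
        findings.append(("brief-traffic-format",
                         "log setting: brief-traffic-format hides Source/Destination history"))
    loc = cfg.get("log gui-display", {}).get("location", "disk")
    if cfg.get(DEST_BLOCKS.get(loc, ""), {}).get("status") != "enable":
        findings.append(("gui-display-destination-disabled",
                         f"gui-display location '{loc}' is not an enabled log destination"))
    if cfg.get(f"log {loc} filter", {}).get("severity", "information") != "information":
        findings.append(("filter-severity",
                         f"log {loc} filter: severity above 'information' drops traffic logs"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_fortiview(parse_fortios(SAMPLE_CONFIG)):
        print(f"{code:36} {detail}")
```

Paste the output of 'show full-configuration firewall policy' together with the 'log setting', 'log <destination> setting', 'log gui-display' and 'log <destination> filter' blocks into SAMPLE_CONFIG (or read it from a file) to audit a real unit; the policy 'utm' finding is informational, the others each explain an empty view on their own.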
 
Check that the severity is set to information, to ensure all relevant information is logged (and can be displayed):
 
config log memory/disk/fortianalyzer/syslogd filter
    set severity information
end
 
The traffic categories must also be enabled in the same filter. 'get log disk filter' (or the equivalent for the destination in use) should show them as below:
 
forward-traffic     : enable
local-traffic       : enable
multicast-traffic   : enable
sniffer-traffic     : enable
anomaly             : enable
voip                : enable
dns                 : enable
filter              :
filter-type         : include
 
It can help to restart the logging daemon if display issues persist after verifying the above.
Execute the following to restart the miglogd process:
 
diagnose sys top 2 50
 
Wait a few seconds and note the process ID (PID) of miglogd; in this example it is '55'.
 
         newcli      2151      R       1.4     1.0
         sshd        2149      S       0.4     0.7
         httpsd       147      S       0.0     1.6
         pyfcgid     2147      S       0.0     1.5
         miglogd       55      S       0.0     1.4
 

Type 'q' to end the 'diagnose sys top' output, then use this command to forcibly end the process (it will restart):

 

diagnose sys kill 11 <PID>

 

Note:
Since v6.2, it is possible to find the process ID via below command, instead of checking 'diagnose sys top' output:
 
diagnose sys process pidof miglogd
 
If this returns more than one process ID, the first (smallest) ID is the parent process and killing it will also restart all children processes.
As an alternative, it is also possible to use the following command to restart all miglogd processes at once:
 
fnsysctl killall miglogd
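When the restart is scripted over SSH rather than typed by hand, the PID has to be picked out of the 'diagnose sys top' output, and when several miglogd processes are listed the parent (smallest PID) is the one to signal, as noted above. The following is an added example, not Fortinet code, that parses the top output and builds the kill command; the output text is constructed to match the format shown in this article.

```python
"""Pick the parent miglogd PID out of 'diagnose sys top' output.

Added example (not Fortinet code).  The sample output is constructed to match
the column layout shown in the article: name, PID, state, CPU%, MEM%.
"""

# Constructed sample of 'diagnose sys top' with two miglogd processes.
TOP_SAMPLE = """\
Run Time:  3 days, 4 hours and 12 minutes
0U, 0N, 1S, 99I, 0WA, 0HI, 0SI, 0ST; 3930T, 2111F
         newcli      2151      R       1.4     1.0
         sshd        2149      S       0.4     0.7
         httpsd       147      S       0.0     1.6
         pyfcgid     2147      S       0.0     1.5
         miglogd       55      S       0.0     1.4
         miglogd      201      S       0.0     1.1
"""


def find_pids(top_text, name):
    """Return the PIDs of every process line whose name matches, smallest first."""
    pids = []
    for line in top_text.splitlines():
        parts = line.split()
        # Process lines have at least: name, PID, state, CPU%, MEM%.
        if len(parts) >= 5 and parts[0] == name and parts[1].isdigit():
            pids.append(int(parts[1]))
    return sorted(pids)


def restart_command(top_text, name="miglogd"):
    """Build the 'diagnose sys kill 11 <PID>' command for the parent process.

    Signal 11 is what the article uses; the smallest PID is treated as the
    parent, so killing it restarts the children as well.  Returns None when
    the process is not running.
    """
    pids = find_pids(top_text, name)
    if not pids:
        return None
    return f"diagnose sys kill 11 {pids[0]}"


if __name__ == "__main__":
    print(find_pids(TOP_SAMPLE, "miglogd"))
    print(restart_command(TOP_SAMPLE))
```

On FortiOS 6.2 and later 'diagnose sys process pidof miglogd' gives the same list directly; the parser is only needed where the older 'diagnose sys top' output is all that is available.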

 

Execute the following commands to clear up any irregularities; they flush the cache and rebuild the FortiView reports database:

 

execute report flush-cache
execute report recreate-db

 
To generate test log messages:
 
diagnose log test

 

Related article:

Technical Tip: Logs not displayed because of corrupted flash memory