vpoluri
Staff
Article Id 194193

Description


This article provides basic troubleshooting steps for when logs are not displayed in FortiView.

Related documents:
Logging FortiGate traffic
Logging FortiGate traffic and using FortiView

 

Scope

 

FortiGate, FortiView.


Solution

 

Log traffic must be enabled in firewall policies:
 
config firewall policy
    edit <Policy_id>
        set logtraffic all/utm
end
 
Check the log settings and select from the following:
 
config log setting
    set
        resolve-ip                Add resolved domain name into traffic log if possible.
        resolve-port              Add resolved service name into traffic log if possible.
        log-user-in-upper         Enable/disable collect log with user-in-upper.
        fwpolicy-implicit-log     Enable/disable collect firewall implicit policy log.
        fwpolicy6-implicit-log    Enable/disable collect firewall implicit policy6 log.
        log-invalid-packet        Enable/disable collect invalid packet traffic log.
        local-in-allow            Enable/disable collect local-in-allow log.
        local-in-deny-unicast     Enable/disable collect local-in-deny-unicast log.
        local-in-deny-broadcast   Enable/disable collect local-in-deny-broadcast log.
        local-out                 Enable/disable collect local-out log.
        daemon-log                Enable/disable collect daemon log.
        neighbor-event            Enable/disable collect neighbor event log.
        brief-traffic-format      Enable/disable use of brief format for traffic log.
        user-anonymize            Enable/disable anonymize log user name.
        expolicy-implicit-log     Enable/disable collect explicit proxy firewall implicit policy log.
        log-policy-comment        Enable/disable insertion of policy comment in to traffic log.
end
 
Note:
Make sure that the option below is disabled; otherwise, historical logs in FortiView Source/Destination will not be visible.

config log setting
    set brief-traffic-format disable     <----- Disabled by default.
end
 
Example:
 
    set resolve-ip enable
 
Configure where the logs will be sent:
 
config log memory/disk/fortianalyzer/syslog setting
    set status enable
end
 
Select the source of the log information in FortiView:
 
config log gui-display
    set location
        memory           Display memory log.
        disk             Display disk log.
        fortianalyzer    Display FortiAnalyzer log.
        forticloud       Display FortiCloud log.
end
 
Check that the severity is set to information, to view ALL the logs from the lowest severity level:
 
config log memory/disk/fortianalyzer/syslog filter
    set severity information
    set
forward-traffic     : enable
local-traffic       : enable
multicast-traffic   : enable
sniffer-traffic     : enable
anomaly             : enable
voip                : enable
dns                 : enable
filter              :
filter-type         : include
 
To restart the miglogd process, first execute the following to find its PID:
 
diagnose sys top 2 50
 
Wait a few seconds and note the PID of miglogd; in this example, it is '55'.
 
         newcli      2151      R       1.4     1.0
         sshd        2149      S       0.4     0.7
         httpsd       147      S       0.0     1.6
         pyfcgid     2147      S       0.0     1.5
         miglogd       55      S       0.0     1.4
 

Execute the following commands to clear up any irregularities. They clear and rebuild the FortiView Reports Database.

 

execute report flush-cache
execute report recreate-db

 

Note:

In some versions, such as 7.2, this is no longer available. Check for any config errors in the file:

   

diagnose debug config-error-log

 
Note:
Since v6.2, it is possible to find the process ID via:
 
diagnose sys process pidof miglogd
diagnose sys kill 11 <PID>       -->     diag sys kill 11 55
 
As an alternative, it is also possible to use the following command to restart all miglogd processes at once:
 
fnsysctl killall miglogd
 
Run a log test:
 
diagnose log test
 
To view the logs in FortiView from the FortiGate GUI, either:
  • Log off and log on again.
  • Refresh the page.
 
The logs will be shown under Log & Report.
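
The configuration checks above can also be run offline against saved CLI output. The following Python is an added example, not part of the original article or any Fortinet tool: it parses configuration text and reports the values this article says keep logs out of FortiView. It assumes the text comes from `show full-configuration` (so default values are present); the sample config and the names `parse` and `audit` are constructed for illustration, and the forticloud display location is not checked.

```python
# Added example. SAMPLE is constructed config text, not from a real device.
SAMPLE = """\
config firewall policy
    edit 2
        set logtraffic disable
    next
end
config log setting
    set brief-traffic-format enable
end
config log disk setting
    set status disable
end
config log gui-display
    set location disk
end
config log disk filter
    set severity warning
end
"""

def parse(text):
    """Map (top-level section, edit id) -> {key: value}; nested blocks are skipped."""
    out, path, entry = {}, [], None
    for tok in filter(None, (line.split() for line in text.splitlines())):
        if tok[0] == "config":
            path.append(" ".join(tok[1:]))
        elif tok[0] == "end" and path:
            path.pop()
            entry = entry if path else None   # tolerate 'end' without 'next'
        elif len(path) == 1 and tok[0] in ("edit", "next"):
            entry = tok[1] if tok[0] == "edit" else None
        elif len(path) == 1 and tok[0] == "set" and len(tok) > 2:
            out.setdefault((path[0], entry), {})[tok[1]] = " ".join(tok[2:]).strip('"')
    return out

def audit(text):
    """Return findings for the settings this article says FortiView depends on."""
    cfg, found = parse(text), []
    for (section, entry), kv in cfg.items():
        if section == "firewall policy" and kv.get("logtraffic") not in ("all", "utm"):
            found.append(f"policy {entry}: logtraffic is {kv.get('logtraffic')}")
    if cfg.get(("log setting", None), {}).get("brief-traffic-format") == "enable":
        found.append("log setting: brief-traffic-format is enable")
    loc = cfg.get(("log gui-display", None), {}).get("location")
    for part, key, want in (("setting", "status", "enable"), ("filter", "severity", "information")):
        got = cfg.get((f"log {loc} {part}", None), {}).get(key)
        if loc in ("memory", "disk", "fortianalyzer") and got != want:
            found.append(f"log {loc} {part}: {key} is {got}, expected {want}")
    return found
```

Calling `audit(SAMPLE)` returns one finding per mismatched setting; an empty list means the parsed text matches the settings described in this article.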

 

Related article:

Technical Note: Logs not displayed because of corrupted flash memory