FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
syao
Staff & Editor
Article Id 415159
Description This article describes what happens when the syslog buffer of the FortiGate becomes full, the common causes of this issue, and how to troubleshoot it.
Scope FortiOS v7.x or above.
Solution

Use 'diagnose test application syslogd 1' to view syslogd statistics, including the syslog cache and buffer usage.

 

FG2K2E-1 # diagnose test application syslogd 1
vdom-admin=0
mgmt=root

syslog:
syslog: global , enabled
server=10.47.1.116:514, format=default, mode=reliable fac=184, src=
connection state:null
filter: severity=6, sz_exclude_list=0
traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter forti-switch virtual-patch casb
free-style filters: sz_filters=0
subcategory:
traffic: forward local multicast sniffer ztna
virus:all subcategories are enabled.
webfilter:all subcategories are enabled.
ips:all subcategories are enabled.
emailfilter:all subcategories are enabled.
anomaly:all subcategories are enabled.
voip:all subcategories are enabled.
dlp:all subcategories are enabled.
app-ctrl:all subcategories are enabled.
waf:all subcategories are enabled.
dns:all subcategories are enabled.
ssh:all subcategories are enabled.
ssl:all subcategories are enabled.
file-filter:all subcategories are enabled.
icap:all subcategories are enabled.
sctp-filter:all subcategories are enabled.
forti-switch:all subcategories are enabled.
virtual-patch:all subcategories are enabled.
casb:all subcategories are enabled.

server: global, id=0, ready=1, name=10.47.1.116 addr=10.47.1.116:514

cache maximum: 16777216(16MB) objects: 24588 used: 16506757(15MB) allocated: 17260736(16MB)


memory queue:
num:24588 size:16506757(15MB)
count:24588, failed:39, dropped:48433

 

The output above shows that the buffer is full (used ≈ 15MB of the 16MB cache maximum) and that many log entries have already been dropped (dropped: 48433). Re-run the command a few times over several minutes to confirm whether the counters (used, dropped, failed) keep increasing.
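The trend check described above can be scripted. The following is an added example, not part of the original article or of FortiOS: it parses two snapshots of 'diagnose test application syslogd 1' output (constructed here from the article's own values, trimmed to the lines the parser reads) and flags a full cache, rising dropped/failed counters, and a reliable-mode session that is not connected. The field names and the 90% "full" threshold are assumptions for illustration.

```python
import re
from typing import Any, Dict, List

# Constructed sample snapshots of 'diagnose test application syslogd 1',
# trimmed to the lines this parser reads. The values follow the article's
# two outputs: buffer full while the TCP session was down, then drained
# once the session came up.
SNAPSHOT_BEFORE = """\
server=10.47.1.116:514, format=default, mode=reliable fac=184, src=
connection state:null
cache maximum: 16777216(16MB) objects: 24588 used: 16506757(15MB) allocated: 17260736(16MB)
memory queue:
num:24588 size:16506757(15MB)
count:24588, failed:39, dropped:48433
"""

SNAPSHOT_AFTER = """\
server=10.47.1.116:514, format=default, mode=reliable fac=184, src=
connection state:connected
cache maximum: 16777216(16MB) objects: 0 used: 0(0MB) allocated: 0(0MB)
memory queue:
num:0 size:0(0MB)
count:0, failed:40, dropped:49684
"""


def parse_syslogd_stats(output: str) -> Dict[str, Any]:
    """Extract the fields relevant to buffer health from the CLI output."""
    stats: Dict[str, Any] = {}
    m = re.search(r"mode=(\S+)", output)
    stats["mode"] = m.group(1) if m else None
    m = re.search(r"connection state:(\S+)", output)
    stats["state"] = m.group(1) if m else None
    m = re.search(r"cache maximum:\s*(\d+)\(\w+\)\s*objects:\s*(\d+)\s*used:\s*(\d+)", output)
    if not m:
        raise ValueError("cache line not found in output")
    stats["cache_max"], stats["objects"], stats["used"] = (int(g) for g in m.groups())
    m = re.search(r"count:(\d+), failed:(\d+), dropped:(\d+)", output)
    if not m:
        raise ValueError("memory queue counters not found in output")
    stats["count"], stats["failed"], stats["dropped"] = (int(g) for g in m.groups())
    return stats


def assess(prev: Dict[str, Any], curr: Dict[str, Any],
           full_threshold: float = 0.9) -> Dict[str, Any]:
    """Compare two snapshots taken some minutes apart and list what changed.

    full_threshold is an assumed illustrative value, not a FortiOS setting.
    """
    alerts: List[str] = []
    fill = curr["used"] / curr["cache_max"] if curr["cache_max"] else 0.0
    dropped_delta = curr["dropped"] - prev["dropped"]
    failed_delta = curr["failed"] - prev["failed"]
    if fill >= full_threshold:
        alerts.append(f"cache is {fill:.0%} full ({curr['objects']} queued objects)")
    if dropped_delta > 0:
        alerts.append(f"dropped counter rose by {dropped_delta} between snapshots")
    if failed_delta > 0:
        alerts.append(f"failed counter rose by {failed_delta} between snapshots")
    # In reliable (TCP) mode a state other than 'connected' means nothing drains.
    if curr["mode"] in ("reliable", "legacy-reliable") and curr["state"] != "connected":
        alerts.append(f"TCP syslog session state is '{curr['state']}', not connected")
    return {"cache_fill": fill, "dropped_delta": dropped_delta,
            "failed_delta": failed_delta, "alerts": alerts}


if __name__ == "__main__":
    before = parse_syslogd_stats(SNAPSHOT_BEFORE)
    after = parse_syslogd_stats(SNAPSHOT_AFTER)
    for alert in assess(before, after)["alerts"]:
        print("ALERT:", alert)
```

Note that the dropped counter is cumulative: it does not reset when the cache drains, so a non-zero value by itself only says that logs were lost at some point; a value that keeps rising between snapshots is what indicates the problem is ongoing.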

 

This behavior often occurs when the FortiGate is sending logs over TCP (reliable or legacy-reliable mode). With TCP, the FortiGate waits for acknowledgments from the syslog server. If the server is slow to receive or acknowledge data, the FortiGate's cache can fill up, which can result in older log entries being discarded.

 

If FortiGate cannot establish a TCP connection, there will be no active sessions in the output of 'diagnose test application syslogd 9':

 

FG2K2E-1 # diagnose test application syslogd 9
total:0

 

FG2K2E-1 # diagnose sniffer packet any "port 514" 4 0 l
interfaces=[any]
filters=[port 514]
2025-10-15 17:11:42.225326 port1 out 10.47.0.158.21734 -> 10.47.1.116.514: syn 2930481299
2025-10-15 17:11:42.225816 port1 in 10.47.1.116.514 -> 10.47.0.158.21734: rst 0 ack 2930481300

 

If the FortiGate can establish a connection, 'diagnose test application syslogd 9' will show an active session:

 

FG2K2E-1 # diagnose test application syslogd 9
total:1
0. vdom:root name:syslog-glob-1 status:connected service:tcp server:10.47.1.116:514 source: socklocal:10.47.0.158:21737
ha_relay:0 ha_primary:1 ha_direct:0
readbyte:0 sentbyte:17533908
sendlen:0 sendoff:0 recvlen:65538 recvoff:0 readlen:0 readoff:0

 

Once the connection is established and the queued logs have been transmitted, the cache is cleared:


FG2K2E-1 # diagnose test application syslogd 1
vdom-admin=0
mgmt=root

syslog:
syslog: global , enabled
server=10.47.1.116:514, format=default, mode=reliable fac=184, src=
connection state:connected
filter: severity=6, sz_exclude_list=0
traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter forti-switch virtual-patch casb
free-style filters: sz_filters=0
subcategory:
traffic: forward local multicast sniffer ztna
virus:all subcategories are enabled.
webfilter:all subcategories are enabled.
ips:all subcategories are enabled.
emailfilter:all subcategories are enabled.
anomaly:all subcategories are enabled.
voip:all subcategories are enabled.
dlp:all subcategories are enabled.
app-ctrl:all subcategories are enabled.
waf:all subcategories are enabled.
dns:all subcategories are enabled.
ssh:all subcategories are enabled.
ssl:all subcategories are enabled.
file-filter:all subcategories are enabled.
icap:all subcategories are enabled.
sctp-filter:all subcategories are enabled.
forti-switch:all subcategories are enabled.
virtual-patch:all subcategories are enabled.
casb:all subcategories are enabled.

server: global, id=0, ready=1, name=10.47.1.116 addr=10.47.1.116:514

cache maximum: 16777216(16MB) objects: 0 used: 0(0MB) allocated: 0(0MB)


memory queue:
num:0 size:0(0MB)
count:0, failed:40, dropped:49684

 

Note:

This issue may still occur even when the FortiGate successfully establishes a TCP connection with the syslog server. In such cases, performing a packet capture analysis is recommended.

In the packet capture example below, TCP retransmissions can be observed from the FortiGate, indicating that it was not receiving ACK responses from the syslog server. In this case, verification should be performed on the syslog server to confirm whether it is actually receiving the logs.

 

[Figure: retransmission.png, packet capture showing TCP retransmissions from the FortiGate to the syslog server]
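The two capture conditions the article describes, a SYN answered by a RST (no TCP connection, as in the 'diagnose sniffer packet' output above) and repeated retransmissions of the same segment with no ACK coming back (the note above), can be picked out of sniffer output automatically. The following is an added example, not part of the original article or of FortiOS. It parses the verbosity-4 sniffer line format seen on this page; the exact format of data segments ("psh SEQ ack ACK") is an assumption, and the retransmission lines in the sample are constructed, using the article's client port 21737, not captured from the article's device.

```python
import re
from collections import Counter
from typing import Any, Dict, List

# Line format as seen in the article's 'diagnose sniffer packet any "port 514" 4 0 l'
# output; the trailing "ack N" part is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flag>\w+) (?P<seq>\d+)(?: ack (?P<ack>\d+))?"
)

# Constructed sample capture. The first two packet lines are the article's own
# (SYN refused with RST); the three 'psh' lines are constructed to show the
# FortiGate resending the same sequence number with no ACK from the server.
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[port 514]
2025-10-15 17:11:42.225326 port1 out 10.47.0.158.21734 -> 10.47.1.116.514: syn 2930481299
2025-10-15 17:11:42.225816 port1 in 10.47.1.116.514 -> 10.47.0.158.21734: rst 0 ack 2930481300
2025-10-15 17:12:01.000100 port1 out 10.47.0.158.21737 -> 10.47.1.116.514: psh 1000 ack 1
2025-10-15 17:12:01.200100 port1 out 10.47.0.158.21737 -> 10.47.1.116.514: psh 1000 ack 1
2025-10-15 17:12:01.600100 port1 out 10.47.0.158.21737 -> 10.47.1.116.514: psh 1000 ack 1
"""


def parse_sniffer(text: str) -> List[Dict[str, Any]]:
    """Turn sniffer output into packet dicts; non-packet lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        for key in ("sport", "dport", "seq"):
            p[key] = int(p[key])
        p["ack"] = int(p["ack"]) if p["ack"] is not None else None
        pkts.append(p)
    return pkts


def analyze(pkts: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Count refused connections, retransmitted segments and inbound ACKs."""
    syn_sent = set()            # 4-tuples for which the FortiGate sent a SYN
    sent_data = Counter()       # (4-tuple, seq) -> times the segment was sent
    refused = 0
    inbound_acks = 0
    for p in pkts:
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["dir"] == "out" and p["flag"] == "syn":
            syn_sent.add(flow)
        elif p["dir"] == "in" and p["flag"] == "rst":
            # RST from the server to a flow we opened: connection refused.
            reverse = (p["dst"], p["dport"], p["src"], p["sport"])
            if reverse in syn_sent:
                refused += 1
        elif p["dir"] == "out" and p["flag"] == "psh":
            sent_data[(flow, p["seq"])] += 1
        elif p["dir"] == "in" and p["flag"] == "ack":
            inbound_acks += 1
    # A data segment sent more than once with the same sequence number was
    # retransmitted, i.e. the server never acknowledged it.
    retransmissions = [(seq, n) for (_, seq), n in sent_data.items() if n > 1]
    return {"refused": refused, "retransmissions": retransmissions,
            "inbound_acks": inbound_acks}


if __name__ == "__main__":
    result = analyze(parse_sniffer(SAMPLE_CAPTURE))
    print(result)
```

If the result shows refused connections, the server side (listener, port, firewalling between the devices) is the place to look; if it shows retransmissions with no inbound ACKs, confirm on the syslog server whether the logs are actually arriving, as the article recommends.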