Help
FortiSIEM Discussions
adem_netsys
Contributor II

Created on ‎06-03-2025 05:17 AM

Can't see no logs from device

Hi guys,

 

I can't see the devices that don't send logs, I run cmdb report, but I don't think this is very healthy, and I couldn't get the exact output in the report in advanced search in 7.3.2. How do you solve this issue?

677
0 Kudos
8 REPLIES 8
DHNX
New Contributor II

Created on ‎06-08-2025 09:31 AM

Hey

 I’d like to help, but could you please clarify a few points to better understand the issue?

  1. When you say “can’t see devices that don’t send logs,” do you mean:

    • They are missing from CMDB entirely?

    • Or they appear in CMDB but show no logs in Log View/Search?

  2. Could you share a screenshot of:

    • The CMDB report you ran

    • Your Advanced Search configuration

This would help us visualize the issue more clearly and provide better suggestions.

DP
DP
635
0 Kudos
lbahtarliev
New Contributor III

Created on ‎06-08-2025 12:55 PM

@adem_netsys 

Hi,

I was going to ask the same question as @DHNX - Are these devices in the CMDB at all? If not, there is nothing you can do about it. 

If they managed to register to the CMDB one way or another, but currently their "Event Status" in CMDB is different than Normal (or empty - because if it's empty, this means they were registered via discovery, but no event pulling/receiving had taken place), like Warning, Critical etc. Then you can just do it like this:

  • Go to Resources > Rules > Availability > FortiSIEM
  • Search for "no logs from device". A System rule named "No logs from a device" should show. Click Edit on this rule, Go to "Step 2: Define Condition" then click the pencil icon to the subpattern to edit it. When the edit window opens, there is a button "Run as Query". Click on this one. 
  • A new browser tab will open with the subpattern definition executing in the "Analytics" module. Most probably it won't show any matching events. This is due to the fact, that the events this query looks for are System Events. And if not specified, by default FortiSIEM doesn't search in them.
  • To fix this, edit the filter in the Analytics tab query that the "Run as Query" button opened and add additional condition which should state: "System Event Category" = 3.
  • Choose the time range you want.
  • Execute.
  • Enjoy! :)
BR,
Lyuben 
URLs point to web pages, not to people.
URLs point to web pages, not to people.
625
0 Kudos
adem_netsys
Contributor II
In response to lbahtarliev

Created on ‎06-10-2025 01:02 AM

Hi @lbahtarliev @DHNX ,

I want to get the outputs of the sources that do not send logs in a healthy way, but I think the existing rules and reports do not fully meet them.

 

I've run the options I have but they all give different results. I have shared the relevant screenshots below.

CMDB Report: Device Event Collection Errors

 

Ekran görüntüsü 2025-06-10 105521.pngEkran görüntüsü 2025-06-10 105813.pngEkran görüntüsü 2025-06-10 105920.png

592
0 Kudos
lbahtarliev
New Contributor III

Created on ‎06-10-2025 02:22 PM

And why do you think the results are not OK? 

 

  • In the first screenshot you run it for just 7 days.
  • In the CMDB report, it shows devices which are not sending logs from 2024....
  • In the Advanced Search, your query is not right and equal to the one you have executed in the normal Analytics tab...

Just try to unify your conditions and requirements and all of the three approaches will work.

 

BR

URLs point to web pages, not to people.
URLs point to web pages, not to people.
577
0 Kudos
adem_netsys
Contributor II
In response to lbahtarliev

Created on ‎06-13-2025 02:40 AM

Hi @lbahtarliev

 

Yes, the time frames are different, but I sent them in different time frames as an example. I don't think the current rule is working properly. For example, now it doesn't bring the first output, and even if it does, it only brings syslog specific, whereas I know there are many devices that do not send logs. Is there a search you use?

540
0 Kudos
Secusaurus
Contributor III

Created on ‎06-10-2025 11:14 PM Edited on ‎06-11-2025 10:31 PM

Hi @adem_netsys,

 

We also had trouble finding the desired answer in the default reports.

The best solution we came up with, was to combine two reports:

  1. Analytics Report: No filter (so any log), group by "Reporting IP" (which happens by using "Reporting IP" and e.g. "COUNT(Matched Events)" as display columns)
  2. CMDB Report: with the filter "Device IP" NOT IN "Above Analytics Report : Reporting IP" and "Device Status" = 2 (which means "Approved").

If you run this for the last 24 hours, you get all the devices which are marked as "approved" but did not send any logs in that timeframe.

 

[EDIT: Obviously, at the time we were implementing that, we just followed the tip in that post here: https://community.fortinet.com/t5/FortiSIEM-Discussions/How-do-i-get-devices-not-sending-logs-in-las... ]

 

Best,

Christian

FCX #003451 | Fortinet Advanced Partner
FCX #003451 | Fortinet Advanced Partner
563
0 Kudos
adem_netsys
Contributor II
In response to Secusaurus

Created on ‎06-13-2025 03:00 AM

Hi @Secusaurus 

 

I tried this blog but couldn't get a proper output, do you have an example for comparison?

https://community.fortinet.com/t5/FortiSIEM-Discussions/How-do-i-get-devices-not-sending-logs-in-las... ]

537
0 Kudos
Secusaurus
Contributor III
In response to adem_netsys

Created on ‎06-24-2025 12:05 AM

Hi @adem_netsys,

Actually, our deployment of this report (currently FSM 7.2.4) looks exactly like the one in the screenshots of that post, just with small modifications in the row labels. For us, this works without any issues.

 

Best,

Christian

FCX #003451 | Fortinet Advanced Partner
FCX #003451 | Fortinet Advanced Partner
373
0 Kudos
Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.