Hi Guys,
We are collecting logs from FortiProxy products to SIEM. We can see that these logs are arriving and can be parsed in Analytics, but they are not visible as devices in the CMDB. What could be the reason for this? Version 7.2.6.
Hi @adem_netsys,
If you are on a multi-tenant deployment, I am sure you made sure you selected the correct organization, correct? ;)
When receiving logs from a device, a new CMDB entry only pops up if this IP (as seen from the Collector which receives this event) does not already exist in the CMDB. This is a common "issue" we have when we add all the devices of a new customer to the CMDB already, but only collect their logs several months later.
This is especially irritating when there's NAT or event forwarding happening somewhere on the way to the Collector.
Check your "Reporting IP" of the logs against the CMDB (in all organizations). If you still don't see the device there, then probably the CMDB has an internal error and I'd recommend opening a ticket.
Best,
Christian
Hi @Secusaurus
We are in an Enterprise setup, and as I mentioned, we can see these logs in Analytics, and they are even being parsed. There is no NAT in between. Even if there were, if we can see these logs arriving in the SIEM and the assigned Collector, I believe we should be able to see them in the CMDB.
Yes, for any log you receive in Analytics (historical, not live), you should see a matching CMDB entry which is matched against the IP-address you find as "Reporting IP" in your logs.
If this is not the case, you could configure it manually. But since the CMDB-entry still might not be connected to the logs, I'd rather think that's something for the TAC to investigate.
Best,
Christian
I have a similar problem. Due to the "unique" way we ingest syslog, the Reporting Device has multiple "Reporting Device" names, but the same Reporting IP, which is the syslog collector. We need to get each individual Reporting Device into the CMDB.