Usually this is because there are new logs arriving for that VDOM. Have you deleted that VDOM from the FortiGate as well? And is there is any other device forwarding logs from the FortiGate in question?
Yeah seen the same behavior. You can open a case with TAC. It has nothing to do with log_forward. If you craft a vdom and afterwards delete, if the FAZ picks it up it does NOT sync with FGT and delete the unused and deleted vdom
PCNSE
NSE
StrongSwan
Actually, I should add that you should delete the VDOM from the CLI in order to ensure that all related logs already on the FortiAnalyzer are deleted as well.
exec log device vdom delete Device_Name VDOM_Name
For more detail, see the KB article How to delete a VDOM from FortiAnalyzer
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1771 | |
1116 | |
766 | |
447 | |
242 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.