Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
chethan
Contributor

Created on ‎03-17-2022 10:09 PM

FortiAnalyzer is not Inserting Logs

Hi,

 

We have a FortiAnalyzer VM deployed on ESXi last year at our customer's place. Everything was working fine but since a week we were not able to see any logs on "Log View". When we checked the dashboard, we can see that the FortiAnalyzer is receiving logs from the FortiGate but it is not Inserting them into the database.

 

The logs are still present in Log Browse (Compressed). FortiAnalyzer is in Analyzer mode and not Collector mode.

 

How do we fix this ? 

 

chethan_0-1647579737533.png

 

Thank you.

 

FortiAnalyzer FortiGate 

Chethan
NSE 4
ChethanNSE 4
Labels:
4062
0 Kudos
1 Solution
Debbie_FTNT
Staff
Staff

Created on ‎03-18-2022 02:09 AM

Hey chethan,

first thing you can try is rebuilding the database.

exe sql-local rebuild-db

That shouldn't impact anything; while rebuilding the DB there is limited access to Log View/FortiView and Reporting, but you don't have those functions working anyway.

You can also refer to this KB for the rebuild command: https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-FortiAnalyzer-SQL-database-delete-and-...

 

If, after the rebuild is completed, the issue still persists, you can try deleting and rebuilding to have the database recreated from scratch. Other than that, I can only suggest digging into the sql daemons:

 

For example:

#dia de app sqllogd 8

#dia de en

 

You can also check the release notes for your Analyzer's firmware version to see if there are reported issues, check the Analyzer's own event logs and the crashlog (dia de crashlog read, I believe) to see if there are any obvious errors.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

View solution in original post

4051
5 REPLIES 5
Debbie_FTNT
Staff
Staff

Created on ‎03-18-2022 02:09 AM

Hey chethan,

first thing you can try is rebuilding the database.

exe sql-local rebuild-db

That shouldn't impact anything; while rebuilding the DB there is limited access to Log View/FortiView and Reporting, but you don't have those functions working anyway.

You can also refer to this KB for the rebuild command: https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-FortiAnalyzer-SQL-database-delete-and-...

 

If, after the rebuild is completed, the issue still persists, you can try deleting and rebuilding to have the database recreated from scratch. Other than that, I can only suggest digging into the sql daemons:

 

For example:

#dia de app sqllogd 8

#dia de en

 

You can also check the release notes for your Analyzer's firmware version to see if there are reported issues, check the Analyzer's own event logs and the crashlog (dia de crashlog read, I believe) to see if there are any obvious errors.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
4052
chethan
Contributor
In response to Debbie_FTNT

Created on ‎03-18-2022 05:39 AM Edited on ‎03-18-2022 05:51 AM

Hey Debbie,

 

I ran the diagnose debug crashlog read command and the below is the following output.

Signal 11 (Segmentation Fault) ?

 

 

Firmware FAZVM64 v6.4.7-build2412 210902 (GA)
2022-03-04 09:58:25 Application ddmd
2022-03-04 09:58:25 Signal 11 (Segmentation fault)
2022-03-04 09:58:25 Pid 6207 ppid 6201 backtrace:
2022-03-04 09:58:25 [0x7fd5eded42e8] libsegfault.so print_trace+0x23/0x138
2022-03-04 09:58:25 [0x7fd5eded4497] libsegfault.so catch_segfault+0x9a/0xfb
2022-03-04 09:58:25 [0x7fd5ec8ff90f] libc.so.6 +0x3890f
2022-03-04 09:58:25 [0x7fd5ecabc16f] libmonitor.so monitorDbSetCustomFuncs+0x6f/0x80
2022-03-04 09:58:25 [0x7fd5ecabc289] libmonitor.so +0xd289
2022-03-04 09:58:25 [0x7fd5ecabc309] libmonitor.so monitorDbStartTransaction+0x5/0x42
2022-03-04 09:58:25 [0x7fd5ecabc92e] libmonitor.so +0xd92e
2022-03-04 09:58:25 [0x7fd5ecabc3b5] libmonitor.so monitorDbBuild+0x6f/0x133
2022-03-04 09:58:25 [ 0x414b94] ddmd main+0x3b/0xd1
2022-03-04 09:58:25 [0x7fd5ec8eadea] libc.so.6 __libc_start_main+0xea/0x1be
2022-03-04 09:58:25 [ 0x4024f9] ddmd +0x24f9

 

I'm yet to rebuild the database.

 

 

UPDATE:

I ran the rebuild command and the process is still in progress.

But I've started to see logs in "Log View" now.

 

Will update again after the rebuilt process is complete.

 

Thank you

Chethan
NSE 4
ChethanNSE 4
3998
0 Kudos
Debbie_FTNT
Staff
Staff
In response to chethan

Created on ‎03-18-2022 06:14 AM

Hey Chetan,

the ddmd process is something with device manager if I remember correctly; and the crash was some two weeks ago, so I'm not sure if it would be relevant.
If you see that same segmentation fault repeatedly, or if the logs stop showing and you see the crash again, I would suggest reaching out to FortiAnalzyer Technical Support; it could be a bug or something else going on that needs some in-depth troubleshooting.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
3992
chethan
Contributor
In response to Debbie_FTNT

Created on ‎03-18-2022 07:23 AM

Hi Debbie,

 

Thank you so much for your responses.

 

Now the database is rebuilt.

I'll monitor the crash logs and raise a support ticket if required. 

 

chethan_0-1647613288823.png

 

Chethan
NSE 4
ChethanNSE 4
3986
0 Kudos
Debbie_FTNT
Staff
Staff
In response to chethan

Created on ‎03-21-2022 02:44 AM

Hey Chethan,

no problem, happy I was able to help :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
3962
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.