Fortigate 200D - logging to syslog broken after firmware upgrade
Hi,
Our Fortigate is not logging to syslog after a firmware upgrade from "5.4.4" to "5.6.0, Build 1449".
Configuration:
IE-SV-For01-TC # config log syslogd setting
IE-SV-For01-TC (setting) # show full-configuration
config log syslogd setting
set status enable
set server "192.168.1.160"
set reliable disable
set port 9998
set facility local0
set source-ip "192.168.1.150"
set format default
end
IE-SV-For01-TC (setting) # end
IE-SV-For01-TC # config log syslogd filter
IE-SV-For01-TC (filter) # show full-configuration
config log syslogd filter
set severity information
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set anomaly enable
set voip enable
set dns enable
set filter ''
set filter-type include
end
By looking at the datasources in Splunk I can see that almost all of them except fgt_log stopped working (see file attached).
I was checking fortigate-whats-new-56.pdf and I didn't see any major changes in the logging system.
Already tried to "set status disabled" and re-enable it, but it didn't make any difference.
Why don't you try to disable the server and re-enable it? At the same time run the CLI command diag sniffer packet any "dst port 9998" and in a 2nd window execute the CLI command "diag log test". Do you see any packets outbound? Does the syslog target have an active listener on TCP port 9998 (e.g. netstat -an | grep 9998)?
Also use "diag test application miglogd 4" and look at your active log device and the log statistics for syslogd:
diag test application miglogd 6
Reference my previous post for some cool tips:
http://socpuppet.blogspot.com/2014/07/how-to-diagnostic-forticloud-issues-52ga.html
ALSO TO EDIT: make sure you have no strange severity filters enabled, like emergency only.
e.g.
SOCPUP01 (global) # show log syslogd filter
config log syslogd filter
set severity emergency
end
Even with the test command, a severity of "emergency" will not trigger. I hope this helps.
Ken
PCNSE
NSE
StrongSwan
emnoc wrote:
Why don't you try to disable the server and re-enable.
I already ran the following:
config log syslogd setting
set status disable
end
config log syslogd setting
set status enable
end
And it didn't make any difference.
emnoc wrote:
At the same time run cli cmd diag sniffer packet any "dst port 9998" and in a 2nd window execute a cli cmd "diag log test", do you see any packets outbound?
Yes, I see packets (around 300 per minute) going to the fgt_log datasource only. Sample packet:
Jul 4 08:50:34 192.168.1.150 date=2017-07-04 time=08:50:34 devname=Forti01 devid=FG200D********** logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.160 srcport=53826 srcintf="port1" dstip=xxx.xxx.xxx.xxx dstport=443 dstintf="wan1" poluuid="ce6733d8-a837-51e6-af07-3a30e8bbd8e8" sessionid=180385418 proto=6 action="server-rst" policyid=197 policytype="policy" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=213.168.224.167 transport=53826 service="HTTPS" duration=5 sentbyte=1157 rcvdbyte=5029 sentpkt=10 rcvdpkt=10 appcat="unscanned" wanin=4617 wanout=629 lanin=629 lanout=629
but fgt_event, fgt_traffic, and fgt_utm are still not working (nothing is logged into those datasources).
emnoc wrote:
Does the syslog-target have an active listener on tcp.port 9998 ( e.g netstat -an | grep 9998 )
Yes, because there's data logged into the fgt_log datasource.
I will try to troubleshoot it with the commands you gave me at the end of the previous post.
Oops...
It seems everything is fine with the Fortigate... I use the "Fortinet Fortigate app for Splunk" and it converts all data from fgt_log to the other datasources.
By querying Splunk with sourcetype="fgt_log" type="event" I can see they started to appear in Splunk on the day we upgraded the firmware on the Fortigate.
So something changed on the Fortigate itself, but I guess the changes have to be made in the Splunk app rather than on the Fortigate itself.
Thank you for your help @emnoc, the commands you provided were very helpful for me.
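As an added example (not code from the thread, Fortinet or the Splunk app): a parser for the FortiOS key=value syslog format shown in the sample packet, a check modelling the syslogd "set severity" filter emnoc warns about, and a routing function that assigns the per-type sourcetypes named above. The type-to-sourcetype mapping is an assumption; the app's real routing rules are not on this page.

```python
import re
from typing import Dict

# Constructed sample, modelled on the packet quoted in the thread (syslog header
# followed by FortiOS key=value fields; dstip is a documentation address).
SAMPLE_LINE = (
    'Jul 4 08:50:34 192.168.1.150 date=2017-07-04 time=08:50:34 devname=Forti01 '
    'devid=FG200D********** logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="root" srcip=192.168.1.160 srcport=53826 srcintf="port1" '
    'dstip=203.0.113.10 dstport=443 action="server-rst" policyid=197 '
    'dstcountry="United States" service="HTTPS" sentbyte=1157 rcvdbyte=5029'
)

# One key=value pair: the value is a double-quoted string (may contain spaces)
# or a bare token running to the next whitespace.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# FortiOS severities, most severe first (the values 'set severity' accepts).
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notice", "information", "debug"]

# Assumed mapping of the FortiOS 'type' field to the sourcetypes named in the
# thread; the Splunk app's real routing rules are not on this page.
TYPE_TO_SOURCETYPE = {"traffic": "fgt_traffic", "event": "fgt_event", "utm": "fgt_utm"}


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS syslog line into its key=value fields."""
    # Skip the syslog header by starting at 'date=', the first field FortiOS emits.
    start = line.find("date=")
    body = line[start:] if start >= 0 else line
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(body):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def passes_severity_filter(fields: Dict[str, str], configured: str) -> bool:
    """True if the record is forwarded under 'set severity <configured>'."""
    # FortiOS forwards records at the configured severity or more severe, so a
    # filter of 'emergency' drops everything else, 'diag log test' output included.
    level = fields.get("level")
    if level not in SEVERITIES or configured not in SEVERITIES:
        return False
    return SEVERITIES.index(level) <= SEVERITIES.index(configured)


def route_sourcetype(fields: Dict[str, str]) -> str:
    """Pick the per-type sourcetype for a parsed record, else fall back to fgt_log."""
    return TYPE_TO_SOURCETYPE.get(fields.get("type", ""), "fgt_log")
```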
Hi,
I need firmware for the 200D rev.2.
5.4.8 I think was the last one; without a licence I can get it, and I can't upgrade.
If somebody can help me,
thanks a lot.
