Fortigate to Analyzer
Hi community,
I have a few FortiGates logging directly and in real time to FortiAnalyzer. All of them are doing fine except one HA setup. I added the device into the FAZ and, while it's connected and registered, it is just not sending any logs. From the FGT I can ping and telnet to the FAZ on port 514. The device is also registered:
Registration: registered
Connection: allow
Adom Disk Space (Used/Allocated): 43299899634B/53687091200B
Analytics Usage (Used/Allocated): 33557392016B/37580963840B
Analytics Usage (Data Policy Days Actual/Configured): 1/60 Days
Archive Usage (Used/Allocated): 9742507618B/16106127360B
Archive Usage (Data Policy Days Actual/Configured): 6/180 Days
Log: Tx & Rx (log not received)
IPS Packet Log: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
I did some debugging and see the following on FAZ:
diagnose test application oftpd 50
2022-03-01 12:11:30 FGXXXXX root 0 retrieve from cache failed: key not found
2022-03-01 12:11:30 FG2XXXX root 0 retrieve from cache failed: key not found
This is from the device that just won't send any log.
Any idea what's going on here?
- Labels: FortiAnalyzer, FortiGate
Quick question: did you reboot the FortiGate? Did you reboot the FAZ?
A reboot may generally solve a lot of problems or confirm certain aspects.
Without reboot, try to restart the oftpd on FortiGate:
Step 1: First run this command and identify the OFTPD process ID (PID):
# diag system process list
or, if newer:
# diag sys process pidof oftpd
Step 2: Then kill the OFTPD process running using the command:
# diagnose system process kill 11 <pid>   <<--- PID is the process ID listed above
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
I think you mean miglogd :)
-> On FortiGate side, it is the miglogd process sending logs to FAZ
@ZafirFX the steps would restart the miglogd daemon, which can help a lot with logging issues
-> oftpd is the process on FAZ receiving the logs
If the issue remains after restarting miglogd, you can check the following:
- does the HA setup have ha-direct enabled?
#show system ha
-> if yes, that means each FortiGate unit is trying to send the logs via HA management interface instead of whatever other route it should take based on routing table
- packet capture on the FortiGate to confirm it is actually trying to send on port 514 (and out the correct interface)
- diag sniffer on FortiAnalyzer to confirm the traffic is actually arriving
- miglogd debug on FortiGate
#dia de app miglogd -1
#dia de en
- oftpd debug on FortiAnalyzer
#dia de app oftpd 255 <FortiGate IP>
Depending on FortiGate and FortiAnalyzer firmware version, there can be issues specific to HA deployments and FortiAnalyzer not trusting the FortiGate certificate or vice versa; you should see this in miglogd debug or oftpd debug.
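An added check (not from this thread or from Fortinet) that parses the registration block shown in the question and turns the "log not received" state and near-full quotas into findings, since a FortiGate that is registered but silent is a gap in log collection. The sample block is constructed from the question's output; the 85% quota threshold is an assumed value, not a Fortinet setting.

```python
import re

# Constructed sample: the FortiGate status block quoted in the question above.
STATUS_OUTPUT = """\
Registration: registered
Connection: allow
Adom Disk Space (Used/Allocated): 43299899634B/53687091200B
Analytics Usage (Used/Allocated): 33557392016B/37580963840B
Analytics Usage (Data Policy Days Actual/Configured): 1/60 Days
Archive Usage (Used/Allocated): 9742507618B/16106127360B
Archive Usage (Data Policy Days Actual/Configured): 6/180 Days
Log: Tx & Rx (log not received)
IPS Packet Log: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
"""

# Matches "<name> (Used/Allocated): <used>B/<allocated>B"
USAGE_RE = re.compile(r"^(?P<name>.+?) \(Used/Allocated\): (?P<used>\d+)B/(?P<alloc>\d+)B$")

def parse_status(text):
    """Split the block into plain key/value fields and parsed byte quotas."""
    fields, usage = {}, {}
    for line in text.splitlines():
        m = USAGE_RE.match(line.strip())
        if m:
            usage[m["name"]] = (int(m["used"]), int(m["alloc"]))
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields, usage

def check_log_delivery(text, usage_warn=0.85):
    """Flag a registered device whose logs stop arriving (a detection blind spot)
    and any quota above usage_warn (an assumed threshold, not a Fortinet one)."""
    fields, usage = parse_status(text)
    findings = []
    if fields.get("Registration") != "registered":
        findings.append("device is not registered with the FAZ")
    if fields.get("Connection") != "allow":
        findings.append("FAZ connection state is not 'allow'")
    if "log not received" in fields.get("Log", ""):
        findings.append("registered but no logs received: check the TCP 514 path, "
                        "ha-direct, and miglogd/oftpd debug")
    for name, (used, alloc) in usage.items():
        pct = used / alloc
        if pct >= usage_warn:
            findings.append(f"{name} at {pct:.0%} of quota")
    return findings
```

Run `check_log_delivery` against the output of the same status command on each device; anything it returns is a device whose logs may silently be missing from the FAZ.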
