Hi community,
I have a few FortiGates logging directly and in real time to FortiAnalyzer. All of them are doing fine except one HA setup. I added the device to the FAZ, and while it's connected and registered it's just not sending any logs. From the FGT I can ping and telnet to the FAZ on port 514. The device is also registered:
Registration: registered
Connection: allow
Adom Disk Space (Used/Allocated): 43299899634B/53687091200B
Analytics Usage (Used/Allocated): 33557392016B/37580963840B
Analytics Usage (Data Policy Days Actual/Configured): 1/60 Days
Archive Usage (Used/Allocated): 9742507618B/16106127360B
Archive Usage (Data Policy Days Actual/Configured): 6/180 Days
Log: Tx & Rx (log not received)
IPS Packet Log: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
I did some debugging and see the following on FAZ:
diagnose test application oftpd 50
2022-03-01 12:11:30 FGXXXXX root 0 retrieve from cache failed: key not found
2022-03-01 12:11:30 FG2XXXX root 0 retrieve from cache failed: key not found
This is from the device that just won't send any log.
Any idea what's going on here?
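As an added example (not from the original poster or from Fortinet), the script below parses the two outputs quoted above: the FortiAnalyzer device-status block and the `diagnose test application oftpd 50` lines. It flags any channel whose status carries "(log not received)", computes how full each quota is, and lists the serials that the oftpd cache-miss messages refer to, so the same check can be run against status output collected from several devices. The line formats are assumed to match the quoted output exactly; the sample text, the masked serials and the 85% usage warning threshold are constructed for the example.

```python
import re

# Constructed sample: the FAZ device-status block as quoted in the post (serials masked).
SAMPLE_STATUS = """\
Registration: registered
Connection: allow
Adom Disk Space (Used/Allocated): 43299899634B/53687091200B
Analytics Usage (Used/Allocated): 33557392016B/37580963840B
Analytics Usage (Data Policy Days Actual/Configured): 1/60 Days
Archive Usage (Used/Allocated): 9742507618B/16106127360B
Archive Usage (Data Policy Days Actual/Configured): 6/180 Days
Log: Tx & Rx (log not received)
IPS Packet Log: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
"""

# Constructed sample: oftpd test output as quoted in the post.
SAMPLE_OFTPD = """\
2022-03-01 12:11:30 FGXXXXX root 0 retrieve from cache failed: key not found
2022-03-01 12:11:30 FG2XXXX root 0 retrieve from cache failed: key not found
"""

# "<name> (Used/Allocated): <used>B/<allocated>B"
USAGE_RE = re.compile(r"^(?P<name>.+?) \(Used/Allocated\): (?P<used>\d+)B/(?P<alloc>\d+)B$")
# "<date> <time> <serial> <adom> <code> <message>"  (assumed layout of the oftpd test lines)
OFTPD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<serial>\S+) (?P<adom>\S+) "
    r"(?P<code>\d+) (?P<msg>.*)$"
)
CHANNELS = ("Log", "IPS Packet Log", "Content Archive", "Quarantine")


def parse_status(text):
    """Parse one device's status block into plain fields plus quota usage figures."""
    fields, usage = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        m = USAGE_RE.match(line)
        if m:
            used, alloc = int(m["used"]), int(m["alloc"])
            usage[m["name"]] = {
                "used": used,
                "allocated": alloc,
                "percent": round(100.0 * used / alloc, 1) if alloc else None,
            }
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return {"fields": fields, "usage": usage}


def status_findings(status, usage_warn_percent=85.0):
    """Return human-readable findings: registration/connection state, channels
    not receiving logs, and quotas above the warning threshold."""
    findings = []
    f = status["fields"]
    if f.get("Registration") != "registered":
        findings.append(f"device not registered (Registration={f.get('Registration')!r})")
    if f.get("Connection") != "allow":
        findings.append(f"connection not allowed (Connection={f.get('Connection')!r})")
    for chan in CHANNELS:
        value = f.get(chan, "")
        if "not received" in value:
            findings.append(f"{chan}: {value}")
    for name, u in status["usage"].items():
        if u["percent"] is not None and u["percent"] >= usage_warn_percent:
            findings.append(f"{name} at {u['percent']}% of quota")
    return findings


def parse_oftpd(text):
    """Parse oftpd test lines into dicts (timestamp, serial, adom, code, message)."""
    return [m.groupdict() for m in map(OFTPD_RE.match, text.splitlines()) if m]


def cache_miss_serials(events):
    """Serials that logged the 'retrieve from cache failed' message, sorted."""
    return sorted({e["serial"] for e in events if "retrieve from cache failed" in e["msg"]})


if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    for finding in status_findings(status):
        print("FINDING:", finding)
    print("cache misses for:", cache_miss_serials(parse_oftpd(SAMPLE_OFTPD)))
```

Feed it the status block of a device that logs correctly and the "Log:" finding disappears, which makes it a quick way to spot the one HA member that is registered but silent.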
Quick question: did you reboot the FortiGate? Did you reboot the FAZ?
A reboot may generally solve a lot of problems or confirm certain aspects.
Without reboot, try to restart the oftpd on FortiGate:
> Step 1: First run this command and identify the OFTPD Process ID (PID)
# diag system process list
or, if newer:
# diag sys process pidof oftpd
> Step 2: Then kill the OFTPD process using the command:
# diagnose system process kill 11 <pid> <<--- PID is the process ID listed above
I think you mean miglogd :)
-> On FortiGate side, it is the miglogd process sending logs to FAZ
@ZafirFX the steps would restart the miglogd daemon, which can help a lot with logging issues
-> oftpd is the process on FAZ receiving the logs
If the issue remains after restarting miglogd, you can check the following:
- does the HA setup have ha-direct enabled?
#show system ha
-> if yes, that means each FortiGate unit is trying to send the logs via HA management interface instead of whatever other route it should take based on routing table
- packet capture on the FortiGate to confirm it is actually trying to send on port 514 (and out the correct interface)
- diag sniffer on FortiAnalyzer to confirm the traffic is actually arriving
- miglogd debug on FortiGate
#dia de app miglogd -1
#dia de en
- oftpd debug on FortiAnalyzer
#dia de app oftpd 255 <FortiGate IP>
Depending on FortiGate and FortiAnalyzer firmware version, there can be issues specific to HA deployments and FortiAnalyzer not trusting the FortiGate certificate or vice versa; you should see this in miglogd debug or oftpd debug.