I have a few FortiGates logging directly and in real time to FortiAnalyzer. All of them are doing fine except one HA setup. I added the device to the FAZ, and while it's connected and registered it's just not sending any logs. From the FGT I can ping and telnet to the FAZ on port 514. The device is also registered:
Registration: registered
Connection: allow
Adom Disk Space (Used/Allocated): 43299899634B/53687091200B
Analytics Usage (Used/Allocated): 33557392016B/37580963840B
Analytics Usage (Data Policy Days Actual/Configured): 1/60 Days
Archive Usage (Used/Allocated): 9742507618B/16106127360B
Archive Usage (Data Policy Days Actual/Configured): 6/180 Days
Log: Tx & Rx (log not received)
IPS Packet Log: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
I did some debugging and see the following on FAZ:
diagnose test application oftpd 50
2022-03-01 12:11:30 FGXXXXX root 0 retrieve from cache failed: key not found
2022-03-01 12:11:30 FG2XXXX root 0 retrieve from cache failed: key not found
These lines are from the device that just won't send any logs.
-> On FortiGate side, it is the miglogd process sending logs to FAZ
@ZafirFX the steps would restart the miglogd daemon, which can help a lot with logging issues
-> oftpd is the process on FAZ receiving the logs
If the issue remains after restarting miglogd, you can check the following:
- does the HA setup have ha-direct enabled?
#show system ha
-> if yes, that means each FortiGate unit is trying to send the logs via the HA management interface instead of whatever other route it should take based on the routing table
- packet capture on the FortiGate to confirm it is actually trying to send on port 514 (and out the correct interface)
- diag sniffer on FortiAnalyzer to confirm the traffic is actually arriving
- miglogd debug on FortiGate
#dia de app miglogd -1
#dia de en
- oftpd debug on FortiAnalyzer
#dia de app oftpd 255 <FortiGate IP>
Depending on FortiGate and FortiAnalyzer firmware version, there can be issues specific to HA deployments and FortiAnalyzer not trusting the FortiGate certificate or vice versa; you should see this in miglogd debug or oftpd debug.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
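A registered device whose Log channel shows "log not received" is a silent log source, which is a monitoring gap worth catching automatically rather than noticing by hand. The following is an added example (not code from the post or from Fortinet) that parses the FAZ device-status block and the oftpd debug lines in the formats shown above and produces findings; the device serials and the status sample are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample of the FAZ device-status block, in the run-together form shown in the post.
STATUS_SAMPLE = (
    "Registration: registered Connection: allow "
    "Adom Disk Space (Used/Allocated): 43299899634B/53687091200B "
    "Analytics Usage (Used/Allocated): 33557392016B/37580963840B "
    "Analytics Usage (Data Policy Days Actual/Configured): 1/60 Days "
    "Archive Usage (Used/Allocated): 9742507618B/16106127360B "
    "Archive Usage (Data Policy Days Actual/Configured): 6/180 Days "
    "Log: Tx & Rx (log not received) IPS Packet Log: Tx & Rx "
    "Content Archive: Tx & Rx Quarantine: Tx & Rx"
)

# Constructed oftpd debug lines in the format shown in the post (serials are placeholders).
OFTPD_SAMPLE = """2022-03-01 12:11:30 FGXXXXX root 0 retrieve from cache failed: key not found
2022-03-01 12:11:30 FG2XXXX root 0 retrieve from cache failed: key not found
2022-03-01 12:11:31 FGXXXXX root 0 retrieve from cache failed: key not found"""

USAGE_RE = re.compile(r"(Adom Disk Space|Analytics Usage|Archive Usage) \(Used/Allocated\): (\d+)B/(\d+)B")
CHANNEL_RE = re.compile(r"(IPS Packet Log|Content Archive|Quarantine|Log): Tx & Rx( \(([^)]*)\))?")
OFTPD_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+) (\d+) (.+)$")

def parse_device_status(text: str) -> Dict[str, object]:
    """Turn the run-together FAZ device status into a dict: registration, per-channel notes, usage percentages."""
    info: Dict[str, object] = {}
    m = re.search(r"Registration: (\w+) Connection: (\w+)", text)
    if m:
        info["registration"], info["connection"] = m.group(1), m.group(2)
    for kind, used, alloc in USAGE_RE.findall(text):
        info[f"{kind.split()[0].lower()}_used_pct"] = round(100 * int(used) / int(alloc), 1)
    # A channel with no parenthesised note is recorded as "ok"; otherwise the note is kept verbatim.
    info["channels"] = {name: (note or "ok") for name, _, note in CHANNEL_RE.findall(text)}
    return info

def count_oftpd_cache_misses(debug_output: str) -> Dict[str, int]:
    """Count 'retrieve from cache failed' lines per device serial (second field) in oftpd debug output."""
    misses: Dict[str, int] = {}
    for line in debug_output.splitlines():
        m = OFTPD_RE.match(line.strip())
        if m and "retrieve from cache failed" in m.group(5):
            misses[m.group(2)] = misses.get(m.group(2), 0) + 1
    return misses

def silent_source_findings(status: Dict[str, object], misses: Dict[str, int]) -> List[str]:
    """Flag a registered device whose Log channel is not 'ok', then list per-serial oftpd cache misses."""
    findings: List[str] = []
    channels = status.get("channels", {})
    if status.get("registration") == "registered" and channels.get("Log", "ok") != "ok":
        findings.append(f"Log channel: {channels['Log']} (device registered but no logs arriving)")
    for serial, n in sorted(misses.items()):
        findings.append(f"{serial}: {n} oftpd cache miss(es)")
    return findings
```

Feed it the real status output and the oftpd debug capture from the FAZ to get the same two checks on a live system.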