Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ZafirFX
New Contributor

Created on ‎03-03-2022 03:50 AM

Fortigate to Analyzer

Hi community,

 

I have few Fortigates logging directly and real time to FortiAnalyzer.  All of them doing fine except one HA setup. I added the device in to the FAZ and while it's connected and registered it just not sending any logs. From the FGT I can ping and telnet the FAZ on port 514. The device is also registered :

 

Registration: registered
Connection: allow
Adom Disk Space (Used/Allocated): 43299899634B/53687091200B
Analytics Usage (Used/Allocated): 33557392016B/37580963840B
Analytics Usage (Data Policy Days Actual/Configured): 1/60 Days
Archive Usage (Used/Allocated): 9742507618B/16106127360B
Archive Usage (Data Policy Days Actual/Configured): 6/180 Days
Log: Tx & Rx (log not received)
IPS Packet Log: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx

 

I did some debugging and see the following on FAZ:

 

diagnose test application oftpd 50

2022-03-01 12:11:30 FGXXXXX  root 0 retrieve from cache failed: key not found
2022-03-01 12:11:30 FG2XXXX  root 0 retrieve from cache failed: key not found

 

This is from the device that just won't send any log.

Any idea whats going on here?

Labels:
830
0 Kudos
2 REPLIES 2
AlexC-FTNT
Staff
Staff

Created on ‎03-04-2022 04:25 AM

Quick question: did you reboot the FortiGate? Did you reboot the FAZ? 
A reboot may generally solve a lot of problems or confirm certain aspects.

 

Without reboot, try to restart the oftpd on FortiGate:

>  Step:1 -First run this command and identify the OFTPD Process ID (PID)
# diag system process list

or, if newer:

# diag sys process pidof oftpd

> Step:2 -Then kill the OFTPD process running using the command:
# diagnose system process kill 11 <pid> <<--- PID is the process ID listed above


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
777
0 Kudos
Debbie_FTNT
Staff
Staff
In response to AlexC-FTNT

Created on ‎03-04-2022 07:03 AM

I think you mean miglogd :)

-> On FortiGate side, it is the miglogd process sending logs to FAZ

@ZafirFX the steps would restart the miglogd daemon, which can help a lot with logging issues

-> oftpd is the process on FAZ receiving the logs

 

If the issue remains after restarting miglogd, you can check the following:
- does the HA setup have ha-direct enabled?

#show system ha

-> if yes, that means each FortiGate unit is trying to send the logs via HA management interface instead of whatever other route it should take based on routing table

- packet capture on the FortiGate to confirm it is actually trying to send on port 514 (and out the correct interface)

- diag sniffer on FortiAnalyzer to confirm the traffic is actually arriving

- miglogd debug on FortiGate
#dia de app miglogd -1

#dia de en

- oftpd debug on FortiAnalyzer

#dia de app oftpd 255 <FortiGate IP>

 

Depending on FortiGate and FortiAnalyzer firmware version, there can be issues specific to HA deployments and FortiAnalyzer not trusting the FortiGate certificate or vice versa; you should see this in miglogd debug or oftpd debug.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
771
Labels
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.