ZafirFX
New Contributor

Fortigate to Analyzer

Hi community,

I have a few FortiGates logging directly and in real time to FortiAnalyzer. All of them are doing fine except one HA setup. I added the device to the FAZ, and while it's connected and registered, it's just not sending any logs. From the FGT I can ping and telnet the FAZ on port 514. The device is also registered:

Registration: registered
Connection: allow
Adom Disk Space (Used/Allocated): 43299899634B/53687091200B
Analytics Usage (Used/Allocated): 33557392016B/37580963840B
Analytics Usage (Data Policy Days Actual/Configured): 1/60 Days
Archive Usage (Used/Allocated): 9742507618B/16106127360B
Archive Usage (Data Policy Days Actual/Configured): 6/180 Days
Log: Tx & Rx (log not received)
IPS Packet Log: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx

I did some debugging and see the following on FAZ:

diagnose test application oftpd 50

2022-03-01 12:11:30 FGXXXXX  root 0 retrieve from cache failed: key not found
2022-03-01 12:11:30 FG2XXXX  root 0 retrieve from cache failed: key not found

This is from the device that just won't send any logs.

Any idea what's going on here?

AlexC-FTNT
Staff

Quick question: did you reboot the FortiGate? Did you reboot the FAZ?
A reboot may generally solve a lot of problems or confirm certain aspects.

Without a reboot, try to restart the oftpd on the FortiGate:

> Step 1: First run this command and identify the OFTPD process ID (PID)
# diag system process list

or, if newer:

# diag sys process pidof oftpd

> Step 2: Then kill the running OFTPD process using the command:
# diagnose system process kill 11 <pid> <<--- PID is the process ID listed above


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Debbie_FTNT

I think you mean miglogd :)

-> On FortiGate side, it is the miglogd process sending logs to FAZ

@ZafirFX the steps would restart the miglogd daemon, which can help a lot with logging issues

-> oftpd is the process on FAZ receiving the logs

If the issue remains after restarting miglogd, you can check the following:
- does the HA setup have ha-direct enabled?

#show system ha

-> if yes, that means each FortiGate unit is trying to send the logs via the HA management interface instead of whatever other route it should take based on the routing table

- packet capture on the FortiGate to confirm it is actually trying to send on port 514 (and out the correct interface)

- diag sniffer on FortiAnalyzer to confirm the traffic is actually arriving

- miglogd debug on FortiGate
#dia de app miglogd -1

#dia de en

- oftpd debug on FortiAnalyzer

#dia de app oftpd 255 <FortiGate IP>

Depending on FortiGate and FortiAnalyzer firmware version, there can be issues specific to HA deployments and FortiAnalyzer not trusting the FortiGate certificate or vice versa; you should see this in miglogd debug or oftpd debug.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
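
The checklist from the reply above, written out as one CLI sequence. This is an added example, not part of either reply; 192.0.2.10 (FortiAnalyzer) and 198.51.100.5 (the FortiGate's log source IP) are placeholder addresses, and the sniffer verbosity and packet-count values are assumptions.

```fortios
# Lines starting with '#' are annotations for the reader, not commands.
# Placeholders (assumptions): 192.0.2.10 = FortiAnalyzer,
#                             198.51.100.5 = FortiGate log source IP.

# ---------- On the FortiGate HA member that is not logging ----------

# 1. Is ha-direct enabled? If so, logs leave via the HA management
#    interface rather than following the routing table.
show full-configuration system ha | grep ha-direct

# 2. Review the FortiAnalyzer log settings (server, source IP, interface).
show full-configuration log fortianalyzer setting

# 3. Confirm the unit is actually sending to port 514. Verbosity 4 prints
#    the egress interface name with each packet; stop after 10 packets.
diagnose sniffer packet any 'host 192.0.2.10 and port 514' 4 10

# 4. Watch miglogd while it tries to connect. Certificate or trust
#    failures toward the FortiAnalyzer show up in this output.
diagnose debug reset
diagnose debug application miglogd -1
diagnose debug enable
#    ...wait for a connection attempt, then turn debugging off again:
diagnose debug disable
diagnose debug reset

# ---------- On the FortiAnalyzer ----------

# 5. Confirm the same traffic arrives (header-only output, 10 packets).
diagnose sniffer packet any 'host 198.51.100.5 and port 514' 1 10

# 6. Watch oftpd for sessions from that FortiGate only.
diagnose debug application oftpd 255 198.51.100.5
diagnose debug enable
#    ...wait for a connection attempt, then turn debugging off again:
diagnose debug application oftpd 0
diagnose debug disable
```

If step 3 shows packets leaving but step 5 shows nothing arriving, the problem is in the path between the two devices; if both show traffic, the debug output from steps 4 and 6 is where a rejected connection will be reported.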