Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
x_member
Contributor

Logged data shown in FortiCloud, not shown in GUI

On a freshly configured FG60D using the free FortiCloud subscription limit of 1GB and running 5.2.3 all my Traffic,  Event and System Logs show as empty. Logging is configured to use FortiCloud and the FortiCloud website shows up to date log entries for this firewall as expected, but they cannot be viewed from the local Fortigate UI itself (regardless of browser used). The system resources readout through FortiCloud is non functional, reading a static 0% CPU and 58% RAM.

 

This is the second Fortigate unit on the account that I'm setting up for our test network. The primary unit's logging is configured in the same manner and works correctly in both the local UI and Forticloud.

 

Any ideas on how to resolve this issue?

1 Solution
Christopher_McMullan

Long story short: suspected bug.

 

Try this workaround in the meantime:

config system global

set gui-lines-per-page 20 //--the default is 50

end

 

Then go back and refresh the log view.

Regards, Chris McMullan Fortinet Ottawa

View solution in original post

17 REPLIES 17
Mikelar

Christopher McMullan_FTNT wrote:

Long story short: suspected bug.

 

Try this workaround in the meantime:

config system global

set gui-lines-per-page 20 //--the default is 50

end

 

Then go back and refresh the log view.

Thanks heaps, this worked for me too; Fortigate 100D v5.2.2 build 642GA.

 

Almost exactly the same issue as the OP. Thought it was resolved when I played with the DNS settings on the unit, however it re-occured a few days later. As soon as I tried the above it worked fine.

 

In addition to this, before applying the fix, clicking 'Download Raw Log File' from any of the log screens in the GUI would download an empty .log file (file size 0KB). After the fix, downloading the same raw log file resulted in a .log file filled with entries (file size 1,535KB).

x_member

CodeMonkey wrote:

Since this issue occurred I've noticed that when viewing an entry in the traffic log which has an associated security event (e.g. IPS) the security event tab is displayed but has no detail in it.

 

Ok that's been replicated by support and will be dealt with by them.

 

 

The official response to the 50 logs per line has been that it's an issue on our side (either due to ISP slow down or other factors outside Fortinet's control). I guess whether it's ever tackled further depends on how many customers report the same issue.

 

x_member
Contributor

Support tell me that this is not a bug and have recategorised my ticket as Question / Misconfiguration

I'm rather unimpressed with that tbh so I'm disputing it.

At least I can see the traffic logs I suppose.

markbkk88
New Contributor

Dear Codemonkey..just to back you up.

 

I have just installed a new Fortwifi 60D configured to use Forticloud and my log files show empty too.

 

I implemented the fix suggested by Chris and this resolves the issue displaying the 20 lines...Thanks Chris!

It would be nice to see more lines but as you said 30,40,50 don't work with this fix.

 

I guess I also have this "misconfiguration" on my device......

 

cheers Mark

x_member
Contributor

I'm curious - does anyone who has this issue also have (what I believe to be) a related issue with logging?

 

Since this issue occurred I've noticed that when viewing an entry in the traffic log which has an associated security event (e.g. IPS) the security event tab is displayed but has no detail in it.

 

 

Xtreme
New Contributor

for this

config system global set gui-lines-per-page 20 //--the default is 50 end

can't solve my issue

log section shows as "log location: FortiAnalyzer" with [Total -1] pages.

For my GUI Preferences --> Display Logs From  --> FortiAnalyzer

 

how to resolve this issue?

Thank.

x_member

CodeMonkey wrote:

CodeMonkey wrote:

 

Since this issue occurred I've noticed that when viewing an entry in the traffic log which has an associated security event (e.g. IPS) the security event tab is displayed but has no detail in it.

Ok that's been replicated by support and will be dealt with by them.

 

 

Ah - my optimism of three months ago..

 

Not to resurrect a dead thread, but after 3 months of no response from engineering I've finally been relayed the following regarding IPS events no longer being linked in the traffic log.

Escalation was rejected, fix of this problem has negative side effects on other traffic. It is limitation on NP4 ASIC and won’t be fixed. This is final statement from engineering.  Only workaround for this is to route fragmented traffic to device in front of FortiGate that would do fragmentation. 

 

Very unimpressed with the delay and the response tbh but c'est la vie.

AndreaSoliva

Hi

 

some comments on my site regarding following command:

 

config system global set gui-lines-per-page 20 //--the default is 50 end

 

It is actually not important what kind of device you are using for logging meaning memory, fortiguard (cloud) or FAZ/FMG. Logging on a FortiGate is not filebased which means if a log is produced for what function ever it is written to the buffer. This buffer is defined with "gui-lines-per-page". Now if you have limits on memory, high cpu usage or slow connection to the remote logging device the buffer is overrunning meaning no space anymore FOR buffer etc. This means also if a log is showed in the gui it is actually in the buffer. If there is a resource problem and a specific size like 50 lines can not be used anymore FGT does not shown anything in the log. This is the reason it can be defined a smaller buffer which does not impact resource problems and logs are showed up again. This should happen only for small device with limited memory etc. but as said it can be also on bigger device if resources on FGT is short. After the logs are in buffer or shown in the gui they will be written to local db if local logging or to remote log location etc. All customer which I modified the "gui-lines-per-page" had resource problems on the device which means coming to there limits from CPU, Memory or remote log location (to many logs to remote location because of slow connection and FGT was not able to queque the logs locally).

 

This is my view I see the "gui-lines-per-page" or why from one day to the other a FGT does not show the logs locally on the gui but on the remote log etc.

 

hope this helps

 

have fun

 

Andrea

Labels
Top Kudoed Authors