Hello Fortigurus,
Last week we upgraded our FAZ 4000B to 5.2.1 and after the database got done rebuilding a few days later we don't see any UTM logs on the FAZ. The Fortigate is a 3600C and is running 5.0.9 at the moment. The UTM logs are necessary for troubleshooting and reporting. Have any of you experienced this problem or know what can be done to resolve it? Please advise.
Thank you,
JB.KALM
Hi jb, I am not an FGT expert, but I remember there was a bug in FOS 5.0.5 or 5.0.6: sometimes the FGT does not send UTM logs; this issue can be fixed after a reboot. Give it a try?
By the way, on the FAZ side, you can reset fortilogd under the CLI:
dia test app fortilogd 99
Regards,
hz
Hi, do you mean no utm log in log view or log browse? From FAZ5.0.7, we write all utm logs into tlog.log, but you should be able to see utm logs in log view.
Regards,
hz
Hi hz,
No UTM logs in the log view. We see the Traffic logs but UTM logs are blank/empty. As a result our reports (which use the UTM fields like "hostname" or "category") are also empty. I have the "extended_UTM_logs enable" feature enabled on all of my security profiles/sensors etc but still no UTM logs.
Thank you,
jb
Hi jb,
According to the QA engineer for log view:
For a 5.0 FortiGate, the default is UTM log off in each UTM profile. Better to check locally on the FGT first whether it has UTM logs; if not, enable UTM logging in its active UTM profile.
Regards, hz
Hey hz,
Under the security profiles we have the "extended_utm_log" option enabled. We have it enabled under our main webfilter and app-control profiles/sensors. The UTM logging was working great before we upgraded the FAZ to 5.2.1 though. Do you think it could be an issue with the database on the FAZ itself? I might shoot off a rebuild on Friday evening before I leave work. That way it has all weekend to rebuild.
Thank you,
jb
Hi hz,
I followed that procedure but after searching for countapp=*, I don't get any results: "No records found".
Is there a way to restart the logging daemon? I got as far as "diag test application miglogd" but what's the test level to restart it? It doesn't show the test levels and what they do as it does for other daemons. Or am I even in the correct place? :)
Thanks,
jb
Hi jb, no need to restart miglogd if you have enabled extended_utm_log. Do you have a plan to upgrade the FGT recently?
hz
Hi hz,
We were planning to upgrade last night but decided to hold off until 5.2.3 is released. There is a bug 0263428 that affects IPSEC tunnels that would not be fixed until 5.0.12 or 5.2.3. But it seems 5.2.3 will be released before 5.0.12 so we might just go to 5.2.3 when it is available. Is there anything I can do while we wait for 5.2.3?
Thank you,
jb