jb_kalm
Contributor

No UTM Logs - FAZ 5.2.1 with Fortigate 5.0.9

Hello Fortigurus,

Last week we upgraded our FAZ 4000B to 5.2.1 and after the database got done rebuilding a few days later we don't see any UTM logs on the FAZ. The Fortigate is a 3600C and is running 5.0.9 at the moment. The UTM logs are necessary for troubleshooting and reporting. Have any of you experienced this problem or know what can be done to resolve it? Please advise.

Thank you,

JB.KALM

hzhao_FTNT
Staff

Hi, do you mean no utm log in log view or log browse? From FAZ5.0.7, we write all utm logs into tlog.log, but you should be able to see utm logs in log view.

Regards,

hz

jb_kalm

Hi hz,

No UTM logs in the log view. We see the Traffic logs but UTM logs are blank/empty. As a result our reports (which use the UTM fields like "hostname" or "category") are also empty. I have the "extended_UTM_logs enable" feature enabled on all of my security profiles/sensors etc but still no UTM logs.

Thank you,

jb

hzhao_FTNT

Hi jb,

According to the QA engineer for log view:

For a 5.0 FortiGate, the default is UTM log off in each UTM profile. It is better to check locally on the FGT first whether it has UTM logs; if not, enable UTM log in its active UTM profile.

Regards, hz

jb_kalm

Hey hz,

Under the security profiles we have the "extended_utm_log" option enabled. We have it enabled under our main webfilter and app-control profiles/sensors. The UTM logging was working great before we upgraded the FAZ to 5.2.1 though. Do you think it could be an issue with the database on the FAZ itself? I might shoot off a rebuild on Friday evening before I leave work. That way it has all weekend to rebuild.

Thank you,

jb

hzhao_FTNT

Hi jb,

Please go to log browse, select a tlog.log and "Display", then search countapp=*. If it is empty, then the problem could still be on the FGT side. Otherwise, please do a DB rebuild.

Regards,

hz

jb_kalm
Contributor

Hi hz,

I followed that procedure but after searching for countapp=*, I don't get any results: "No records found".

Is there a way to restart the logging daemon? I got as far as "diag test application miglogd" but what's the test level to restart it? It doesn't show the test levels and what they do as it does for other daemons. Or am I even in the correct place? :)

Thanks,

jb

hzhao_FTNT

Hi jb, no need to restart miglogd if you have enabled extended_utm_log. Do you have a plan to upgrade the FGT recently?

hz

jb_kalm
Contributor

Hi hz,

We were planning to upgrade last night but decided to hold off until 5.2.3 is released. There is a bug 0263428 that affects IPSEC tunnels that would not be fixed until 5.0.12 or 5.2.3. But it seems 5.2.3 will be released before 5.0.12 so we might just go to 5.2.3 when it is available. Is there anything I can do while we wait for 5.2.3?

Thank you,

jb

hzhao_FTNT

Hi jb, I am not an FGT expert, but I remember there was a bug in FOS 5.0.5 or 5.0.6: sometimes the FGT does not send UTM logs. This issue can be fixed after a reboot. Give it a try?

By the way, on the FAZ side, you can reset fortilogd under the CLI:

dia test app fortilogd 99

Regards,

hz
