Hello experts, I have configured FortiClient EMS to apply an endpoint profile system setting to send FortiClient logs to FortiAnalyzer, but no logs are being sent. I confirmed the settings in FortiClient EMS are correct. Below are the relevant local log lines from the fazlogupload.log file from FortiClient.
20241112 07:32:48.841 TZ=-0800 [fazlogupload:INFO] log_upload:183 Uploading traffic logs
20241112 07:32:48.841 TZ=-0800 [fazlogupload:INFO] faz_comm:37 Connecting to{redacted}.ca-west-1.fortianalyzer.forticloud.com:514 (TLS: true)
20241112 07:32:49.008 TZ=-0800 [fazlogupload:DEBG] faz_comm:92 EMS serial:{redacted}
20241112 07:32:49.009 TZ=-0800 [fazlogupload:DEBG] faz_comm:93 EMS site: default
20241112 07:32:49.009 TZ=-0800 [fazlogupload:DEBG] faz_comm:94 FCT serial:{redacted}
20241112 07:32:49.010 TZ=-0800 [fazlogupload:DEBG] faz_comm:95 FCT UID:{redacted}
20241112 07:32:49.010 TZ=-0800 [fazlogupload:DEBG] faz_comm:96 Log type: traffic
20241112 07:32:49.010 TZ=-0800 [fazlogupload:DEBG] faz_comm:97 Timezone: -28800
20241112 07:32:49.010 TZ=-0800 [fazlogupload:DEBG] faz_comm:98 Username: rich
20241112 07:32:49.087 TZ=-0800 [fazlogupload:EROR] faz_comm:180 FAZ error: No privilege
20241112 07:32:49.088 TZ=-0800 [fazlogupload:EROR] faz_comm:101 Failed to send log upload request: no privilege
20241112 07:32:49.089 TZ=-0800 [fazlogupload:EROR] log_upload:208 Failed to process logs: upload failed
20241112 07:32:49.089 TZ=-0800 [fazlogupload:EROR] log_upload:101 Upload error: upload failed
20241112 07:32:49.090 TZ=-0800 [fazlogupload:DEBG] log_upload:75 Next log upload attempt in 60 seconds
The versions of Fortinet products being used are:
Hello richmyrobertsoncom,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello,
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
Hello,
@vraev, @iyotov, @heng Can any of you help @richmyrobertsoncom, please?
Thanks in advance!
Hi,
FortiAnalyzer Cloud requires an additional license to allow logging from FortiClient. Please refer to
https://docs.fortinet.com/document/fortianalyzer-cloud/7.4.5/cloud-deployment/492871
https://docs.fortinet.com/document/fortianalyzer-cloud/7.4.5/cloud-deployment/216561
"Logs from non-FortiGate devices, such as FortiClient and FortiMail require additional licensing. See Licensing for more information."
With the licensing in check and updated on the FortiAnalyzer Cloud instance, you would need to manually Add Device in the FortiAnalyzer Cloud > Device Manager using the EMS serial number. It will not show up as an "unauthorized" device.
Once all this is done, if the remote logging config was pushed correctly to the FortiClients, you should start seeing their logs in FortiAnalyzer Cloud. Bear in mind that this may take some time depending on the upload settings of the clients and the utilization of your FortiAnalyzer Cloud instance.
Should you have further issues, please create a Technical Support ticket.
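For triaging the same failure across several endpoints, the sketch below parses fazlogupload.log lines in the layout shown in the question and reports, per upload attempt, the target, the EMS serial and the FortiAnalyzer error. It is an added example, not Fortinet code and not part of any post in this thread; the function name `summarize` and the `NEXT_STEPS` mapping are assumptions, with the mapping taken only from the reply above.

```python
import re

# Line layout taken from the fazlogupload.log excerpt in the thread.
LINE_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>[\d:.]+) TZ=(?P<tz>[+-]\d{4}) "
    r"\[(?P<proc>\w+):(?P<level>\w+)\] (?P<src>\w+):(?P<lineno>\d+) (?P<msg>.*)$"
)

# Follow-up actions as given in the reply above; not a vendor error-code table.
NEXT_STEPS = {
    "no privilege": "check the FortiClient logging license on FortiAnalyzer Cloud, "
                    "then Add Device in Device Manager using the EMS serial",
}

def summarize(lines):
    """Group log lines into upload attempts and record how each one ended."""
    attempts, cur = [], None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognized lines
        msg = m["msg"]
        if msg.startswith("Uploading "):
            cur = {"start": f"{m['date']} {m['time']}", "log_type": msg.split()[1],
                   "target": None, "ems_serial": None, "faz_error": None, "next_step": None}
            attempts.append(cur)
        elif cur is None:
            continue  # line belongs to an attempt that began before the excerpt
        elif msg.startswith("Connecting to"):
            cur["target"] = msg[len("Connecting to"):].split(" (")[0].strip()
        elif msg.startswith("EMS serial:"):
            cur["ems_serial"] = msg.split(":", 1)[1].strip()
        elif m["level"] == "EROR" and msg.startswith("FAZ error:"):
            cur["faz_error"] = msg.split(":", 1)[1].strip()
            cur["next_step"] = NEXT_STEPS.get(cur["faz_error"].lower(), "open a support ticket")
    return attempts

# Sample input: lines copied from the question above, redactions left as posted.
SAMPLE = """\
20241112 07:32:48.841 TZ=-0800 [fazlogupload:INFO] log_upload:183 Uploading traffic logs
20241112 07:32:48.841 TZ=-0800 [fazlogupload:INFO] faz_comm:37 Connecting to{redacted}.ca-west-1.fortianalyzer.forticloud.com:514 (TLS: true)
20241112 07:32:49.008 TZ=-0800 [fazlogupload:DEBG] faz_comm:92 EMS serial:{redacted}
20241112 07:32:49.087 TZ=-0800 [fazlogupload:EROR] faz_comm:180 FAZ error: No privilege
20241112 07:32:49.089 TZ=-0800 [fazlogupload:EROR] log_upload:101 Upload error: upload failed
"""

if __name__ == "__main__":
    for attempt in summarize(SAMPLE.splitlines()):
        print(attempt)
```

The `ems_serial` field in each result is the value the reply says to register under Device Manager, so the output doubles as a checklist of which EMS instance still needs adding.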