FortiAnalyzer
bksol92
Staff
Article Id 306292

 

Description This article describes how to monitor FortiGate connectivity through the FortiAnalyzer API.
Scope FortiAnalyzer.
Solution

In FortiAnalyzer, a FortiGate's connectivity status is determined from the last log received from it. This can be observed in FortiAnalyzer Manager:

 

Juara-kvm09 # dia de app fazsvcd 8

Juara-kvm09 # dia de en

process_jsonrpc_request:1627: request:
{
"id": "2",
"jsonrpc": "2.0",
"method": "get",
"params": [ { "apiver": 3, "url": "\/logview\/adom\/root\/logstats" } ]
}


handle_client_request:220: jsonapi response={ "jsonrpc": "2.0", "id": 2, "result": { "data": { "devs": [ { "vdoms": [ { "vdom": "root", "last-log-time": "2024-03-25 10:53:20 +0800", "last-log-timestamp": 1711335200, "lograte": 155.000000, "log-disk-size": 3224302985, "log-db-size": 478549608, "adom-quota-MB": 15360, "logstat-info": "1711335189,0" } ], "devid": "FGVM010000000001", "devname": "dev1", "is-ha": 0, "logging-mode": 0, "encrypted-logging": 0, "encrypted-forwarding": 0, "status": 0, "logstat-info": "1711335189,0,0,0,0,0" }, { "vdoms": [ { "vdom": "root", "last-log-time": "2024-03-25 10:53:19 +0800", "last-log-timestamp": 1711335199, "lograte": 324.033325, "log-disk-size": 2585871249, "log-db-size": 1041410601, "adom-quota-MB": 15360, "logstat-info": "1711335189,0" } ], "devid": "FGVM010000000002", "devname": "dev2", "is-ha": 0, "logging-mode": 0, "encrypted-logging": 1, "encrypted-forwarding": 0, "status": 2, "logstat-info": "1711335189,0,0,0,0,2" }, { "vdoms": [ { "vdom": "root", "last-log-time": "2024-03-25 10:52:33 +0800", "last-log-timestamp": 1711335153, "lograte": 0.000000, "log-disk-size": 8192, "log-db-size": 0, "adom-quota-MB": 15360, "logstat-info": "1711335153,0" } ], "devid": "FGVM010000000003", "devname": "dev3", "is-ha": 0, "logging-mode": 0, "encrypted-logging": 0, "encrypted-forwarding": 0, "status": 1, "logstat-info": "1711335153,0,0,0,1711335163,0" } ], "log-interval-dev-no-logging-realtime": 900, "log-interval-dev-no-logging-upload": 21600 } } }.

 

The status value for each device from the API response is as follows:

 

dev1 -> 0 ("Unknown")

dev2 -> 2 ("Connection Up")

dev3 -> 1 ("Connection Down")

 

The API response is then translated correspondingly in the GUI:

 

[Screenshot: connectivity.PNG]

 

Even though FortiAnalyzer is receiving logs from dev1, it is shown as 'Unknown'; this is because dev1 is not sending its logs via the OFTP protocol, so a status of 0 does not by itself mean that no logs are arriving.

 

A Python script is attached to poll the /logview/adom/root/logstats API URL for device connectivity (lograte.py).
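The attached lograte.py is not reproduced on this page. The following is an added example, not Fortinet's script, showing how a monitoring job can build the JSON-RPC request seen in the debug trace above, map the numeric status codes to the GUI labels, and additionally flag any device whose last log is older than the log-interval-dev-no-logging-realtime window returned by the API. The sample response is constructed from the values shown in the article. The /jsonrpc endpoint and the session field in the request are assumptions based on the FortiAnalyzer JSON-RPC API and are not shown in the debug output.

```python
"""Report FortiGate connectivity from the FortiAnalyzer logstats API response.

Added example (not the article's lograte.py). The '/jsonrpc' endpoint and the
'session' field are assumptions; the logstats URL and status codes are from the
debug output in the article.
"""
import json
import ssl
import time
import urllib.request

# Status codes as they appear in the API response and are rendered in the GUI.
STATUS_LABELS = {0: "Unknown", 1: "Connection Down", 2: "Connection Up"}

# Sample response constructed from the values in the article's debug trace.
SAMPLE_RESPONSE = {
    "jsonrpc": "2.0", "id": 2,
    "result": {"data": {
        "devs": [
            {"devid": "FGVM010000000001", "devname": "dev1", "status": 0,
             "vdoms": [{"vdom": "root", "last-log-timestamp": 1711335200, "lograte": 155.0}]},
            {"devid": "FGVM010000000002", "devname": "dev2", "status": 2,
             "vdoms": [{"vdom": "root", "last-log-timestamp": 1711335199, "lograte": 324.033325}]},
            {"devid": "FGVM010000000003", "devname": "dev3", "status": 1,
             "vdoms": [{"vdom": "root", "last-log-timestamp": 1711335153, "lograte": 0.0}]},
        ],
        "log-interval-dev-no-logging-realtime": 900,
        "log-interval-dev-no-logging-upload": 21600,
    }},
}


def build_logstats_request(adom="root", session=None, req_id=1):
    """Build the JSON-RPC 'get' request shown in the fazsvcd debug output.

    'session' (the token returned by the API login) is an assumption: the
    debug trace does not show it, but an API client normally has to send it.
    """
    req = {"id": str(req_id), "jsonrpc": "2.0", "method": "get",
           "params": [{"apiver": 3, "url": f"/logview/adom/{adom}/logstats"}]}
    if session:
        req["session"] = session
    return req


def summarize_devices(response, now_ts=None):
    """Return one record per device: GUI status label, last-log age, log rate.

    A device is marked 'stale' when its newest log is older than the
    realtime no-logging window the API itself reports. This catches a
    non-OFTP device (status 0, 'Unknown') that has actually gone quiet,
    which the status code alone would not reveal.
    """
    data = response["result"]["data"]
    realtime_window = data.get("log-interval-dev-no-logging-realtime", 900)
    now_ts = int(time.time()) if now_ts is None else now_ts
    rows = []
    for dev in data["devs"]:
        vdoms = dev.get("vdoms", [])
        last_ts = max((v.get("last-log-timestamp", 0) for v in vdoms), default=0)
        lograte = sum(v.get("lograte", 0.0) for v in vdoms)
        age = now_ts - last_ts if last_ts else None
        rows.append({
            "devname": dev["devname"],
            "devid": dev["devid"],
            "status": STATUS_LABELS.get(dev.get("status"), f"code {dev.get('status')}"),
            "last_log_age_s": age,
            "lograte": lograte,
            "stale": age is None or age > realtime_window,
        })
    return rows


def stale_devices(response, now_ts=None):
    """Names of devices that have been silent longer than the realtime window."""
    return [r["devname"] for r in summarize_devices(response, now_ts) if r["stale"]]


def post_jsonrpc(base_url, request, ca_file=None):
    """POST one request to <base_url>/jsonrpc (assumed endpoint) and parse the reply.

    The CA is pinned rather than verification disabled: the reply drives
    monitoring decisions, so a spoofed FortiAnalyzer would mask outages.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    body = json.dumps(request).encode()
    req = urllib.request.Request(f"{base_url}/jsonrpc", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline run against the constructed sample; 'now' chosen just past dev3's window.
    for row in summarize_devices(SAMPLE_RESPONSE, now_ts=1711336054):
        print(f"{row['devname']:6} {row['status']:16} "
              f"last log {row['last_log_age_s']}s ago, "
              f"{row['lograte']:.1f} logs/s{'  STALE' if row['stale'] else ''}")
```

For a live poll, replace SAMPLE_RESPONSE with the result of post_jsonrpc() using a session token obtained from your FortiAnalyzer API login, and alert on both "Connection Down" and the stale flag; the second condition is what makes a quiet non-OFTP device visible.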