Hello

I dont know if this post is closed but i put my doubt here.

I have similar issue than the others. I can´t see the forward traffic that is going trouhgt the fortigate (60E) in the GUI, but i have configured the syslogd to send the logs to an ELK server and i can see them getting rigth.

Here some information about the config:

FGT60E (global) # config log syslogd setting FGT60E (setting) # get status              : enable server              : 192.168.X.X reliable            : disable port                : 5514 csv                 : disable facility            : local7 source-ip           :

FGT60E (global) # config log syslogd filter FGT60E (filter) # get severity            : information forward-traffic     : enable local-traffic       : enable multicast-traffic   : enable sniffer-traffic     : enable anomaly             : enable voip                : enable filter              : filter-type         : include

The only thing i see is DNS message errors. like in this other post (https://forum.fortinet.com/tm.aspx?m=157361&high=forward+traffic+log)

@jeskudero see the post above you, what are the settings for the memory logging?

I dont have those settings. I have this one:

FGT60E (global) # config log memory global-setting

FGT60E (global-setting) # get max-size            : 65536 full-first-warning-threshold: 75 full-second-warning-threshold: 90 full-final-warning-threshold: 95

I have vdom-admin enable, it could be the reason?

Thanks

it could be, but then you have those other settings in the vdom (i.e. root) settings, did you check there?

Yes, thats the thing

I cuold change the "config log memory filter" in the target vdom and now it works

Thanks

The D & E models that do not have local storage, have logging limitations.  Unfortunately Fortinet doesn't seem to document this, but ran into this doing a POC on a FG200E and couldn't for the life of me figure out why logging wasn't working, and then remembered that it had no local storage, only option was logging to memory (or off-box).  Swapped it for a FG201E and the on-box logging all worked as expected. It would be great if Fortinet would write a blurb about this in their docs and save people a lot of wasted time trying to get logging functionality to work on their D and E series boxes that do not have local storage. 

You can confirm whether or not your FG has local storage or not by looking at the Product Matrix:  https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/Fortinet_Product_Matrix.pdf

Notice the 30E, 50E, 60D and 60E all lack local storage (the 51E has 32GB and the 61E have 128GB):

Model               FG/FWF-30E      FG/FWF-50E      FG-60D      FG/FWF-60E

Local Storage     —                    32 GB (51E)      —              128 GB (61E)

I did all these ..on my 200E

And destination is set to memory but  nothing and nothing ..

Target vdom.. set to memory : severity information ..

Driving me crazy

FG200E000000000 (setting) # get status              : enable diskfull            : overwrite FG200E000000000 (filter) # get severity            : information forward-traffic     : enable local-traffic       : disable multicast-traffic   : enable sniffer-traffic     : enable anomaly             : enable voip                : enable filter              : filter-type         : include FG200E000000000 (gui-display) # get resolve-hosts       : disable resolve-apps        : enable fortiview-unscanned-apps: disable fortiview-local-traffic: disable location            : memory FG200E000000000 (setting) # get resolve-ip          : disable resolve-port        : enable log-user-in-upper   : disable fwpolicy-implicit-log: disable fwpolicy6-implicit-log: disable log-invalid-packet  : disable local-in-allow      : enable local-in-deny-unicast: enable local-in-deny-broadcast: enable local-out           : enable neighbor-event      : disable brief-traffic-format: disable user-anonymize      : disable

I changed the max-size, gave a reboot and finally worked .. Pfffffff