Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Pham_Phu_Cuong
New Contributor

FortiAnalyzer Downtime log missing

Hi,

 

I have several FGTs sending logs to our central FAZ (VM), all running 5.2.x firmware.

The other day our FAZ vm was down for like several hours and then we found down that the logs (traffic, event, ...) from all FGTs is missing. I thought the logs during the FAZ down time were supposed to be kept at the FGT and then sent to the FAZ later once it comes back, but apparently that was not the case.

 

My question is how should it be supposed to behave like that? You know, one cannot guarantee that FAZ will be online all the time and never be down.

And in this case, what am I supposed to do to get all the missing logs from all the FGTs (about 20 of them) and import (or send) to the FAZ. I need an effective way to do it.

 

I would appreciate any suggestions and comments.

 

Thanks.

1 REPLY 1
mbaig_FTNT
Staff
Staff

Hello Pham

 

1. miglogd will cache logs when FAZ is not reachable.

2. When max cached value reached, miglogd will drop cached log and counted by failed 3. When FAZ connection back, miglogd will send the cached log.

 

You can use below command in FortiGate to check the current log status

# diagnose test application miglogd 6

 

Example

FG # diagnose test application miglogd 6 mem=0, disk=1, alert=0, alarm=0, sys=0, faz=158, webt=0, fds=150 interface-missed=0 Queue: maxium=8482 current:366 global log dev statistics: faz 0: (logs) sent=182, failed=0, cached=1195, relayed=0 faz 0: (packets) sent=58, failed=0, cached=366, relayed=0

 

This caching is done in the memory so its pretty limited and cannot hold data for long time.

 

If you think that FAZ cannot be always available then other options for you are Disk logging or FortiCloud.

 

Kind Regards

Mirza Baig