Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ATC
New Contributor

FAZ not collecting logs after moving FGT from one ADOM to another ADOM

We use FAZ in analyzer mode with ADOMs. We recently moved a FGT from one ADOM to another, and then log collection just stopped for that device. I've tried removing the FGT device in FAZ and re-registering it, and it still fails to collect logs. I have also re-built the SQL db for that ADOM and re-indexed, but still no luck.

On the FGT, if I click TEST CONNECTIVITY button, everything looks fine--it shows the name of the FAZ, status is REGISTERED, and connection status and all priviliges get a green check mark. It also shows the number of logs that it is sending to the FAZ. But I don't know where they are going once they hit the FAZ.

Any suggestions would be appreciated!

16 REPLIES 16
emnoc
Esteemed Contributor III

Does the fortigate show up in the device list? Are you  100% sure you edit the new adom and select that device? Have you  check the FAZ event logs for any clues?

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
scao_FTNT
Staff
Staff

can you help provide "diag dvm device list", "diag dvm adom list" and "diag log device"?

 

Thanks

 

Simon

ATC
New Contributor

Result of "diag dvm device list"

 

TYPE            OID    SN               HA      IP              NAME                                 ADOM                                 IPS                FIRMWARE        faz enabled     260    FG100Exxxxx01629 -       172.xx.xx.250   Axxxxxxxxxxxxxx                      Axxxxxxxxx                           N/A                5.0 MR4 (5873)         |- STATUS: db: unknown; conf: unknown; cond: unknown; dm: none; conn: unknown         |- vdom:[3]root flags:0 adom:Axxxxxxxxx pkg:[never-installed]

ATC
New Contributor

Result of "diag log device" (removed non-essential info)

==============================================

FAZVM64-HV # diag log device Device Name          Device ID            Used Space(logs / quarantine / content / IPS) Allocated Space  Used% Axxxxxxxxxxxxxx     FG100Exxxxxx01629        0.0KB(   0.0KB/   0.0KB/   0.0KB/   0.0KB) unlimited        n/a   Total: 17 log devices, used=52.0GB quota=unlimited     AdomName         AdomOID  Type                                 Logs                                                     Database                                 [Retention   Quota   UsedSpace(logs / quarantine / content / IPS) Used%]  [Retention   Quota      Used   Used%] Axxxxxxxxx       148      FGT     365days    14.6GB   12.2GB(  12.2GB/   0.0KB/   0.0KB/   0.0KB) 83.2%      60days    34.2GB   16.1GB   47.1% Total usage: 23 ADOMs, logs=52.0GB database=112.6GB(ADOMs usage:111.9GB + Internal Usage:707.8MB)   Total Quota Summary:     Total Quota      Allocated        Available        Allocate%            884.2GB          543.0GB          341.2GB          61.4%   System Storage Summary:     Total            Used             Available        Use%                 984.2GB          171.4GB          812.8GB          17.4%   Reserved space: 100.0GB (10.2% of total space).

ATC
New Contributor

REsults of "diag dvm adom list" (removed non-essential info)

=========================================

 

FAZVM64-HV # diag dvm adom list There are currently 24 ADOMs: OID      STATE    PRODUCT OSVER MR  NAME                                 MODE    VPN MANAGEMENT        IPS                 148      enabled  FOS     5.0   2   Axxxxxxxxx                        Normal  Policy & Device VPNs  N/A                 ---End ADOM list---

 

ATC
New Contributor

To answer your questions emnoc:

-Yes, the fortigate shows up in the device list under the correct ADOM with a red dot under the LOGS column. We have another device in this ADOM and it is logging correctly.

-See event log below. This shows when I deleted and re-registering the device in lines 329-332; but 9 minutes later in line 328 it says no logs received from the device in last 4215 minutes. SO I don't think deleting the device took care of everything.

 

 

328 2017-08-26 11:50:50    warning     system                 FortiAnalyzer event  Device[FG100Exxxxx01629] did not receive any log in last 4215 minutes. 329 2017-08-26 11:41:11 information system                 FortiAnalyzer event  Added unregistered device FG100Exxxxx01629 to unregistered table 330 2017-08-26 11:41:11    information device ...             Device manager event Device FG100Exxxxx01629 add succeeded 331 2017-08-26 11:36:46    warning     system                 FortiAnalyzer event  Deleted all log files of FG100Exxxxx01629 due to device deletion. 332 2017-08-26 11:36:46    notice      admin-GUI(24.7.214.66) Device manager event Deleted device Axxxxxxxxxxxx-FGT100E (FG100Exxxxx01629)

 

 

ATC
New Contributor

See attached screen shot showing that the FGT100E is connected and sending logs to the FAZ, as well as the FAZ eventlog which shows that no logs have been received.

emnoc
Esteemed Contributor III

Okay try this

 

on the fgt 

 

execute log  filter dev  2 ( double check 2 is FAZ )

execute log  filter category 0

execute log  display

 

 

Does that show  or present any logs? And how about

 

execute log  filter category 1

execute log  display

 

Same thing do you show logs? Also what version of FAZ do you have?  v5.0.x on the FGT is very old imho.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
ATC
New Contributor

We are on FAZ 5.4.3.

 

Here are the results from the fortigate, which is also on 5.4.3. I would've guessed I was having a problem with the FAZ, but this looks like a FGT problem?

 

FG100Exxxxx01629 # exec log filter dev Available devices:  0: memory  1: faz  2: fds FG100Exxxxx01629 # exec log filter dev 1 FG100Exxxxx01629 # exec log filter category 0 FG100Exxxxx01629 # exec log display 0 logs found. 0 logs returned. 0.0% of logs has been searched.   FG100Exxxxx01629 # exec log filter dev 1 FG100Exxxxx01629 # exec log filter category 1 FG100Exxxxx01629 # exec log display 0 logs found. 0 logs returned. 0.0% of logs has been searched.

Labels
Top Kudoed Authors