Log caching enhancement

Copy Link

Copy Doc ID 7d55ae6f-8e83-11ec-9fd1-fa163e15d75b:594699

Download PDF

Log caching enhancement

FortiAnalyzer log caching mechanism in reliable mode is enhanced to prevent Fortigate log loss during connection interruptions.

Log sync logic guarantees that no logs are lost due to connection issues when reliable mode is enabled on the FortiGate device. If connection is lost between the FortiAnalyzer and FortiGate device, logs will be cached and sent to FortiAnalyzer once the connection resumes.

Reliable mode is disabled by default on FortiGate devices.

To configure the FortiGate device:

Configure the FortiGate device to send logs to FortiAnalyzer.
In the FortiGate CLI, enter the following commands to confirm reliable is enabled:
config log fortianalyzer2 setting
show
For example:
config log fortianalyzer2 setting
show
config log fortianalyzer2 setting
set status enable
set server "10.2.169.54"
set serial "FAZ-VM0000000001"
set upload-option realtime
set reliable enable
end
In the FortiGate CLI, enter the following commands to confirm the value of logsync_enabled is 1:
diagnose test application fgtlogd 1
For example:
diagnose test application fgtlogd 1

faz2: global , enabled
server=10.2.169.54, realtime=1, ssl=1, state=connected
server_log_status=Log is allowed.,
src=, mgmt_name=FGh_Log_root_10.2.169.54, reliable=1, sni_prefix_type=none,
required_entitlement=none, region=ca-west-1,
logsync_enabled:1, logsync_conn_id:131071, seq_no:257
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
SNs: last sn update:2097 seconds ago.
Sn list:
(FAZ-VM0000000001,age=2097s) (FAZ-VMJY00000004,age=2097s)
queue: qlen=0.
filter: severity=6, sz_exclude_list=0

To confirm cached logs are sent when connection is lost/resumed between FortiGate and FortiAnalyzer:

In this example, the FortiGate device has already been configured according to the steps above. When connection is lost between the FortiGate and FortiAnalyzer device, logs are cached on the FortiGate until connection resumes. Once connection resumes, the cached logs are sent to the FortiAnalyzer.

While connection between the FortiGate and FortiAnalyzer is established, check the log sequence number on the OFTP connection.
In the FortiAnalyzer CLI, enter the following command:
diagnose test application oftpd 3
# DEVICE CONN HOSTNAME IP UPTIME IDLETIME #PKTS
----------------------------------------------------------------------------------------
1 FGT40FTK20025663 131071: 257 FortiGate-40F 10.3.169.1 31m14s 4s 620
The CONN column has been added to record the connection ID and log sequence number. In this example, the connection ID is 131071 and the sequence number is 257.
When the connection between the FortiGate and FortiAnalyzer is lost, check the log sequence number on the OFTP connection.
In the FortiAnalyzer CLI, enter the following command:
diagnose test application oftpd 3
# DEVICE CONN HOSTNAME IP UPTIME IDLETIME #PKTS
----------------------------------------------------------------------------------------
1 FGT40FTK20025663 131071: 257 FortiGate-40F 10.3.169.1 35m14s 244s 620
While the connection is lost, logs generated on the FortiGate device will be stored in its memory queue. The log sequence number on the OFTP connection will not increase. In this example, the log sequence number has remained at 257.
When the connection between the FortiGate and FortiAnalyzer device resumes, check logs on the FortiGate device.
In the FortiGate CLI, enter the following command:
diagnose test application fgtlogd 41

cache maximum: 100573388(95MB) objects: 37 used: 25788(0MB) allocated: 29440(0MB)

VDOM:root
Memory queue for: global-faz
queue:
num:0 size:0(0MB) total size:25788(0MB) max:100573388(95MB) logs:0
Confirm queue for: global-faz
queue:
num:25 size:17382(0MB) total size:25788(0MB) max:100573388(95MB) logs:81
Memory queue for: global-faz2
queue:
num:0 size:0(0MB) total size:25788(0MB) max:100573388(95MB) logs:0
Confirm queue for: global-faz2
queue:
num:12 size:8406(0MB) total size:25788(0MB) max:100573388(95MB) logs:40
The confirm queue on the FortiGate device shows all the logs that are waiting to be confirmed and cleared. Once the confirm queue displays 0, all of the cached logs have been sent to the FortiAnalyzer device.
Once the logs have been confirmed and cleared from the FortiGate device, check the log sequence number on the OFTP connection.
In the FortiAnalyzer CLI, enter the following command:
diagnose test application oftpd 3
# DEVICE CONN HOSTNAME IP UPTIME IDLETIME #PKTS
----------------------------------------------------------------------------------------
1 FGT40FTK20025663 131071: 308 FortiGate-40F 10.3.169.1 36m23s 6s 635
Once the cached logs have been sent to the FortiAnalyzer device, the log sequence number increases. In this example, the log sequence number has increased to 308.

Log caching enhancement

FortiAnalyzer log caching mechanism in reliable mode is enhanced to prevent Fortigate log loss during connection interruptions.

Reliable mode is disabled by default on FortiGate devices.

To configure the FortiGate device:

Configure the FortiGate device to send logs to FortiAnalyzer.

In the FortiGate CLI, enter the following commands to confirm reliable is enabled:

config log fortianalyzer2 setting

show

For example:

config log fortianalyzer2 setting

show

config log fortianalyzer2 setting

set status enable

set server "10.2.169.54"

set serial "FAZ-VM0000000001"

set upload-option realtime

set reliable enable

end

In the FortiGate CLI, enter the following commands to confirm the value of logsync_enabled is 1:

diagnose test application fgtlogd 1

For example:

diagnose test application fgtlogd 1

faz2: global , enabled

server=10.2.169.54, realtime=1, ssl=1, state=connected

server_log_status=Log is allowed.,

src=, mgmt_name=FGh_Log_root_10.2.169.54, reliable=1, sni_prefix_type=none,

required_entitlement=none, region=ca-west-1,

logsync_enabled:1, logsync_conn_id:131071, seq_no:257

status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y

SNs: last sn update:2097 seconds ago.

Sn list:

(FAZ-VM0000000001,age=2097s) (FAZ-VMJY00000004,age=2097s)

queue: qlen=0.

filter: severity=6, sz_exclude_list=0

To confirm cached logs are sent when connection is lost/resumed between FortiGate and FortiAnalyzer:

While connection between the FortiGate and FortiAnalyzer is established, check the log sequence number on the OFTP connection.

In the FortiAnalyzer CLI, enter the following command:

diagnose test application oftpd 3

# DEVICE CONN HOSTNAME IP UPTIME IDLETIME #PKTS

----------------------------------------------------------------------------------------

1 FGT40FTK20025663 131071: 257 FortiGate-40F 10.3.169.1 31m14s 4s 620

The CONN column has been added to record the connection ID and log sequence number. In this example, the connection ID is 131071 and the sequence number is 257.

When the connection between the FortiGate and FortiAnalyzer is lost, check the log sequence number on the OFTP connection.

In the FortiAnalyzer CLI, enter the following command:

diagnose test application oftpd 3

# DEVICE CONN HOSTNAME IP UPTIME IDLETIME #PKTS

----------------------------------------------------------------------------------------

1 FGT40FTK20025663 131071: 257 FortiGate-40F 10.3.169.1 35m14s 244s 620

While the connection is lost, logs generated on the FortiGate device will be stored in its memory queue. The log sequence number on the OFTP connection will not increase. In this example, the log sequence number has remained at 257.

When the connection between the FortiGate and FortiAnalyzer device resumes, check logs on the FortiGate device.

In the FortiGate CLI, enter the following command:

diagnose test application fgtlogd 41

cache maximum: 100573388(95MB) objects: 37 used: 25788(0MB) allocated: 29440(0MB)

VDOM:root

Memory queue for: global-faz

queue:

num:0 size:0(0MB) total size:25788(0MB) max:100573388(95MB) logs:0

Confirm queue for: global-faz

queue:

num:25 size:17382(0MB) total size:25788(0MB) max:100573388(95MB) logs:81

Memory queue for: global-faz2

queue:

num:0 size:0(0MB) total size:25788(0MB) max:100573388(95MB) logs:0

Confirm queue for: global-faz2

queue:

num:12 size:8406(0MB) total size:25788(0MB) max:100573388(95MB) logs:40

The confirm queue on the FortiGate device shows all the logs that are waiting to be confirmed and cleared. Once the confirm queue displays 0, all of the cached logs have been sent to the FortiAnalyzer device.

Once the logs have been confirmed and cleared from the FortiGate device, check the log sequence number on the OFTP connection.

In the FortiAnalyzer CLI, enter the following command:

diagnose test application oftpd 3

# DEVICE CONN HOSTNAME IP UPTIME IDLETIME #PKTS

----------------------------------------------------------------------------------------

1 FGT40FTK20025663 131071: 308 FortiGate-40F 10.3.169.1 36m23s 6s 635

Once the cached logs have been sent to the FortiAnalyzer device, the log sequence number increases. In this example, the log sequence number has increased to 308.

New Features

Log caching enhancement

Log caching enhancement

To configure the FortiGate device:

To confirm cached logs are sent when connection is lost/resumed between FortiGate and FortiAnalyzer:

Log caching enhancement

To configure the FortiGate device:

To confirm cached logs are sent when connection is lost/resumed between FortiGate and FortiAnalyzer: