Log-related diagnose commands


This topic shows commonly used examples of log-related diagnose commands.

Use the following diagnose commands to identify log issues:

  • The following commands enable debugging of the log daemon (miglogd) at the chosen debug level:

diagnose debug application miglogd x
diagnose debug enable

  • The following commands display the status and statistics of miglogd at the chosen level:

diagnose test application miglogd x
diagnose debug enable

To get the list of available levels, press Enter after diagnose test/debug application miglogd. The following are some examples of commonly used levels.

If the debug log display does not return the correct entries when a log filter is set, use:

diagnose debug application miglogd 0x1000

For example, use the following commands to display all login system event logs:

exe log filter device disk
exe log filter category event
exe log filter field action login
exe log display

Files to be searched:
file_no=65523, start line=0, end_line=237
file_no=65524, start line=0, end_line=429
file_no=65525, start line=0, end_line=411
file_no=65526, start line=0, end_line=381
file_no=65527, start line=0, end_line=395
file_no=65528, start line=0, end_line=458
file_no=65529, start line=0, end_line=604
file_no=65530, start line=0, end_line=389
file_no=65531, start line=0, end_line=384
session ID=1, total logs=3697
back ground search. process ID=26240, session_id=1
start line=1 view line=10
( action "login" )
ID=1, total=3697, checked=238, found=5
ID=1, total=3697, checked=668, found=13
ID=1, total=3697, checked=1080, found=23
ID=1, total=3697, checked=1462, found=23
ID=1, total=3697, checked=1858, found=23
ID=1, total=3697, checked=2317, found=54
ID=1, total=3697, checked=2922, found=106
ID=1, total=3697, checked=3312, found=111
ID=1, total=3697, checked=3697, found=114

You can check and debug the FortiGate to FortiAnalyzer connection status.

To show the connection status with detailed information:

diagnose test application miglogd 1

faz: global , enabled
server=172.18.64.234, realtime=3, ssl=1, state=connected, src=, mgmt_name=FGh_Log_vdom1_172.18.64.234, reliable=0, sni_prefix_type=none, required_entitlement=none
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
SNs: last sn update:107 seconds ago.
Sn list:
(FL-8HFT718900132,age=107s)
queue: qlen=0.
filter: severity=6, sz_exclude_list=0
voip dns ssh ssl cifs
subcategory:
traffic: forward local multicast sniffer
anomaly: anomaly
server: global, id=0, fd=132, ready=1, ipv6=0, 172.18.64.234/514 oftp-state=5
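From a defender's point of view the fields that matter in the output above are state, ssl, conn_verified, qlen, ready and the age of the serial-number list: if any of them is off, the FortiGate is quietly failing to ship logs and an investigation later will have a gap. The following Python script is an added example (not part of the FortiOS documentation or of any Fortinet tool) that parses text in the shape of the miglogd 1 output and reports findings. It assumes you have already captured the command output over SSH into a string; the thresholds max_qlen and max_sn_age are assumptions, and SAMPLE_BROKEN is a constructed variant showing what a failed connection would look like.

```python
import re

# Sample `diagnose test application miglogd 1` output in the shape shown on this
# page (server address, serial number and counters copied from the page's example).
SAMPLE_CONNECTED = """\
faz: global , enabled
server=172.18.64.234, realtime=3, ssl=1, state=connected, src=, mgmt_name=FGh_Log_vdom1_172.18.64.234, reliable=0, sni_prefix_type=none, required_entitlement=none
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
SNs: last sn update:107 seconds ago.
Sn list:
(FL-8HFT718900132,age=107s)
queue: qlen=0.
filter: severity=6, sz_exclude_list=0
server: global, id=0, fd=132, ready=1, ipv6=0, 172.18.64.234/514 oftp-state=5
"""

# Constructed variant (not from the page): connection down, peer not verified,
# serial list stale, and logs piling up in the local queue.
SAMPLE_BROKEN = """\
faz: global , enabled
server=172.18.64.234, realtime=3, ssl=1, state=disconnected, src=, reliable=0
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
SNs: last sn update:86400 seconds ago.
Sn list:
queue: qlen=1500.
filter: severity=6, sz_exclude_list=0
server: global, id=0, fd=-1, ready=0, ipv6=0, 172.18.64.234/514 oftp-state=0
"""

# One regex per field we care about. `state=` must not match `oftp-state=`,
# hence the negative lookbehind for '-'.
_FIELDS = {
    "server": r"server=([\d.]+)",
    "ssl": r"\bssl=(\d)",
    "state": r"(?<!-)state=(\w+)",
    "conn_verified": r"conn_verified=(\w)",
    "sn_age": r"last sn update:(\d+) seconds ago",
    "qlen": r"qlen=(\d+)",
    "ready": r"\bready=(\d)",
    "oftp_state": r"oftp-state=(\d+)",
}


def parse_faz_status(text):
    """Extract the delivery-relevant fields from miglogd 1 output.
    A field that is absent from the text is returned as None so callers can
    distinguish 'not reported' from 'reported as bad'."""
    status = {}
    for name, pattern in _FIELDS.items():
        m = re.search(pattern, text)
        status[name] = m.group(1) if m else None
    for name in ("ssl", "sn_age", "qlen", "ready", "oftp_state"):
        if status[name] is not None:
            status[name] = int(status[name])
    return status


def assess_faz_status(status, max_qlen=100, max_sn_age=3600):
    """Return human-readable findings; an empty list means the link looks healthy.
    Thresholds are assumptions for this example, tune them to your environment."""
    findings = []
    if status["state"] != "connected":
        findings.append(f"FortiAnalyzer state is {status['state']!r}, expected 'connected'")
    if status["ssl"] != 1:
        findings.append("log transport to FortiAnalyzer is not using SSL")
    if status["conn_verified"] != "Y":
        findings.append("FortiAnalyzer certificate/serial not verified (conn_verified != Y)")
    if status["ready"] != 1:
        findings.append("OFTP server socket is not ready")
    if status["qlen"] is not None and status["qlen"] > max_qlen:
        findings.append(f"{status['qlen']} logs queued locally (threshold {max_qlen})")
    if status["sn_age"] is not None and status["sn_age"] > max_sn_age:
        findings.append(f"serial-number list last updated {status['sn_age']}s ago")
    return findings


if __name__ == "__main__":
    for label, sample in (("connected", SAMPLE_CONNECTED), ("broken", SAMPLE_BROKEN)):
        findings = assess_faz_status(parse_faz_status(sample))
        print(label, "->", findings or "OK")
```

Run it periodically against the captured command output and raise an alert on a non-empty findings list; a FortiGate that keeps working while its FortiAnalyzer link is down produces no visible error on the firewall itself, so the absence of logs on the collector is the only symptom without a check like this.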

To collect debug information when FortiAnalyzer is enabled:

diagnose debug application miglogd 0x100

FGT-B-LOG (global) #
<16208> miglog_start_rmt_conn()-1552: setting epoll_hd:0x7fc364e125e0 to _rmt_connect
<16209> miglog_start_rmt_conn()-1552: setting epoll_hd:0x7f72647715e0 to _rmt_connect
<16206> miglog_start_rmt_conn()-1552: setting epoll_hd:0x141f69e0 to _rmt_connect
<16209> _rmt_connect()-1433: oftp is ready.

<16209> _rmt_connect()-1435: xfer_status changed from 2 to 2 for global-faz

<16209> _rmt_connect()-1439: setting epoll_hd:0x7f72647715e0 to _rmt_recv

<16209> _check_oftp_certificate()-248: checking sn:FL-8HFT718900132 vs cert sn:FL8HFT718900132

<16209> _check_oftp_certificate()-252: Verified the certificate of peer (172.18.64.234) to match sn=FL-8HFT718900132

<16209> _faz_post_connection()-292: Certificate verification:enabled, Faz verified:1

<16209> _send_queue_item()-518: xfer_status changed from 2 to 1 for global-faz

<16209> _send_queue_item()-523: type=0, cat=0, logcount=0, len=0

<16209> _oftp_send()-487: dev=global-faz type=17 pkt_len=34

<16209> _oftp_send()-487: opt=253, opt_len=10
<16209> _oftp_send()-487: opt=81, opt_len=12
<16208> _rmt_connect()-1433: oftp is ready.

<16208> _rmt_connect()-1435: xfer_status changed from 2 to 2 for global-faz

<16208> _rmt_connect()-1439: setting epoll_hd:0x7fc364e125e0 to _rmt_recv

<16208> _check_oftp_certificate()-248: checking sn:FL-8HFT718900132 vs cert sn:FL8HFT718900132

<16208> _check_oftp_certificate()-252: Verified the certificate of peer (172.18.64.234) to match sn=FL-8HFT718900132

<16208> _faz_post_connection()-292: Certificate verification:enabled, Faz verified:1

<16208> _send_queue_item()-518: xfer_status changed from 2 to 1 for global-faz

<16208> _send_queue_item()-523: type=0, cat=0, logcount=0, len=0

<16208> _oftp_send()-487: dev=global-faz type=17 pkt_len=34

<16208> _oftp_send()-487: opt=253, opt_len=10

<16209> _oftp_recv()-1348: opt=252, opt_len=996

<16208> _oftp_send()-487: opt=81, opt_len=12

<16209> _process_response()-960: checking opt code=252

<16209> _faz_process_oftp_resp()-488: ha nmember:1 nvcluster:0 mode:1

<16209> __is_sn_known()-356: MATCHED: idx:0 sn:FL-8HFT718900132

<16209> _faz_process_oftp_resp()-494: Received SN:FL-8HFT718900132 should update:0

<16208> _oftp_recv()-1348: dev=global-faz type=252 pkt_len=1008

<16208> _oftp_recv()-1348: opt=252, opt_len=996

<16208> _process_response()-960: checking opt code=252

<16208> _faz_process_oftp_resp()-488: ha nmember:1 nvcluster:0 mode:1

<16208> __is_sn_known()-356: MATCHED: idx:0 sn:FL-8HFT718900132

<16208> _faz_process_oftp_resp()-494: Received SN:FL-8HFT718900132 should update:0

<16206> _rmt_connect()-1433: oftp is ready.

<16206> _rmt_connect()-1435: xfer_status changed from 2 to 2 for global-faz

<16206> _rmt_connect()-1439: setting epoll_hd:0x141f69e0 to _rmt_recv

<16206> _check_oftp_certificate()-248: checking sn:FL-8HFT718900132 vs cert sn:FL8HFT718900132

<16206> _check_oftp_certificate()-252: Verified the certificate of peer (172.18.64.234) to match sn=FL-8HFT718900132

<16206> _faz_post_connection()-292: Certificate verification:enabled, Faz verified:1

<16206> _send_queue_item()-518: xfer_status changed from 2 to 1 for global-faz

<16206> _send_queue_item()-523: type=0, cat=0, logcount=0, len=0

<16206> _oftp_send()-487: dev=global-faz type=17 pkt_len=34

<16206> _oftp_send()-487: opt=253, opt_len=10

<16206> _oftp_send()-487: opt=81, opt_len=12

<16206> _oftp_recv()-1348: dev=global-faz type=252 pkt_len=1008

<16206> _oftp_recv()-1348: opt=252, opt_len=996

<16206> _process_response()-960: checking opt code=252

<16206> _faz_process_oftp_resp()-488: ha nmember:1 nvcluster:0 mode:1

<16206> __is_sn_known()-356: MATCHED: idx:0 sn:FL-8HFT718900132

<16206> _faz_process_oftp_resp()-494: Received SN:FL-8HFT718900132 should update:0

<16209> _oftp_recv()-1348: dev=global-faz type=1 pkt_len=985

<16209> _oftp_recv()-1348: opt=12, opt_len=16
……
<16209> _build_ack()-784: xfer_status changed from 1 to 2 for global-faz
<16209> _process_response()-960: checking opt code=81
……

<16209> _send_queue_item()-523: type=1, cat=0, logcount=0, len=0

<16209> _oftp_send()-487: dev=global-faz type=1 pkt_len=24

<16209> _oftp_send()-487: opt=1, opt_len=12

<16209> _send_queue_item()-523: type=7, cat=0, logcount=0, len=988

<16209> _oftp_send()-487: dev=global-faz type=252 pkt_len=1008

<16209> _oftp_send()-487: opt=252, opt_len=996

<16208> _oftp_recv()-1348: dev=global-faz type=1 pkt_len=58

<16208> _oftp_recv()-1348: opt=12, opt_len=16

<16208> _oftp_recv()-1348: opt=51, opt_len=9

<16208> _oftp_recv()-1348: opt=49, opt_len=12

<16208> _oftp_recv()-1348: opt=52, opt_len=9

<16208> _build_ack()-784: xfer_status changed from 1 to 2 for global-faz

<16208> _process_response()-960: checking opt code=52

<16208> _send_queue_item()-523: type=1, cat=0, logcount=0, len=0

<16208> _oftp_send()-487: dev=global-faz type=1 pkt_len=24

<16208> _oftp_send()-487: opt=1, opt_len=12

<16206> _oftp_recv()-1348: dev=global-faz type=1 pkt_len=985

……
<16208> _send_queue_item()-523: type=3, cat=1, logcount=1, len=301
<16206> _oftp_recv()-1348: opt=78, opt_len=55
……
<16206> _build_ack()-784: xfer_status changed from 1 to 2 for global-faz
<16206> _process_response()-960: checking opt code=81
……

<16206> _send_queue_item()-523: type=1, cat=0, logcount=0, len=0

<16206> _oftp_send()-487: dev=global-faz type=1 pkt_len=24

<16206> _oftp_send()-487: opt=1, opt_len=12

<16206> _send_queue_item()-523: type=7, cat=0, logcount=0, len=988

<16206> _oftp_send()-487: dev=global-faz type=252 pkt_len=1008

<16206> _oftp_send()-487: opt=252, opt_len=996

<16206> _add_change_notice_queue_item()-269: Change notice packect added to queue. len=145
……
<16206> _send_queue_item()-523: type=2, cat=0, logcount=0, len=300
<16206> _oftp_send()-487: dev=global-faz type=37 pkt_len=300

……

<16206> _oftp_send()-487: opt=152, opt_len=40

<16206> _oftp_send()-487: opt=74, opt_len=40

<16206> _oftp_send()-487: opt=82, opt_len=93

<16206> _oftp_recv()-1348: dev=global-faz type=1 pkt_len=24

<16206> _oftp_recv()-1348: opt=1, opt_len=12

<16206> _process_response()-960: checking opt code=1

To check the FortiGate to FortiGate Cloud log server connection status:

diagnose test application miglogd 20

FGT-B-LOG# diagnose test application miglogd 20
Home log server:
Address: 172.16.95.92:514
Alternative log server:
Address: 172.16.95.26:514
oftp status: established
Debug zone info:
Server IP:     172.16.95.92
Server port: 514
Server status: up
Log quota:     102400MB
Log used:       673MB
Daily volume: 20480MB
FDS arch pause: 0
fams archive pause: 0

To check real-time log statistics by log type since the miglogd daemon started:

diagnose test application miglogd 4

FGT-B-LOG (global) # diagnose test application miglogd 4
info for vdom: root
disk
event: logs=1238 len=262534, Sun=246 Mon=247 Tue=197 Wed=0 Thu=55 Fri=246 Sat=247 compressed=163038
dns: logs=4 len=1734, Sun=0 Mon=0 Tue=0 Wed=0 Thu=4 Fri=0 Sat=0 compressed=453
report
event: logs=1244 len=225453, Sun=246 Mon=247 Tue=197 Wed=0 Thu=61 Fri=246 Sat=247
faz
event: logs=6 len=1548, Sun=0 Mon=0 Tue=6 Wed=0 Thu=0 Fri=0 Sat=0 compressed=5446
info for vdom: vdom1
memory
traffic: logs=462 len=389648, Sun=93 Mon=88 Tue=77 Wed=0 Thu=13 Fri=116 Sat=75
event: logs=3724 len=1170237, Sun=670 Mon=700 Tue=531 Wed=0 Thu=392 Fri=747 Sat=684
app-ctrl: logs=16 len=9613, Sun=3 Mon=3 Tue=3 Wed=0 Thu=0 Fri=5 Sat=2
dns: logs=71 len=29833, Sun=0 Mon=0 Tue=0 Wed=0 Thu=71 Fri=0 Sat=0
disk
traffic: logs=462 len=389648, Sun=93 Mon=88 Tue=77 Wed=0 Thu=13 Fri=116 Sat=75 compressed=134638
event: logs=2262 len=550957, Sun=382 Mon=412 Tue=307 Wed=0 Thu=306 Fri=459 Sat=396 compressed=244606
app-ctrl: logs=16 len=9613, Sun=3 Mon=3 Tue=3 Wed=0 Thu=0 Fri=5 Sat=2 compressed=3966
dns: logs=71 len=29833, Sun=0 Mon=0 Tue=0 Wed=0 Thu=71 Fri=0 Sat=0 compressed=1499
report
traffic: logs=462 len=375326, Sun=93 Mon=88 Tue=77 Wed=0 Thu=13 Fri=116 Sat=75
event: logs=3733 len=1057123, Sun=670 Mon=700 Tue=531 Wed=0 Thu=401 Fri=747 Sat=684
app-ctrl: logs=16 len=9117, Sun=3 Mon=3 Tue=3 Wed=0 Thu=0 Fri=5 Sat=2
faz
traffic: logs=462 len=411362, Sun=93 Mon=88 Tue=77 Wed=0 Thu=13 Fri=116 Sat=75 compressed=307610
event: logs=3733 len=1348297, Sun=670 Mon=700 Tue=531 Wed=0 Thu=401 Fri=747 Sat=684 compressed=816636
app-ctrl: logs=16 len=10365, Sun=3 Mon=3 Tue=3 Wed=0 Thu=0 Fri=5 Sat=2 compressed=8193
dns: logs=71 len=33170, Sun=0 Mon=0 Tue=0 Wed=0 Thu=71 Fri=0 Sat=0 compressed=0

To check log statistics to the local/remote log devices since the miglogd daemon started:

diagnose test app miglogd 6 1     <<< 1 means the first child daemon
diagnose test app miglogd 6 2     <<< 2 means the second child daemon

FGT-B-LOG (global) # diagnose test application miglogd 6 1
mem=4288, disk=4070, alert=0, alarm=0, sys=5513, faz=4307, webt=0, fds=0
interface-missed=208
Queues in all miglogds: cur:0 total-so-far:36974
global log dev statistics:
syslog 0: sent=6585, failed=152, relayed=0
faz 0: sent=13, failed=0, cached=0, dropped=0 , relayed=0

To check the miglogd daemon number and to increase or decrease the number of miglogd child daemons:

diagnose test app miglogd 15     <<< Show miglog ID
diagnose test app miglogd 13     <<< Increase one miglogd child
diagnose test app miglogd 14     <<< Decrease one miglogd child

FGT-B-LOG (global) # diagnose test application miglogd 15

Main miglogd: ID=0, children=2, active-children=2
ID=1, duration=70465.
ID=2, duration=70465.

FGT-B-LOG (global) # diagnose test application miglogd 13

FGT-B-LOG (global) # diagnose test application miglogd 15
Main miglogd: ID=0, children=3, active-children=3
ID=1, duration=70486.
ID=2, duration=70486.
ID=3, duration=1.

FGT-B-LOG (global) # diagnose test application miglogd 14

FGT-B-LOG (global) # diagnose test application miglogd 15
Main miglogd: ID=0, children=2, active-children=2
ID=1, duration=70604.
ID=2, duration=70604.
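The per-destination counters from diagnose test application miglogd 6 1 shown earlier (sent, failed, cached, dropped per syslog/faz device, plus the daemon-wide queue and interface-missed counters) are the numbers to trend if you want to know whether a log destination is silently losing events. The following Python script is an added example, not part of the FortiOS documentation or of any Fortinet tool: it parses text in the shape of that output, computes the failure ratio per destination and returns findings. The sample text is copied from the output on this page; the thresholds max_fail_ratio and max_queue are assumptions, and the page does not document what interface-missed counts, so the script only reports it when nonzero rather than interpreting it.

```python
import re

# Sample `diagnose test application miglogd 6 1` output copied from this page.
SAMPLE_STATS = """\
mem=4288, disk=4070, alert=0, alarm=0, sys=5513, faz=4307, webt=0, fds=0
interface-missed=208
Queues in all miglogds: cur:0 total-so-far:36974
global log dev statistics:
syslog 0: sent=6585, failed=152, relayed=0
faz 0: sent=13, failed=0, cached=0, dropped=0 , relayed=0
"""

# A destination line looks like "syslog 0: sent=..., failed=..., ...".
_DEV_LINE = re.compile(r"^(?P<dev>[a-z-]+ \d+):\s*(?P<fields>.*)$", re.MULTILINE)
# Generic "key=integer" pairs used on both the totals line and the device lines.
_KV = re.compile(r"([a-z-]+)=(\d+)")


def parse_logdev_stats(text):
    """Return the daemon totals, queue counters and per-destination counters."""
    stats = {"totals": {}, "devices": {}}
    m = re.search(r"^mem=.*$", text, re.MULTILINE)
    if m:
        stats["totals"] = {k: int(v) for k, v in _KV.findall(m.group(0))}
    m = re.search(r"interface-missed=(\d+)", text)
    stats["interface_missed"] = int(m.group(1)) if m else None
    m = re.search(r"cur:(\d+) total-so-far:(\d+)", text)
    stats["queue_cur"] = int(m.group(1)) if m else None
    stats["queue_total"] = int(m.group(2)) if m else None
    for dm in _DEV_LINE.finditer(text):
        stats["devices"][dm.group("dev")] = {
            k: int(v) for k, v in _KV.findall(dm.group("fields"))
        }
    return stats


def failure_ratio(stats, dev):
    """Fraction of send attempts to `dev` that failed (0.0 when nothing was sent)."""
    c = stats["devices"][dev]
    attempts = c.get("sent", 0) + c.get("failed", 0)
    return c.get("failed", 0) / attempts if attempts else 0.0


def delivery_findings(stats, max_fail_ratio=0.01, max_queue=1000):
    """Flag destinations that fail or drop too much, and daemon-wide backlog.
    Thresholds are assumptions for this example; tune them per environment."""
    findings = []
    for dev, c in stats["devices"].items():
        ratio = failure_ratio(stats, dev)
        attempts = c.get("sent", 0) + c.get("failed", 0)
        if ratio > max_fail_ratio:
            findings.append(f"{dev}: {c.get('failed', 0)}/{attempts} sends failed ({ratio:.1%})")
        if c.get("dropped", 0):
            findings.append(f"{dev}: {c['dropped']} logs dropped")
    if stats["queue_cur"] is not None and stats["queue_cur"] > max_queue:
        findings.append(f"{stats['queue_cur']} logs currently queued (threshold {max_queue})")
    if stats["interface_missed"]:
        # Meaning of this counter is not documented on this page; just surface it.
        findings.append(f"interface-missed={stats['interface_missed']} (nonzero, investigate)")
    return findings


if __name__ == "__main__":
    parsed = parse_logdev_stats(SAMPLE_STATS)
    for dev in parsed["devices"]:
        print(f"{dev}: failure ratio {failure_ratio(parsed, dev):.2%}")
    print(delivery_findings(parsed) or "OK")
```

Because the counters are cumulative since daemon start, sample them on a schedule and alert on the delta between runs rather than on the absolute value; a destination that failed once during a maintenance window months ago should not keep paging you.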



This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.
