Log-related diagnose commands

This topic shows commonly used examples of log-related diagnose commands.

Use the following diagnose commands to identify log issues:

  • The following commands enable debugging of the log daemon (miglogd) at the required debug level (replace x with the level):

diagnose debug application miglogd x
diagnose debug enable

  • The following commands display status and statistics of miglogd for the chosen test level (replace x with the level):

diagnose test application miglogd x
diagnose debug enable

To list the available levels, press Enter after diagnose test application miglogd or diagnose debug application miglogd without giving a level. The following are some commonly used levels.

If exe log display does not return the expected entries after a log filter has been set, enable the log filter debug output:

diagnose debug application miglogd 0x1000

For example, use the following commands to display all login events from the system event log stored on disk:

exe log filter device disk
exe log filter category event
exe log filter field action login
exe log display

Files to be searched:
file_no=65523, start line=0, end_line=237
file_no=65524, start line=0, end_line=429
file_no=65525, start line=0, end_line=411
file_no=65526, start line=0, end_line=381
file_no=65527, start line=0, end_line=395
file_no=65528, start line=0, end_line=458
file_no=65529, start line=0, end_line=604
file_no=65530, start line=0, end_line=389
file_no=65531, start line=0, end_line=384
session ID=1, total logs=3697
back ground search. process ID=26240, session_id=1
start line=1 view line=10
( action "login" )
ID=1, total=3697, checked=238, found=5
ID=1, total=3697, checked=668, found=13
ID=1, total=3697, checked=1080, found=23
ID=1, total=3697, checked=1462, found=23
ID=1, total=3697, checked=1858, found=23
ID=1, total=3697, checked=2317, found=54
ID=1, total=3697, checked=2922, found=106
ID=1, total=3697, checked=3312, found=111
ID=1, total=3697, checked=3697, found=114

You can check and debug the FortiGate to FortiAnalyzer connection status.

To show the connection status with detailed information:

diagnose test application miglogd 1

faz: global , enabled
server=172.18.64.234, realtime=3, ssl=1, state=connected, src=, mgmt_name=FGh_Log_vdom1_172.18.64.234, reliable=0, sni_prefix_type=none, required_entitlement=none
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0
conn_verified=Y
SNs: last sn update:107 seconds ago.
Sn list:
(FL-8HFT718900132,age=107s)
queue: qlen=0.
filter: severity=6, sz_exclude_list=0
 voip dns ssh ssl cifs
subcategory:
 traffic: forward local multicast sniffer
 anomaly: anomaly
server: global, id=0, fd=132, ready=1, ipv6=0, 172.18.64.234/514 oftp-state=5
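The status output above, together with the certificate-verification lines in the diagnose debug application miglogd 0x100 output further down this page, is what a reviewer reads to confirm that logs leave the FortiGate over a verified TLS channel to the right FortiAnalyzer. The following Python script is an added example, not part of the original page or of FortiOS. It parses constructed copies of both outputs (values taken from this page, laid out one field group per line), and reports whether the link is connected, TLS-protected, peer-verified and using reliable logging, whether anything is queued, and whether the serial number in the verified certificate matches the configured server and the known SN list. Field names are read exactly as printed; reading reliable=0 as "set reliable disable" under config log fortianalyzer setting is an assumption.

```python
import re

# Constructed sample, modelled on the 'diagnose test application miglogd 1'
# output on this page (the page's values, one field group per line).
SAMPLE_STATUS = """\
faz: global , enabled
server=172.18.64.234, realtime=3, ssl=1, state=connected, src=, mgmt_name=FGh_Log_vdom1_172.18.64.234, reliable=0, sni_prefix_type=none, required_entitlement=none
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0
conn_verified=Y
SNs: last sn update:107 seconds ago.
Sn list:
(FL-8HFT718900132,age=107s)
queue: qlen=0.
filter: severity=6, sz_exclude_list=0
server: global, id=0, fd=132, ready=1, ipv6=0, 172.18.64.234/514 oftp-state=5
"""

# Constructed sample of the certificate lines from 'diagnose debug application
# miglogd 0x100', copied from the debug output shown later on this page.
SAMPLE_DEBUG = """\
<16209> _check_oftp_certificate()-248: checking sn:FL-8HFT718900132 vs cert sn:FL8HFT718900132
<16209> _check_oftp_certificate()-252: Verified the certificate of peer (172.18.64.234) to match sn=FL-8HFT718900132
<16209> _faz_post_connection()-292: Certificate verification:enabled, Faz verified:1
"""

FIELD_RE = re.compile(r"([A-Za-z_][\w-]*)=([^,\s]*)")
SN_RE = re.compile(r"\(([A-Z0-9-]+),age=(\d+)s\)")
CERT_RE = re.compile(r"Verified the certificate of peer \(([\d.]+)\) to match sn=([A-Z0-9-]+)")
VERIFY_RE = re.compile(r"Certificate verification:(\w+), Faz verified:(\d)")


def parse_fields(text):
    """Collect the key=value tokens of the status output into one dict."""
    return {k: v.rstrip(".") for k, v in FIELD_RE.findall(text)}


def assess_faz_link(status_text, debug_text=""):
    """Summarise the FortiGate-to-FortiAnalyzer link and list the points a
    reviewer would raise. The certificate checks only run when miglogd 0x100
    debug output is supplied in debug_text."""
    f = parse_fields(status_text)
    serials = {sn: int(age) for sn, age in SN_RE.findall(status_text)}
    cert = CERT_RE.search(debug_text)
    verify = VERIFY_RE.search(debug_text)
    s = {
        "server": f.get("server"),
        "connected": f.get("state") == "connected",
        "tls": f.get("ssl") == "1",
        "peer_verified": f.get("conn_verified") == "Y",
        "reliable": f.get("reliable") == "1",   # assumption: mirrors 'set reliable'
        "queue_len": int(f.get("qlen", "0")),
        "serials": serials,
        "cert_peer": (cert.group(1), cert.group(2)) if cert else None,
        "findings": [],
    }
    fl = s["findings"]
    if not s["connected"]:
        fl.append("state=%s: FortiAnalyzer link is not connected" % f.get("state"))
    if not s["tls"]:
        fl.append("ssl=0: log transport to FortiAnalyzer is not TLS-protected")
    if not s["peer_verified"]:
        fl.append("conn_verified=%s: FortiAnalyzer identity was not verified" % f.get("conn_verified"))
    if not s["reliable"]:
        fl.append("reliable=0: reliable logging to FortiAnalyzer is disabled")
    if s["queue_len"]:
        fl.append("qlen=%d: logs are queued on the FortiGate, not yet delivered" % s["queue_len"])
    if debug_text:
        if not verify or verify.group(1) != "enabled" or verify.group(2) != "1":
            fl.append("miglogd did not report an enabled and successful certificate verification")
        if cert is None:
            fl.append("no 'Verified the certificate of peer' line in the debug output")
        else:
            ip, sn = s["cert_peer"]
            if ip != s["server"]:
                fl.append("certificate verified for %s but the configured server is %s" % (ip, s["server"]))
            if sn not in serials:
                fl.append("certificate serial %s is not in the known FortiAnalyzer SN list" % sn)
    return s


if __name__ == "__main__":
    for line in assess_faz_link(SAMPLE_STATUS, SAMPLE_DEBUG)["findings"]:
        print("FINDING:", line)
```

Run against the page's own values the only finding is reliable=0; flipping ssl or conn_verified in the status, or changing the peer address in the debug lines, each produces its own finding, which is the point of keeping the certificate check tied to the configured server and SN list rather than to the bare "Faz verified:1" flag.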

To collect debug information when FortiAnalyzer is enabled:

diagnose debug application miglogd 0x100

FGT-B-LOG (global) # <16208> miglog_start_rmt_conn()-1552: setting epoll_hd:0x7fc364e125e0 to _rmt_connect

<16209> miglog_start_rmt_conn()-1552: setting epoll_hd:0x7f72647715e0 to _rmt_connect
<16206> miglog_start_rmt_conn()-1552: setting epoll_hd:0x141f69e0 to _rmt_connect
<16209> _rmt_connect()-1433: oftp is ready.

<16209> _rmt_connect()-1435: xfer_status changed from 2 to 2 for global-faz

<16209> _rmt_connect()-1439: setting epoll_hd:0x7f72647715e0 to _rmt_recv

<16209> _check_oftp_certificate()-248: checking sn:FL-8HFT718900132 vs cert sn:FL8HFT718900132

<16209> _check_oftp_certificate()-252: Verified the certificate of peer (172.18.64.234) to match sn=FL-8HFT718900132

<16209> _faz_post_connection()-292: Certificate verification:enabled, Faz verified:1

<16209> _send_queue_item()-518: xfer_status changed from 2 to 1 for global-faz

<16209> _send_queue_item()-523: type=0, cat=0, logcount=0, len=0

<16209> _oftp_send()-487: dev=global-faz type=17 pkt_len=34

<16209> _oftp_send()-487: opt=253, opt_len=10
<16209> _oftp_send()-487: opt=81, opt_len=12
<16208> _rmt_connect()-1433: oftp is ready.

<16208> _rmt_connect()-1435: xfer_status changed from 2 to 2 for global-faz

<16208> _rmt_connect()-1439: setting epoll_hd:0x7fc364e125e0 to _rmt_recv

<16208> _check_oftp_certificate()-248: checking sn:FL-8HFT718900132 vs cert sn:FL8HFT718900132

<16208> _check_oftp_certificate()-252: Verified the certificate of peer (172.18.64.234) to match sn=FL-8HFT718900132

<16208> _faz_post_connection()-292: Certificate verification:enabled, Faz verified:1

<16208> _send_queue_item()-518: xfer_status changed from 2 to 1 for global-faz

<16208> _send_queue_item()-523: type=0, cat=0, logcount=0, len=0

<16208> _oftp_send()-487: dev=global-faz type=17 pkt_len=34

<16208> _oftp_send()-487: opt=253, opt_len=10

<16209> _oftp_recv()-1348: opt=252, opt_len=996

<16208> _oftp_send()-487: opt=81, opt_len=12

<16209> _process_response()-960: checking opt code=252

<16209> _faz_process_oftp_resp()-488: ha nmember:1 nvcluster:0 mode:1

<16209> __is_sn_known()-356: MATCHED: idx:0 sn:FL-8HFT718900132

<16209> _faz_process_oftp_resp()-494: Received SN:FL-8HFT718900132 should update:0

<16208> _oftp_recv()-1348: dev=global-faz type=252 pkt_len=1008

<16208> _oftp_recv()-1348: opt=252, opt_len=996

<16208> _process_response()-960: checking opt code=252

<16208> _faz_process_oftp_resp()-488: ha nmember:1 nvcluster:0 mode:1

<16208> __is_sn_known()-356: MATCHED: idx:0 sn:FL-8HFT718900132

<16208> _faz_process_oftp_resp()-494: Received SN:FL-8HFT718900132 should update:0

<16206> _rmt_connect()-1433: oftp is ready.

<16206> _rmt_connect()-1435: xfer_status changed from 2 to 2 for global-faz

<16206> _rmt_connect()-1439: setting epoll_hd:0x141f69e0 to _rmt_recv

<16206> _check_oftp_certificate()-248: checking sn:FL-8HFT718900132 vs cert sn:FL8HFT718900132

<16206> _check_oftp_certificate()-252: Verified the certificate of peer (172.18.64.234) to match sn=FL-8HFT718900132

<16206> _faz_post_connection()-292: Certificate verification:enabled, Faz verified:1

<16206> _send_queue_item()-518: xfer_status changed from 2 to 1 for global-faz

<16206> _send_queue_item()-523: type=0, cat=0, logcount=0, len=0

<16206> _oftp_send()-487: dev=global-faz type=17 pkt_len=34

<16206> _oftp_send()-487: opt=253, opt_len=10

<16206> _oftp_send()-487: opt=81, opt_len=12

<16206> _oftp_recv()-1348: dev=global-faz type=252 pkt_len=1008

<16206> _oftp_recv()-1348: opt=252, opt_len=996

<16206> _process_response()-960: checking opt code=252

<16206> _faz_process_oftp_resp()-488: ha nmember:1 nvcluster:0 mode:1

<16206> __is_sn_known()-356: MATCHED: idx:0 sn:FL-8HFT718900132

<16206> _faz_process_oftp_resp()-494: Received SN:FL-8HFT718900132 should update:0

<16209> _oftp_recv()-1348: dev=global-faz type=1 pkt_len=985

<16209> _oftp_recv()-1348: opt=12, opt_len=16
……
<16209> _build_ack()-784: xfer_status changed from 1 to 2 for global-faz
<16209> _process_response()-960: checking opt code=81
……

<16209> _send_queue_item()-523: type=1, cat=0, logcount=0, len=0

<16209> _oftp_send()-487: dev=global-faz type=1 pkt_len=24

<16209> _oftp_send()-487: opt=1, opt_len=12

<16209> _send_queue_item()-523: type=7, cat=0, logcount=0, len=988

<16209> _oftp_send()-487: dev=global-faz type=252 pkt_len=1008

<16209> _oftp_send()-487: opt=252, opt_len=996

<16208> _oftp_recv()-1348: dev=global-faz type=1 pkt_len=58

<16208> _oftp_recv()-1348: opt=12, opt_len=16

<16208> _oftp_recv()-1348: opt=51, opt_len=9

<16208> _oftp_recv()-1348: opt=49, opt_len=12

<16208> _oftp_recv()-1348: opt=52, opt_len=9

<16208> _build_ack()-784: xfer_status changed from 1 to 2 for global-faz

<16208> _process_response()-960: checking opt code=52

<16208> _send_queue_item()-523: type=1, cat=0, logcount=0, len=0

<16208> _oftp_send()-487: dev=global-faz type=1 pkt_len=24

<16208> _oftp_send()-487: opt=1, opt_len=12

<16206> _oftp_recv()-1348: dev=global-faz type=1 pkt_len=985

……

<16208> _send_queue_item()-523: type=3, cat=1, logcount=1, len=301
<16206> _oftp_recv()-1348: opt=78, opt_len=55
……
<16206> _build_ack()-784: xfer_status changed from 1 to 2 for global-faz
<16206> _process_response()-960: checking opt code=81
……

<16206> _send_queue_item()-523: type=1, cat=0, logcount=0, len=0

<16206> _oftp_send()-487: dev=global-faz type=1 pkt_len=24

<16206> _oftp_send()-487: opt=1, opt_len=12

<16206> _send_queue_item()-523: type=7, cat=0, logcount=0, len=988

<16206> _oftp_send()-487: dev=global-faz type=252 pkt_len=1008

<16206> _oftp_send()-487: opt=252, opt_len=996

<16206> _add_change_notice_queue_item()-269: Change notice packect added to queue. len=145
……
<16206> _send_queue_item()-523: type=2, cat=0, logcount=0, len=300
<16206> _oftp_send()-487: dev=global-faz type=37 pkt_len=300

……

<16206> _oftp_send()-487: opt=152, opt_len=40

<16206> _oftp_send()-487: opt=74, opt_len=40

<16206> _oftp_send()-487: opt=82, opt_len=93

<16206> _oftp_recv()-1348: dev=global-faz type=1 pkt_len=24

<16206> _oftp_recv()-1348: opt=1, opt_len=12

<16206> _process_response()-960: checking opt code=1

To check the FortiGate to FortiGate Cloud log server connection status:

diagnose test application miglogd 20

FGT-B-LOG# diagnose test application miglogd 20
Home log server:
Address: 172.16.95.92:514
Alternative log server:
Address: 172.16.95.26:514
oftp status: established
Debug zone info:
Server IP:     172.16.95.92
Server port:   514
Server status: up
Log quota:     102400MB
Log used:      673MB
Daily volume:  20480MB
FDS arch pause: 0
fams archive pause: 0

To check real-time log statistics by log type since the miglogd daemon started:

diagnose test application miglogd 4

FGT-B-LOG (global) # diagnose test application miglogd 4
info for vdom: root
disk
event: logs=1238 len=262534, Sun=246 Mon=247 Tue=197 Wed=0 Thu=55 Fri=246 Sat=247 compressed=163038
dns: logs=4 len=1734, Sun=0 Mon=0 Tue=0 Wed=0 Thu=4 Fri=0 Sat=0 compressed=453
report
event: logs=1244 len=225453, Sun=246 Mon=247 Tue=197 Wed=0 Thu=61 Fri=246 Sat=247
faz
event: logs=6 len=1548, Sun=0 Mon=0 Tue=6 Wed=0 Thu=0 Fri=0 Sat=0 compressed=5446
info for vdom: vdom1
memory
traffic: logs=462 len=389648, Sun=93 Mon=88 Tue=77 Wed=0 Thu=13 Fri=116 Sat=75
event: logs=3724 len=1170237, Sun=670 Mon=700 Tue=531 Wed=0 Thu=392 Fri=747 Sat=684
app-ctrl: logs=16 len=9613, Sun=3 Mon=3 Tue=3 Wed=0 Thu=0 Fri=5 Sat=2
dns: logs=71 len=29833, Sun=0 Mon=0 Tue=0 Wed=0 Thu=71 Fri=0 Sat=0
disk
traffic: logs=462 len=389648, Sun=93 Mon=88 Tue=77 Wed=0 Thu=13 Fri=116 Sat=75 compressed=134638
event: logs=2262 len=550957, Sun=382 Mon=412 Tue=307 Wed=0 Thu=306 Fri=459 Sat=396 compressed=244606
app-ctrl: logs=16 len=9613, Sun=3 Mon=3 Tue=3 Wed=0 Thu=0 Fri=5 Sat=2 compressed=3966
dns: logs=71 len=29833, Sun=0 Mon=0 Tue=0 Wed=0 Thu=71 Fri=0 Sat=0 compressed=1499
report
traffic: logs=462 len=375326, Sun=93 Mon=88 Tue=77 Wed=0 Thu=13 Fri=116 Sat=75
event: logs=3733 len=1057123, Sun=670 Mon=700 Tue=531 Wed=0 Thu=401 Fri=747 Sat=684
app-ctrl: logs=16 len=9117, Sun=3 Mon=3 Tue=3 Wed=0 Thu=0 Fri=5 Sat=2
faz
traffic: logs=462 len=411362, Sun=93 Mon=88 Tue=77 Wed=0 Thu=13 Fri=116 Sat=75 compressed=307610
event: logs=3733 len=1348297, Sun=670 Mon=700 Tue=531 Wed=0 Thu=401 Fri=747 Sat=684 compressed=816636
app-ctrl: logs=16 len=10365, Sun=3 Mon=3 Tue=3 Wed=0 Thu=0 Fri=5 Sat=2 compressed=8193
dns: logs=71 len=33170, Sun=0 Mon=0 Tue=0 Wed=0 Thu=71 Fri=0 Sat=0 compressed=0

To check log statistics for the local and remote log devices since the miglogd daemon started:

diagnose test app miglogd 6 1     <<< 1 means the first child daemon
diagnose test app miglogd 6 2     <<< 2 means the second child daemon

FGT-B-LOG (global) # diagnose test application miglogd 6 1
mem=4288, disk=4070, alert=0, alarm=0, sys=5513, faz=4307, webt=0, fds=0
interface-missed=208
Queues in all miglogds: cur:0 total-so-far:36974
global log dev statistics:
syslog 0: sent=6585, failed=152, relayed=0
faz 0: sent=13, failed=0, cached=0, dropped=0, relayed=0

To check the number of miglogd child daemons and to increase or decrease it:

diagnose test app miglogd 15     <<< Show miglogd IDs
diagnose test app miglogd 13     <<< Add one miglogd child
diagnose test app miglogd 14     <<< Remove one miglogd child

FGT-B-LOG (global) # diagnose test application miglogd 15
Main miglogd: ID=0, children=2, active-children=2
ID=1, duration=70465.
ID=2, duration=70465.

FGT-B-LOG (global) # diagnose test application miglogd 13
FGT-B-LOG (global) # diagnose test application miglogd 15
Main miglogd: ID=0, children=3, active-children=3
ID=1, duration=70486.
ID=2, duration=70486.
ID=3, duration=1.

FGT-B-LOG (global) # diagnose test application miglogd 14
FGT-B-LOG (global) # diagnose test application miglogd 15
Main miglogd: ID=0, children=2, active-children=2
ID=1, duration=70604.
ID=2, duration=70604.
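The miglogd 4 and miglogd 6 counters above are the numbers to watch for silent log loss: a remote device with failed or dropped sends, a weekday on which nothing was logged at all, and a category that the local disk holds in a different quantity than FortiAnalyzer. The following Python script is an added example, not part of the original page or of FortiOS. It parses constructed samples taken from the outputs on this page (the miglogd 4 sample is cut down to the vdom1 disk and faz devices) and returns those three checks. The 1% failure threshold, and the reading of sent as successful sends so that attempts = sent + failed, are assumptions; a silent weekday is a gap to explain rather than evidence of tampering, since the counters only cover the time since miglogd started.

```python
import re

# Constructed sample modelled on the 'diagnose test application miglogd 6 1'
# output on this page.
SAMPLE_DEV_STATS = """\
mem=4288, disk=4070, alert=0, alarm=0, sys=5513, faz=4307, webt=0, fds=0 interface-missed=208
Queues in all miglogds: cur:0 total-so-far:36974
global log dev statistics:
syslog 0: sent=6585, failed=152, relayed=0
faz 0: sent=13, failed=0, cached=0, dropped=0 , relayed=0
"""

# Constructed sample modelled on the vdom1 part of the 'diagnose test
# application miglogd 4' output on this page (disk and faz devices only).
SAMPLE_TYPE_STATS = """\
info for vdom: vdom1
disk
traffic: logs=462 len=389648, Sun=93 Mon=88 Tue=77 Wed=0 Thu=13 Fri=116 Sat=75 compressed=134638
event: logs=2262 len=550957, Sun=382 Mon=412 Tue=307 Wed=0 Thu=306 Fri=459 Sat=396 compressed=244606
faz
traffic: logs=462 len=411362, Sun=93 Mon=88 Tue=77 Wed=0 Thu=13 Fri=116 Sat=75 compressed=307610
event: logs=3733 len=1348297, Sun=670 Mon=700 Tue=531 Wed=0 Thu=401 Fri=747 Sat=684 compressed=816636
"""

DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
DEVICES = ("memory", "disk", "report", "faz")
DEV_LINE_RE = re.compile(r"^(\w+ \d+): (.*)$")   # e.g. 'syslog 0: sent=...'
KV_RE = re.compile(r"([\w-]+)=(\d+)")


def parse_device_stats(text):
    """Counters per remote log device, plus the interface-missed counter."""
    devices = {}
    for line in text.splitlines():
        m = DEV_LINE_RE.match(line.strip())
        if m:
            devices[m.group(1)] = {k: int(v) for k, v in KV_RE.findall(m.group(2))}
    missed = re.search(r"interface-missed=(\d+)", text)
    return devices, int(missed.group(1)) if missed else 0


def delivery_findings(devices, max_fail_ratio=0.01):
    """Flag devices with dropped logs or a failure ratio over the threshold.
    Assumption: 'sent' counts successful sends, so attempts = sent + failed."""
    findings = []
    for name, c in devices.items():
        failed = c.get("failed", 0)
        attempts = c.get("sent", 0) + failed
        if failed and attempts and failed / attempts > max_fail_ratio:
            findings.append("%s: %d of %d sends failed (%.1f%%)"
                            % (name, failed, attempts, 100.0 * failed / attempts))
        if c.get("dropped", 0):
            findings.append("%s: %d logs dropped" % (name, c["dropped"]))
    return findings


def parse_type_stats(text):
    """{vdom: {device: {category: {'logs': n, 'days': {'Sun': n, ...}}}}}"""
    stats, vdom, device = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("info for vdom:"):
            vdom = line.split(":", 1)[1].strip()
            stats[vdom] = {}
        elif line in DEVICES and vdom:
            device = line
            stats[vdom][device] = {}
        elif ":" in line and vdom and device:
            cat, rest = line.split(":", 1)
            kv = {k: int(v) for k, v in KV_RE.findall(rest)}
            stats[vdom][device][cat.strip()] = {
                "logs": kv.get("logs", 0),
                "days": {d: kv[d] for d in DAYS if d in kv},
            }
    return stats


def silent_days(stats):
    """Weekdays with zero logs across every vdom, device and category."""
    totals = dict.fromkeys(DAYS, 0)
    for devs in stats.values():
        for cats in devs.values():
            for entry in cats.values():
                for d, n in entry["days"].items():
                    totals[d] += n
    return [d for d in DAYS if totals[d] == 0]


def local_remote_divergence(stats, local="disk", remote="faz"):
    """(vdom, category, local count, remote count) where the two differ.
    Per-device log filters can explain this; an unexplained deficit on the
    remote side means the off-box copy is incomplete."""
    out = []
    for vdom, devs in stats.items():
        if local in devs and remote in devs:
            for cat in sorted(set(devs[local]) & set(devs[remote])):
                a, b = devs[local][cat]["logs"], devs[remote][cat]["logs"]
                if a != b:
                    out.append((vdom, cat, a, b))
    return out
```

On the page's values this reports the 152 failed syslog sends (about 2.3% of attempts), Wednesday as the one day with no logs, and the event category counted at 2262 on disk against 3733 on FortiAnalyzer; each is a question for the operator, not an answer, and the child-daemon durations from diagnose test application miglogd 15 tell you how much of the week the counters can actually cover.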

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
