Administration Guide

Log-related diagnostic commands

This topic contains examples of commonly used log-related diagnostic commands. Local logging is handled by the locallogd daemon, and remote logging is handled by the fgtlogd daemon.

Log search debugging

The diagnose debug application miglogd 0x1000 command is used to show the log filter strings used by the log search backend. It also shows which log files are searched.

To run log search debugging:
# diagnose debug application miglogd 0x1000
Debug messages will be on for 28 minutes.
# diagnose debug enable 

# Files to be searched:
file_no=65422, start line=0, end_line=805
file_no=65423, start line=0, end_line=221
session ID=2, total logs=1028
back ground search. process ID=2913, session_id=2 
 start line=1 view line=10 pre-fetch-pages=2

back ground search. next log file roll number is: 65422
ID=2, total=1028, checked=806, found=806
on-demand back ground search exit. process ID=2913, session_id=2, status=process_on-demand_pending

Log filtering

The execute log filter command can be used to define and display specific log messages based on the parameters entered.

To display all login system event logs:
# execute log filter device disk
# execute log filter category event
# execute log filter field action login
# execute log display

Files to be searched:
file_no=65523, start line=0, end_line=237
file_no=65524, start line=0, end_line=429
file_no=65525, start line=0, end_line=411
file_no=65526, start line=0, end_line=381
file_no=65527, start line=0, end_line=395
file_no=65528, start line=0, end_line=458
file_no=65529, start line=0, end_line=604
file_no=65530, start line=0, end_line=389
file_no=65531, start line=0, end_line=384
session ID=1, total logs=3697
back ground search. process ID=26240, session_id=1
 start line=1  view line=10
( action "login" )
ID=1, total=3697, checked=238, found=5
ID=1, total=3697, checked=668, found=13
ID=1, total=3697, checked=1080, found=23
ID=1, total=3697, checked=1462, found=23
ID=1, total=3697, checked=1858, found=23
ID=1, total=3697, checked=2317, found=54
ID=1, total=3697, checked=2922, found=106
ID=1, total=3697, checked=3312, found=111
ID=1, total=3697, checked=3697, found=114

Checking the FortiGate to FortiAnalyzer connection

To check the FortiGate to FortiAnalyzer connection status:
# diagnose test application fgtlogd 1
faz: global , enabled
        server=172.16.200.251, realtime=3, ssl=1, state=connected
        server_log_status=Log is allowed.,
        src=, mgmt_name=FGh_Log_vdom1_172.16.200.251, reliable=0, sni_prefix_type=none,
        required_entitlement=none, region=ca-west-1,
        logsync_enabled:1, logsync_conn_id:65535, seq_no:0
                status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
                SNs: last sn update:56 seconds ago.
                        Sn list:
                        (FAZ-VMTM2200****,age=56s)
                queue: qlen=0.
filter: severity=6, sz_exclude_list=0
         traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter
subcategory:
        traffic: forward local multicast sniffer ztna
        virus:all subcategories are enabled.
        webfilter:all subcategories are enabled.
        ips:all subcategories are enabled.
        emailfilter:all subcategories are enabled.
        anomaly:all subcategories are enabled.
        voip:all subcategories are enabled.
        dlp:all subcategories are enabled.
        app-ctrl:all subcategories are enabled.
        waf:all subcategories are enabled.
        dns:all subcategories are enabled.
        ssh:all subcategories are enabled.
        ssl:all subcategories are enabled.
        file-filter:all subcategories are enabled.
        icap:all subcategories are enabled.
        sctp-filter:all subcategories are enabled.

        server: global, id=0, ready=1, name=172.16.200.251 addr=172.16.200.251:514
        oftp-state=connected
To collect debug information when FortiAnalyzer is enabled:
# diagnose debug application fgtlogd 0x100
# <2026> __fgtlog_parse_featset()-1680: No featset data in login packet,init the device with default value
<2026> __on_connect()-1620: oftp is ready.
<2026> __on_connect()-1621: status connected for global-faz.
<2026> _check_oftp_certificate()-206: checking sn:FAZVMSTM2200**** vs cert sn:FAZVMSTM2200****
<2026> _check_oftp_certificate()-208: Verified the certificate of peer (10.100.88.2) to match sn=FAZVMSTM2200****
<2026> _faz_post_connection()-249: Certificate verification:enabled, Faz verified:1
<2026> _send_queue_item()-549: Disconnect global-faz until receiving disk usage response.
<2026> _send_queue_item()-555: type=0, cat=0, logcount=0, len=0
<2026> __on_pkt_recv()-1590: dev=global-faz type=252 pkt_len=1099
<2026> __on_pkt_recv()-1590: opt=204, opt_len=91
<2026> __on_pkt_recv()-1590: opt=252, opt_len=996
<2026> _process_hainfo_response()-1206: hainfo opt code=204
<2026> _faz_process_oftp_resp_hainfo_json()-447: ha mode: standalone
<2026> __is_sn_known()-315: MATCHED: idx:0 sn:FAZVMSTM2200****
<2026> _faz_process_oftp_resp_hainfo_json()-481: Received SN:FAZVMSTM2200**** should update:0
<2026> _process_hainfo_response()-1206: hainfo opt code=252
<2026> _faz_process_oftp_resp_hainfo_struct()-553: ha nmember:1 nvcluster:0 mode:1
<2026> __is_sn_known()-315: MATCHED: idx:0 sn:FAZVMSTM2200****
<2026> _faz_process_oftp_resp_hainfo_struct()-559: Received SN:FAZVMSTM2200**** should update:0
<2026> __on_pkt_recv()-1590: dev=global-faz type=1 pkt_len=1356
<2026> __on_pkt_recv()-1590: opt=12, opt_len=16
<2026> __on_pkt_recv()-1590: opt=51, opt_len=9
...
<2026> _build_ack()-867: global-faz ready to send data.
<2026> _process_response()-1152: checking opt code=81
<2026> _process_response()-1152: checking opt code=81
<2026> _process_response()-1152: checking opt code=81
...
<2026> _send_queue_item()-555: type=1, cat=0, logcount=0, len=0
<2026> _send_queue_item()-555: type=7, cat=0, logcount=0, len=58
<2026> _send_queue_item()-555: type=3, cat=10, logcount=1, len=790
<2026> _send_queue_item()-555: type=3, cat=10, logcount=1, len=807
<2026> __on_pkt_recv()-1590: dev=global-faz type=60 pkt_len=474
...
<2026> __on_pkt_recv()-1590: opt=80, opt_len=16
<2026> __on_pkt_recv()-1590: opt=7, opt_len=446
<2026> __on_pkt_recv()-1590: dev=global-faz type=11 pkt_len=37
...
<2026> _send_queue_item()-555: type=3, cat=0, logcount=1, len=1037
<2026> _send_queue_item()-555: type=3, cat=0, logcount=1, len=1033
To check the FortiGate to FortiGate Cloud connection status:
# diagnose test application fgtlogd 20
Home log server:
    Address: 173.243.132.57:514
Alternative log server:
    Address: 173.243.132.121:514
FazCloud log server:
    Address:
    oftp status: connected
Debug zone info:
    Server IP:          173.243.132.57
    Server port:        514
    Server status:      up
    Server log status:  enabled
    Log quota:          500000000MB
    Log used:           599MB
    Daily volume:       1000000MB
    FDS arch pause:     0
    fams archive pause: 0

locallogd diagnostics

To check real-time log statistics by log type since the locallogd daemon started:
# diagnose test application locallogd 3
info for vdom: root
memory
traffic: logs=18289 len=15921725, Sun=0 Mon=18289 Tue=0 Wed=0 Thu=0 Fri=0 Sat=0
event: logs=286 len=115729, Sun=0 Mon=286 Tue=0 Wed=0 Thu=0 Fri=0 Sat=0
app-ctrl: logs=10018 len=7051278, Sun=0 Mon=10018 Tue=0 Wed=0 Thu=0 Fri=0 Sat=0

disk
traffic: logs=18289 len=15921725, Sun=0 Mon=18289 Tue=0 Wed=0 Thu=0 Fri=0 Sat=0 compressed=1620003
event: logs=280 len=112390, Sun=0 Mon=280 Tue=0 Wed=0 Thu=0 Fri=0 Sat=0 compressed=13157
app-ctrl: logs=10018 len=7051278, Sun=0 Mon=10018 Tue=0 Wed=0 Thu=0 Fri=0 Sat=0 compressed=836906

fgtlogd diagnostics

To check real-time log statistics by log type since the fgtlogd daemon started:
# diagnose test application fgtlogd 3
info for vdom: root
faz
traffic: logs=11763 len=6528820, Sun=2698 Mon=3738 Tue=0 Wed=0 Thu=0 Fri=2523 Sat=2804 compressed=1851354
event: logs=2190 len=891772, Sun=500 Mon=400 Tue=0 Wed=0 Thu=0 Fri=786 Sat=504 compressed=713129
app-ctrl: logs=1 len=692, Sun=0 Mon=0 Tue=0 Wed=0 Thu=0 Fri=1 Sat=0 compressed=384

faz-cloud
traffic: logs=11763 len=6528820, Sun=2698 Mon=3738 Tue=0 Wed=0 Thu=0 Fri=2523 Sat=2804
event: logs=2190 len=891772, Sun=500 Mon=400 Tue=0 Wed=0 Thu=0 Fri=786 Sat=504
app-ctrl: logs=1 len=692, Sun=0 Mon=0 Tue=0 Wed=0 Thu=0 Fri=1 Sat=0
To check the remote queue and see the maximum buffered memory size:
# diagnose test application fgtlogd 41
cache maximum: 19569745(18MB) objects: 0 used: 0(0MB) allocated: 0(0MB)
VDOM:root
Memory queue for: global-faz
        queue:
                num:0 size:0(0MB) total size:0(0MB) max:19569745(18MB) logs:0
Confirm queue for: global-faz
        queue:
                num:0 size:0(0MB) total size:0(0MB) max:19569745(18MB) logs:0
Memory queue for: fds
        queue:
                num:0 size:0(0MB) total size:0(0MB) max:19569745(18MB) logs:0
Confirm queue for: fds
        queue:
                num:0 size:0(0MB) total size:0(0MB) max:19569745(18MB) logs:0
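The two fgtlogd listings above (diagnose test application fgtlogd 1 for connection state and fgtlogd 41 for the remote queues) are the ones an operator polls to confirm that logs are actually leaving the FortiGate. The following Python is an added example, not Fortinet code: it parses captured output of both commands and flags a FortiAnalyzer session that is not connected or not certificate-verified, and a remote queue that is filling up. The sample text is constructed to match the listings in this topic; the field names and the 0.8 fill threshold are assumptions.

```python
import re

# Constructed sample output, shaped like the "fgtlogd 1" and "fgtlogd 41"
# listings in this topic (address and counters are illustrative only).
FGTLOGD_1 = """\
faz: global , enabled
        server=172.16.200.251, realtime=3, ssl=1, state=connected
                status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
                queue: qlen=0.
        oftp-state=connected
"""

FGTLOGD_41 = """\
VDOM:root
Memory queue for: global-faz
        queue:
                num:0 size:0(0MB) total size:0(0MB) max:19569745(18MB) logs:0
Confirm queue for: global-faz
        queue:
                num:0 size:0(0MB) total size:0(0MB) max:19569745(18MB) logs:0
"""

# key=value or key:value tokens; a trailing "." (as in "qlen=0.") is dropped.
KV = re.compile(r"([A-Za-z_-]+)[=:]([^\s,]+)")
QUEUE_HDR = re.compile(r"^(Memory|Confirm) queue for: (\S+)$")
QUEUE_LINE = re.compile(
    r"num:(\d+) size:(\d+)\(\d+MB\) total size:(\d+)\(\d+MB\) max:(\d+)\(\d+MB\) logs:(\d+)")

# Healthy values as shown in this topic's "fgtlogd 1" listing (assumed baseline).
EXPECTED = {"state": "connected", "oftp-state": "connected", "ssl": "1",
            "conn_verified": "Y", "qlen": "0"}

def kv_pairs(text):
    """Flatten a 'fgtlogd 1' listing into a {key: value} dict (last value wins)."""
    return {k: v.rstrip(".") for k, v in KV.findall(text)}

def check_faz_connection(text):
    """Return [(field, actual)] for every field that differs from EXPECTED; [] is healthy."""
    kv = kv_pairs(text)
    return [(k, kv.get(k)) for k, want in EXPECTED.items() if kv.get(k) != want]

def parse_queues(text):
    """Return [(name, counters)] for each queue block in 'fgtlogd 41' output."""
    queues, current = [], None
    for line in text.splitlines():
        hdr = QUEUE_HDR.match(line.strip())
        if hdr:                      # "Memory queue for: global-faz" -> memory:global-faz
            current = f"{hdr.group(1).lower()}:{hdr.group(2)}"
            continue
        q = QUEUE_LINE.search(line)
        if q and current:
            num, size, total, cap, logs = (int(g) for g in q.groups())
            queues.append((current, {"num": num, "size": size, "total": total,
                                     "max": cap, "logs": logs}))
            current = None
    return queues

def queue_alerts(text, threshold=0.8):
    """Queues buffered at or above threshold*max: the log destination is not keeping up."""
    alerts = []
    for name, q in parse_queues(text):
        ratio = q["size"] / q["max"] if q["max"] else 0.0
        if ratio >= threshold:
            alerts.append((name, round(ratio, 2)))
    return alerts
```

Feed the functions the raw text captured from an SSH session; an empty list from both checks means the FortiAnalyzer link is up, verified, and draining.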

miglogd diagnostics

The miglogd daemon includes a publisher/subscriber framework that separates functions into different daemons. The miglogd daemon is responsible for building and publishing logs, while device-related details are managed by subscriber daemons.

To enable debugging the miglogd (log daemon) at the proper debug level:
# diagnose debug application miglogd <integer>
# diagnose debug enable
To display the status or statistics at the proper debug level:
# diagnose test application miglogd <integer>
# diagnose debug enable
Note

When using the preceding commands, press Enter after diagnose debug application miglogd or diagnose test application miglogd to view the list of available levels.

To check log statistics for the local and remote log devices since the miglogd daemon started:
# diagnose test application miglogd 6 
mem=4288, disk=4070, alert=0, alarm=0, sys=5513, faz=4307, webt=0, fds=0
interface-missed=208
To check the number of miglogd child daemons:
# diagnose test application miglogd 15
Main miglogd: ID=0, children=2, active-children=2
        ID=1, duration=70465.
        ID=2, duration=70465.
To add one miglogd child:
# diagnose test application miglogd 13
# diagnose test application miglogd 15
Main miglogd: ID=0, children=3, active-children=3
        ID=1, duration=70486.
        ID=2, duration=70486.
        ID=3, duration=1.
To remove one miglogd child:
# diagnose test application miglogd 14
# diagnose test application miglogd 15
Main miglogd: ID=0, children=2, active-children=2
        ID=1, duration=70604.
        ID=2, duration=70604.