Send Logs to FortiAnalyzer

FortiAnalyzer is Fortinet's dedicated log + reporting appliance (hardware or VM). It collects logs from one or many FortiGates, indexes everything, provides search across the fleet, generates compliance reports, and stores long-term.

Before You Start

  • A FortiAnalyzer (hardware or VM) deployed and licensed.
  • FortiAnalyzer reachable from FortiGate (TCP/514 default).
  • FortiGate's serial number authorized on FortiAnalyzer side.

Steps

On FortiGate

  1. Security Fabric → Fabric Connectors → Logging & Analytics → FortiAnalyzer.
  2. Fill in:
    • Status — Enable.
    • IP/FQDN — FortiAnalyzer address.
    • Upload Option — Real Time (default) or Every X minutes.
    • Encryption — Enable for TLS.
  3. Apply.

The FortiGate sends an authentication request to FortiAnalyzer.

On FortiAnalyzer

  1. Log into FortiAnalyzer GUI.
  2. Device Manager → Unauthorized Devices — FortiGate's pending request appears.
  3. Authorize.
  4. Logs start flowing within a minute.

Verify on FortiGate

diagnose log fortianalyzer connection
get log fortianalyzer setting

# Should show:
#   FAZ status: Connected
#   Reach status: success

Filter What You Send

To reduce FortiAnalyzer load, filter at the source:

config log fortianalyzer filter
    set severity information
    set forward-traffic enable
    set local-traffic disable     # often skip — high volume, low value
    set event enable
    set anomaly enable
end

Log Caching

If FortiAnalyzer is briefly unreachable, FortiGate buffers logs:

config log fortianalyzer setting
    set reliable enable
    set max-log-rate 0     # 0 = unlimited
end

Reliable mode uses TCP with delivery confirmation; lossy mode (UDP) is faster but drops logs on connectivity blips.
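The two CLI blocks above (the filter and the caching/reliable setting) are the lines worth auditing across a fleet. The following is an added example, not Fortinet's code or part of this page: a small Python parser for the FortiOS "config ... set ... end" text, followed by checks that mirror this page's recommendations (logging enabled, a server set, reliable mode on, local-traffic off, the forward-traffic/event/anomaly categories kept). The sample config is constructed for the demo; a real `show log fortianalyzer setting` / `show log fortianalyzer filter` dump may carry extra keys, and the parser assumes the flat `set` form shown on this page (no `edit`/`next` tables).

```python
"""Added example (not from the page or Fortinet): parse FortiOS
'config ... set ... end' text and check the FortiAnalyzer logging settings
this page recommends. SAMPLE_CONFIG is constructed; real output may differ."""

import shlex

# Constructed sample in the shape of the page's two CLI blocks (assumed shape).
# It deliberately has reliable mode off and local-traffic on so that the
# checker has something to report.
SAMPLE_CONFIG = """
config log fortianalyzer setting
    set status enable
    set server "faz.example.internal"
    set reliable disable
    set max-log-rate 0     # 0 = unlimited
end
config log fortianalyzer filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set event enable
    set anomaly enable
end
"""


def parse_fortios_config(text):
    """Parse top-level 'config <path> ... end' blocks into {path: {key: value}}.

    Only the flat 'set' form used on this page is handled (no edit/next
    tables). Trailing '# ...' comments are dropped and unknown lines are
    ignored so stray CLI echo does not break parsing.
    """
    blocks = {}
    current = None
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)  # comments=True strips '# ...'
        if not words:
            continue
        if words[0] == "config":
            current = " ".join(words[1:])
            blocks.setdefault(current, {})
        elif words[0] == "end":
            current = None
        elif words[0] == "set" and current is not None and len(words) >= 3:
            # single-value settings become a str, multi-value ones a list
            blocks[current][words[1]] = words[2] if len(words) == 3 else words[2:]
    return blocks


def check_faz_logging(blocks):
    """Return findings for the FortiAnalyzer settings discussed on this page."""
    setting = blocks.get("log fortianalyzer setting", {})
    flt = blocks.get("log fortianalyzer filter", {})
    findings = []
    if setting.get("status") != "enable":
        findings.append("FortiAnalyzer logging is not enabled")
    if "server" not in setting:
        findings.append("no FortiAnalyzer server configured")
    if setting.get("reliable") != "enable":
        findings.append("reliable mode off: logs can be lost on connectivity blips")
    if flt.get("local-traffic") == "enable":
        findings.append("local-traffic logging on: high volume, low value")
    for cat in ("forward-traffic", "event", "anomaly"):
        if flt.get(cat) != "enable":
            findings.append(f"{cat} logs are filtered out")
    return findings


if __name__ == "__main__":
    for finding in check_faz_logging(parse_fortios_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Feed it the output of `show log fortianalyzer setting` and `show log fortianalyzer filter` captured from each FortiGate; a firewall that has drifted from the recommended settings shows up as one or more findings rather than as a silent gap in FortiAnalyzer.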

📸 Screenshot needed

Fabric Connectors → FortiAnalyzer connector showing Connected status.

Common Issues

  • Connection fails. TCP/514 blocked, or FortiAnalyzer not authorizing. Check both sides.
  • Logs arrive but reports empty. FortiAnalyzer's ADOM/VDOM mapping wrong. Match.
  • Some categories missing. Filter disabled them. Check config log fortianalyzer filter.
  • Storage quickly fills. Adjust FortiAnalyzer's retention per category; archive old logs.