Skip to main content
ymasaki
Staff
ymasaki
Staff
December 9, 2021

Technical Tip: How to collect FortiEDR Collector log

  • December 9, 2021
  • 0 replies
  • 22180 views
Description

This article describes how to retrieve the collector logs for troubleshooting.
Scope

FortiEDR Windows, Linux, and macOS Collectors.
Solution

If the collector is currently connected to FortiEDR Central Manager, it is possible to retrieve the collector logs via the management console:

  1. Go to INVENTORY -> Collectors.
  2. Select the checkbox of the Collector.
  3. Select Export -> Collector Logs.
  4.  Select 'Download'.
  5. The Collector log archive should then be provided to Fortinet TAC.

 

ymasaki_0-1639040961128.png

 

If the Collector is disconnected from the FortiEDR Central Manager, it is possible to collect logs from the local Collector machine:

 

Windows:

  1. Run the following command as Administrator in CMD:"C:\Program Files\Fortinet\FortiEDR\FortiEDRCollectorService.exe" --support.
  2. Gather the log files from %TEMP%\program_data_archive_support.zip. *%TEMP% is at 'C:\Users\[username]\AppData\Local\Temp.

 

If this procedure fails, follow these steps:

 

  1. Open the Command Prompt as Administrator and run the following command: "C:\Program Files\Fortinet\FortiEDR\FortiEDRCollectorService.exe" --stop.

 

The registration password would be prompted, which can be found in the Management Console.

In the Console, select Administration -> Tools -> Display.

 

  1. Zip the following directory C:\ProgramData\FortiEDR\.
  2.  Run the following Command to start the Collector Service: "C:\Program Files\Fortinet\FortiEDR\FortiEDRCollectorService.exe" --start.

 

macOS:

  1. Open Terminal and execute the command: sudo /Applications/FortiEDR.app/FortiEDRCollector --support.

For v6.0+, execute the command

 

sudo /Applications/FortiEDR.app/Contents/MacOS/FortiEDRCollector.app/Contents/MacOS/FortiEDRCollector --support

 

  1. This will output a zipped directory containing all appropriate log files.

If the script does not work, zip/tar the directory /Library/Application Support/FortiEDR/Logs/.

 

Linux:

To gather support information, one of the following options may be used:

 

Option 1:
Open a terminal and run:

 

/opt/FortiEDRCollector/bin/FortiEDRCollector --support

 

Option 2:
Open a terminal and create a compressed archive of the directory:

 

tar -zcvf <archive>.tar.gz /opt/FortiEDRCollector/
    Terms & ConditionsAccessibility statement