Mike17
Staff
May 8, 2026

Technical Tip: Collect FortiSIEM backend and AppServer internal logs


Description

This article describes how to extract FortiSIEM backend and app server logs on any model and in any role (Supervisor, Worker or Collector). The procedure packages the FortiSIEM logs into a .tar file, which can then be downloaded for further troubleshooting and analysis.

Scope

All supported versions of FortiSIEM.

Solution

  1. Connect to a FortiSIEM node through SSH or a console port for hardware appliances.

  2. Create a directory in which the logs will be stored:


mkdir /tmp/FSM_Logs


  3. Run the following script, which is available on all firmware versions, to generate a compressed log file:


phziplogs /tmp/FSM_Logs 5


  4. Wait until the script has finished. Output should be similar to the following:


Collecting backend logs ...
gzip: /opt/phoenix/log/phoenix.log: file size changed while zipping
Collecting bin Minidumps ...
Collecting app server logs ...
Collecting postgres logs ...
Collecting system logs ...
Collecting upgrade files ...
Collecting logs from /tmp directory ...
Packaging ...
/opt/FSM_Logs/AOLogs.tar created


  5. Once the script has finished running, connect to the FortiSIEM node through WinSCP or a similar application. Navigate to the created path and download the file AOLogs.tar.


Notes:

  • Make sure to create the directory on a mount point with enough free storage, typically 5 GB or more. Depending on the environment, the AOLogs.tar file size may be measured in MB or even GB.

  • The AOLogs.tar file contains only FortiSIEM system internal logs and no event logs from integrated log sources.
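
The steps and the free-space note above, combined into one wrapper, as an added example that is not part of the original article or of Fortinet's tooling. The function and variable names are introduced here, the second argument is passed to phziplogs unchanged as in the article, and the script assumes AOLogs.tar is written into the directory given on the command line; the owner-only permissions and the SHA-256 checksum are additions so the bundle stays private on the node and can be verified after download.

```bash
#!/usr/bin/env bash
# Added example: wrapper around the article's mkdir + phziplogs steps.
# All function and variable names here are illustrative, not FortiSIEM's.

MIN_FREE_KB=$((5 * 1024 * 1024))   # 5 GB, per the article's note

# Print free space in KiB on the filesystem holding path $1.
free_kb() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# Succeed when $1 (KiB available) is at least $2 (KiB required).
enough_space() {
    [ "$1" -ge "$2" ] 2>/dev/null
}

# collect DEST ARG2: check space, create DEST, run phziplogs, checksum result.
collect() {
    local dest=$1 arg2=$2 parent avail
    parent=$(dirname "$dest")
    avail=$(free_kb "$parent")
    if ! enough_space "$avail" "$MIN_FREE_KB"; then
        echo "need ${MIN_FREE_KB} KiB free under ${parent}, found ${avail:-unknown}" >&2
        return 1
    fi
    # Internal logs are sensitive: keep the directory owner-only.
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    phziplogs "$dest" "$arg2" || return 1
    # Assumption: the archive is written into DEST.
    if [ ! -s "$dest/AOLogs.tar" ]; then
        echo "AOLogs.tar not found in ${dest}; check the path phziplogs printed" >&2
        return 1
    fi
    # Checksum to compare against the copy downloaded over SCP.
    (cd "$dest" && sha256sum AOLogs.tar > AOLogs.tar.sha256)
}

# Stand-alone use: ./collect_fsm_logs.sh /tmp/FSM_Logs 5
if [ $# -eq 2 ]; then
    collect "$1" "$2"
fi
```

After downloading both files to a Linux workstation, `sha256sum -c AOLogs.tar.sha256` confirms the transfer was intact.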