Skip to main content
A
Anonymous_User
New Contributor III
September 27, 2016

Technical Tip: How to retrieve logs from FortiSIEM VA and deliver them to support

  • September 27, 2016
  • 0 replies
  • 39714 views

Description

 
This article describes how to package the FortiSIEM logs to deliver them to Support
 
Scope
 
FortiSIEM v6.1.0 and later.


Solution

 

This is a step-by-step guide on how to collect log files over a certain period and send them to a FortiSIEM support team. 
 
  1. Extract and Compress Logs:
    1. SSH into the Supervisor, Worker/ or Collector as root.
    2. Enter the following commands:

       

get-fsm-health.py --local -o /tmp/fsm-health.log

journalctl -k --no-pager > /tmp/journlctl.log

cat /proc/interrupts > /tmp/interrupts.txt

cat /etc/hosts > /tmp/hosts.txt

env > /tmp/root_env

su admin -c env > /tmp/admin_env

fips-mode-setup --check > /tmp/fips_state
psql -U phoenix -d phoenixdb -c "select * from pg_stat_activity" > /tmp/pg_stat_activity.out
psql -U phoenix -d phoenixdb -c "select property,value,data from ph_sys_conf;" > /tmp/sys_conf.out
psql -U phoenix -d phoenixdb -c "select * from ph_health_status" > /tmp/health.out
psql -U phoenix -d phoenixdb -c "select * from ph_collector_status" > /tmp/collector_health.out
psql -U phoenix -d phoenixdb -c "select * from ph_health_replication" > /tmp/replication_health.out

tar -czvf /tmp/keeper_logs.tar.gz /data-clickhouse-*/clickhouse-keeper/app_logs > /dev/null 2>&1

tar -czvf /tmp/keeper_conf.tar.gz /data-clickhouse-*/clickhouse-keeper/conf > /dev/null 2>&1

echo mntr | nc localhost 2181 > /tmp/keeper-stats.txt

tar -czvf /tmp/content_update.tar.gz /opt/phoenix/cache/content > /dev/null 2>&1

phziplogs /tmp/<ticket_number> <number_of_days>

 
This will create a directory with a ticket number as well as collect logs for the number of days to go back.
Being able to pick up historical events will be critical if an issue occurs in the past. Make sure to know how many days are necessary. For example: phziplogs /tmp/12345.
 
The log name will appear as AOLogs.tar, in /tmp/<ticket number>/.
 
    1. Change the filename of AOLogs.tar to a more unique name (e.g., FortiSIEMLogs-SP-20181119.tar for Supervisor Logs on November 19th, 2018).

       

cd /tmp/1234

tar --append --file=AOLogs.tar /tmp/fsm-health.log

tar --append --file=AOLogs.tar /tmp/journlctl.log

tar --append --file=AOLogs.tar /tmp/interrupts.txt

tar --append --file=AOLogs.tar /tmp/hosts.txt

tar --append --file=AOLogs.tar /tmp/root_env

tar --append --file=AOLogs.tar /tmp/admin_env

tar --append --file=AOLogs.tar /tmp/fips_state

tar --append --file=AOLogs.tar /tmp/pg_stat_activity.out

tar --append --file=AOLogs.tar /tmp/sys_conf.out

tar --append --file=AOLogs.tar /tmp/health.out

tar --append --file=AOLogs.tar /tmp/collector_health.out

tar --append --file=AOLogs.tar /tmp/replication_health.out

tar --append --file=AOLogs.tar /tmp/keeper_logs.tar.gz

tar --append --file=AOLogs.tar /tmp/keeper_conf.tar.gz

tar --append --file=AOLogs.tar /tmp/keeper-stats.txt

tar --append --file=AOLogs.tar /tmp/content_update.tar.gz

mv AoLogs.tar <new file name>

    1. Repeat steps 1.a through 1.c for all Collectors, Workers, and Supervisors.

 

  1. From the FortiSIEM appliance, directly SCP the log to the desktop.

    1. For Windows users, use WinSCP to pull the logs from the /tmp directory of the FortiSIEM appliance.

    2. For Linux users, use SCP from the FortiSIEM bash prompt to copy it out to the local desktop: $ scp -r <local directory> username@<host_ip>:<remote directory>.

    3. For Linux users, us Upload the file to the support ticket at Support.

 

  1. Log in to the Fortinet support account.

    1. Find the ticket associated with the log request upload. 

    2. Upload the attachment to the ticket with a response (Note that the upload limit is 500MB per attachment). If required, the support engineer may ask to provide the files through the SCP server to transfer the file.

    Terms & ConditionsAccessibility statement