FortiAnalyzer
chall_FTNT
Staff
Article Id 192220

Description

When configuring the Log Storage Policy, it is common to keep Archive data longer than Analytic data.

This article describes what happens when a report is run for a time period older than the oldest Analytic data.

Scope
 
FortiAnalyzer.


Solution

Reports can only be run on Analytic data, that is, log data that has been inserted into the SQL database and can be viewed in Log View.

To insert older data back into the SQL database, rebuild the entire database from an earlier date:

  1. Configure the date from which the rebuild should start; see FortiAnalyzer SQL database rebuild start-time.
  2. Make sure the Log Storage Policy is adjusted to allow for more Analytic data. Otherwise, FortiAnalyzer will immediately start trimming the Analytic data back again.
  3. Start the rebuild for that ADOM: exec sql-local rebuild-adom <ADOM name> (or, alternatively, rebuild the entire FortiAnalyzer database with exec sql-local rebuild-db).

Rebuilding the SQL database can take some time (several hours to several days), depending on the amount of log data to be inserted. During the rebuild, logging and reporting functionality is limited, but logs continue to be received.
 
Alternatives to rebuilding the database:

  1. Reimport log files that were previously exported. The import automatically triggers insertion of those logs into the SQL database, essentially adding them to the existing database. As with the SQL rebuild, make sure the Log Retention Policy has been adjusted to extend far enough back to cover the newly imported logs.

    Note: If this data was previously exported from the same FortiAnalyzer, this may result in duplicate log entries in the Archive logs (unless care was taken to delete those logs after exporting).

  2. If another FortiAnalyzer VM is available, use Log Fetch, which is ideally suited to pulling older log data that matches filter criteria. This is the most elegant solution, since it avoids log duplication and the need to change the Log Retention Policy repeatedly on the production FortiAnalyzer.
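As an added planning helper (not Fortinet code and not part of this article), the function below takes the Log Storage Policy retention values and a requested report range and decides which of the paths above applies: the report runs as-is, the Archive still holds the data so a rebuild from a chosen start date can make it reportable (after raising Analytic retention so the rebuild is not trimmed again), or the data is gone from this unit and only Log Fetch from another FortiAnalyzer can help. The retention arithmetic and the one-day safety margin are assumptions; the rebuild start date itself is configured as described in the linked start-time article.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class StoragePolicy:
    analytic_days: int  # Analytic retention: data in the SQL database, reportable
    archive_days: int   # Archive retention: raw log files, not reportable


@dataclass
class RebuildPlan:
    action: str                       # "none", "rebuild" or "not_possible"
    rebuild_start: Optional[str]      # ISO date the rebuild must insert from
    required_analytic_days: int       # Analytic retention the policy must allow
    partial: bool                     # True if part of the range is gone from Archive too
    steps: List[str] = field(default_factory=list)


def plan_report(policy: StoragePolicy, report_start: str, report_end: str,
                adom: str, today: str) -> RebuildPlan:
    """Decide whether a report over [report_start, report_end] needs a rebuild.

    Assumption: a retention of N days keeps everything from (today - N) onward.
    """
    start_d, end_d, today_d = map(date.fromisoformat, (report_start, report_end, today))
    if end_d < start_d:
        raise ValueError("report_end precedes report_start")
    oldest_analytic = today_d - timedelta(days=policy.analytic_days)
    oldest_archive = today_d - timedelta(days=policy.archive_days)
    # Whole range is already in the SQL database: the report runs as-is.
    if start_d >= oldest_analytic:
        return RebuildPlan("none", None, policy.analytic_days, False)
    # Range lies entirely before the oldest Archive data: nothing on this unit
    # to rebuild from; Log Fetch from another FortiAnalyzer is the remaining option.
    if end_d < oldest_archive:
        return RebuildPlan("not_possible", None, policy.analytic_days, False)
    rebuild_from = max(start_d, oldest_archive)
    required = (today_d - rebuild_from).days + 1  # +1 so the first day is not trimmed
    steps = [
        f"set the SQL rebuild start date to {rebuild_from.isoformat()}",
        f"raise Analytic retention in the Log Storage Policy to at least {required} days",
        f"exec sql-local rebuild-adom {adom}",
    ]
    return RebuildPlan("rebuild", rebuild_from.isoformat(), required,
                       start_d < oldest_archive, steps)
```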