FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
chall_FTNT
Staff
Staff
Description
When configuring Log Storage Policy, it is common to keep Archive data longer than Analytic data. 

But what happens when you want to run a report for a time period which is older than your oldest Analytic data?

Solution
Reports can only be run on analytic data, which is log data that has been inserted into the SQL database and can be viewed in Log View.

To insert older data back into the SQL database, you can rebuild the entire database from an earlier date:

1) Configure the data to start the rebuild from, see FortiAnalyzer SQL database rebuild start-time
2) Make sure that Log Storage Policy is adjusted to allow for more Analytic data.  Otherwise, the FortiAnalyzer will immediately start trimming back analytic data again.
3) Start the rebuild for that ADOM: exec sql-local rebuild-adom <ADOM name>
(or alternatively rebuild the entire FortiAnalyzer using "exec sql-local rebuild-db")

Rebuilding the SQL database can take some time (several hours to several days) depending on the amount of log data to be inserted.  During the rebuild, logging and reporting functionality will be limited but logs will continue to be received.

Alternatives to rebuilding the database:

1) Reimport log files which have been exported.  The import automatically triggers insertion
of those logs into the SQL database, essentially adding them to the existing database. 

Note: If you had previously exported this data from the same FortiAnalyzer, you could end up with duplicate log entries in Archive logs (unless you took care to delete those logs after export).


2) If you have another FortiAnalyzer VM, you can use Log Fetch which is ideally suited to pulling older log data which meets filtered criteria.  This is the most elegant solution.

Contributors