FortiAnalyzer
mbernatek
Description
This article describes how to merge the logs of standalone FortiGate devices that have already been merged into an HA cluster on FortiAnalyzer.

Solution
The following procedure migrates logs to an HA cluster on FortiAnalyzer when the FortiGates have already been merged without using the auto-migrate function.

Refer to the related KB article below for information about the auto migrate function.

When an HA cluster is created on FortiAnalyzer, the existing logs are not merged automatically. The symptom is typically noticed some time later, when some logs are not displayed in FortiView.

Prerequisites
  • Two FortiGate devices are registered on FortiAnalyzer as standalone devices, each with its own logs
  • Both devices have been put into an HA cluster (FortiGate configuration)
  • On FortiAnalyzer they are still listed as two standalone devices

Device and log store status before merge:


# diagnose dvm device list

TYPE OID      SN               HA  IP              NAME                                 ADOM                                 FIRMWARE
faz enabled 401      FGVM0100000xxxxx -   10.108.16.150   FGVMDH-40                            lab                                  5.0 MR2 (727)
        |- STATUS: db: unknown; conf: unknown; cond: unknown; dm: none; conn: unknown
        |- vdom:[3]root flags:0 adom:lab pkg:[never-installed]

faz enabled 413      FGVM0100000yyyyy -   10.108.16.150   FGVMDH-42                            lab                                  5.0 MR2 (727)
          |- STATUS: db: unknown; conf: unknown; cond: unknown; dm: none; conn: unknown
          |- vdom:[3]root flags:0 adom:lab pkg:[never-installed]

# execute log device logstore list
      Device ID           logfiles           archive files      status
==================================================================
(1) FGVM0100000xxxxx          0MB          0MB          active.
(2) FGVM0100000yyyyy          0MB          0MB          active.



In the GUI, go to Device Manager > All FortiGates, right-click one FortiGate device and edit it. Enable the "HA Cluster" option and select the second FortiGate device as the other cluster member. The device may be renamed at this point (in the example below it becomes lab-ha). With this step the system automatically merges both devices into one cluster entry.

The quota limit of the cluster device must be at least the sum of the standalone quota limits of the two FortiGate devices.


Device and log store status after merge:


# diagnose dvm device list

TYPE OID      SN               HA  IP              NAME                                 ADOM                                 FIRMWARE
faz enabled 413      FGVM0100000yyyyy -   10.108.16.150   FGVMDH-42                            lab                                  5.0 MR2 (727)
          |- STATUS: db: unknown; conf: unknown; cond: unknown; dm: none; conn: unknown
          |- vdom:[3]root flags:0 adom:lab pkg:[never-installed]

faz enabled 401      FGVM0100000xxxxx a-p 10.108.16.150   lab-ha                               lab                                  5.0 MR2 (727)
          |- STATUS: db: unknown; conf: unknown; cond: unknown; dm: none; conn: unknown
    HA cluster member: FGVM0100000xxxxx (slave 0)
    HA cluster member: FGVM0100000yyyyy (slave 1)
          |- vdom:[3]root flags:0 adom:lab pkg:[never-installed]

# execute log device logstore list
      Device ID           logfiles           archive files      status
==================================================================
(1) FGVM0100000xxxxx        N/A        N/A    zombie
(2) FGVM0100000yyyyy        N/A        N/A    zombie
(3) FGHA000999185129_CID          0MB          0MB          active.



In the example above there are two "zombie" log stores belonging to the former standalone devices. Their logs stay there until they are moved manually. Run the following commands to move them into the cluster log store:
# execute log device logstore move FGVM0100000yyyyy FGHA000999185129_CID
# execute log device logstore move FGVM0100000xxxxx FGHA000999185129_CID

The log stores are now moved to the HA Cluster store:

# execute log device logstore list
       Device ID           logfiles           archive files      status
==================================================================
(1) FGHA000999185129_CID          0MB          0MB          active.


The former standalone FortiGate device entry that remains in the ADOM after the migration can now be deleted.


As the last step, rebuild the SQL database in the proper ADOM (here, lab):
# execute sql-local rebuild-adom lab
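The procedure above has a manual, error-prone middle step: reading the log store list, spotting the zombie stores and typing one move command per store against the right cluster ID. The script below, added here as an example and not part of the article or of any Fortinet tool, parses the text of `execute log device logstore list` (the sample output is constructed to match the format shown above), identifies zombie stores and the single active cluster store (the one whose ID ends in `_CID`), and prints the exact move and rebuild commands to run. It refuses to plan anything if there is not exactly one cluster store, which is the case before the GUI merge step has been done. The ADOM name and the `_CID` suffix convention are taken from the article's own output.

```python
"""Plan FortiAnalyzer log-store moves after two standalone FortiGates were
merged into an HA cluster.  Added example, not Fortinet code.  It only reads
CLI output and prints commands; it does not execute anything itself."""
import re
from dataclasses import dataclass

# Constructed sample: the "after merge" listing from the article.
SAMPLE_AFTER_MERGE = """\
      Device ID           logfiles           archive files      status
==================================================================
(1) FGVM0100000xxxxx        N/A        N/A    zombie
(2) FGVM0100000yyyyy        N/A        N/A    zombie
(3) FGHA000999185129_CID          0MB          0MB          active.
"""

# Constructed sample: the listing once the moves have been done.
SAMPLE_AFTER_MOVE = """\
       Device ID           logfiles           archive files      status
==================================================================
(1) FGHA000999185129_CID          0MB          0MB          active.
"""

# One store per line: "(n) <device id> <logfiles> <archive files> <status>"
# The status may carry a trailing dot ("active."), which is stripped.
STORE_LINE = re.compile(r"^\(\d+\)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+?)\.?\s*$")


@dataclass
class LogStore:
    device_id: str
    logfiles: str
    archive_files: str
    status: str


def parse_logstore_list(text):
    """Return the LogStore entries found in 'execute log device logstore list' output."""
    return [LogStore(*m.groups()) for m in map(STORE_LINE.match, text.splitlines()) if m]


def cluster_store_id(stores):
    """Return the ID of the single active HA cluster store (assumed to end in _CID)."""
    cluster = [s.device_id for s in stores
               if s.status == "active" and s.device_id.endswith("_CID")]
    if len(cluster) != 1:
        raise ValueError(f"expected exactly one active cluster store, found {cluster}")
    return cluster[0]


def plan_moves(stores, adom):
    """Return the CLI commands needed to drain zombie stores into the cluster store.

    The list is empty when there is nothing left to move; otherwise it ends
    with the SQL rebuild for the ADOM, as the article's last step requires."""
    target = cluster_store_id(stores)
    zombies = [s for s in stores if s.status == "zombie"]
    cmds = [f"execute log device logstore move {z.device_id} {target}" for z in zombies]
    if cmds:
        cmds.append(f"execute sql-local rebuild-adom {adom}")
    return cmds


def is_migration_complete(stores):
    """True once no zombie store remains and exactly one active cluster store is listed."""
    try:
        cluster_store_id(stores)
    except ValueError:
        return False
    return not any(s.status == "zombie" for s in stores)


if __name__ == "__main__":
    before = parse_logstore_list(SAMPLE_AFTER_MERGE)
    print("commands to run on FortiAnalyzer:")
    for cmd in plan_moves(before, "lab"):
        print("  " + cmd)
    after = parse_logstore_list(SAMPLE_AFTER_MOVE)
    print("migration complete:", is_migration_complete(after))
```

Paste the real listing into `SAMPLE_AFTER_MERGE` (or read it from a file) and compare the generated commands with the two `logstore move` lines above before running them; rerunning the script on the post-move listing should report the migration as complete and plan no further moves.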
Notes

1) Review the device list and the log store list before making any changes, so that the initial status can be compared with the status after the change.

Related Articles

Technical Note: Missing logs - How to migrate former standalone FortiGate devices to HA Cluster on F...
