Description
This article describes how to merge the logs of standalone FortiGate devices that have already been joined into an HA cluster on FortiAnalyzer.
Solution
The following procedure can be used to migrate logs to an HA Cluster on FortiAnalyzer when the FortiGates have already been merged without using the auto migrate function.
Refer to the related KB article below for information about the auto migrate function.
When an HA Cluster is created on a FortiAnalyzer, the logs are not merged automatically. After some time it may be noticed that some logs are not displayed in FortiView.
Prerequisites
- Two FortiGate devices are registered as standalone devices on FortiAnalyzer, each with its own logs
- Both devices have been joined into an HA cluster (FortiGate configuration)
- On FortiAnalyzer both are still registered as standalone devices
Device and log store status before merge:
# diagnose dvm device list
TYPE OID SN HA IP NAME ADOM FIRMWARE
faz enabled 401 FGVM0100000xxxxx - 10.108.16.150 FGVMDH-40 lab 5.0 MR2 (727)
|- STATUS: db: unknown; conf: unknown; cond: unknown; dm: none; conn: unknown
|- vdom:[3]root flags:0 adom:lab pkg:[never-installed]
faz enabled 413 FGVM0100000yyyyy - 10.108.16.150 FGVMDH-42 lab 5.0 MR2 (727)
|- STATUS: db: unknown; conf: unknown; cond: unknown; dm: none; conn: unknown
|- vdom:[3]root flags:0 adom:lab pkg:[never-installed]
# execute log device logstore list
Device ID logfiles archive files status
==================================================================
(1) FGVM0100000xxxxx 0MB 0MB active.
(2) FGVM0100000yyyyy 0MB 0MB active.
In the GUI, go to Device Manager > All FortiGates, right-click one FortiGate device and select Edit. Enable the "HA Cluster" option and pick the second FortiGate device as the cluster member. The device may be renamed at this point. With this step the system will merge logs from both devices into the cluster automatically.
The quota limit of the cluster must be at least the sum of the standalone limits of each FortiGate device.
Device and log store status after merge:
# diagnose dvm device list
TYPE OID SN HA IP NAME ADOM FIRMWARE
faz enabled 413 FGVM0100000yyyyy - 10.108.16.150 FGVMDH-42 lab 5.0 MR2 (727)
|- STATUS: db: unknown; conf: unknown; cond: unknown; dm: none; conn: unknown
|- vdom:[3]root flags:0 adom:lab pkg:[never-installed]
faz enabled 401 FGVM0100000xxxxx a-p 10.108.16.150 lab-ha lab 5.0 MR2 (727)
|- STATUS: db: unknown; conf: unknown; cond: unknown; dm: none; conn: unknown
HA cluster member: FGVM0100000xxxxx (slave 0)
HA cluster member: FGVM0100000yyyyy (slave 1)
|- vdom:[3]root flags:0 adom:lab pkg:[never-installed]
# execute log device logstore list
Device ID logfiles archive files status
==================================================================
(1) FGVM0100000xxxxx N/A N/A zombie
(2) FGVM0100000yyyyy N/A N/A zombie
(3) FGHA000999185129_CID 0MB 0MB active.
In the example above there are two "zombie" log stores for the former standalone devices. The logs are kept there until they are moved manually. Run the following commands to move them into the cluster store:
# execute log device logstore move FGVM0100000yyyyy FGHA000999185129_CID
# execute log device logstore move FGVM0100000xxxxx FGHA000999185129_CID
The log stores are now moved to the HA Cluster store:
# execute log device logstore list
Device ID logfiles archive files status
==================================================================
(1) FGHA000999185129_CID 0MB 0MB active.
The former standalone FortiGate device that remains in the ADOM after the migration can now be deleted.
As the last step, rebuild the SQL database in the proper ADOM:
# execute sql-local rebuild-adom lab
Notes
1) Review the device list and the log store list before making any changes, so that both the initial status and the status after the change are known.
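As an added example (not Fortinet's code), the following Python helper plans the migration above from captured CLI output: it parses `diagnose dvm device list` and `execute log device logstore list` in the formats shown in this article, checks that every zombie store belongs to a registered HA cluster member before it is merged, and returns the `logstore move` and `sql-local rebuild-adom` commands to run. It assumes one HA cluster per ADOM, so that the single active store whose ID starts with FGHA is the target; the sample output is constructed from the article's listings.

```python
import re
# Constructed sample output, trimmed copies of the article's two listings.
DVM_OUTPUT = """\
TYPE OID SN HA IP NAME ADOM FIRMWARE
faz enabled 413 FGVM0100000yyyyy - 10.108.16.150 FGVMDH-42 lab 5.0 MR2 (727)
|- vdom:[3]root flags:0 adom:lab pkg:[never-installed]
faz enabled 401 FGVM0100000xxxxx a-p 10.108.16.150 lab-ha lab 5.0 MR2 (727)
HA cluster member: FGVM0100000xxxxx (slave 0)
HA cluster member: FGVM0100000yyyyy (slave 1)
"""
LOGSTORE_OUTPUT = """\
Device ID logfiles archive files status
==================================================================
(1) FGVM0100000xxxxx N/A N/A zombie
(2) FGVM0100000yyyyy N/A N/A zombie
(3) FGHA000999185129_CID 0MB 0MB active.
"""

def parse_ha_members(dvm_text):
    """Map each HA cluster member SN to its ADOM, from `diagnose dvm device list` output."""
    members, adom = {}, None
    for line in dvm_text.splitlines():
        f = line.split()
        if f[:2] == ["faz", "enabled"] and len(f) > 7:
            adom = f[7] if f[4] != "-" else None  # f[4] is the HA column ('-' = standalone)
        elif line.startswith("HA cluster member:") and adom:
            members[f[3]] = adom  # member lines follow their cluster's device line
    return members

def parse_logstores(text):
    """Map store ID to status ('active'/'zombie') from `execute log device logstore list`."""
    rows = re.findall(r"^\(\d+\)\s+(\S+)\s+\S+\s+\S+\s+(\w+)", text, re.M)
    return dict(rows)

def plan_migration(dvm_text, logstore_text):
    """Return the move and rebuild commands; refuse zombie stores that are not cluster members."""
    members, stores = parse_ha_members(dvm_text), parse_logstores(logstore_text)
    # Assumption: one cluster per ADOM, so the single active FGHA*_CID store is the target.
    targets = [s for s, st in stores.items() if s.startswith("FGHA") and st == "active"]
    if len(targets) != 1:
        raise ValueError(f"expected exactly one active cluster store, found {targets}")
    cmds, adoms = [], set()
    for store, status in stores.items():
        if status == "zombie":
            if store not in members:  # a zombie from an unrelated device must not be merged
                raise ValueError(f"{store} is not an HA cluster member; not moving it")
            cmds.append(f"execute log device logstore move {store} {targets[0]}")
            adoms.add(members[store])
    return cmds + [f"execute sql-local rebuild-adom {a}" for a in sorted(adoms)]
```

Run `plan_migration` on the two listings captured before the move and compare its output with the commands in the procedure; a zombie store that is not a member of the cluster is reported instead of being merged.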
Related Articles