FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
rameshk_FTNT
Staff
Staff

Purpose

This article describes how to backup and restore FortiAnalyzer settings, logs and reports.


Expectations, Requirements

Periodic backup allows recovery in the event of a unit failure, unit replacement or maintenance such as disk formatting, RAID rebuilding or resetting configuration to the factory default.

 

In a planned (non-emergency) replacement or upgrade of a FortiAnalyzer, log aggregation (also known as log forwarding) from an old to new unit is an alternative to using log restore.

 

 

Configuration

A. Backing up Logs, Reports and Settings (Configuration)

To back up both logs and associated DLP archive files:

 

     execute backup logs <device name(s)| all> <ftp/sftp/scp> <ip> <user name> <password> <directory>

To back up logs only:

     execute backup logs-only <device name(s)| all> <ftp/sftp/scp> <ip> <user name> <password> <directory>

 

To Backup Reports:

execute backup reports <report name or all> <ftp/sftp/scp> <ip> <user name> <password> <directory>

To Backup the FortiAnalyzer Unit Settings to an FTP, SFTP, or SCP server:

 

When you back up the unit settings from the vdom_admin account, the backup file contains global settings and the settings for each VDOM. When you backup the unit settings from a regular administrator account, the backup file contains the global settings and only the settings for the VDOM to which the administrator belongs to.

 

execute backup all-settings {ftp | sftp} <ip> <string> <username> <password> <crptpasswd>
execute backup all-settings <scp> <ip> <string> <username> <ssh-cert> <crptpasswd>

 

B. Restoring Logs, Reports and Settings (Configuration)

If you want to restore FortiAnalyzer settings, it is recommended to do this before restoring logs. This is to ensure that the quotas/log retention policy are properly set prior to the logs being restored.

 

To Restore FortiAnalyzer Unit Settings:

execute restore all-settings {ftp | sftp} <ip> <string> <username> <password> <crptpasswd>
execute restore all-settings <scp> <ip> <string> <username> <ssh-cert> <crptpasswd>
 
Icon-Light-Bulb.png

Restoring logs and reports will erase and replace all pre-existing logs and reports with the restored ones. For this reason, new logs should not be sent to the FortiAnalyzer until after the log restoral is complete.

 

 

 

To Restore All Logs:

execute restore logs-only <device name(s)| all> <ftp/sftp/scp> <ip> <user name> <password> <directory>

Icon-Light-Bulb.png 1. Database rebuild is required and will occur automatically after restoring logs. See attached article on checking the rebuild status. Until the rebuild is complete, FortiAnalyzer features relying upon the SQL database, such as reporting and log search, will be unavailable.

2. When restoring logs related to a FortiGate HA Cluster, the cluster ID on the FortiAnalyzer must match the cluster ID at the time the logs were backed up.

 

To Restore Reports:

execute restore reports <report name or all> <ftp/sftp/scp> <ip> <user name> <password> <directory>  

 

Related Articles

Technical Note: How to check SQL Database rebuild progress on FortiAnalyzer

Technical Note: Forwarding logs between FortiAnalyzers