Article Id 197436

This article describes how to separate FortiGate High Availability clusters in FortiAnalyzer, without losing logs, when one cluster has been added under a different FortiGate HA cluster because both have the same HA group-name in their configurations.



In this example, there are two FortiGate HA clusters (FortiGate-Cluster-A and FortiGate-Cluster-B), each containing one Slave.
Because both have the same HA configuration, they are added in FortiAnalyzer as a single HA cluster.
FortiGate-A and FortiGate-B:

To make FortiGate-Cluster-A appear as a separate unit in FortiAnalyzer:

1) Disable HA auto-grouping from the CLI of the FortiAnalyzer.
# config system global
    set ha-member-auto-grouping disable
end
2) Remove/delete the serial number of FortiGate-Cluster-A.
3) If the removed serial number is still logging to FortiAnalyzer, it should show up under unauthorized devices in the root ADOM.
It can then be added again as a new unit.

Or this FortiGate can be added as a new unit manually.
- Once this unit is added, add the Slave serial number to it. The Slave serial number is automatically removed from FortiGate-Cluster-B.
- Make sure the HA Cluster option is selected.

The two FortiGate clusters now show up individually.
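The merge described above is caused by two clusters sharing one HA group-name, so it can be caught before the devices are registered. The following is an added example, not part of the original article or Fortinet tooling: it scans FortiGate configuration backups for a `set group-name` value used by more than one cluster. The file names and configuration contents are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches: set group-name "NAME"  (quotes optional)
GROUP_NAME = re.compile(r'set group-name\s+"?([^"]+)"?\s*$')

# Constructed sample backups, one per cluster (all values are made up).
SAMPLE_CONFIGS = {
    "cluster-a.conf": 'config system ha\n    set group-name "HA-GROUP"\n'
                      '    set mode a-p\nend\n',
    "cluster-b.conf": 'config system global\n    set hostname "FGT-B"\nend\n'
                      'config system ha\n    set mode a-p\n'
                      '    set group-name "HA-GROUP"\nend\n',
    "branch.conf": 'config system ha\n    config ha-mgmt-interfaces\n'
                   '        edit 1\n            set interface "mgmt"\n'
                   '        next\n    end\n'
                   '    set group-name "BRANCH-HA"\nend\n',
}

def ha_group_name(config_text):
    """Return the group-name set directly under 'config system ha', or None."""
    depth = 0  # 0 = outside the HA block, 1 = inside it, >1 = nested table
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == "config system ha":
                depth = 1
            continue
        if line.startswith("config "):
            depth += 1              # nested block such as ha-mgmt-interfaces
        elif line == "end":
            depth -= 1
            if depth == 0:
                return None         # HA block closed without a group-name
        elif depth == 1:
            match = GROUP_NAME.match(line)
            if match:
                return match.group(1)
    return None

def colliding_group_names(configs):
    """Map each group-name used by more than one backup to those backups."""
    by_name = defaultdict(list)
    for filename, text in configs.items():
        name = ha_group_name(text)
        if name is not None:
            by_name[name].append(filename)
    return {n: sorted(f) for n, f in by_name.items() if len(f) > 1}

if __name__ == "__main__":
    for name, files in colliding_group_names(SAMPLE_CONFIGS).items():
        print(f"group-name {name!r} is shared by: {', '.join(files)}")
```

Any group-name reported here belongs to clusters that FortiAnalyzer would combine into a single HA cluster while auto-grouping is enabled.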