FortiAnalyzer
ESCHAN_FTNT
Staff

Description


This article describes why a VDOM must be deleted from FortiAnalyzer using the CLI rather than the GUI.

Solution

 

A VDOM cannot be deleted completely just by deleting it from the FortiAnalyzer GUI.
 
1) Delete VDOM 'test' from the FortiGate.
# conf vdom

(vdom)delete test

(vdom)end   

 
2) Delete VDOM "test" from the FortiAnalyzer GUI.
 
The VDOM is deleted.

# exec log device vdom list 1500D

Device name:1500D.

|-------id:0, name:root  (*** can not be deleted ***)

|-------id:1, name:tester1

|-------id:2, name:tester2

|-------id:3, name:vdom_lag                <----- 'test' is gone.

 
But the VDOM reappears minutes later. 
This is as designed because the underlying logs still exist.
# exec log device vdom list 1500D

Device name:1500D.

|-------id:0, name:root  (*** can not be deleted ***)

|-------id:1, name:tester1

|-------id:2, name:tester2

|-------id:3, name:vdom_lag

|-------id:4, name:test                     <----- Reappeared.

 
 
Solution: Delete the VDOM from the CLI.

Deleting the VDOM from the CLI (starting in FortiAnalyzer 5.4.3 & 5.6.0) will also delete the log files associated with that VDOM.

Execute the command below to delete the log files uploaded from VDOM 'test'.

# exec log device vdom delete 1500D test                    <----- '1500D' is the unit name and 'test' is the VDOM name.

This command will delete Vdom:'test' and its log files from device '1500D'.

Do you want to continue? (y/n)y

Vdom:'test' and its log files were deleted from unit 'FG1K5D3I15-----3' successfully.

 

Result: VDOM "test" does not reappear.

 

Starting with firmware 6.0.5, VDOM deletion is also supported from the GUI.
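To confirm that a deletion actually held, the two listings can be compared with a script. The following is an added example, not part of the original article or of any Fortinet tooling: it parses captured 'exec log device vdom list' output in the format shown above, and the function names and status strings are assumptions chosen for illustration.

```python
import re

# One row of "exec log device vdom list <device>" output, e.g.
# "|-------id:4, name:test". Trailing notes after the name are ignored.
ROW = re.compile(r"^\|-+id:(\d+),\s*name:(\S+)")

# Listings as shown in the article for device 1500D.
AFTER_GUI_DELETE = """\
Device name:1500D.
|-------id:0, name:root  (*** can not be deleted ***)
|-------id:1, name:tester1
|-------id:2, name:tester2
|-------id:3, name:vdom_lag
"""
MINUTES_LATER = AFTER_GUI_DELETE + "|-------id:4, name:test\n"


def parse_vdom_list(output):
    """Return {vdom_name: id} for every VDOM row in the listing."""
    vdoms = {}
    for line in output.splitlines():
        match = ROW.match(line.strip())
        if match:
            vdoms[match.group(2)] = int(match.group(1))
    return vdoms


def deletion_status(vdom, first_listing, later_listing):
    """Classify a deletion from a listing taken right after it and one taken later."""
    first = parse_vdom_list(first_listing)
    later = parse_vdom_list(later_listing)
    if vdom in first:
        return "not deleted"
    if vdom in later:
        return "reappeared"  # logs still on disk: use the CLI delete
    return "deleted"


if __name__ == "__main__":
    # GUI-only deletion: the VDOM comes back because its logs remain.
    print(deletion_status("test", AFTER_GUI_DELETE, MINUTES_LATER))
    # CLI deletion: the later listing no longer contains the VDOM.
    print(deletion_status("test", AFTER_GUI_DELETE, AFTER_GUI_DELETE))
```

Capture the listing once right after the deletion and again some minutes later; a "reappeared" result means the VDOM's logs are still stored on the FortiAnalyzer.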