Article Id: 308987
Description: This article describes how to use the 'filter' option in fazbd-log-export init. It serves as an extension of the information in the CLI Reference guide.
Scope: FortiAnalyzer-BigData, CLI, controller.

The 'filter' option is only available when the session configuration is supplied as a .json file; it cannot be set in interactive mode.
As a result, the initialization session configuration must be passed from a file.

For example:

1. Using vi, create a session configuration file:

vi filter.json

2. Type or copy/paste the session parameters, including the filter option:


{"adom": "root",

"start_date": "2024-04-07",

"end_date": "2024-04-09",

"log_type": "traffic",

"device_ids": ["FGTXXXXXXXXXXXXX"],

"filter": "user='ceco2024'",

"format": "csv"}

Note that the 'filter' parameter is included and set to export only logs for the user ceco2024.


  1. Start initialization and pass the configuration file:

fazbd-log-export init -f filter.json


A successful configuration initialization produces output like the following:


✔ validate input
✔ validate table existence
✔ validate the filter
✔ validate device_ids
✔ estimate the size
WARN: The estimated size of the export is *.**GB. Please ensure the cluster has free space available. Do you want to continue? [Y]es/[N]o/[C]ancel : Y
✔ acquire the session
✔ persist the task
✔ create temp table
log export session created. Session ID: xxxxxxxxxxxxxxxxxxxxxxx



  1. To start the session, run the following:


fazbd-log-export start xxxxxxxxxxxxxxxxxxxxxxx


To check status:


fazbd-log-export status xxxxxxxxxxxxxxxxxxxxxxx


To push the exported data to the SCP server:


fazbd-log-export push xxxxxxxxxxxxxxxxxxxxxxx

To close the session:


fazbd-log-export close xxxxxxxxxxxxxxxxxxxxxxx
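The following Python helper is an added example and is not Fortinet's code. It writes a session configuration file of the shape shown above, keeps the filter value to a conservative character set so that a stray quote cannot change the meaning of the filter expression (the exact quoting rules of the fazbd filter syntax are not documented in this article, so the allowed alphabet is an assumption), checks the date range and device list before the file is written, and extracts the Session ID from the output of 'fazbd-log-export init' so a script can hand it to the start, status, push and close commands. The file name filter.json and the sample values are taken from the article; the init output used for testing is constructed from the lines shown above.

```python
import json
import re
from datetime import date

# Assumption: a filter value is restricted to this alphabet so it can be
# embedded in the field='value' expression without any quoting concerns.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.@-]+$")
_FIELD_NAME = re.compile(r"^[a-z][a-z0-9_]*$")


def is_safe_filter_value(value):
    """True if the value contains only characters from the conservative alphabet."""
    return bool(_SAFE_VALUE.match(value))


def build_filter(field, value):
    """Return a field='value' expression like the "user='ceco2024'" example."""
    if not _FIELD_NAME.match(field):
        raise ValueError(f"unexpected filter field name: {field!r}")
    if not is_safe_filter_value(value):
        raise ValueError(f"refusing to embed filter value: {value!r}")
    return f"{field}='{value}'"


def build_session_config(adom, start_date, end_date, log_type,
                         device_ids, filter_expr, fmt="csv"):
    """Build the dictionary that fazbd-log-export init -f expects as JSON."""
    start = date.fromisoformat(start_date)   # raises on malformed dates
    end = date.fromisoformat(end_date)
    if end < start:
        raise ValueError("end_date precedes start_date")
    if not device_ids:
        raise ValueError("device_ids must contain at least one device")
    return {
        "adom": adom,
        "start_date": start_date,
        "end_date": end_date,
        "log_type": log_type,
        "device_ids": list(device_ids),
        "filter": filter_expr,
        "format": fmt,
    }


def write_session_config(path, config):
    """Serialize the config as valid JSON (one key per line, as in the article)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(config, fh, indent=2)
        fh.write("\n")


# The init command ends with "log export session created. Session ID: <id>".
_SESSION_LINE = re.compile(r"Session ID:\s*(\S+)\s*$", re.MULTILINE)


def session_id_from_init_output(output):
    """Return the Session ID printed by 'fazbd-log-export init', or raise."""
    match = _SESSION_LINE.search(output)
    if match is None:
        raise ValueError("no 'Session ID:' line found; init did not complete")
    return match.group(1)


# Constructed sample of the init output shown in the article (not captured
# from a real system).
SAMPLE_INIT_OUTPUT = (
    "\u2714 acquire the session\n"
    "\u2714 persist the task\n"
    "\u2714 create temp table\n"
    "log export session created. Session ID: xxxxxxxxxxxxxxxxxxxxxxx\n"
)


if __name__ == "__main__":
    config = build_session_config(
        adom="root",
        start_date="2024-04-07",
        end_date="2024-04-09",
        log_type="traffic",
        device_ids=["FGTXXXXXXXXXXXXX"],   # placeholder device ID from the article
        filter_expr=build_filter("user", "ceco2024"),
    )
    write_session_config("filter.json", config)
    # Afterwards: fazbd-log-export init -f filter.json, then parse its output
    print(session_id_from_init_output(SAMPLE_INIT_OUTPUT))
```

Run the script on the controller, then feed the printed Session ID to the start, status, push and close commands from the steps above; because the config is produced by json.dump, the one-key-per-line layout and quoting are always valid regardless of the values supplied.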