tsimeonov_FTNT
Article Id 308987
Description This article describes how to use the 'filter' option in fazbd-log-export init.
This article serves as an extension of the knowledge explained in the CLI Reference guide.
Scope FortiAnalyzer-BigData, CLI, controller.
Solution

The 'filter' option is only available through a .json configuration file; it is not offered in interactive mode.
As a result, the initialization session configuration must be passed to 'fazbd-log-export init' from a file.

For example:

1. Using vi, create a session configuration file:

vi filter.json

2. Type or copy/paste the session parameters and include the filter option:

{"adom": "root",
"start_date": "2024-04-07",
"end_date": "2024-04-09",
"log_type": "traffic",
"device_ids": ["FGTXXXXXXXXXXXXX"],
"filter": "user='ceco2024'",
"format": "csv"}

Note that the parameter 'filter' is included and set to keep only the logs of the user ceco2024.

3. Start the initialization and pass the configuration file:

fazbd-log-export init -f filter.json

A successful configuration initialization prints lines like the following:

✔ validate input
✔ validate table existence
✔ validate the filter
✔ validate device_ids
✔ estimate the size
WARN: The estimated size of the export is *.**GB. Please ensure the cluster has free space available. Do you want to continue? [Y]es/[N]o/[C]ancel : Y
✔ acquire the session
✔ persist the task
✔ create temp table
log export session created. Session ID: xxxxxxxxxxxxxxxxxxxxxxx

4. To start the session, run the following:

fazbd-log-export start xxxxxxxxxxxxxxxxxxxxxxx

 

To check the status of the session:

fazbd-log-export status xxxxxxxxxxxxxxxxxxxxxxx

To send the export to the SCP server:

fazbd-log-export push xxxxxxxxxxxxxxxxxxxxxxx

To close the session:

fazbd-log-export close xxxxxxxxxxxxxxxxxxxxxxx
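The steps above are usually typed by hand. The following POSIX shell script is an added example, not part of this article or of the fazbd-log-export tool: it writes the session configuration file from parameters (checking the date format and order before the file reaches the controller, and escaping the filter so the file stays valid JSON), parses the session ID out of the 'init' output, and chains the init/start/status/push/close subcommands shown above. It assumes only printf, sed and tr are available on the controller shell; the device ID is the article's placeholder, and the init output it parses is a constructed sample (the session ID in it is made up).

```shell
#!/bin/sh
# Added example for the fazbd-log-export filter workflow; not Fortinet code.
# Only the subcommands shown in the article (init -f, start, status, push, close)
# are used. Device ID and init output below are placeholders/constructed samples.

# write_session_config FILE ADOM START_DATE END_DATE LOG_TYPE DEVICE_ID FILTER FORMAT
# Writes the JSON session configuration that 'fazbd-log-export init -f' reads.
write_session_config() {
    file=$1 adom=$2 start=$3 end=$4 log_type=$5 device=$6 filter=$7 fmt=$8
    for d in "$start" "$end"; do
        case $d in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
            *) echo "write_session_config: date must be YYYY-MM-DD, got '$d'" >&2; return 1 ;;
        esac
    done
    # Compare the dates as YYYYMMDD integers so start_date cannot follow end_date.
    if [ "$(printf '%s' "$start" | tr -d -)" -gt "$(printf '%s' "$end" | tr -d -)" ]; then
        echo "write_session_config: start_date $start is after end_date $end" >&2
        return 1
    fi
    # The filter is a log-field expression such as user='ceco2024'. Single quotes are
    # legal inside a JSON string; backslashes and double quotes are escaped so the
    # file remains valid JSON whatever the expression contains.
    esc_filter=$(printf '%s' "$filter" | sed 's/[\\"]/\\&/g')
    printf '{"adom": "%s",\n"start_date": "%s",\n"end_date": "%s",\n"log_type": "%s",\n"device_ids": ["%s"],\n"filter": "%s",\n"format": "%s"}\n' \
        "$adom" "$start" "$end" "$log_type" "$device" "$esc_filter" "$fmt" > "$file"
}

# extract_session_id INIT_OUTPUT
# Prints the ID from the 'log export session created. Session ID: ...' line,
# or nothing if that line is absent (init failed or was cancelled).
extract_session_id() {
    printf '%s\n' "$1" |
        sed -n 's/^log export session created\. Session ID: \([^[:space:]]*\).*/\1/p' |
        tail -n 1
}

# Constructed sample of what 'fazbd-log-export init -f filter.json' prints,
# modelled on the article; the session ID value is invented for this example.
SAMPLE_INIT_OUTPUT='✔ validate input
✔ validate table existence
✔ validate the filter
✔ validate device_ids
✔ estimate the size
WARN: The estimated size of the export is *.**GB. Please ensure the cluster has free space available. Do you want to continue? [Y]es/[N]o/[C]ancel : Y
✔ acquire the session
✔ persist the task
✔ create temp table
log export session created. Session ID: 0123456789abcdef0123456'

# run_filtered_export CONFIG_FILE
# The full sequence from the article: init, start, status, push to the SCP
# server, close. Only meaningful on the FortiAnalyzer-BigData controller.
run_filtered_export() {
    cfg=$1
    log=$(mktemp) || return 1
    # init asks for confirmation of the estimated export size; tee keeps that
    # prompt visible on the terminal while saving the output for the ID lookup.
    fazbd-log-export init -f "$cfg" | tee "$log"
    sid=$(extract_session_id "$(cat "$log")")
    rm -f "$log"
    if [ -z "$sid" ]; then
        echo "run_filtered_export: no session ID in init output" >&2
        return 1
    fi
    fazbd-log-export start "$sid" &&
        fazbd-log-export status "$sid" &&
        fazbd-log-export push "$sid" &&
        fazbd-log-export close "$sid"
}

# Stand-alone demonstration: write the article's configuration to a temporary
# file and parse the session ID out of the constructed init output.
demo_cfg=$(mktemp)
write_session_config "$demo_cfg" root 2024-04-07 2024-04-09 traffic FGTXXXXXXXXXXXXX "user='ceco2024'" csv
cat "$demo_cfg"
echo "session id: $(extract_session_id "$SAMPLE_INIT_OUTPUT")"
rm -f "$demo_cfg"
```

On the controller, `run_filtered_export filter.json` performs the whole sequence; the size-confirmation prompt from 'init' is still answered interactively, which is why the wrapper streams the output through tee instead of capturing it silently.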