Technical Tip: How to filter FortiAnalyzer-BigData logs for export

tsimeonov_FTNT · ‎04-17-2024

Description

This article describes how to use the 'filter' option in fazbd-log-export init.
This article serves as an extension of the knowledge explained in the CLI Reference guide.

Scope

FortiAnalyzer-BigData, CLI, controller.

Solution

The 'filter' option is only available through .json and not available in interactive mode.
As a result, it is necessary to pass initialization session configuration from a file.

For example:

Using vi, create a session configuration file:

vi filter.json

Type or copy/paste session parameters and include the filter option:

{"adom": "root",

"start_date": "2024-04-07",

"end_date": "2024-04-09",

"log_type": "traffic",

"device_ids": ["FGTXXXXXXXXXXXXX"],

"filter": "user='ceco2024'",

"format": "csv"}

Note the parameter filter is included and set to filter for the user ceco2024.

Start initialization and pass the configuration file:

fazbd-log-export init -f filter.json

Successful configuration initialization should have lines like the following:

✔ validate input
✔ validate table existence
✔ validate the filter
✔ validate device_ids
✔ estimate the size
WARN: The estimated size of the export is *.**GB. Please ensure the cluster has free space available. Do you want to continue? [Y]es/[N]o/[C]ancel : Y
✔ acquire the session
✔ persist the task
✔ create temp table
log export session created. Session ID: xxxxxxxxxxxxxxxxxxxxxxx

To start the session, run the following:

fazbd-log-export start xxxxxxxxxxxxxxxxxxxxxxx

To check status:

fazbd-log-export status xxxxxxxxxxxxxxxxxxxxxxx

And/or to send to the SCP server:

fazbd-log-export push xxxxxxxxxxxxxxxxxxxxxxx

To close the session:

fazbd-log-export close xxxxxxxxxxxxxxxxxxxxxxx

Technical Tip: How to filter FortiAnalyzer-BigData logs for export

You are leaving our website