FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
mdeparisse_FTNT
Article Id 196888

Description


This article describes how to migrate logs and the configuration from one FortiAnalyzer to another. This is useful for replacing FortiAnalyzer or FortiAnalyzer platform upgrade or replacement (RMA).

 

Scope

 

Any supported version of FortiAnalyzer.

Solution

 

Note:
This is a guide on how to migrate from FortiAnalyzer to another FortiAnalyzer of the same type or model. To transfer the config to a different HW or VM type, use the exe migrate all-settings CLI command or contact customer support.
When migrating VM FortiAnalyzer data, two valid VM-licensed instances are needed. (Alternatively, use the same VM license within the 24-hour grace period duplicate license detection period).
Regardless of the destination, the destination FortiAnalyzer must have at least the same ADOM quota allocated as the source FortiAnalyzer (the 'diag log device' CLI command can be used for verification).

 

  1. FortiAnalyzer replacement.

    Note:
    This article focuses only on operational FortiAnalyzer units that need to be migrated due to a platform upgrade or other reasons.
    If the FortiAnalyzer replacement is linked to hardware issues, backing up of the system configuration and logs should be done before the issue arises. Setting up an automatic backup is recommended for each FortiAnalyzer unit, but that topic is beyond the scope of this article.

    FortiAnalyzer hardware replacement must be done using the same kind of hardware and software. The first step is to prepare the new FortiAnalyzer with the same configuration as the old one by performing a config backup and restore process.

    If the user
    needs to perform a hardware migration, this section may be skipped. Relevant information can be found in the following article for exporting devices:
    Log data migration from an old FortiAnalyzer to a new FortiAnalyzer - FortiAnalyzer Cookbook.

  2. Config backup and restore process.

    Go to System Settings -> System Configuration -> Backup.

 
Disable the Encryption option as follows:

 


 

Using the CLI:
This example shows how to back up allFortiAnalyzer unit system settings to a file named faz.cfg on a server at IP address 10.5.50.40 using the ftpuser username and a password of 12345678:

 

exe backup all-settings ftp 10.5.50.40 /ftpbackup/allsetting/faz.dat ftpuser 12345678

 

Validate the config integrity:

Modify the config file extension format from *.dat to *.tgz:

 
Check whether the file can be decompressed without issue.


Install the config file on a new FortiAnalyzer after renaming it back to *.dat format. 


Uncheck the Overwite current IP and routing settings option to avoid any duplicate IP conflict with the old system.

Once the new FortiAnalyzer is ready to receive the logs from the FortiGate, all the senders need to be configured so that the new IP address is used to receive logs.


To do this, use the following CLI command:

 

config log fortianalyzer2

 

Log in to each FortiGate CLI and configure the new FortiAnalyzer.
This can be done with a FortiManager script.

Once both FortiAnalyzers are running the same config and receive logs from all FortiGates, the old archive logs can be transferred to the new server. Multiple methods can be used:

  • Log backup and restore (Requires an external storage server, such as an FTP server, for saving archives).
  • Log Backup and import. (Requires an external storage server, such as an FTP server, for saving archives).
  • Log aggregation and log fetching. (DOES NOT require an external storage server such as an FTP server for saving archives: aggregation is the preferred choice, but it is only possible if the old FortiAnalyzer and new FortiAnalyzer are both up and running).

 

Log Backup from the old FortiAnalyzer.
This example shows how to back up all FortiAnalyzer logs to an FTP server with the IP address 10.5.50.40. In this case, the username is ftpuser and the password is 12345678.

 

exe backup logs all ftp 10.5.50.40 ftpuser 12345678 /

 

To quit the backup process, Press 'Q/q' then <Enter>.

 

Uploading for device FGT1KC0000000000(FGT1KC0000000000[root])...
  Backup logs: 1/12 file(s).
  Backup logs: 10/12 file(s).
  Backup logs: 12/12 file(s).
Uploading for device FGT1KC0000000000(FGT1KC0000000000[vd1])...
  Backup logs: 1/3 file(s).
  Backup logs: 3/3 file(s).

Uploading for device FortiGate-VM64-KVM(FGVMEVIGJ13JWW8D[root])...
  Backup logs: 1/1 file(s).

Successfully uploaded log file(s) to ftp server 10.5.50.40 under /.

 

The size of the archive log on the destination FTP server can be checked witha diag log device to make sure it matches the size of the old one.

 

Output:

 

Total usage: 16 ADOMs, logs=1.5GB


To restore log file(s), execute the following command:

 

execute restore logs all ftp 10.5.50.40 <user_name> <password> /


Log restoration.

 

Log backup restoration is the recommended method to use if the FortiAnalyzer instance is replaced while the old FortiAnalyzer instance is not reachable.

This example shows how to restore FortiAnalyzer logs from an FTP server using the address and credentials of the previous example:

 

exe restore logs all ftp 10.5.50.40 ftpuser 12345678 /
Note: This command restores all logs from a specified server which
      were backed up prior to changing the RAID level or formatting
      the disks. Executing it frequently is not recommended!

Do you want to continue? (y/n)y


The restore operation will overwrite any logs already on the FortiAnalyzer.
Do you want to continue? (y/n)y

Stopping processes.

Downloading files for device FGT1KC0000000000(FGT1KC0000000000[*])...
  Restore log file: FGT1KC0000000000[root].elog.log.gz
  Restore log file: FGT1KC0000000000[root].tlog.log.gz
  Restore log file: FGT1KC0000000000[root][1529872384].elog.1530700808.log.gz
….
  Restore log file: FGT1KC0000000000[vd1][1529872384].tlog.1530706428.log.gz

Update device FGT1KC0000000000 log files disk usage...
Downloading files for device FortiGate-VM64-KVM(FGVMEVIGJ13JWW8D[*])...
  Restore log file: FGVMEVIGJ13JWW8D[root].elog.log.gz

Update device FGVMEVIGJ13JWW8D log files disk usage...

Restoration completed successfully.

Restarting processes.
Recommend to rebuild log database by 'exec sql-local rebuild-db'.

 

Note: Restoring logs will overwrite existing logs.

Log importing.

 

Log importing is used only to import logs for one specific log client. See the example below:

 

exe log import ftp 10.5.50.40 ftpuser 12345678 /FGT1KC0000000000/
Do you want to continue? (y/n)y


Log Import Info: Connect to ftp server 10.5.50.40 ...
Log Import Info: Found 15 .log or .csv files in remote folder : /FGT1KC0000000123 .
Log Import Info: 15 log files found in remote folder, MAX import file setting is 10000, so 15 files will be imported.

Log Import Info: Downloading files from 10.5.50.40 ...###############
Log Import Info: Log file FGT1KC0000000000[root].elog.log.gz was successfully imported to FGT1KC0000000000/root/elog.1530711686.log.
…..
Log Import Info: Log file FGT1KC0000000000[vd1][1529872384].tlog.1530706428.log.gz was successfully imported to FGT1KC0000000000/vd1/tlog.1530706428.log.
Log Import Info: 15 log files are imported.
Log Import Info:
15 files are processed, 0 files remain.


Log fetching example (only available in FortiAnalyzer 5.4 and higher).

 

The fetching function is only available if the old FortiAnalyzer instance is still reachable and operational.

Set up a fetch_account on the old FAZ:

 

config system admin user

edit "fetchadmin"

set password password

set profileid "Super_User

set adom "all_adoms"


Configuration of the Fetch request on the new FortiAnalyzer:

 

 

 


Accept the fetching request on the old FortiAnalyzer:

 


One advantage of log fetching is the ability to filter out unwanted logs based on time. However, if multiple ADOMs are present, fetching must be configured for each individual.

Log aggregation.

 

Aggregation is only available if the old FortiAnalyzer is still reachable and operational.
Note: Some low-end FortiAnalyzer models may not be able to act as aggregation servers.


Client side (on the old FortiAnalyzer):

 

config system log-forward
  edit 1
    set mode aggregation
    set agg-user aggradmin
    set agg-password password
    set agg-time 1
    set server-ip           [new FortiAnalyzer IP address].
  next
end

 

Server-side (on the new FortiAnalyzer):

 

config system admin user
  edit "aggradmin"
    set password password
    set profileid "Super_User"
    set adom "all_adoms"
end
config system log-forward-service
  set accept-aggregation enable
end

 

  1. Debugging.

If a migration failure occurs, the following config will be requested for troubleshooting.

FTP transfer debug.

 

The FTP transfer has limited troubleshooting capability. However, the output of the following CLI commands will be requested as well as the system event log and the FTP event log:

 

Exe tac report
Diag sniffer packet any “host <Ip of the FTP server> and port 21” 3 0 a

 

 


Log aggregation debug commands:

 

exe tac report
diagnose debug application log-aggregate 8
diag debug enable
exec log-aggregation
diag sniffer packet any ”port 3000” 3 0 a


Log fetching debug commands:

 

Exe tac report
diag debug app log-fecth 8
diag debug enable


Launch the fetching and record the output on both the sender and receiver:

 

diag test application log-fetch
diag test application log-fecth 2
diag test application log-fecth 3

 

Related articles:

Technical Note: Backup and restore of FortiAnalyzer settings, logs and reports.

Technical Note: FortiAnalyzer SQL database rebuild start-time.

Technical Tip: FortiAnalyzer SQL database delete and rebuild.

Restarting SQL rebuilds.

Technical Note: Using 'exec migrate' to migrate to a new FortiAnalyzer / FortiManager model.

Technical Tip: How to change the IP Address of the FortiManager/FortiAnalyzer VM License file.

Technical Tip: FortiManager/FortiAnalyzer-VM License Duplication