mdeparisse_FTNT
Article Id 196888

Description


This article describes how to migrate logs and the configuration from one FortiAnalyzer to another. This is useful when replacing a FortiAnalyzer unit, upgrading the platform, or replacing hardware through RMA.

 

Scope

 

Any supported version of FortiAnalyzer.

Solution

 

Note:
This is a guide on how to migrate from one FortiAnalyzer to another FortiAnalyzer of the same type or model. To transfer the config to a different hardware or VM type, use the exe migrate all-settings CLI command or contact customer support.
When migrating VM FortiAnalyzer data, two valid VM licensed instances are needed. (Alternatively, the same VM license can be used within the 24-hour grace period before duplicate license detection takes effect.)
Regardless of destination, the destination FortiAnalyzer must have at least the same ADOM quota allocated as the source FortiAnalyzer (the 'diag log device' CLI command can be used for verification).


1. FortiAnalyzer replacement

Note:
This article focuses only on operational FortiAnalyzer units that need to be migrated due to a platform upgrade or other reasons.
If the FortiAnalyzer replacement is linked to hardware issues, the system configuration and logs should have been backed up before the issue arose. Setting up an automatic backup is recommended for each FortiAnalyzer unit, but that topic is beyond the scope of this article.

FortiAnalyzer hardware replacement must be done using the same kind of hardware and software. The first step is to prepare the new FortiAnalyzer with the same configuration as the old one by performing a config backup and restore process.

If the user needs to perform a hardware migration, this section may be skipped. Relevant information on exporting devices can be found in the following article:
Log data migration from an old FortiAnalyzer to a new FortiAnalyzer - FortiAnalyzer Cookbook.

2. Config backup and restore process

Go to System Settings -> System Configuration -> Backup.

 
Disable the Encryption option before taking the backup.

Using the CLI:
This example shows how to back up all FortiAnalyzer unit system settings to a file named faz.dat on a server at IP address 10.5.50.40, using the ftpuser username and a password of 12345678:

 

exe backup all-settings ftp 10.5.50.40 /ftpbackup/allsetting/faz.dat ftpuser 12345678

 

Validate the config integrity:

Rename the config file from *.dat to *.tgz.

Check that the archive can be decompressed without error.

Rename the file back to *.dat and install it on the new FortiAnalyzer.
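The decompression check above, scripted as an added example (not from the Fortinet article): it performs the rename-and-test step and records a SHA-256 so the copy placed on the new unit can be compared with the original. It assumes the backup was taken with Encryption disabled, so the .dat file is a plain gzip-compressed tar archive; all file names and contents are constructed.

```shell
#!/bin/sh
# Added example (not part of the Fortinet article): verify the integrity of
# an "exe backup all-settings" file before restoring it on the new unit.
# Assumption: the backup was taken with Encryption disabled, so the .dat
# file is a plain gzip-compressed tar archive. All paths are constructed.

# check_faz_backup <file.dat>: returns 0 for a readable gzip tarball,
# 1 otherwise (missing, truncated by a bad FTP transfer, or not a tarball).
check_faz_backup() {
    dat="$1"
    tgz="${dat%.dat}.tgz"
    [ -s "$dat" ] || { echo "missing or empty: $dat" >&2; return 1; }
    cp "$dat" "$tgz"
    # gzip layer: catches truncation or corruption of the transferred file
    if ! gzip -t "$tgz" 2>/dev/null; then
        echo "gzip check failed: $dat" >&2; rm -f "$tgz"; return 1
    fi
    # tar layer: list members only, nothing is extracted
    if ! tar -tzf "$tgz" >/dev/null 2>&1; then
        echo "not a valid tar archive: $dat" >&2; rm -f "$tgz"; return 1
    fi
    rm -f "$tgz"
    # fingerprint to compare against the copy on the new FortiAnalyzer
    sha256sum "$dat" 2>/dev/null || shasum -a 256 "$dat"
}

# make_sample_backup <file.dat>: builds a small constructed archive with the
# same layout as a real backup (gzip over tar) for trying the check offline.
make_sample_backup() {
    work=$(mktemp -d)
    printf 'hostname=FAZ-OLD\nadom_quota=16\n' > "$work/sysinfo.txt"  # constructed
    tar -czf "$1" -C "$work" sysinfo.txt
    rm -rf "$work"
}
```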


Uncheck the Overwrite current IP and routing settings option to avoid any duplicate IP conflict with the old system.

Once the new FortiAnalyzer is ready to receive logs from the FortiGates, all log senders must be configured to send their logs to the new IP address.

To do this, use the following CLI command on the FortiGate:

 

config log fortianalyzer2 setting

 

Log in to each FortiGate CLI and configure the new FortiAnalyzer.
This can be done with a FortiManager script.
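As an added example (not from the article or a Fortinet script), the full FortiGate-side setting that the command above opens, assuming the new FortiAnalyzer is reachable at the placeholder address 192.0.2.20:

```text
# Added example; 192.0.2.20 is a placeholder for the new FortiAnalyzer IP.
config log fortianalyzer2 setting
    set status enable
    set server "192.0.2.20"
    # acknowledged (reliable) transport, so logs are retransmitted
    # rather than dropped during the cut-over
    set reliable enable
    set upload-option realtime
    # verify the new unit's certificate; leave enabled unless the new
    # FortiAnalyzer still presents an untrusted factory certificate
    set certificate-verification enable
end
```

The same stanza can be pasted into a FortiManager CLI script and pushed to every managed FortiGate; once the migration is complete, the settings can be moved to config log fortianalyzer setting and the second profile disabled.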

Once both FortiAnalyzers are running the same config and receiving logs from all FortiGates, the old archive logs can be transferred to the new server. Multiple methods can be used:

  • Log backup and restore (requires an external storage server, such as an FTP server, for saving archives).
  • Log backup and import (requires an external storage server, such as an FTP server, for saving archives).
  • Log aggregation and log fetching (do NOT require an external storage server for saving archives; aggregation is the preferred choice, but it is only possible if the old and new FortiAnalyzers are both up and running).

 

Log backup from the old FortiAnalyzer
This example shows how to back up all FortiAnalyzer logs to an FTP server with the IP address 10.5.50.40. In this case, the username is ftpuser and the password is 12345678.

 

exe backup logs all ftp 10.5.50.40 ftpuser 12345678 /

To quit the backup process, Press 'Q/q' then <Enter>.

Uploading for device FGT1KC0000000000(FGT1KC0000000000[root])...
  Backup logs: 1/12 file(s).
  Backup logs: 10/12 file(s).
  Backup logs: 12/12 file(s).
Uploading for device FGT1KC0000000000(FGT1KC0000000000[vd1])...
  Backup logs: 1/3 file(s).
  Backup logs: 3/3 file(s).

Uploading for device FortiGate-VM64-KVM(FGVMEVIGJ13JWW8D[root])...
  Backup logs: 1/1 file(s).

Successfully uploaded log file(s) to ftp server 10.5.50.40 under /.

 

Compare the size of the archived logs on the destination FTP server with the usage reported by diag log device on the old FortiAnalyzer to make sure they match.

 

Output:

 

Total usage: 16 ADOMs, logs=1.5GB


To restore log file(s), execute the following command:

 

execute restore logs all ftp 10.5.50.40 <user_name> <password> /


Log restoration

 

Log backup restoration is the recommended method to use if the FortiAnalyzer instance is replaced while the old FortiAnalyzer instance is not reachable.

This example shows how to restore FortiAnalyzer logs from an FTP server using the address and credentials of the previous example:

 

exe restore logs all ftp 10.5.50.40 ftpuser 12345678 /
Note: This command restores all logs from a specified server which
      were backed up prior to changing the RAID level or formatting
      the disks. Executing it frequently is not recommended!

Do you want to continue? (y/n)y


The restore operation will overwrite any logs already on the FortiAnalyzer.
Do you want to continue? (y/n)y

Stopping processes.

Downloading files for device FGT1KC0000000000(FGT1KC0000000000[*])...
  Restore log file: FGT1KC0000000000[root].elog.log.gz
  Restore log file: FGT1KC0000000000[root].tlog.log.gz
  Restore log file: FGT1KC0000000000[root][1529872384].elog.1530700808.log.gz
….
  Restore log file: FGT1KC0000000000[vd1][1529872384].tlog.1530706428.log.gz

Update device FGT1KC0000000000 log files disk usage...
Downloading files for device FortiGate-VM64-KVM(FGVMEVIGJ13JWW8D[*])...
  Restore log file: FGVMEVIGJ13JWW8D[root].elog.log.gz

Update device FGVMEVIGJ13JWW8D log files disk usage...

Restoration completed successfully.

Restarting processes.
Recommend to rebuild log database by 'exec sql-local rebuild-db'.

 

Note: Restoring logs will overwrite existing logs.

Log importing

 

Log importing is used only to import logs for one specific log client. See the example below:

 

exe log import ftp 10.5.50.40 ftpuser 12345678 /FGT1KC0000000000/
Do you want to continue? (y/n)y


Log Import Info: Connect to ftp server 10.5.50.40 ...
Log Import Info: Found 15 .log or .csv files in remote folder : /FGT1KC0000000123 .
Log Import Info: 15 log files found in remote folder, MAX import file setting is 10000, so 15 files will be imported.

Log Import Info: Downloading files from 10.5.50.40 ...###############
Log Import Info: Log file FGT1KC0000000000[root].elog.log.gz was successfully imported to FGT1KC0000000000/root/elog.1530711686.log.
…..
Log Import Info: Log file FGT1KC0000000000[vd1][1529872384].tlog.1530706428.log.gz was successfully imported to FGT1KC0000000000/vd1/tlog.1530706428.log.
Log Import Info: 15 log files are imported.
Log Import Info:
15 files are processed, 0 files remain.


Log fetching example (only available in FortiAnalyzer 5.4 and higher)

 

The fetching function is only available if the old FortiAnalyzer instance is still reachable and operational.

Set up a fetch account on the old FortiAnalyzer:

 

config system admin user
  edit "fetchadmin"
    set password password
    set profileid "Super_User"
    set adom "all_adoms"
  next
end


Configuration of the Fetch request on the new FortiAnalyzer:

[Figure: fetch request configuration on the new FortiAnalyzer]

Accept the fetching request on the old FortiAnalyzer:

[Figure: accepting the fetch request on the old FortiAnalyzer]

One advantage of log fetching is the ability to filter out unwanted logs based on time. However, if multiple ADOMs are present, fetching must be configured for each individually.

Log aggregation

 

Aggregation is only available if the old FortiAnalyzer is still reachable and operational.
Note: Some low-end FortiAnalyzer models, such as the FortiAnalyzer 200D, do not have aggregation available.

Log aggregation in version 5.4:

Client side example (on the old FortiAnalyzer instance):

 

config system aggregation-client
  edit 1
    set mode aggregation
    set agg-user        [admin user for new FortiAnalyzer]
    set agg-password    [password for new FortiAnalyzer]
    set agg-time 1      [log aggregation start time]
    set server-ip       [new FortiAnalyzer IP address]
  next
end

 

Server side (on the new FortiAnalyzer instance):

 

config system admin user
  edit "aggradmin"
    set password password
    set profileid "Super_User"
    set adom "all_adoms"
end
config system aggregation-service
  set accept-aggregation enable
  set aggregation-disk-quota 50000
  set password "fortinet"
end


Log aggregation in version 5.6 and above:

Client side (on the old FortiAnalyzer):

 

config system log-forward
  edit 1
    set mode aggregation
    set agg-user aggradmin
    set agg-password password
    set agg-time 1
    set server-ip           [new FortiAnalyzer IP address]
  next
end

 

Server-side (on the new FortiAnalyzer):

 

config system admin user
  edit "aggradmin"
    set password password
    set profileid "Super_User"
    set adom "all_adoms"
end
config system log-forward-service
  set accept-aggregation enable
end


3. Debugging

If a migration fails, the following outputs will be requested for troubleshooting.

FTP transfer debug

 

The FTP transfer has limited troubleshooting capability; the output of the following CLI commands will be requested, along with the system event log and the FTP event log. Note that the sniffer filter on port 21 captures only the FTP control channel; the data transfer itself uses a separate connection.

 

exe tac report
diag sniffer packet any "host <IP of the FTP server> and port 21" 3 0 a

 

 


Log aggregation debug commands:

 

exe tac report
diagnose debug application log-aggregate 8
diag debug enable
exec log-aggregation
diag sniffer packet any "port 3000" 3 0 a


Log fetching debug commands:

 

exe tac report
diag debug app log-fetch 8
diag debug enable


Launch the fetching and record the output on both the sender and receiver:

 

diag test application log-fetch
diag test application log-fetch 2
diag test application log-fetch 3

 

Related articles:

Technical Note: Backup and restore of FortiAnalyzer settings, logs and reports.

Technical Note: FortiAnalyzer SQL database rebuild start-time.

Technical Tip: FortiAnalyzer SQL database delete and rebuild.

Restarting SQL rebuilds.

Technical Note: Using 'exec migrate' to migrate to a new FortiAnalyzer / FortiManager model.

Technical Tip: How to change the IP Address of the FortiManager/FortiAnalyzer VM License file.

Technical Tip: FortiManager/FortiAnalyzer-VM License Duplication