mdeparisse_FTNT

Description


This article explains how to migrate logs and configuration from one FortiAnalyzer to another, for example when a unit is replaced or its platform is upgraded.

Note:
This guide covers migration between FortiAnalyzer units of the same type or model. To transfer the configuration to a different hardware or VM type, use the 'exe migrate all-settings' CLI command or contact Customer Support.
For a FortiAnalyzer VM migration, two valid VM-licensed instances are needed (or the same VM license can be reused within the 24-hour grace period before duplicate-license detection takes effect).
In any case, the destination FortiAnalyzer must have at least the same ADOM quota allocated as the source (the 'diag log device' CLI command can be used to verify this).

Solution


1. FortiAnalyzer replacement

Notice:
This KB focuses only on operational FortiAnalyzer units that need to be migrated because of a platform upgrade or for other reasons.
If the replacement is caused by a hardware failure, the system configuration and logs must already have been backed up before the failure occurred. Setting up automatic backups is recommended for every FortiAnalyzer unit, but that is not the subject of this KB.

A FortiAnalyzer hardware replacement must use the same hardware model and software version. The first step is to prepare the new FortiAnalyzer with the same configuration as the old one by performing a configuration backup and restore.

If a hardware migration needs to be performed instead, this section can be skipped. Relevant information on exporting devices can be found in the KB below:
http://cookbook.fortinet.com/fortianalyzer-log-data-migration-old-new-fortianalyzer/

2. Configuration backup and restore process

Go to System Settings > System Configuration > Backup.

Select Disable Encryption.

Using the CLI:
This example backs up the complete FortiAnalyzer system settings to a file named faz.dat on an FTP server at IP address 10.5.50.40, using the username ftpuser and the password 12345678.

FMG-VM64# exe backup all-settings ftp 10.5.50.40 /ftpbackup/allsetting/faz.dat ftpuser 12345678

Validate the configuration file integrity:

Change the configuration file extension from *.dat to *.tgz.

Check that the file can be decompressed without errors.

Rename the file back to *.dat and install it on the new FortiAnalyzer.


Uncheck the 'Overwrite current IP and routing settings' option to avoid an IP address conflict with the old system.
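The integrity check above (rename *.dat to *.tgz, confirm it decompresses, rename back) can be scripted on the host that holds the FTP backup. The following POSIX shell script is an added example, not part of the Fortinet KB: it works on a copy of the archive so the uploaded file is never modified, tests the gzip stream (a truncated FTP transfer fails here) and then lists the tar members without extracting them. The function names and the sample archives it builds are my own constructions; the /ftpbackup/allsetting/faz.dat path is only the one used in the KB command above.

```shell
#!/bin/sh
# Added example (not from the Fortinet KB): validate a FortiAnalyzer
# "backup all-settings" archive before restoring it on the replacement unit.
# Assumption: the *.dat file is reachable on the FTP server's filesystem,
# e.g. /ftpbackup/allsetting/faz.dat.

# check_faz_backup <path/to/faz.dat>
# Returns 0 if the archive is an intact gzip tarball, 1 otherwise.
check_faz_backup() {
    dat="$1"
    case "$dat" in
        *.dat) ;;
        *) echo "expected a *.dat archive: $dat" >&2; return 1 ;;
    esac
    tgz="${dat%.dat}.tgz"
    # Work on a renamed copy so the original upload is never touched.
    cp "$dat" "$tgz" || return 1
    status=0
    # 1. gzip stream integrity: catches archives cut short during FTP upload.
    gzip -t "$tgz" 2>/dev/null || status=1
    # 2. tar structure: list members without extracting anything.
    if [ "$status" -eq 0 ]; then
        tar -tzf "$tgz" >/dev/null 2>&1 || status=1
    fi
    rm -f "$tgz"          # remove the .tgz copy, leaving only the .dat
    return "$status"
}

# make_sample_backups <dir>
# Constructed test data (hypothetical, not a real FortiAnalyzer archive):
# good.dat is a valid gzip tarball stored with the .dat extension,
# truncated.dat is its first 20 bytes, as an interrupted transfer would leave.
make_sample_backups() {
    dir="$1"
    mkdir -p "$dir/src"
    printf 'hostname FAZ-OLD\n' > "$dir/src/sys.conf"
    tar -czf "$dir/good.dat" -C "$dir" src
    head -c 20 "$dir/good.dat" > "$dir/truncated.dat"
}

# Stand-alone use: check_faz_backup.sh /ftpbackup/allsetting/faz.dat
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        if check_faz_backup "$f"; then echo "OK   $f"; else echo "BAD  $f"; fi
    done
fi
```

Run it against every archive before the restore step; an archive reported as BAD should be re-uploaded from the old unit rather than installed.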


Once the new FortiAnalyzer is ready to receive logs from the FortiGates, every log sender must be reconfigured so that logs are sent to the new IP address.
On the FortiGate this is done under the following CLI tree, where the server is set to the new FortiAnalyzer IP address and the status is enabled:

config log fortianalyzer2 setting

Log into the CLI of each FortiGate and configure the new FortiAnalyzer.
This can also be done with a FortiManager script.

Once both FortiAnalyzers run the same configuration and receive logs from all FortiGates, the old archive logs can be transferred to the new server. Several methods are available:
  -  Log backup and restore (requires an external storage server such as FTP to hold the archive)
  -  Log backup and import (requires an external storage server such as FTP to hold the archive)
  -  Log aggregation and log fetching (do NOT require an external storage server; aggregation is the preferred choice)

Log backup from the old FortiAnalyzer
This example backs up all FortiAnalyzer logs to an FTP server at IP address 10.5.50.40, with the username ftpuser and the password 12345678.

FAZVM64-KVM # exe backup logs all ftp 10.5.50.40 ftpuser 12345678 /

To quit the backup process, Press 'Q/q' then <Enter>.

Uploading for device FGT1KC0000000000(FGT1KC0000000000[root])...
  Backup logs: 1/12 file(s).
  Backup logs: 10/12 file(s).
  Backup logs: 12/12 file(s).
Uploading for device FGT1KC0000000000(FGT1KC0000000000[vd1])...
  Backup logs: 1/3 file(s).
  Backup logs: 3/3 file(s).

Uploading for device FortiGate-VM64-KVM(FGVMEVIGJ13JWW8D[root])...
  Backup logs: 1/1 file(s).

Successfully uploaded log file(s) to ftp server 10.5.50.40 under /.

The size of the archived logs at the destination can be checked with 'diag log device' to make sure it matches the old unit. In the output, look for the line:

Total usage: 16 ADOMs, logs=1.5GB
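Besides comparing the total size, it is worth confirming that the backup transcript itself shows every device and VDOM reaching its final file count, since an FTP session that drops mid-way leaves a partial archive that 'exe restore logs' will happily install. The script below is an added example, not from the Fortinet KB: it runs awk over a saved copy of the 'exe backup logs all' output, keeps the last "n/n file(s)" progress line per device, and fails if any device is incomplete or the closing "Successfully uploaded" line is missing. The function names and the "bad" transcript are constructed; the "good" transcript mirrors the KB output above.

```shell
#!/bin/sh
# Added example (not from the Fortinet KB): verify a saved transcript of
# 'exe backup logs all' before trusting the archive on the FTP server.

# verify_backup_transcript <transcript-file>
# Prints one line per problem; returns 0 only when every device finished
# (last progress line is n/n) and the final success line was seen.
verify_backup_transcript() {
    awk '
      /^Uploading for device / {
          dev = $4; sub(/\.\.\.$/, "", dev)   # e.g. FGT1KC0000000000(FGT1KC0000000000[root])
          last[dev] = ""                      # no progress line seen yet for this device
      }
      /Backup logs: [0-9]+\/[0-9]+ file/ { last[dev] = $3 }   # keep the latest "done/total"
      /^Successfully uploaded log file/ { ok = 1 }
      END {
          bad = 0
          for (d in last) {
              n = split(last[d], p, "/")
              if (n != 2 || p[1] != p[2]) {
                  printf "INCOMPLETE %s (%s)\n", d, last[d]; bad = 1
              }
          }
          if (!ok) { print "MISSING final success line"; bad = 1 }
          exit bad
      }' "$1"
}

# write_sample_transcript <good|bad> <file>
# Constructed samples: "good" is the KB output; "bad" simulates a transfer
# that stopped at 1/3 files for one VDOM and never printed the success line.
write_sample_transcript() {
    case "$1" in
    good) cat > "$2" <<'EOF'
Uploading for device FGT1KC0000000000(FGT1KC0000000000[root])...
  Backup logs: 1/12 file(s).
  Backup logs: 10/12 file(s).
  Backup logs: 12/12 file(s).
Uploading for device FGT1KC0000000000(FGT1KC0000000000[vd1])...
  Backup logs: 1/3 file(s).
  Backup logs: 3/3 file(s).
Uploading for device FortiGate-VM64-KVM(FGVMEVIGJ13JWW8D[root])...
  Backup logs: 1/1 file(s).
Successfully uploaded log file(s) to ftp server 10.5.50.40 under /.
EOF
    ;;
    bad) cat > "$2" <<'EOF'
Uploading for device FGT1KC0000000000(FGT1KC0000000000[root])...
  Backup logs: 12/12 file(s).
Uploading for device FGT1KC0000000000(FGT1KC0000000000[vd1])...
  Backup logs: 1/3 file(s).
EOF
    ;;
    esac
}

# Stand-alone use: verify_backup_transcript.sh backup-output.txt
if [ "$#" -gt 0 ]; then
    if verify_backup_transcript "$1"; then echo "backup transcript complete"; fi
fi
```

Capture the CLI session with the terminal client's logging feature while the backup runs, then pass the saved file to the script; any INCOMPLETE line names the device and VDOM whose archive must be backed up again before the restore.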


To restore log file(s), execute the following command:

execute restore logs all ftp 10.5.50.40 <user_name> <password> /


Log restore
Log backup and restore is the method to use when the FortiAnalyzer is replaced while the old FortiAnalyzer is no longer reachable.

This example restores FortiAnalyzer logs from an FTP server, using the address and credentials of the previous example:

FAZVM64-KVM # exe restore logs all ftp 10.5.50.40 ftpuser 12345678 /
Note: This command restores all logs from a specified server which
      were backed up prior to changing the RAID level or formatting
      the disks. Executing it frequently is not recommended!

Do you want to continue? (y/n)y


The restore operation will overwrite any logs already on the FortiAnalyzer.
Do you want to continue? (y/n)y

Stopping processes.

Downloading files for device FGT1KC0000000000(FGT1KC0000000000[*])...
  Restore log file: FGT1KC0000000000[root].elog.log.gz
  Restore log file: FGT1KC0000000000[root].tlog.log.gz
  Restore log file: FGT1KC0000000000[root][1529872384].elog.1530700808.log.gz
….
  Restore log file: FGT1KC0000000000[vd1][1529872384].tlog.1530706428.log.gz

Update device FGT1KC0000000000 log files disk usage...
Downloading files for device FortiGate-VM64-KVM(FGVMEVIGJ13JWW8D[*])...
  Restore log file: FGVMEVIGJ13JWW8D[root].elog.log.gz

Update device FGVMEVIGJ13JWW8D log files disk usage...

Restoration completed successfully.

Restarting processes.
Recommend to rebuild log database by 'exec sql-local rebuild-db'.

Note: Restoring logs will overwrite existing logs.

Log import
Log import is used to import the logs of one specific log client only.

FAZVM64-KVM # exe log import ftp 10.5.50.40 ftpuser 12345678 /FGT1KC0000000000/
Do you want to continue? (y/n)y


Log Import Info: Connect to ftp server 10.5.50.40 ...
Log Import Info: Found 15 .log or .csv files in remote folder : /FGT1KC0000000123 .
Log Import Info: 15 log files found in remote folder, MAX import file setting is 10000, so 15 files will be imported.

Log Import Info: Downloading files from 10.5.50.40 ...###############
Log Import Info: Log file FGT1KC0000000000[root].elog.log.gz was successfully imported to FGT1KC0000000000/root/elog.1530711686.log.
…..
Log Import Info: Log file FGT1KC0000000000[vd1][1529872384].tlog.1530706428.log.gz was successfully imported to FGT1KC0000000000/vd1/tlog.1530706428.log.
Log Import Info: 15 log files are imported.
Log Import Info:
15 files are processed, 0 files remain.


Log fetching example (only available in FortiAnalyzer 5.4 and higher)
The fetching function is only available if the old FortiAnalyzer is still reachable and operational.

Set up a fetch account on the old FortiAnalyzer:

config system admin user
  edit "fetchadmin"
    set password password
    set profileid "Super_User"
    set adom "all_adoms"
  next
end


Configure the fetch request on the new FortiAnalyzer.

Accept the fetching request on the old FortiAnalyzer.

An advantage of log fetching is the ability to filter out unwanted logs by time range, but with multiple ADOMs the fetch must be configured for each ADOM individually.

Log Aggregation
Aggregation is only available if the old FortiAnalyzer is still reachable and operational.
Note: Some low-end FortiAnalyzer models, like the FortiAnalyzer 200D, don't have aggregation available.

Log aggregation in version 5.4:

Client side (old FortiAnalyzer):

config system aggregation-client
  edit 1
    set mode aggregation
    set agg-user        [admin user for new FortiAnalyzer]
    set agg-password    [password for new FortiAnalyzer]
    set agg-time 1      [log aggregation start time]
    set server-ip       [new FortiAnalyzer IP address]
  next
end

Server side (new FortiAnalyzer):

config system admin user
  edit "aggradmin"
    set password password
    set profileid "Super_User"
    set adom "all_adoms"
end
config system aggregation-service
  set accept-aggregation enable
  set aggregation-disk-quota 50000
  set password "fortinet"
end


Log aggregation in version 5.6 and 6.0:

Client side (old FAZ):

config system log-forward
  edit 1
    set mode aggregation
    set agg-user aggradmin
    set agg-password password
    set agg-time 1
    set server-ip           [new FortiAnalyzer IP address]
  next
end

Server side (new FAZ):

config system admin user
  edit "aggradmin"
    set password password
    set profileid "Super_User"
    set adom "all_adoms"
end
config system log-forward-service
  set accept-aggregation enable
end


3. Debug

In case of a migration failure, the following outputs will be requested for troubleshooting.

FTP transfer debug
FTP transfers have limited troubleshooting capability; the output of the following CLI commands will be requested, together with the system event log and the FTP event log:

exe tac report
diag sniffer packet any "host <IP of the FTP server> and port 21" 3 0 a

Log aggregation debug

exe tac report
diagnose debug application log-aggregate 8
diag debug enable
exec log-aggregation
diag sniffer packet any "port 3000" 3 0 a


Log Fetching debug

exe tac report
diag debug app log-fetch 8
diag debug enable


Launch the fetch and record the output on both the fetch sender (old FortiAnalyzer) and the receiver (new FortiAnalyzer):

diag test application log-fetch
diag test application log-fetch 2
diag test application log-fetch 3

Related KB articles

Technical Note: Backup and restore of FortiAnalyzer settings, logs and reports

Technical Note: FortiAnalyzer SQL database rebuild start-time

Technical Tip: FortiAnalyzer SQL database delete and rebuild

Restarting SQL Rebuilds

Technical Note: Using 'exec migrate' to migrate to a new FortiAnalyzer / FortiManager model

Technical Tip: How to change the IP Address of the FortiManager/FortiAnalyzer VM License file
