This article describes how to retrieve the collector logs for troubleshooting.

FortiEDR Windows, Linux, and macOS Collectors.

If the collector is currently connected to FortiEDR Central Manager, it is possible to retrieve the collector logs via the management console:

1. Go to INVENTORY -> Collectors.
2. Select the checkbox of the Collector.
3. Select Export -> Collector Logs.
4.  Select 'Download'.
5. The Collector log archive should then be provided to Fortinet TAC.

----------------------------------------------------------------

If the Collector is disconnected from the FortiEDR Central Manager, it is possible to collect logs from the local Collector machine:

Windows:

1. Run the following command as Administrator in CMD:"C:\Program Files\Fortinet\FortiEDR\FortiEDRCollectorService.exe" --support.
2. Gather the log files from %TEMP%\program_data_archive_support.zip. *%TEMP% is at 'C:\Users\[username]\AppData\Local\Temp

If this procedure fails, follow these steps:

1. Open the Command Prompt as Administrator and run the following command: "C:\Program Files\Fortinet\FortiEDR\FortiEDRCollectorService.exe" --stop.

The registration password would be prompted which can be found in the Management Console.

In the Console select Administration - > Tools - > Display.

2. Zip the following directory C:\ProgramData\FortiEDR\.
3.  Run the following Command to start the Collector Service: "C:\Program Files\Fortinet\FortiEDR\FortiEDRCollectorService.exe" --start.

macOS:

1. Open Terminal and execute the command: sudo /Applications/FortiEDR.app/FortiEDRCollector --support.

For v6.0+ execute the command: 

sudo /Applications/FortiEDR.app/Contents/MacOS/FortiEDRCollector.app/Contents/MacOS/FortiEDRCollector --support

2.  This will output a zipped directory containing all appropriate log files.

If the script does not work, zip/tar the directory /Library/Application Support/FortiEDR/Logs/.

Linux:

Open a terminal and zip/tar the directory /opt/FortiEDRCollector/.