akumar02
Staff
Article Id 230818
Description

This article describes the CLI commands used to back up the logs that a FortiGate stores on its disk.

 

By default, if the logs are backed up to an FTP server, they will be encrypted.

 

execute backup disk alllogs ftp <IP_address> <username> <password>

execute backup disk log ftp <IP_address> <username> <password> <log_type>

 

If the logs then need to be uploaded to FortiAnalyzer, they must first be decompressed with LZ4 and then uploaded to FortiAnalyzer.

Scope

FortiGate version 7.0.4+ and firewalls with an SSD.
Solution

To download the local logs stored in system memory or on disk using the CLI, use the commands below:

 

execute backup disk alllogs [ftp/tftp] <ftp server>[:ftp port] <user> <passwd>

execute backup memory alllogs [ftp/tftp] <ftp server>[:ftp port] <user> <passwd>

 

For logs stored on disk, there is also an option to back up directly to a USB stick:

 

execute backup disk alllogs usb


From firmware 7.0.4 onward, on all firewall models, an 'uncompressed' parameter can be added at the end of the 'execute backup disk log ftp' command to produce a cleartext file, which is easier to upload to FortiAnalyzer.

 

execute backup disk alllogs ftp <IP_address> <username> <password> <compressed | uncompressed>

execute backup disk log ftp <IP_address> <username> <password> <log_type> <compressed | uncompressed>

 

Decompressing the logs so that they can be uploaded to FortiAnalyzer is covered in:

Technical Note: Transferring historical logs from a FortiGate hard disk to a FortiAnalyzer
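Once a backup has been pulled from the FTP server, it helps to know whether the file is the LZ4-compressed form or the cleartext form before handing it to FortiAnalyzer. The following Python script is an added example, not code from the Fortinet article or from FortiOS: it checks the file for the standard LZ4 frame header (magic bytes 04 22 4D 18), and for cleartext files parses the key=value records, counts them per log type, and reports lines that do not look like FortiGate records. The sample records and the sample compressed header are constructed for the example.

```python
"""Added example (not from the Fortinet article): classify a FortiGate log
backup as LZ4-compressed or cleartext, and sanity-check cleartext records."""
import re
from typing import Dict, List, Tuple

# Standard LZ4 frame magic number (little-endian 0x184D2204). A "compressed"
# backup that lz4 tools can read starts with these four bytes.
LZ4_FRAME_MAGIC = b"\x04\x22\x4d\x18"

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def backup_kind(data: bytes) -> str:
    """Return 'lz4' if the blob carries the LZ4 frame magic, else 'cleartext'."""
    return "lz4" if data.startswith(LZ4_FRAME_MAGIC) else "cleartext"


def parse_record(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log record into a dict (quotes stripped)."""
    fields: Dict[str, str] = {}
    for key, val in KV_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return fields


def summarize_cleartext(data: bytes) -> Tuple[Dict[str, int], List[int]]:
    """Count records per log type and list 1-based line numbers of records that
    lack the date, time, logid and type fields every FortiGate record carries."""
    counts: Dict[str, int] = {}
    bad: List[int] = []
    text = data.decode("utf-8", errors="replace")
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_record(line)
        if not all(k in rec for k in ("date", "time", "logid", "type")):
            bad.append(n)
            continue
        counts[rec["type"]] = counts.get(rec["type"], 0) + 1
    return counts, bad


def check_backup(data: bytes) -> dict:
    """Decide what to do with a backup file before sending it to FortiAnalyzer."""
    kind = backup_kind(data)
    if kind == "lz4":
        return {"kind": kind, "action": "decompress with LZ4 before upload"}
    counts, bad = summarize_cleartext(data)
    return {"kind": kind, "action": "upload as-is",
            "counts": counts, "malformed_lines": bad}


# Constructed sample data (not real logs): a cleartext backup with one bad line.
SAMPLE_CLEARTEXT = b"""\
date=2023-01-10 time=10:15:01 logid="0000000013" type="traffic" subtype="forward" srcip=10.0.0.5 dstip=203.0.113.9 action="accept"
date=2023-01-10 time=10:15:02 logid="0100032001" type="event" subtype="system" msg="Admin login successful"
this line is not a FortiGate record
date=2023-01-10 time=10:15:03 logid="0000000013" type="traffic" subtype="forward" srcip=10.0.0.7 dstip=198.51.100.4 action="deny"
"""

# Constructed stand-in for a compressed backup: only the frame header matters here.
SAMPLE_LZ4 = LZ4_FRAME_MAGIC + b"\x64\x40\xa7" + b"\x00" * 8

if __name__ == "__main__":
    print(check_backup(SAMPLE_LZ4))
    print(check_backup(SAMPLE_CLEARTEXT))
```

Run it against a real backup with `check_backup(open(path, "rb").read())`; a non-empty `malformed_lines` list usually means the file was transferred or truncated incorrectly rather than that the logs are bad. Note that plain FTP carries both the credentials from the `execute backup` command and the log file in the clear, so the transfer should stay on a trusted management network.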

 

Note:

  1. This feature is present only in 7.0.4 and above.
  2. If uncompressing the log file with lz4_reader gives a Java error, use jdk-8u351-windows-x64.exe.
  3. The command only works if the firewall has a physical disk; this can be verified with the command 'exec disk list'.