1.1 SSH into the Supervisor, Worker, or Collector as root.
1.2 Enter the following command:
phziplogs /tmp/<ticket_number> <number_of_days>
This creates a directory named after the ticket number and collects logs going back the specified number of days. Picking up historical events is critical if the issue occurred in the past, so make sure you know how many days are necessary, e.g. phziplogs /tmp/1234 5.
The log file will appear as AOLogs.tar in /tmp/<ticket number>/
1.3 Change the filename of AOLogs.tar to a more unique name (e.g. FortiSIEMLogs-SP-20181119.tar for Supervisor logs on November 19th 2018):
mv AOLogs.tar <new file name>
1.4 Repeat steps 1.1 through 1.3 for all Collectors, Workers, and the Supervisor.
2. From the FortiSIEM appliance, directly SCP the log to the desktop.
2.1 For Windows users, use WinSCP to pull the logs from the /tmp directory of the FortiSIEM appliance.
2.2 For Linux users, use SCP from the FortiSIEM bash prompt to copy it out to the local desktop:
$ scp -r <local directory> username@<host_ip>:<remote directory>
3. Upload the file to the support ticket at support.fortinet.com
3.1 Log into the Fortinet support account.
3.2 Find the ticket associated with the log request upload.
3.3 Upload the attachment to the ticket with a response (note that the upload limit is 500MB per attachment).
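The rename in step 1.3 and the 500MB attachment limit in step 3 can be handled in one pass on the appliance. The following is an added example, not Fortinet tooling: the function name prepare_bundle, the role tag argument, the .part- suffix, the .sha256 manifest and the MAX_BYTES override are all assumptions made for illustration.

```shell
#!/bin/sh
# Constructed helper: names and checks are assumptions, not Fortinet tooling.
MAX_BYTES="${MAX_BYTES:-500000000}"  # chosen to stay below the 500MB attachment limit

# prepare_bundle <dir> <role_tag> [yyyymmdd]
#   <dir>       directory given to phziplogs, e.g. /tmp/<ticket_number>
#   <role_tag>  short node label you choose (the article uses SP for Supervisor)
# Renames AOLogs.tar, writes a SHA-256 manifest, splits the archive if it is
# larger than MAX_BYTES, and prints the new archive name.
prepare_bundle() {
    dir=$1; role=$2; day=${3:-$(date +%Y%m%d)}
    src="$dir/AOLogs.tar"
    name="FortiSIEMLogs-$role-$day.tar"
    if [ ! -f "$src" ]; then
        echo "missing $src" >&2; return 1
    fi
    if [ -e "$dir/$name" ]; then
        echo "$dir/$name already exists" >&2; return 1
    fi
    mv "$src" "$dir/$name" || return 1
    size=$(wc -c < "$dir/$name" | tr -d ' ')
    (
        cd "$dir" || exit 1
        # Hash the whole archive first so the receiver can verify reassembly.
        sha256sum "$name" > "$name.sha256" || exit 1
        if [ "$size" -gt "$MAX_BYTES" ]; then
            # Too large for one attachment: cut into fixed-size parts, hash each.
            split -b "$MAX_BYTES" "$name" "$name.part-" || exit 1
            sha256sum "$name".part-* >> "$name.sha256" || exit 1
        fi
    ) || return 1
    echo "$name"
}
```

The parts reassemble with cat <name>.part-* > <name>, and sha256sum -c <name>.sha256 checks both the parts and the reassembled archive.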