FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Article Id 192568


This article describes how to package the FortiSIEM logs in order to deliver them to support. 


Here is a step by step guide on how collect log files over a certain period of time and send them to a FortiSIEM support team. 
1. Extract and Compress Logs:
1.1 SSH into the Supervisor, Worker/ or Collector as root.

1.2 Enter the following command:

phziplogs /tmp/<ticket_number> <number_of_days>
This will create a directory with a ticket number as well as collect logs for the number of days to go back to.
To be able to pick up historical events will be critical if an issue is in the past, please make sure to know how many days are necessary. eg. phziplogs /tmp/1234 5.
The log name will appear as AOLogs.tar, in /tmp/<ticket number>/ 
1.3 Change the filename of AOLogs.tar to a more unique name (eg. FortiSIEMLogs-SP-20181119.tar for Supervisor Logs on November 19th 2018 )

cd /tmp/1234
mv AoLogs.tar <new file name>
1.4 Repeat steps 1.1 thru 1.3 for all Collectors, Workers, and Supervisor.
2. From the FortiSIEM appliance, directly SCP the log to the desktop.
2.1 For Windows users, use Winscp to pull the logs from the /tmp directory of the fortiSIEM appliance
2.2 For Linux user, use SCP from the FortiSIEM bash prompt to copy it out to the local desktop

$ scp -r <local directory> username@<host_ip>:<remote directory>
3. Upload the file to the support ticket at support
3.1 Log into Fortinet support account.
3.2. Find the ticket associated with the log request upload.
3.2 Upload the attachment to the ticket with a response (Note that the upload limit is 500MB per attachment).