FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Andy_G
Staff
Article Id 192568

Description

This article describes how to package the FortiSIEM logs to deliver them to support.

Scope

FortiSIEM.


Solution

This is a step-by-step guide on how to collect log files over a certain period and send them to the FortiSIEM support team.

1. Extract and compress logs:

    a. SSH into the Supervisor, Worker or Collector as root.

    b. Enter the following commands:

        get-fsm-health.py --local -o /tmp/fsm-health.log
        journalctl -k --no-pager > /tmp/journalctl.log
        env > /tmp/root_env
        su admin -c env > /tmp/admin_env
        phziplogs /tmp/<ticket_number> <number_of_days>

    phziplogs creates a directory named after the ticket number and collects logs for the given number of days back. Being able to pick up historical events is critical if the issue occurred in the past, so make sure to know how many days are necessary. For example: phziplogs /tmp/1234 5.

    The resulting archive is named AOLogs.tar and is placed in /tmp/<ticket_number>/.

    c. Append the files collected above to AOLogs.tar, then change its filename to a more unique name (e.g. FortiSIEMLogs-SP-20181119.tar for Supervisor logs collected on November 19th, 2018):

        1. cd /tmp/1234
        2. tar --append --file=AOLogs.tar /tmp/fsm-health.log
        3. tar --append --file=AOLogs.tar /tmp/journalctl.log
        4. tar --append --file=AOLogs.tar /tmp/root_env
        5. tar --append --file=AOLogs.tar /tmp/admin_env
        6. mv AOLogs.tar <new_file_name>

    d. Repeat steps 1.a. through 1.c. for all Collectors, Workers, and Supervisors.

2. From the FortiSIEM appliance, directly SCP the log to the desktop.

    a. For Windows users, use WinSCP to pull the logs from the /tmp directory of the FortiSIEM appliance.

    b. For Linux users, use SCP from the FortiSIEM bash prompt to copy it out to the local desktop:

        $ scp -r <local directory> username@<host_ip>:<remote directory>

       Here <local directory> is /tmp/<ticket_number> on the appliance, and <host_ip> and <remote directory> are the desktop and the destination folder on it.

    c. Upload the file to the support ticket at support.fortinet.com.

3. Log into the Fortinet support account.

    a. Find the ticket associated with the log request.

    b. Upload the attachment to the ticket with a response (note that the upload limit is 500MB per attachment).
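The per-node collection steps above (1.a to 1.c) wrapped in one bash script, as an added example rather than Fortinet's own tooling. It assumes it runs as root on a Supervisor, Worker or Collector with phziplogs and get-fsm-health.py on PATH; the role codes other than SP and the byte count used for the 500MB limit are assumptions.

```shell
#!/bin/bash
# Added example, not Fortinet's own tooling. Assumes it runs as root on a
# Supervisor, Worker or Collector with phziplogs and get-fsm-health.py on PATH.
set -u

# Unique archive name from step 1.c, e.g. FortiSIEMLogs-SP-20181119.tar. Only
# "SP" appears in the article; "WK"/"CO" for Workers/Collectors is an assumption.
archive_name() {
    printf 'FortiSIEMLogs-%s-%s.tar\n' "$1" "$2"
}

# Append the extra diagnostic files to AOLogs.tar in the ticket directory. Files
# are stored under their bare name (-C) to avoid tar's "Removing leading /"
# warning; a missing file is reported and skipped instead of aborting the run.
append_extras() {
    local ticket_dir="$1" f
    shift
    for f in "$@"; do
        if [ -f "$f" ]; then
            tar --append --file="$ticket_dir/AOLogs.tar" -C "$(dirname "$f")" "$(basename "$f")"
        else
            echo "warning: $f not found, skipping" >&2
        fi
    done
}

# Succeed (exit 0) when FILE is over the 500MB per-attachment limit from step 3.b.
# Treating 500MB as 500*1024*1024 bytes is an assumption.
exceeds_upload_limit() {
    local size
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -gt $((500 * 1024 * 1024)) ]
}
# Steps 1.a to 1.c for this node: ticket number, days back, role code.
collect_node_logs() {
    local days="$2" role="$3" dir="/tmp/$1" name
    get-fsm-health.py --local -o /tmp/fsm-health.log
    journalctl -k --no-pager > /tmp/journalctl.log
    env > /tmp/root_env
    su admin -c env > /tmp/admin_env
    phziplogs "$dir" "$days"
    append_extras "$dir" /tmp/fsm-health.log /tmp/journalctl.log /tmp/root_env /tmp/admin_env
    name=$(archive_name "$role" "$(date +%Y%m%d)")
    mv "$dir/AOLogs.tar" "$dir/$name"
    exceeds_upload_limit "$dir/$name" && echo "warning: $name exceeds 500MB" >&2
    echo "$dir/$name"
}
# Usage: ./collect_fsm_logs.sh <ticket_number> <number_of_days> <role>
if [ "$#" -eq 3 ]; then collect_node_logs "$@"; fi
```

The script prints the path of the renamed archive, which is what steps 2 and 3 then copy off the appliance and attach to the ticket.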