Fortinet Forum
david1
New Contributor

HA cluster logging

Hi,

 

I currently have a pair of 620B's in Active-Active HA mode that I want to connect to my FortiAnalyzer VM v5.2.1-build0662 141212 (GA). My question is, do I need to add both nodes of the HA to the FortiAnalyzer, or will adding only the HA master enable both nodes to send their logs to the FA?

 

Thanks!

 

David

scao_FTNT
Staff

Hi, David,

 

If the FGT is running 5.2, you should be able to see 1 HA entry in the FAZ unregistered device list. FAZ gets the info from the FGT request and will automatically group them into 1 entry (in the unregistered list, not after they are added/promoted into Device Manager).

 

If the FGT is on 5.0, the FGT does not yet support sending that info to FAZ, so you will see 2 standalone devices in the FAZ unregistered list and you need to add/promote them separately. After adding them, in Device Manager, edit 1 of them and enable cluster to add the other device.

 

If you want to keep the old logs from when they were in standalone mode in the new HA cluster, we have a document on how to do that in 5.2.1. If you need it, please let me know.

 

Thanks

 

Simon

david1
New Contributor

Thanks Simon. The FGT are not on 5.x yet, so I see the HA Master and the HA Slave in the FAZ even after I enable HA and add the serial numbers to the device properties in the FAZ. I have a project to get the FGT up to 5.x, so hopefully that will resolve this as well. I would like to be able to keep the old logs, could you provide a link to the document you referenced?

 

Thanks Again,

David

scao_FTNT
Staff

If your FGTs (master and slave) are already in Device Manager and you then upgrade the FGTs to 5.2, FAZ will not automatically update Device Manager (to combine the 2 devices into 1 HA device), and you still need to do that manually.

 

On FAZ 5.2.1, you need to do the steps below.

   -- On FAZ 5.2.2, we will support doing the steps below automatically after you enable HA cluster. I will update later with the 5.2.2 behavior.

 

Thanks

 

Simon

 

 

When a FortiGate device is edited to enable HA Cluster and include two or more FortiGates, the log data of the previous standalone FortiGates is not automatically migrated to the HA Cluster. The administrator has to manually move the log data from the HA member FortiGates to the HA Cluster.

In this sample, FGT1 and FGT2 are at first standalone FortiGates. The administrator edits FGT1 and enables HA Cluster, adding FGT2 to this HA Cluster.

Detailed Steps:

To move the log data of FGT1 and FGT2 into the HA Cluster, the steps are as follows:

1. The FGT cluster members are already registered in DVM as standalone devices. They already have log files.

    FAZVM64 # diagnose log device
    Device Name          Device ID        Used Space(logs/database/qua/content/IPS) Allocated Space  % Used
    FG100D0000000001     FG100D0000000001      143MB(118 / 25  / 0   / 0   / 0   )           10000MB   1.43%
    FG100D0000000002     FG100D0000000002       61MB(52  / 9   / 0   / 0   / 0   )           10000MB   0.61%
    Total: 2 log devices, used=204MB quota=20000MB

2. From GUI->DVM, edit FG100D0000000001, enable HA cluster and include FG100D0000000002. After this, there is only one active device in DVM, and FGT2 becomes a zombie device:

    #diag log device
    Device Name          Device ID        Used Space(logs/database/qua/content/IPS) Allocated Space  % Used
    FG100D-HA       FGHA001382585443_CID        0MB(0   / 0   / 0   / 0   / 0   )           20000MB   0.00%
            |- HA clsuter member: FG100D0000000001
            |- HA clsuter member: FG100D0000000002
    Total: 1 log devices, used=0MB, quota=20000MB
    FG100D0000000002     FG100D0000000002---> zombie device <---

3. Check zombie directories:

    FAZVM64 # execute log device logstore list
          Device ID           logfiles           archive files      status
    ==================================================================
    (1) FG100D0000000001        N/A        N/A    zombie
    (2) FGHA001382585443_CID          0MB          0MB          active.
    (3) FAZ-VM0000000001          0MB          0MB          active.
    (4) FG100D0000000002        N/A        N/A    zombie

4. Move log files from zombie directories to HA cluster:

    FAZVM64 # execute log device logstore move FG100D0000000001 FGHA001382585443_CID
    This will move all logs and archive files from device:FG100D0000000001 to device:FGHA001382585443_CID.
    You may back up all logs of device:FG100D0000000001 before the move.
    Please ensure that system has enough extra disk space for the copy of log files from both devices.
    You may need to rebuild database after moving logs.
    Do you want to continue? (y/n)y
    Start moving rlog files from FG100D0000000001 to FGHA001382585443_CID...
    Start moving alog files from FG100D0000000001 to FGHA001382585443_CID...
    Start moving clog files from FG100D0000000001 to FGHA001382585443_CID...
    Start moving dlog files from FG100D0000000001 to FGHA001382585443_CID...
    Start moving slog files from FG100D0000000001 to FGHA001382585443_CID...
    Start moving elog files from FG100D0000000001 to FGHA001382585443_CID...
    Start moving glog files from FG100D0000000001 to FGHA001382585443_CID...
    Start moving hlog files from FG100D0000000001 to FGHA001382585443_CID...
    Start moving ilog files from FG100D0000000001 to FGHA001382585443_CID...
    Start moving xlog files from FG100D0000000001 to FGHA001382585443_CID...
    Start moving tlog files from FG100D0000000001 to FGHA001382585443_CID...
    Clean up tlog files of device FG100D0000000001...
    Move merged tlog files to device FGHA001382585443_CID...
    End moving tlog files from FG100D0000000001 to FGHA001382585443_CID, took 269 seconds.
    Start moving vlog files from FG100D0000000001 to FGHA001382585443_CID...
    Start moving plog files from FG100D0000000001 to FGHA001382585443_CID...
    Start moving wlog files from FG100D0000000001 to FGHA001382585443_CID...
    Start moving nlog files from FG100D0000000001 to FGHA001382585443_CID...
    start to move the archive file from FG100D0000000002 to FGHA001382585443_CID.
    processing root path /drive0/private/http_files/FG100D0000000001/.
    processing root path /drive0/private/http_files/FG100D0000000001/.
    processing root path /drive0/private/email_files/FG100D0000000001/.
    processing root path /drive0/private/ftp_files/FG100D0000000001/.
    processing root path /drive0/private/im_files/FG100D0000000001/.
    processing root path /drive0/private/mms_files/FG100D0000000001/.
    processing root path /drive0/private/quard_files/FG100D0000000001/.
    processing root path /drive0/private/ips_files/FG100D0000000001/.
    Device:FG100D0000000001 logs and archives were moved to device:FGHA001382585443_CID successfully.

    FAZVM64 # execute log device logstore move FG100D0000000002 FGHA001382585443_CID
    This will move all logs and archive files from device:FG100D0000000002 to device:FGHA001382585443_CID.
    You may back up all logs of device:FG100D0000000002 before the move.
    Please ensure that system has enough extra disk space for the copy of log files from both devices.
    You may need to rebuild database after moving logs.
    Do you want to continue? (y/n)y
    Start moving rlog files from FG100D0000000002 to FGHA001382585443_CID...
    Start moving alog files from FG100D0000000002 to FGHA001382585443_CID...
    Start moving clog files from FG100D0000000002 to FGHA001382585443_CID...
    Start moving dlog files from FG100D0000000002 to FGHA001382585443_CID...
    Start moving slog files from FG100D0000000002 to FGHA001382585443_CID...
    Start moving elog files from FG100D0000000002 to FGHA001382585443_CID...
    Start moving glog files from FG100D0000000002 to FGHA001382585443_CID...
    Start moving hlog files from FG100D0000000002 to FGHA001382585443_CID...
    Start moving ilog files from FG100D0000000002 to FGHA001382585443_CID...
    Start moving xlog files from FG100D0000000002 to FGHA001382585443_CID...
    Start moving tlog files from FG100D0000000002 to FGHA001382585443_CID...
    Clean up tlog files of device FG100D0000000002...
    Move merged tlog files to device FGHA001382585443_CID...
    End moving tlog files from FG100D0000000002 to FGHA001382585443_CID, took 269 seconds.
    Start moving vlog files from FG100D0000000002 to FGHA001382585443_CID...
    Start moving plog files from FG100D0000000002 to FGHA001382585443_CID...
    Start moving wlog files from FG100D0000000002 to FGHA001382585443_CID...
    Start moving nlog files from FG100D0000000002 to FGHA001382585443_CID...
    start to move the archive file from FG100D0000000002 to FGHA001382585443_CID.
    processing root path /drive0/private/http_files/FG100D0000000002/.
    processing root path /drive0/private/http_files/FG100D0000000002/.
    processing root path /drive0/private/email_files/FG100D0000000002/.
    processing root path /drive0/private/ftp_files/FG100D0000000002/.
    processing root path /drive0/private/im_files/FG100D0000000002/.
    processing root path /drive0/private/mms_files/FG100D0000000002/.
    processing root path /drive0/private/quard_files/FG100D0000000002/.
    processing root path /drive0/private/ips_files/FG100D0000000002/.
    Device:FG100D0000000002 logs and archives were moved to device:FGHA001382585443_CID successfully.

5. Manually delete zombie device FGT2.

6. Clear zombie directories:

    FAZVM64 # execute log device logstore clear All
    This will clean up all zombie devices logs and archive files.
    Do you want to continue? (y/n)y
    Remove log dir FG100D0000000001.
    Device:All logs and archives files were removed.

7. Rebuild the SQL database:

    FAZVM64 # execute sql-local rebuild-db
    Rebuild the whole SQL database has been requested.
    This operation will remove the SQL database and rebuild from log data.
    This operation will reboot the device.
    Do you want to continue? (y/n)y
    Please wait for reboot...
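
An added example, not part of the original post or of Fortinet's document: a small offline planner that reads saved output of `diagnose log device` and `execute log device logstore list`, emits the move commands for zombie devices that are members of the HA cluster, and withholds `logstore clear All` when an unrelated zombie device would lose its logs. The function names and the embedded sample text are constructed for illustration; only the CLI commands shown in the steps above are used.

```python
import re

# Constructed sample input, shaped like the CLI output quoted in the post above.
DIAG_LOG_DEVICE = """\
FG100D-HA       FGHA001382585443_CID        0MB(0   / 0   / 0   / 0   / 0   )   20000MB   0.00%
        |- HA clsuter member: FG100D0000000001
        |- HA clsuter member: FG100D0000000002
"""
LOGSTORE_LIST = """\
(1) FG100D0000000001        N/A        N/A    zombie
(2) FGHA001382585443_CID          0MB          0MB          active.
(3) FAZ-VM0000000001          0MB          0MB          active.
(4) FG100D0000000002        N/A        N/A    zombie
"""

def parse_clusters(diag_text):
    """Map each device ID in 'diagnose log device' to its listed HA members."""
    clusters, current = {}, None
    for line in diag_text.splitlines():
        device = re.match(r"\S+\s+(\S+)\s+\d+MB\(", line)
        member = re.match(r"\s*\|-\s*HA \w+ member:\s*(\S+)", line)  # tolerates 'clsuter'
        if device:
            current = device.group(1)
            clusters[current] = []
        elif member and current:
            clusters[current].append(member.group(1))
    return clusters

def parse_logstore(list_text):
    """Return {device_id: status} from 'execute log device logstore list'."""
    return dict(re.findall(r"^\(\d+\)\s+(\S+)\s+\S+\s+\S+\s+(\w+)", list_text, re.M))

def migration_plan(diag_text, list_text, cluster_id):
    """Return (commands, strays); strays are zombies outside the cluster."""
    members = parse_clusters(diag_text).get(cluster_id, [])
    status = parse_logstore(list_text)
    if status.get(cluster_id) != "active":
        raise ValueError(f"{cluster_id} is not an active log store")
    zombies = [d for d, s in status.items() if s == "zombie"]
    strays = [d for d in zombies if d not in members]
    plan = [f"execute log device logstore move {d} {cluster_id}"
            for d in zombies if d in members]
    # 'clear All' wipes every zombie directory, so only plan it when no
    # unrelated zombie would lose its logs. Step 5 (delete FGT2) stays manual.
    if plan and not strays:
        plan += ["execute log device logstore clear All",
                 "execute sql-local rebuild-db"]
    return plan, strays

if __name__ == "__main__":
    for cmd in migration_plan(DIAG_LOG_DEVICE, LOGSTORE_LIST, "FGHA001382585443_CID")[0]:
        print(cmd)
```

If the second return value is non-empty, move or back up those devices' logs before running the clear step by hand.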