Potato168
New Contributor

KB does NOT work! Transferring historical logs from a FortiGate hard disk to a FortiAnalyzer

Hi all,

We have some old logs stored on the FortiGate SSD, and we want to export those logs to FAZ to generate a report.

We found the KB and tried to do the same:

https://community.fortinet.com/t5/FortiAnalyzer/Technical-Note-Transferring-historical-logs-from-a-F...

We used "lz4_reader.tar.gz" to convert the logs to a readable format and changed the extension to .txt.

And we got this error when importing the log to the FAZ via the GUI.

[screenshot: 222.PNG]
---- Update on 7th Nov, 2024.

After checking this issue with Fortinet TAC about the FAZ built-in log format, the FAZ log format is now required to be:

[FirewallSN].[VdomName].[tlog].[Date].[not sure what this is, just a random last five numbers generated by the firewall?].log

If you follow that KB and try to import something from a FortiGate, you might use a "ReNamer" program to change all the log file names to this format.

I would like to share my script here for easier operation as well.

Hope this helps everyone who suffers the same issue when trying to import old FGT logs to FAZ.

Just import the KB-format logs into the program and you will get the correct naming:

KB format:

[screenshot: ori.PNG]

My script to change the naming to the correct format:

[screenshot: 222.PNG]

Successful import now:

[screenshot: HIW.PNG]
AEK
SuperUser

Hello

Did you check if the log file is actually readable?

If so, can you share a few lines from the log file?

Potato168
New Contributor

If I change the filename to "disk-tlog.log", the file can be uploaded and passes.

Also, we can then find the traffic details on FAZ.

But there are numerous log files, and I don't want to rename and upload them one by one. If we rename and upload them one by one, the new one will overwrite the old one and we lose the logs.

It did not work as expected.

Potato168
New Contributor

date=2024-10-29 time=05:47:49 eventtime=1730152069169145048 tz="+0800" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=fe80::1053:c623:401c:ee2e srcport=5353 srcintf="Vlan3500" srcintfrole="lan" dstip=ff02::fb dstport=5353 dstintf="root" dstintfrole="undefined" sessionid=594403 proto=17 action="deny" policyid=0 policytype="local-in-policy6" service="udp/5353" trandisp="noop" app="udp/5353" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" srchwvendor="Apple" devtype="Computer" osname="macOS" srcswversion="10.15.7" mastersrcmac="62:24:6e:a4:65:18" srcmac="62:24:6e:a4:65:18" srcserver=0
date=2024-10-29 time=05:47:49 eventtime=1730152069253049209 tz="+0800" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=fe80::14c3:2dd2:6e90:f4d1 srcport=5353 srcintf="Vlan3200" srcintfrole="lan" dstip=ff02::fb dstport=5353 dstintf="root" dstintfrole="undefined" sessionid=594404 proto=17 action="deny" policyid=0 policytype="local-in-policy6" service="udp/5353" trandisp="noop" app="udp/5353" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" srchwvendor="Apple" devtype="Phone" srcfamily="iPhone" osname="iOS" srcswversion="18.0.1" mastersrcmac="ba:f0:e0:f9:24:95" srcmac="ba:f0:e0:f9:24:95" srcserver=0
date=2024-10-29 time=05:47:49 eventtime=1730152069300641550 tz="+0800" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=fe80::16:67e3:b917:8ab1 srcport=5353 srcintf="Vlan3500" srcintfrole="lan" dstip=ff02::fb dstport=5353 dstintf="root" dstintfrole="undefined" sessionid=594405 proto=17 action="deny" policyid=0 policytype="local-in-policy6" service="udp/5353" trandisp="noop" app="udp/5353" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" srchwvendor="Apple" devtype="Laptop" srcfamily="Mac" osname="macOS" srchwversion="MacBook Pro" srcswversion="10.15.7" mastersrcmac="0e:60:8d:7d:03:33" srcmac="0e:60:8d:7d:03:33" srcserver=0
date=2024-10-29 time=05:47:49 eventtime=1730152069383618251 tz="+0800" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.16.72.14 srcname="DR-ATLASSIAN" srcport=49465 srcintf="Vlan3500" srcintfrole="lan" dstip=142.250.198.42 dstport=443 dstintf="port2" dstintfrole="wan" srccountry="Reserved" dstinetsvc="Google-Web" dstcountry="United States" dstregion="California" dstcity="Mountain View" dstreputation=5 sessionid=61277222 proto=6 action="accept" policyid=1 policytype="policy" poluuid="ef0ab6fc-8072-51ef-515f-33647f470d60" policyname="InternetAccess" service="Google-Web" trandisp="snat" transip=118.143.99.22 transport=49465 appid=42533 app="Google.Services" appcat="General.Interest" apprisk="elevated" applist="default" appact="detected" duration=178 sentbyte=9974 rcvdbyte=4627 sentpkt=19 rcvdpkt=14 shapingpolicyid=1 shaperperipname="PerIP-40Mbps" shaperperipdropbyte=0 vwlid=2 vwlquality="Seq_num(2 port2), alive, latency: 2.031, selected" vwlname="Wan2" sentdelta=9974 rcvddelta=4627 srchwvendor="Apple" devtype="Laptop" srcfamily="Mac" osname="macOS" srchwversion="MacBook Pro" srcswversion="15.0.1" mastersrcmac="1e:4d:c2:33:47:99" srcmac="1e:4d:c2:33:47:99" srcserver=0
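The poster's renaming script survives only as a screenshot, so the following is an added example (not the poster's script and not Fortinet code) that does the same job in Python: it parses the first line of each converted FortiGate log file (key=value pairs with quoted values, like the sample lines in the reply above), derives the VDOM and date from it, and renames the file to the shape the update says FAZ requires, [FirewallSN].[VdomName].[tlog].[Date].[five digits].log. Every file gets its own suffix, which is what avoids the overwrite problem described earlier in the thread. Assumptions not confirmed on the page: the date part is written as YYYYMMDD, the five-digit suffix only needs to be unique (the post calls it random), the serial number is supplied by the caller because it does not appear in the log lines, and the serial FGTSERIAL0000001, the file names tlog.N.txt and the shortened sample log lines are all constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# One key=value pair: the value is either a "quoted string" (may contain spaces
# and escaped quotes) or a bare token such as an IPv6 address or a number.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Shape FAZ accepted in the post: SN.vdom.tlog.date.5digits.log
# (YYYYMMDD for the date is an assumption; the post does not show the date format).
_FAZ_NAME_RE = re.compile(r'^[A-Za-z0-9]+\.[A-Za-z0-9_-]+\.tlog\.\d{8}\.\d{5}\.log$')

# Constructed sample lines (shortened versions of the kind shown in the reply).
SAMPLE_LINES = [
    'date=2024-10-29 time=05:47:49 eventtime=1730152069169145048 tz="+0800" logid="0001000014" '
    'type="traffic" subtype="local" level="notice" vd="root" srcip=fe80::1053:c623:401c:ee2e '
    'srcport=5353 dstip=ff02::fb dstport=5353 proto=17 action="deny" policyid=0',
    'date=2024-10-29 time=05:47:49 eventtime=1730152069383618251 tz="+0800" logid="0000000020" '
    'type="traffic" subtype="forward" level="notice" vd="root" srcip=172.16.72.14 '
    'srcname="DR-ATLASSIAN" dstip=142.250.198.42 dstport=443 action="accept" '
    'vwlquality="Seq_num(2 port2), alive, latency: 2.031, selected"',
]


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict, unquoting values."""
    rec: Dict[str, str] = {}
    for key, val in _KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1].replace('\\"', '"')
        rec[key] = val
    return rec


def faz_filename(serial: str, first_line: str, seq: int) -> str:
    """Build the FAZ-style file name from the first log line of a converted file.

    serial: device serial number, supplied by the caller (it is not in the lines).
    seq: per-run counter that becomes the five-digit suffix.
    """
    if not 0 <= seq <= 99999:
        raise ValueError("suffix must fit in five digits")
    rec = parse_fortigate_line(first_line)
    if rec.get("type") != "traffic":
        # The post only covers traffic logs (the "tlog" part of the name).
        raise ValueError(f"only traffic logs are covered, got type={rec.get('type')!r}")
    vdom = rec.get("vd", "root")
    date = rec["date"].replace("-", "")   # 2024-10-29 -> 20241029 (assumed form)
    name = f"{serial}.{vdom}.tlog.{date}.{seq:05d}.log"
    if not _FAZ_NAME_RE.match(name):
        raise ValueError(f"generated name does not match the expected pattern: {name}")
    return name


def rename_logs(directory: str, serial: str, pattern: str = "*.txt",
                dry_run: bool = False) -> List[Tuple[str, str]]:
    """Rename every converted log file in `directory` to the FAZ naming scheme.

    Files are processed in sorted order and get increasing suffixes, so two files
    from the same VDOM and day never collapse onto one name. Returns (old, new) pairs.
    """
    renamed: List[Tuple[str, str]] = []
    for seq, path in enumerate(sorted(Path(directory).glob(pattern)), start=1):
        with path.open("r", encoding="utf-8", errors="replace") as fh:
            first = next((ln.strip() for ln in fh if ln.strip()), "")
        if not first:
            continue                      # empty file: nothing to derive a name from
        target = path.with_name(faz_filename(serial, first, seq))
        if target.exists():
            raise FileExistsError(f"refusing to overwrite {target}")
        if not dry_run:
            os.replace(path, target)
        renamed.append((path.name, target.name))
    return renamed


def demo_rename(serial: str = "FGTSERIAL0000001") -> List[str]:
    """Write two constructed files to a temp dir, rename them, return the new names.

    The serial number is a placeholder, not a real device.
    """
    with tempfile.TemporaryDirectory() as tmp:
        for i, line in enumerate(SAMPLE_LINES, start=1):
            Path(tmp, f"tlog.{i}.txt").write_text(line + "\n", encoding="utf-8")
        return [new for _, new in rename_logs(tmp, serial)]


if __name__ == "__main__":
    for new_name in demo_rename():
        print(new_name)
```

Run it against the directory of .txt files produced by lz4_reader with your own serial number, first with dry_run=True to review the planned names; the rename refuses to overwrite an existing target, so a second run over already-renamed files cannot silently merge them.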

Potato168
New Contributor

I have found a way to fix the issue with Fortinet TAC, and I have just updated the post.
