Hi all,
We have some old logs stored on the FortiGate SSD, and we want to export those logs to FAZ to generate a report.
We found the KB and tried to do the same:
We used "lz4_reader.tar.gz" to convert the logs to a readable format and changed the extension to .txt.
And we got this error when importing the log into the FAZ via the GUI.
---- Update on 7th Nov, 2024.
After checking this issue with Fortinet TAC about the FAZ built-in log format, the FAZ log format is now required as:
[FirewallSN].[VdomName].[tlog].[Date].[not sure what it is, just a random last five numbers generated by the firewall?].log
If you follow that KB and try to import something from a FortiGate, you might use a "ReNamer" program to change all the log file names to that format.
I would like to share my script here for easier operation as well.
Hope this helps everyone who suffers the same issue when trying to import an old FGT log to FAZ.
Just import the KB format log to the program and you will get the correct naming:
KB Format:
MY Script to change the naming to correct format:
Successfully imported now:
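The original poster's renaming script was shared as a screenshot and is not on this page. As an added example, not the poster's script, the Python below builds the file name described above from the first line of each converted log (vd= gives the VDOM, date= gives the date) and makes sure no two files get the same name, which is the overwrite problem mentioned later in the thread. Assumptions, labelled in the code: the serial number is not present in the converted log lines, so it is supplied as a placeholder; the [Date] part is taken as the log's own YYYY-MM-DD value; only type="traffic" (tlog) is handled, since that is the only type the thread covers; the five-digit suffix is generated randomly. The sample log line is constructed in the format shown in the thread.

```python
import re
import secrets
from pathlib import Path

# Constructed sample line in the format shown in the thread (not a real device's log).
SAMPLE_LOG_LINE = (
    'date=2024-10-29 time=05:47:49 eventtime=1730152069169145048 tz="+0800" '
    'logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" '
    'srcip=fe80::1053:c623:401c:ee2e srcport=5353 dstport=5353 proto=17 action="deny"'
)

# Placeholder: the FortiGate serial is not in the converted log lines, so the
# operator supplies it. Replace with the real unit's serial number.
SERIAL_PLACEHOLDER = "FGTPLACEHOLDER00"

# key=value tokens; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumed shape of the required name: SN.vdom.tlog.YYYY-MM-DD.NNNNN.log
FAZ_NAME_RE = re.compile(
    r"^[A-Za-z0-9]+\.[A-Za-z0-9_-]+\.tlog\.\d{4}-\d{2}-\d{2}\.\d{5}\.log$"
)

# Only the log type the thread covers; other types are refused rather than guessed.
LOG_TYPE_PREFIX = {"traffic": "tlog"}


def parse_log_line(line: str) -> dict:
    """Parse one FortiGate key=value line into a dict, stripping value quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def build_faz_name(first_line: str, serial: str, suffix: str) -> str:
    """Build SERIAL.VDOM.tlog.DATE.SUFFIX.log from the log's first line."""
    f = parse_log_line(first_line)
    for needed in ("date", "type", "vd"):
        if needed not in f:
            raise ValueError(f"log line lacks {needed}=")
    if f["type"] not in LOG_TYPE_PREFIX:
        raise ValueError(f"unsupported log type {f['type']!r}; only traffic handled here")
    if not re.fullmatch(r"\d{5}", suffix):
        raise ValueError("suffix must be exactly five digits")
    name = f"{serial}.{f['vd']}.{LOG_TYPE_PREFIX[f['type']]}.{f['date']}.{suffix}.log"
    if not FAZ_NAME_RE.match(name):
        raise ValueError(f"built name {name!r} does not match the expected pattern")
    return name


def random_suffix() -> str:
    """Five random digits, zero-padded (assumed to stand in for the firewall's number)."""
    return f"{secrets.randbelow(100000):05d}"


def plan_renames(entries, serial):
    """entries: iterable of (path_str, first_log_line). Returns {path_str: new_name}.
    Suffixes are regenerated on collision so files for the same VDOM and date
    never share a name (the overwrite-on-upload problem from the thread)."""
    used, plan = set(), {}
    for path, first_line in entries:
        name = build_faz_name(first_line, serial, random_suffix())
        while name in used:
            name = build_faz_name(first_line, serial, random_suffix())
        used.add(name)
        plan[path] = name
    return plan


def rename_logs(directory, serial, apply=False):
    """Read the first line of every *.txt in directory, plan the new names, and
    rename only when apply=True. Refuses to overwrite an existing target."""
    entries = []
    for p in sorted(Path(directory).glob("*.txt")):
        with p.open("r", encoding="utf-8", errors="replace") as fh:
            first = fh.readline().strip()
        if first:
            entries.append((str(p), first))
    plan = plan_renames(entries, serial)
    for old, new in plan.items():
        target = Path(old).with_name(new)
        if target.exists():
            raise FileExistsError(f"refusing to overwrite {target}")
        if apply:
            Path(old).rename(target)
    return plan


if __name__ == "__main__":
    # Dry run on the constructed sample; rename_logs("/path/to/logs", SERIAL, apply=True) for real files.
    print(build_faz_name(SAMPLE_LOG_LINE, SERIAL_PLACEHOLDER, "00001"))
```

Run it once with apply=False to review the planned names before touching the files; the dry run also catches any converted file whose first line is not a traffic log.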
Hello
Did you check if the log file is actually readable?
If so, can you share few lines from the log file?
Created on 11-06-2024 03:04 AM Edited on 11-06-2024 03:06 AM
If I change the filename to "disk-tlog.log" , the file can be uploaded and passed.
Also, we can find the traffic details on FAZ then.
But there are numerous log files, and I don't want to change and upload them one by one. If we change and upload them one by one, the new one will overwrite the old one and we lose the logs.
Did not work as expected.
date=2024-10-29 time=05:47:49 eventtime=1730152069169145048 tz="+0800" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=fe80::1053:c623:401c:ee2e srcport=5353 srcintf="Vlan3500" srcintfrole="lan" dstip=ff02::fb dstport=5353 dstintf="root" dstintfrole="undefined" sessionid=594403 proto=17 action="deny" policyid=0 policytype="local-in-policy6" service="udp/5353" trandisp="noop" app="udp/5353" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" srchwvendor="Apple" devtype="Computer" osname="macOS" srcswversion="10.15.7" mastersrcmac="62:24:6e:a4:65:18" srcmac="62:24:6e:a4:65:18" srcserver=0
date=2024-10-29 time=05:47:49 eventtime=1730152069253049209 tz="+0800" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=fe80::14c3:2dd2:6e90:f4d1 srcport=5353 srcintf="Vlan3200" srcintfrole="lan" dstip=ff02::fb dstport=5353 dstintf="root" dstintfrole="undefined" sessionid=594404 proto=17 action="deny" policyid=0 policytype="local-in-policy6" service="udp/5353" trandisp="noop" app="udp/5353" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" srchwvendor="Apple" devtype="Phone" srcfamily="iPhone" osname="iOS" srcswversion="18.0.1" mastersrcmac="ba:f0:e0:f9:24:95" srcmac="ba:f0:e0:f9:24:95" srcserver=0
date=2024-10-29 time=05:47:49 eventtime=1730152069300641550 tz="+0800" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=fe80::16:67e3:b917:8ab1 srcport=5353 srcintf="Vlan3500" srcintfrole="lan" dstip=ff02::fb dstport=5353 dstintf="root" dstintfrole="undefined" sessionid=594405 proto=17 action="deny" policyid=0 policytype="local-in-policy6" service="udp/5353" trandisp="noop" app="udp/5353" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" srchwvendor="Apple" devtype="Laptop" srcfamily="Mac" osname="macOS" srchwversion="MacBook Pro" srcswversion="10.15.7" mastersrcmac="0e:60:8d:7d:03:33" srcmac="0e:60:8d:7d:03:33" srcserver=0
date=2024-10-29 time=05:47:49 eventtime=1730152069383618251 tz="+0800" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.16.72.14 srcname="DR-ATLASSIAN" srcport=49465 srcintf="Vlan3500" srcintfrole="lan" dstip=142.250.198.42 dstport=443 dstintf="port2" dstintfrole="wan" srccountry="Reserved" dstinetsvc="Google-Web" dstcountry="United States" dstregion="California" dstcity="Mountain View" dstreputation=5 sessionid=61277222 proto=6 action="accept" policyid=1 policytype="policy" poluuid="ef0ab6fc-8072-51ef-515f-33647f470d60" policyname="InternetAccess" service="Google-Web" trandisp="snat" transip=118.143.99.22 transport=49465 appid=42533 app="Google.Services" appcat="General.Interest" apprisk="elevated" applist="default" appact="detected" duration=178 sentbyte=9974 rcvdbyte=4627 sentpkt=19 rcvdpkt=14 shapingpolicyid=1 shaperperipname="PerIP-40Mbps" shaperperipdropbyte=0 vwlid=2 vwlquality="Seq_num(2 port2), alive, latency: 2.031, selected" vwlname="Wan2" sentdelta=9974 rcvddelta=4627 srchwvendor="Apple" devtype="Laptop" srcfamily="Mac" osname="macOS" srchwversion="MacBook Pro" srcswversion="15.0.1" mastersrcmac="1e:4d:c2:33:47:99" srcmac="1e:4d:c2:33:47:99" srcserver=0
I have found a way to fix the issue with Fortinet TAC, I have just updated the post now.