FortiAnalyzer
rameshk_FTNT
Staff
Article Id 191972

Description

 

This article describes how to back up and restore FortiAnalyzer settings, logs, and reports.


Scope

 

Periodic backup allows recovery in the event of a unit failure, unit replacement or maintenance such as disk formatting, RAID rebuilding, or resetting configuration to the factory default.

 

In a planned (non-emergency) replacement or upgrade of a FortiAnalyzer, log aggregation (also known as log forwarding) from an old to a new unit is an alternative to using log restore.

 

Solution

 

Backing up Logs, Reports, and Settings (Configuration).

 

To back up both logs and associated DLP archive files:

 

execute backup logs <device name(s)| all> <ftp/sftp/scp> <ip> <user name> <password> <directory>

 

    Examples to back up both logs and associated DLP archive files by Device Name.

    execute backup logs FortiGate1 ftp 192.168.170.10 test1 test1 /

    execute backup logs FortiGate2 ftp 192.168.170.10 test1 test1 /

 

To back up logs only:

 

execute backup logs-only <device name(s)| all> <ftp/sftp/scp> <ip> <user name> <password> <directory>

 

    Examples to back up logs only by Device Name.

    execute backup logs-only FortiGate1 ftp 192.168.170.10 test1 test1 /

    execute backup logs-only FortiGate2 ftp 192.168.170.10 test1 test1 /

 

To back up reports:

 

execute backup reports <report name or all> <ftp/sftp/scp> <ip> <user name> <password> <directory>

 

Examples to back up reports only by report name:

 

   <report name(s)> Report name(s) separated by ',' or 'all' for all reports.
   all Backup all reports
   <report name pattern> Backup reports with names containing given pattern.
   A '?' matches any single character.
   A '*' matches any string, including the empty string, e.g.:
   foo : for exact match
   *foo : for report names ending with foo
   foo* : for report names starting with foo
   *foo*: for report names containing foo substring


   execute backup reports Test_Report ftp 192.168.170.10 test1 test1 /

   execute backup reports Test_* ftp 192.168.170.10 test1 test1 /
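The `<report name(s)>` argument accepts a comma-separated list of names or patterns, and the `?`/`*` wildcards follow ordinary shell glob rules. The script below is an added example (not Fortinet code and not part of this article) that previews which names a given argument would select, so a pattern can be checked against the report list before the real `execute backup reports` or `execute restore reports` is run. The sample report names are constructed; the handling of `all` and of the comma-separated list follows the CLI help text above.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: preview which report names a
# "execute backup reports" / "execute restore reports" name argument selects.
# Assumption: the argument is a comma-separated list of names or shell-style
# patterns ('?' = one character, '*' = any string), or the word 'all'.

# report_matches <name> <pattern-list> : exit 0 if the name is selected.
report_matches() {
    name=$1
    rest=$2
    while [ -n "$rest" ]; do
        # Split off the next comma-separated pattern.
        case $rest in
            *,*) pat=${rest%%,*}; rest=${rest#*,} ;;
            *)   pat=$rest; rest= ;;
        esac
        [ "$pat" = all ] && return 0
        # An unquoted $pat in a case label is matched as a glob, which gives
        # exactly the '?' and '*' semantics the CLI help describes.
        case $name in
            $pat) return 0 ;;
        esac
    done
    return 1
}

# filter_reports <pattern-list> <name>... : print the selected names, one per
# line; exit 1 if nothing matched (a pattern that selects nothing is the usual
# sign of a typo, better caught here than after a restore that did nothing).
filter_reports() {
    pattern=$1
    shift
    matched=0
    for name in "$@"; do
        if report_matches "$name" "$pattern"; then
            printf '%s\n' "$name"
            matched=$((matched + 1))
        fi
    done
    [ "$matched" -gt 0 ]
}

# Constructed sample report list; on a real unit the names come from the
# FortiAnalyzer Reports page.
SAMPLE_REPORTS="Test_Report Test_Weekly Daily_Test Bandwidth"

# Usage when run directly:  sh report_patterns.sh 'Test_*'
if [ "$#" -ge 1 ]; then
    # word splitting of the sample list is intended
    filter_reports "$1" $SAMPLE_REPORTS
fi
```

`Test_*` selects `Test_Report` and `Test_Weekly` from the sample list, `*Test` selects only `Daily_Test`, and `Test_Report,Daily_Test` selects exactly those two names.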

 

 

To back up the FortiAnalyzer unit settings to an FTP, SFTP, or SCP server:

 

When the unit settings are backed up from the vdom_admin account, the backup file contains global settings and the settings for each VDOM.

 

When the unit settings are backed up from a regular administrator account, the backup file contains the global settings and only the settings for the VDOM to which the administrator belongs.

 

execute backup all-settings {ftp | sftp} <ip> <string> <username> <password> <crptpasswd>
execute backup all-settings <scp> <ip> <string> <username> <ssh-cert> <crptpasswd>

 

To check the backup progress:

 

diagnose test app uploadd 6

 

Restoring Logs, Reports, and Settings (Configuration).

 

It is recommended to restore the FortiAnalyzer settings before restoring the logs.

This ensures that the quotas and log retention policy are properly set before the logs are restored.

 

To restore the FortiAnalyzer unit settings:

 

execute restore all-settings {ftp | sftp} <ip> <string> <username> <password> <crptpasswd>

execute restore all-settings <scp> <ip> <string> <username> <ssh-cert> <crptpasswd>

 

To restore all logs:

 

execute restore logs-only <device name(s)| all> <ftp/sftp/scp> <ip> <user name> <password> <directory>

 

   Examples to restore logs only by device name.

   execute restore logs-only FortiGate1 ftp 192.168.170.10 test1 test1 /

   execute restore logs-only FortiGate2 ftp 192.168.170.10 test1 test1 /

 

To restore reports:

 

execute restore reports <report name or all> <ftp/sftp/scp> <ip> <user name> <password> <directory>

  

   Examples to restore reports only by report name.

   <report name(s)> Report name(s) separated by ',' or 'all' for all reports.
   all Restore all reports
   <report name pattern> Restore reports with names containing given pattern.
   A '?' matches any single character.
   A '*' matches any string, including the empty string, e.g.:
   foo : for exact match
   *foo : for report names ending with foo
   foo* : for report names starting with foo
   *foo*: for report names containing foo substring


   execute restore reports Test_Report ftp 192.168.170.10 test1 test1 /

   execute restore reports Test_* ftp 192.168.170.10 test1 test1 /

 

Example and verification of the backup.

 

To create the configuration backup from the GUI (logs are not included in this backup), go to System Settings -> Dashboard -> System Information widget.

 


 

When the backup is successful, the MD5 hash of the backup file can be found under System Settings -> Event Log.

 


 

Using the CLI:

 

execute backup all-settings ftp 10.109.21.220 / test1 test1

 

Starting backup all settings in background, please wait.

# Starting transfer the backup file to FTP server...

Transferred 139.237M of 139.237M in 0:00:00s (178.065M/s)

Backup all settings...Ok.

MD5: 635f75d00009242f37684cf0e6018b83

 

First, start the backup. The name of the backup file is generated by the system. When the backup completes successfully, an MD5 hash is generated for it.

 

The native tools of GNU/Linux distributions and Windows, shown below, can then be used to check the integrity of the file.

 

Under Windows PowerShell:

 

PS C:\Users\fortinet\Downloads> Get-FileHash -Algorithm MD5 .\fmg_clibackup.dat

Algorithm       Hash                                                                   Path

---------       ----                                                                   ----

MD5             635F75D00009242F37684CF0E6018B83        C:\Users\fortinet\Downloads\f...

 

Under Linux:

 

# md5sum fmg_clibackup.dat > fmg_clibackup.dat.md5sum

# cat fmg_clibackup.dat.md5sum

635f75d00009242f37684cf0e6018b83  fmg_clibackup.dat

 

Enabling or disabling encryption during the configuration file backup changes the final checksum value, so the hash must always be compared with the one reported for that particular backup.
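The page shows how to compute the hash of the downloaded file but leaves the comparison to the reader. The script below is an added example (not Fortinet code and not part of this article) that compares a downloaded backup against the MD5 value printed by `execute backup all-settings` or shown in the Event Log, accepting either the lowercase form from the CLI and `md5sum` or the uppercase form from `Get-FileHash`. It assumes `md5sum` (coreutils) or, failing that, `openssl` is available; the sample file and its contents in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: verify a downloaded
# FortiAnalyzer/FortiManager backup against the MD5 the unit reported.
# Assumption: md5sum (coreutils) or openssl is installed.

# md5_of <file> : print the lowercase MD5 hex digest of the file.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        # openssl prints "MD5(file)= <hex>"; the digest is the last field.
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_backup_md5 <file> <expected-md5>
#   exit 0 on match, 1 on mismatch, 2 if the file is missing.
# The expected value is lowercased so the uppercase hash from PowerShell's
# Get-FileHash and the lowercase one from the CLI / md5sum both compare equal.
verify_backup_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file $actual"
        return 0
    fi
    echo "MISMATCH $file expected=$expected actual=$actual" >&2
    return 1
}

# Usage when run directly, with the file name and hash from the article:
#   sh verify_backup.sh fmg_clibackup.dat 635f75d00009242f37684cf0e6018b83
if [ "$#" -ge 2 ]; then
    verify_backup_md5 "$1" "$2"
fi
```

A non-zero exit status makes the check usable in a scheduled download job: a mismatch means the file was truncated or altered in transit, or the hash belongs to a different backup (for example one made with the opposite encryption setting), and the file should not be used for a restore.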

 

Note:

Since version 7.4.2, the backup is encrypted by default on both FortiManager and FortiAnalyzer.

 


 

Related documents:

DOCS: Backing up the system

Technical Tip: Items included in the backup config file

Technical Note: How to check SQL Database rebuild progress on FortiAnalyzer

Technical Note: Forwarding logs between FortiAnalyzers

Technical Tip: How to migrate a FortiAnalyzer logs and config to a new system

Technical Tip: How to reduce FortiManager config backup size (.dat file)

Administration Guide: Backing up the system

Docs: Extended JSON API to support the FortiManager backup operation 7.2.3