This example illustrates how to migrate logs from an old FortiAnalyzer to a new FortiAnalyzer.
- Make the old and new FortiAnalyzer the same firmware version.
5.4.0 or later is preferred.
- Migrate the Device Manager settings from the old FortiAnalyzer to the new one.
- Enable the GUI display by using the following command:
conf sys admin setting > show-device-import-export: enable
- In the old FortiAnalyzer, export the Device List from the Device Manager.
- In the new FortiAnalyzer, import the Device List from the Device Manager.
Setting up the Aggregation Client
FortiAnalyzer 5.6.0 and later, Log Aggregation is only available from the CLI.
Use the following command to set up the Aggregation Client:
config system aggregation-client edit 1 set mode aggregation set agg-user [ENTER ADMIN USER FOR NEW FORTIANALYZER] set agg-password [ENTER PASSWORD FOR NEW FORTIANALYZER] set agg-time 1 [LOG AGGREGATION START TIME] set server-ip [ENTER NEW FORTIANALYZER IP ADDRESS] next end
Setting up the Aggregation Server
Use the following command to set up the Aggregation Server:
config system aggregation-service set accept-aggregation enable end
After running the command, take note of the Instance ID. You will need to enter the Instance ID when running the aggregation command in the Client CLI.
|Log Aggregation is not supported on all FortiAnalyzer models, check your specific device’s datasheet.|
Running Aggregation in the Client CLI
You can initiate log aggregation via the GUI or the CLI console.
In the GUI, go to System > Log Forwarding > select Aggregation Profile > click Aggregate Now.
In the CLI, use the following command to aggregate logs in the Client:
exec log-aggregation all
Checking the Aggregation Progress on the Client
On the old FortiAnalyzer, go to System Settings > Event Log. When the log aggregation is completed, the following message will be displayed: Log aggregation session completed.
Rebuilding the Database
If you are migrating a large amount of logs, you will need to rebuild the database after log aggregation.
Use the following command to rebuild the database:
exec sql-local rebuild-db
Debugging Log Aggregation
To debug log aggregation, use the following CLI command:
dia debug application log-aggregate 255 dia deb en
Latest posts by Tiara Quan (see all)
- FortiSandbox 2000E Installation Guide - October 4, 2017
- FortiAnalyzer: Replacing FortiGate HA Pairs with Logging Enabled - October 2, 2017
- FortiManager: Third Party Blacklist Provider Workflow - September 12, 2017