FortiAnalyzer: Log Data Migration from an Old to a New FortiAnalyzer


This example illustrates how to migrate logs from an old FortiAnalyzer to a new FortiAnalyzer. 

When migrating logs, both FortiAnalyzer units must run the same firmware version. For example, to migrate logs from an old FortiAnalyzer running 5.2 to a new FortiAnalyzer running 5.4, first upgrade the old FortiAnalyzer to 5.4 firmware, and only then aggregate and migrate the logs to the new 5.4 FortiAnalyzer.

Migration Prerequisites

  1. Make the old and new FortiAnalyzer the same firmware version.
    5.4.0 or later is preferred.
  2. Migrate the Device Manager settings from the old FortiAnalyzer to the new one.
  3. Enable the Device List import/export option in the GUI by using the following command:
    config system admin setting
        set show-device-import-export enable
    end
  4. In the old FortiAnalyzer, export the Device List from the Device Manager.
  5. In the new FortiAnalyzer, import the Device List from the Device Manager.

Setting up the Aggregation Client

In FortiAnalyzer 5.6.0 and later, Log Aggregation is only available from the CLI.

Use the following command to set up the Aggregation Client on the old FortiAnalyzer. Replace the bracketed placeholders with your own values; the agg-time value shown (1) is the log aggregation start time.

config system aggregation-client
     edit 1
          set mode aggregation
          set agg-user [ENTER ADMIN USER FOR NEW FORTIANALYZER]
          set agg-password [ENTER PASSWORD FOR NEW FORTIANALYZER]
          set agg-time 1
          set server-ip [ENTER NEW FORTIANALYZER IP ADDRESS]
     next
end

Setting up the Aggregation Server

Use the following command to set up the Aggregation Server on the new FortiAnalyzer:

config system aggregation-service
     set accept-aggregation enable
end

After running the command, take note of the Instance ID; you will need to enter it when running the aggregation command in the Client CLI.

Log Aggregation is not supported on all FortiAnalyzer models; check your specific device's datasheet.
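As an added example (not Fortinet's code and not part of the original article), the following Python helper checks the article's prerequisites (matching firmware on both units, 5.4.0 or later, a valid server IP, and credentials present) before rendering the aggregation-client and aggregation-server CLI blocks shown above. The MigrationPlan fields and function names are assumptions made for illustration.

```python
"""Pre-flight check and CLI rendering for a FortiAnalyzer log migration."""
from dataclasses import dataclass
import ipaddress


@dataclass
class MigrationPlan:
    old_version: str   # firmware on the old FortiAnalyzer (aggregation client)
    new_version: str   # firmware on the new FortiAnalyzer (aggregation server)
    agg_user: str      # admin account on the new FortiAnalyzer
    agg_password: str  # password for that account
    agg_time: int      # log aggregation start time (the article's example uses 1)
    server_ip: str     # IP address of the new FortiAnalyzer


def parse_version(version: str) -> tuple:
    """'5.4' and '5.4.0' compare equal: pad to three numeric components."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def preflight(plan: MigrationPlan) -> list:
    """Return the list of unmet prerequisites; an empty list means go ahead."""
    problems = []
    old, new = parse_version(plan.old_version), parse_version(plan.new_version)
    if old != new:
        problems.append(f"firmware mismatch ({plan.old_version} vs {plan.new_version}): "
                        "upgrade the old FortiAnalyzer before aggregating")
    if old < (5, 4, 0):
        problems.append("firmware older than 5.4.0; 5.4.0 or later is preferred")
    try:
        ipaddress.ip_address(plan.server_ip)  # rejects hostnames and typos
    except ValueError:
        problems.append(f"server-ip {plan.server_ip!r} is not a valid IP address")
    if not plan.agg_user or not plan.agg_password:
        problems.append("agg-user and agg-password must both be set")
    return problems


def render_client_cli(plan: MigrationPlan) -> str:
    """CLI block for the old FortiAnalyzer (aggregation client)."""
    return "\n".join([
        "config system aggregation-client", "    edit 1", "        set mode aggregation",
        f"        set agg-user {plan.agg_user}", f"        set agg-password {plan.agg_password}",
        f"        set agg-time {plan.agg_time}", f"        set server-ip {plan.server_ip}",
        "    next", "end",
    ])


def render_server_cli() -> str:
    """CLI block for the new FortiAnalyzer (aggregation server)."""
    return "config system aggregation-service\n    set accept-aggregation enable\nend"
```

Run preflight() first and only render the CLI blocks when it returns an empty list; the server IP check catches the common mistake of typing a hostname where the CLI expects an address.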

Running Aggregation in the Client CLI

You can initiate log aggregation via the GUI or the CLI console.

In the GUI, go to System > Log Forwarding, select the Aggregation Profile, and click Aggregate Now.

In the CLI, use the following command to aggregate logs in the Client:

exec log-aggregation all

Checking the Aggregation Progress on the Client

On the old FortiAnalyzer, go to System Settings > Event Log. When the log aggregation is completed, the following message will be displayed: Log aggregation session completed.

Rebuilding the Database

If you are migrating a large amount of logs, you will need to rebuild the database after log aggregation. 

Use the following command to rebuild the database:

exec sql-local rebuild-db

Debugging Log Aggregation

To debug log aggregation, use the following CLI commands:

diagnose debug application log-aggregate 255
diagnose debug enable