This example illustrates how to migrate logs from an old FortiAnalyzer to a new FortiAnalyzer.
Migrating Prerequisites
- Make the old and new FortiAnalyzer the same firmware version. 5.4.0 or later is preferred.
- Migrate the Device Manager settings from the old FortiAnalyzer to the new one.
- Enable the GUI display (device list import/export) by using the following command:
config system admin setting
    set show-device-import-export enable
end
- In the old FortiAnalyzer, export the Device List from the Device Manager.
- In the new FortiAnalyzer, import the Device List from the Device Manager.
Setting up the Aggregation Client
In FortiAnalyzer 5.6.0 and later, Log Aggregation is only available from the CLI.
Use the following command to set up the Aggregation Client:
config system aggregation-client
    edit 1
        set mode aggregation
        set agg-user [ENTER ADMIN USER FOR NEW FORTIANALYZER]
        set agg-password [ENTER PASSWORD FOR NEW FORTIANALYZER]
        set agg-time 1 [LOG AGGREGATION START TIME]
        set server-ip [ENTER NEW FORTIANALYZER IP ADDRESS]
    next
end
Setting up the Aggregation Server
Use the following command to set up the Aggregation Server:
config system aggregation-service
    set accept-aggregation enable
end
After running the command, take note of the Instance ID. You will need to enter the Instance ID when running the aggregation command in the Client CLI.
Log Aggregation is not supported on all FortiAnalyzer models; check your specific device's datasheet.
Running Aggregation in the Client CLI
You can initiate log aggregation via the GUI or the CLI console.
In the GUI, go to System > Log Forwarding > select Aggregation Profile > click Aggregate Now.
In the CLI, use the following command to aggregate logs in the Client:
exec log-aggregation all
Checking the Aggregation Progress on the Client
On the old FortiAnalyzer, go to System Settings > Event Log. When the log aggregation is completed, the following message will be displayed: Log aggregation session completed.
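The following Python script is an added example and is not part of the Fortinet Cookbook page or of any FortiAnalyzer tooling. It renders the aggregation-client block from the "Setting up the Aggregation Client" section from parameters after checking the firmware prerequisite (same version on both units, 5.4.0 or later preferred), masks the aggregation password so the rendered block can be shared safely, and scans event log lines for the "Log aggregation session completed" message described above. The function names, the version-comparison rule, and the sample event log lines are assumptions made for this example.

```python
# Added example, not from the Fortinet Cookbook page or from Fortinet.
# Renders the aggregation-client CLI block from parameters after checking the
# firmware prerequisite, masks the password for safe sharing, and looks for the
# completion message in FortiAnalyzer event log lines. Function names, the
# version rule and the sample log lines below are assumptions for this example.
import ipaddress
import re

VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")
COMPLETED_MSG = "Log aggregation session completed"  # message quoted on the page


def _version_tuple(version):
    """Parse 'major.minor.patch' into a comparable tuple."""
    if not VERSION_RE.match(version):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def check_firmware(old_version, new_version, preferred="5.4.0"):
    """Return (same_version, meets_preferred).

    The page requires both units to run the same firmware and prefers 5.4.0
    or later; the numeric comparison is this example's assumption.
    """
    old_v, new_v = _version_tuple(old_version), _version_tuple(new_version)
    return old_v == new_v, new_v >= _version_tuple(preferred)


def aggregation_client_config(server_ip, agg_user, agg_password,
                              agg_time=1, entry_id=1):
    """Render the 'config system aggregation-client' block shown on the page."""
    ipaddress.ip_address(server_ip)  # raises ValueError on a malformed address
    if not agg_user or not agg_password:
        raise ValueError("aggregation user and password are required")
    if not isinstance(agg_time, int) or agg_time < 0:
        raise ValueError("agg-time must be a non-negative integer")
    lines = [
        "config system aggregation-client",
        f"    edit {entry_id}",
        "        set mode aggregation",
        f"        set agg-user {agg_user}",
        f"        set agg-password {agg_password}",
        f"        set agg-time {agg_time}",
        f"        set server-ip {server_ip}",
        "    next",
        "end",
    ]
    return "\n".join(lines)


def redact_config(config_text):
    """Mask the agg-password value so the block can go into a ticket or log."""
    return re.sub(r"(set agg-password )\S+", r"\1********", config_text)


def aggregation_completed(event_log_lines):
    """True once the event log carries the completion message from the page."""
    return any(COMPLETED_MSG in line for line in event_log_lines)


# Constructed sample event log lines (not real FortiAnalyzer output).
SAMPLE_EVENT_LOG = [
    "2024-01-15 02:00:01 Log aggregation session started",
    "2024-01-15 02:41:17 Log aggregation session completed",
]

if __name__ == "__main__":
    same, recent = check_firmware("5.6.0", "5.6.0")
    print(f"same firmware on both units: {same}, 5.4.0 or later: {recent}")
    cfg = aggregation_client_config("192.0.2.10", "faz-admin", "example-password")
    print(redact_config(cfg))
    print("aggregation completed:", aggregation_completed(SAMPLE_EVENT_LOG))
```

Run it as-is to see the rendered block with the password masked; in practice, read the password from a secrets store or environment variable rather than a literal, and paste only the redacted form into change records.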
Rebuilding the Database
If you are migrating a large amount of logs, you will need to rebuild the database after log aggregation.
Use the following command to rebuild the database:
exec sql-local rebuild-db
Debugging Log Aggregation
To debug log aggregation, use the following CLI command:
diagnose debug application log-aggregate 255
diagnose debug enable
The post FortiAnalyzer: Log Data Migration from an Old to a New FortiAnalyzer appeared first on Fortinet Cookbook.