5.4.0

Log data migration from an old to new FortiAnalyzer

This example illustrates how to migrate logs from an old FortiAnalyzer to a new FortiAnalyzer.

Note

When migrating logs, the firmware version must be the same. For example, if you are migrating logs from an old FortiAnalyzer running 5.2 to a new FortiAnalyzer running 5.4, you must upgrade the 5.2 FortiAnalyzer to 5.4 firmware before aggregating and migrating logs to the new 5.4 FortiAnalyzer.

Migrating prerequisites

To complete the migration prerequisites:
  1. Make the old and new FortiAnalyzer the same firmware version.
    5.4.0 or later is preferred.
  2. Migrate the Device Manager settings from the old FortiAnalyzer to the new one.
  3. Enable the Device List import/export option in the GUI by using the following commands:
    config system admin setting
        set show-device-import-export enable
    end
  4. In the old FortiAnalyzer, export the Device List from the Device Manager.
  5. In the new FortiAnalyzer, import the Device List from the Device Manager.

Setting up the aggregation client

Note

For FortiAnalyzer 5.6.0 and later, Log Aggregation is only available from the CLI.

To set up the aggregation client in the CLI:
config system aggregation-client
    edit 1
        set mode aggregation
        set agg-user [ENTER ADMIN USER FOR NEW FORTIANALYZER]
        set agg-password [ENTER PASSWORD FOR NEW FORTIANALYZER]
        set agg-time 1 [LOG AGGREGATION START TIME]
        set server-ip [ENTER NEW FORTIANALYZER IP ADDRESS]
    next
end

Setting up the aggregation server

To set up the aggregation server in the CLI:
  1. Use the following command in the CLI:
    config system aggregation-service
         set accept-aggregation enable
    end
    
  2. After running the command, take note of the Instance ID. You will need to enter the Instance ID when running the aggregation command in the client CLI.

Note

Log Aggregation is not supported on all FortiAnalyzer models. Check your specific device's datasheet.

Running aggregation in the client CLI

You can initiate log aggregation via the GUI or the CLI console.

To initiate log aggregation in the GUI:
  1. Go to System > Log Forwarding.
  2. Select Aggregation Profile.
  3. Click Aggregate Now.

To initiate log aggregation in the CLI:
exec log-aggregation all

Checking the aggregation progress on the client

To check the aggregation progress on the client:
  1. On the old FortiAnalyzer, go to System Settings > Event Log.
  2. When the log aggregation is completed, the following message will be displayed:
    Log aggregation session completed.
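The two checks above (matching firmware before aggregation, and the "Log aggregation session completed." event afterwards) are easy to script when migrating several units. The following Python is an added example, not Fortinet code: it assumes you have saved the text of "get system status" from each FortiAnalyzer and an export of the event log as plain strings, and the sample outputs embedded below are constructed for illustration (the exact surrounding output of "get system status" is an assumption; only the "Version" line is parsed).

```python
"""Pre-flight and completion checks for a FortiAnalyzer log migration.

Added example, not part of the Fortinet documentation. It assumes the
output of `get system status` from the old and new units and an export of
the event log are available as strings; the samples below are constructed.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed samples: a 5.2 unit and a 5.4 unit (serial numbers are fake).
OLD_STATUS = """Platform Type        : FAZVM64
Version              : v5.2.7-build0757 160429 (GA)
Serial Number        : FAZ-VM0000000001
"""
NEW_STATUS = """Platform Type        : FAZVM64
Version              : v5.4.0-build1019 160112 (GA)
Serial Number        : FAZ-VM0000000002
"""

# Constructed event-log excerpt from the old (client) unit.
EVENT_LOG = """2016-05-01 10:00:01 Log aggregation session started.
2016-05-01 10:42:17 Log aggregation session completed.
"""

# Matches "Version : v5.4.0-build1019 ..." and captures major.minor.patch.
VERSION_RE = re.compile(r"^Version\s*:\s*v(\d+)\.(\d+)\.(\d+)", re.MULTILINE)
COMPLETED_RE = re.compile(r"Log aggregation session completed", re.IGNORECASE)

# Minimum version the page recommends for the migration.
PREFERRED_MIN: Version = (5, 4, 0)


def parse_version(status_output: str) -> Optional[Version]:
    """Return (major, minor, patch) from `get system status`, or None."""
    match = VERSION_RE.search(status_output)
    if not match:
        return None
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


def preflight_problems(old_status: str, new_status: str) -> List[str]:
    """List reasons the migration should not start yet (empty means go)."""
    problems: List[str] = []
    old_v, new_v = parse_version(old_status), parse_version(new_status)
    if old_v is None or new_v is None:
        problems.append("could not read the firmware version from one of the units")
        return problems
    # The page requires identical firmware on both sides before aggregating.
    if old_v != new_v:
        problems.append(
            f"firmware mismatch: old {fmt(old_v)} vs new {fmt(new_v)}; "
            "upgrade the old unit before aggregating"
        )
    # 5.4.0 or later is preferred.
    if min(old_v, new_v) < PREFERRED_MIN:
        problems.append(f"firmware below {fmt(PREFERRED_MIN)}; {fmt(PREFERRED_MIN)} or later is preferred")
    return problems


def aggregation_completed(event_log: str) -> bool:
    """True once the event log contains the completion message."""
    return COMPLETED_RE.search(event_log) is not None


if __name__ == "__main__":
    for problem in preflight_problems(OLD_STATUS, NEW_STATUS):
        print("BLOCKED:", problem)
    print("completed:", aggregation_completed(EVENT_LOG))
```

Run the pre-flight check against the two "get system status" captures before setting up the aggregation client, and poll the exported event log for the completion message before rebuilding the database on the new unit.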

Rebuilding the database

If you are migrating a large volume of logs, you will need to rebuild the database after log aggregation.

To rebuild the database:
exec sql-local rebuild-db

Debugging log aggregation

To debug log aggregation:
diagnose debug application log-aggregate 255
diagnose debug enable
