Log fetching is used to retrieve archived logs from one FortiAnalyzer device to another. This allows administrators to run queries and reports against historical data, which can be useful for forensic analysis.
The fetching FortiAnalyzer queries the server FortiAnalyzer and retrieves the log data for a specified device and time period, based on the specified filters. The retrieved data is then indexed and can be used for data analysis and reports.
Log fetching can only be done on two FortiAnalyzer devices running the same firmware. A FortiAnalyzer device can be either the fetch server or the fetching client, and it can perform both roles at the same time with different FortiAnalyzer devices. Only one log fetching session can be established at a time between two FortiAnalyzer devices.
The basic steps for fetching logs are:
- On the client, create a fetching profile. See Fetching profiles.
- On the client, send the fetch request to the server. See Fetch requests.
- On the client, sync devices and ADOMs with the server if this is the first time fetching logs with the selected profile, or if any devices or ADOMs have changed since the last fetch. See Synchronizing devices and ADOMs.
- On the server, review the request, then either approve or reject it. See Request processing.
- Monitor the fetch process on either FortiAnalyzer. See Fetch monitoring.
- On the client, wait until the database is rebuilt before using the fetched data for analysis.