FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
jcamacho1
Staff
Article Id 195140
Description
This article explains how to delete an admin user on the FortiAnalyzer even if the 'idle timeout' has not yet expired.

This process can be used when:

1. The configured admin user has logged out, and
2. The user is not in the list of the "diag system admin-session list"

Even after a user has logged out, they continue to appear in the "diag system admin-session list" output until the "Idle Timeout" expires (15 minutes by default) or until their sessions are manually deleted from the admin-session list. An attempt to delete the user from the GUI will show the error message "Failed to deleted admin user [username]".

Scope
All FortiAnalyzer firmware versions. 

Solution
1. Verify session list
diag system admin-session list

FAZVM64 # diag system admin-session list
*** entry 0 ***
session_id: 27999 (seq: 1)
username: admin
admin template: admin
from: ssh(192.168.1.110) (type 0)
profile: Super_User (type 3)
adom: root
session length: 655 (seconds)

*** entry 1 ***
session_id: 21454 (seq: 0)
username: admin
admin template: admin
from: console (type 0)
profile: Super_User (type 3)
adom: root
session length: 679 (seconds)

*** entry 2 ***
session_id: 44540 (seq: 2)
username: admin
admin template: admin
from: GUI(192.168.1.110) (type 1)
profile: Super_User (type 3)
adom: root
session length: 219 (seconds)
idle: 211 (seconds)

*** entry 3 ***
session_id: 3027 (seq: 0)
username: Test
admin template: Test
from: GUI(192.168.1.110) (type 1)
profile: Restricted_User (type 1)
adom: root
session length: 211 (seconds)
idle: 188 (seconds)

Even though the user "Test" has logged out, they still appear in the list (entry 3), and the "idle" value will keep increasing.

2. If the Administrator cannot wait for "Idle Timeout" to expire, the following steps can be used to delete the user.

2.1. Collect the "session_id" from the output of "diag system admin-session list". In this example, for user "Test", it is "session_id: 3027".

2.2. Run the following command to remove the user from the list:

diag system admin-session kill [session-id]

In this example:

diag system admin-session kill 3027

2.3. Confirm the change by running "diag system admin-session list" again:

FAZVM64 # diag system admin-session list
*** entry 0 ***
session_id: 27999 (seq: 0)
username: admin
admin template: admin
from: ssh(192.168.1.110) (type 0)
profile: Super_User (type 3)
adom: root
session length: 1049 (seconds)

*** entry 1 ***
session_id: 20467 (seq: 2)
username: admin
admin template: admin
from: GUI(192.168.1.110) (type 1)
profile: Super_User (type 3)
adom: root
session length: 561 (seconds)
idle: 165 (seconds)

*** entry 2 ***
session_id: 44540 (seq: 1)
username: admin
admin template: admin
from: GUI(192.168.1.110) (type 1)
profile: Super_User (type 3)
adom: root
session length: 613 (seconds)
idle: 605 (seconds)

No entries are now seen for user "Test".

2.4. If there is more than one entry in the list for the user, steps 2.1 and 2.2 must be executed for each "session_id".

3. When no sessions remain in the list for the user, the user can be deleted by using the GUI (System Settings > Admin > Administrator > Username > Delete).
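
Steps 2.1 to 2.4 can be checked offline against a saved copy of the session list. The following Python sketch is an added example, not Fortinet code: it parses output in the format shown above and returns one kill command per session still held by a given user. The sample text is constructed (session_id 3101 and the abridged entry 2 are invented), and the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the article's "diag system admin-session list" output.
SAMPLE = """\
*** entry 0 ***
session_id: 27999 (seq: 1)
username: admin
admin template: admin
from: ssh(192.168.1.110) (type 0)
profile: Super_User (type 3)
adom: root
session length: 655 (seconds)

*** entry 1 ***
session_id: 3027 (seq: 0)
username: Test
admin template: Test
from: GUI(192.168.1.110) (type 1)
profile: Restricted_User (type 1)
adom: root
session length: 211 (seconds)
idle: 188 (seconds)

*** entry 2 ***
session_id: 3101 (seq: 1)
username: Test
session length: 95 (seconds)
idle: 90 (seconds)
"""

def parse_sessions(text):
    """Return one dict per '*** entry N ***' block, with numeric fields as ints."""
    sessions = []
    for block in re.split(r"^\*\*\* entry \d+ \*\*\*\s*$", text, flags=re.M)[1:]:
        pairs = (line.partition(":") for line in block.splitlines())
        entry = {k.strip(): v.strip() for k, sep, v in pairs if sep}
        for field in ("session_id", "session length", "idle"):
            if field in entry:  # ssh/console entries in the article carry no "idle"
                entry[field] = int(entry[field].split()[0])
        if "session_id" in entry:  # skip truncated entries
            sessions.append(entry)
    return sessions

def kill_commands(text, username):
    """One kill command per session still listed for `username` (steps 2.1-2.4)."""
    return [f"diag system admin-session kill {s['session_id']}"
            for s in parse_sessions(text) if s.get("username") == username]

if __name__ == "__main__":
    print("\n".join(kill_commands(SAMPLE, "Test")))
```

An empty result for the user means no sessions remain and the GUI delete in step 3 can proceed.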
