FortiAnalyzer
cborgato_FTNT
Article Id 191178
Description
This article describes a procedure for migrating logs between ADOMs on FortiAnalyzer v5.4.

The same procedure also applies to v5.0 and v5.2 ADOMs.

Solution
This process is useful when device logs have to be re-organized into a new ADOM design.

In that case the logs must be migrated from the original ADOM to another (or newly created) ADOM. This procedure can only be applied between ADOMs of the same version.


Back up the configuration.

The configuration backup can be done from the Web GUI.


Or via the CLI (the directory argument precedes the username and password, as in the example below):
#execute backup all-settings {ftp | scp | sftp | tftp} <server_ipv4> <directory_str> <username_str> <password_str>

Example
#execute backup all-settings scp 1.2.3.4 /path user1 pwd1

Back up the logs of the specific FortiGate to be migrated.

The log backup must be done from the CLI. Prefer scp or sftp over ftp or tftp, as the latter two transfer the logs and the credentials unencrypted:
#execute backup logs <devices_str> {ftp | scp | sftp | tftp} <server_ipv4> <username_str> <password_str> <directory_str>

Example
#execute backup logs FGVM010000011262 scp 1.2.3.4 user1 pwd1 /home all

Create a new 5.4 ADOM for the FortiGate and move the device there.

Go to System Settings > All ADOMs and select 'Create New'.


Add the FortiGate to the new 5.4 ADOM and select 'OK'.


Check that the FortiGate is in the new ADOM.

Go to 'Device Manager' and verify that the FortiGate is listed under the new ADOM (ADOM_B).

If it is not yet showing in the new ADOM, log out, log in again and check once more.


Check the logs in 'Log View'.

Go to 'Log View' and switch between the two ADOMs. At this point the logs are still visible under the old ADOM (ADOM_A), and the new ADOM (ADOM_B) is empty.

Perform the SQL database rebuild from the CLI:
#execute sql-local rebuild-db

The rebuild process may take a long time (possibly even hours) depending on the size of the database, and a reboot will be required.


Finally, check the logs again.

Go to 'Log View'.

The logs should now appear under the new ADOM (ADOM_B).

Related Articles

Technical Note: Missing logs - How to migrate former standalone FortiGate devices to HA Cluster on F...

Technical Note: Missing logs - Manual migration of former standalone FortiGate devices to HA Cluster...
