Technical Tip: Backup logs in plaintext format avoid performing LZ4 decompression

akumar02 · ‎11-24-2022

Description

This article describes that backup logs in plaintext format avoid LZ4 decompression.

By default, if the logs are backed up to the FTP server, logs will be encrypted.

# execute backup disk alllogs ftp <IP_address> <username> <password>

# execute backup disk log ftp <IP_address> <username> <password> <log_type>

If it is necessary to upload the logs to Fortianalyzer, it is necessary to decrypt it using LZ4 and then upload it to the FortiAnalyzer.

Scope

FortiGate version 7.0.4+

Solution

After 7.0.4+ Firmware, in all Firewall models, it is possible to add an uncompressed parameter at the end of the command '# execute backup disk log ftp' to have a cleartext file and that will be easier to upload to the Fortianalyzer.

# execute backup disk alllogs ftp <IP_address> <username> <password> <compressed | uncompressed>

# execute backup disk log ftp <IP_address> <username> <password> <log_type> <compressed |uncompressed>

Now decompressed logs which can be uploaded to FortiAnalywer:

https://community.fortinet.com/t5/FortiAnalyzer/Technical-Note-Transferring-historical-logs-from-a-F...

Note:

1)This feature is present only in 7.0.4 and above.

2) If you are trying to uncompress the log file using lz4_reader and it gives a java error, then use jdk-8u351-windows-x64.exe,