Description

Solution

1. Extract and Compress Logs:
   1. SSH into the Supervisor, Worker/ or Collector as root.
   2. Enter the following commands:

get-fsm-health.py --local -o /tmp/fsm-health.log

journalctl -k --no-pager > /tmp/journlctl.log

cat /proc/interrupts > /tmp/interrupts.txt

env > /tmp/root_env

su admin -c env > /tmp/admin_env

tar -czvf /tmp/keeper_logs.tar.gz /data-clickhouse-*/clickhouse-keeper/app_logs > /dev/null 2>&1

tar -czvf /tmp/keeper_conf.tar.gz /data-clickhouse-*/clickhouse-keeper/conf > /dev/null 2>&1

phziplogs /tmp/<ticket_number> <number_of_days>

1. Change the filename of AOLogs.tar to a more unique name (e.g. FortiSIEMLogs-SP-20181119.tar for Supervisor Logs on November 19th, 2018).

cd /tmp/1234

tar --append --file=AOLogs.tar /tmp/fsm-health.log

tar --append --file=AOLogs.tar /tmp/journlctl.log

tar --append --file=AOLogs.tar /tmp/interrupts.txt

tar --append --file=AOLogs.tar /tmp/root_env

tar --append --file=AOLogs.tar /tmp/admin_env

tar --append --file=AOLogs.tar /tmp/pg_stat_activity.out

tar --append --file=AOLogs.tar /tmp/keeper_logs.tar.gz

tar --append --file=AOLogs.tar /tmp/keeper_conf.tar.gz

mv AoLogs.tar <new file name>

2. Repeat steps 1.a. through 1.c. for all Collectors, Workers, and Supervisors.

    

2. From the FortiSIEM appliance, directly SCP the log to the desktop.

   1. For Windows users, use WinSCP to pull the logs from the /tmp directory of the FortiSIEM appliance.
      

   2. For Linux users, use SCP from the FortiSIEM bash prompt to copy it out to the local desktop.

$ scp -r <local directory> username@<host_ip>:<remote directory>

3. Upload the file to the support ticket at support.fortinet.com.
   

3. Log in to the Fortinet support account.

   1. Find the ticket associated with the log request upload. 

   2. Upload the attachment to the ticket with a response (Note that the upload limit is 500MB per attachment).