Fetcher Management – FortiAnalyzer – FortiOS 6.2.3

Fetcher Management

Log fetching is used to retrieve archived logs from one FortiAnalyzer device to another. This allows administrators to run queries and reports against historic data, which can be useful for forensic analysis.

The fetching FortiAnalyzer can query the server FortiAnalyzer and retrieve the log data for a specified device and time period, based on specified filters. The retrieved data are then indexed, and can be used for data analysis and reports.

Log fetching is only possible between two FortiAnalyzer devices running the same firmware version. A FortiAnalyzer device can act as the fetch server or as the fetching client, and it can perform both roles at the same time with different FortiAnalyzer devices. Only one log fetching session can be established at a time between any two FortiAnalyzer devices.

The basic steps for fetching logs are:

  1. On the client, create a fetching profile. See Fetching profiles.
  2. On the client, send the fetch request to the server. See Fetch requests.
  3. On the client, sync devices and ADOMs with the server if this is the first fetch with the selected profile, or if devices or ADOMs have changed since the last fetch. See Synchronizing devices and ADOMs.
  4. On the server, review the request, then either approve or reject it. See Request processing.
  5. Monitor the fetch process on either FortiAnalyzer. See Fetch monitoring.
  6. On the client, wait until the database has been rebuilt before using the fetched data for analysis.

Fetching profiles

Fetching profiles are managed from the Profiles tab on the System Settings > Fetcher Management pane.

Profiles can be created, edited, and deleted as required. The profile list shows the name of the profile, as well as the IP address of the server it fetches from, the server and local ADOMs, and the administrator name on the fetch server.

To create a new fetching profile:

  1. On the client, go to System Settings > Fetcher Management.
  2. Select the Profiles tab, then click Create New in the toolbar, or right-click and select Create New from the menu. The Create New Profile dialog box opens.
  3. Configure the following settings, then click OK to create the profile.
Name   Enter a name for the profile.
Server IP   Enter the IP address of the fetch server.
User   Enter the username of an administrator on the fetch server. Together with the password, it authenticates the fetch client's access to the fetch server.
Password   Enter that administrator's password. The credentials are stored in the profile and reused for every fetch made with it, so use a dedicated administrator account on the fetch server for this purpose where possible.

To edit a fetching profile:

  1. Go to System Settings > Fetcher Management.
  2. Double-click on a profile, right-click on a profile then select Edit, or select a profile then click Edit in the toolbar. The Edit Profile pane opens.
  3. Edit the settings as required, then click OK to apply your changes.

To delete a fetching profile or profiles:

  1. Go to System Settings > Fetcher Management.
  2. Select the profile or profiles you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected profile or profiles.

Fetch requests

A fetch request asks the fetch server configured in the selected fetching profile for archived logs. When making the request, you must specify the ADOM on the fetch server that the logs are fetched from, and the ADOM on the fetching client that receives them; a new local ADOM can be created if needed. If logs are being fetched into an existing local ADOM, make sure the ADOM has enough disk space for the incoming logs.

The data policy for the local ADOM on the client must also support fetching logs from the specified time period. It must keep both archive and analytics logs long enough so they will not be deleted in accordance with the policy. For example: Today is July 1, the ADOM’s data policy is configured to keep analytics logs for 30 days (June 1 – 30), and you need to fetch logs from the first week of May. The data policy of the ADOM must be adjusted to keep analytics and archive logs for at least 62 days to cover the entire time span. Otherwise, the fetched logs will be automatically deleted after they are fetched.
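
To turn the retention rule above into a check that can be run before adjusting the data policy, here is an added Python example (it is not part of the FortiAnalyzer guide and not Fortinet code). It uses the guide's own convention that a policy of N days keeps the N calendar days before today, and reproduces the 62-day answer for the July 1 / first-week-of-May scenario. The year 2019 and the 30-day archive retention used in guide_example() are assumptions chosen only to make the dates concrete.

```python
from datetime import date, timedelta


def _as_date(value):
    """Accept a date object or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def retention_window(today, keep_days):
    """Oldest and newest log day kept by a 'keep N days' data policy.

    Convention taken from the guide's example: on July 1 a 30-day policy
    keeps June 1 - June 30, i.e. the N calendar days before today.
    """
    today = _as_date(today)
    return today - timedelta(days=keep_days), today - timedelta(days=1)


def days_needed(today, fetch_start):
    """Retention (in days) to set so the oldest fetched day sits safely
    inside the window. Counts fetch_start through today inclusively, which
    leaves one day of margin on the purge boundary and reproduces the
    guide's 62 for 'today is July 1, fetch from May 1'.
    """
    return (_as_date(today) - _as_date(fetch_start)).days + 1


def check_data_policy(today, analytics_days, archive_days, fetch_start, fetch_end):
    """Report, for analytics and archive logs separately, whether the local
    ADOM's data policy keeps logs fetched for [fetch_start, fetch_end], and
    the minimum retention to set if it does not.
    """
    today, fetch_start, fetch_end = map(_as_date, (today, fetch_start, fetch_end))
    if fetch_start > fetch_end:
        raise ValueError("fetch_start must not be after fetch_end")
    if fetch_end > today:
        raise ValueError("fetch period must not extend into the future")
    needed = days_needed(today, fetch_start)
    report = {}
    for kind, keep in (("analytics", analytics_days), ("archive", archive_days)):
        oldest, _newest = retention_window(today, keep)
        report[kind] = {
            "keep_days": keep,
            "oldest_kept": oldest.isoformat(),
            # strict comparison: a fetch starting exactly on the boundary day
            # would be removed by the next retention run, so treat it as unsafe
            "covers_fetch": oldest < fetch_start,
            "set_at_least": needed,
        }
    return report


def guide_example():
    """The scenario in the text: July 1, 30-day analytics policy, fetch the
    first week of May. Year and archive retention are assumed values."""
    return check_data_policy("2019-07-01", 30, 30, "2019-05-01", "2019-05-07")


if __name__ == "__main__":
    for kind, verdict in guide_example().items():
        print(kind, verdict)
```

Run it before sending the request: if covers_fetch is False for either log type, raise that type's retention in the local ADOM's data policy to at least set_at_least days, otherwise the fetched logs are purged by the next retention run.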

To send a fetch request:

  1. On the fetch client, go to System Settings > Fetcher Management and select the Profiles tab.
  2. Select the profile then click Request Fetch in the toolbar, or right-click and select Request Fetch from the menu. The Fetch Logs dialog box opens.
  3. Configure the following settings, then click Request Fetch.
Name   Displays the name of the fetching profile you selected.
Server IP   Displays the IP address of the fetch server configured in the profile.
User   Displays the username of the fetch-server administrator configured in the profile.
Secure Connection   Select to transfer the fetched logs from the server over an SSL/TLS connection instead of in the clear.
Server ADOM   Select the ADOM on the server that the logs will be fetched from. Only one server ADOM can be fetched from at a time.
Local ADOM   Select the ADOM on the client where the logs will be received. Either select an existing ADOM from the dropdown list, or create a new ADOM by entering a name for it into the field.
Devices   Add the devices and/or VDOMs whose logs will be fetched. Up to 256 devices can be added. Click Select Device, select devices from the list, then click OK.
Enable Filters   Select to filter the logs that will be fetched. In the Log messages that match field, select All of the Following Conditions (every filter must match) or Any of the Following Conditions (at least one filter must match). Add filters to the table by selecting the Log Field, Match Criteria, and Value for each filter.
Time Period   Specify the date and time range of the log messages to fetch.
Index Fetch Logs   If selected, the fetched logs are indexed in the client's SQL database as soon as they are received. Leave this selected unless you intend to index the fetched logs manually later.

The request is sent to the fetch server. The status of the request can be viewed in the Sessions tab.
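
As an added illustration of how the All/Any setting combines the rows of the filter table (this is example code, not part of the guide and not FortiAnalyzer's own filter engine), the following Python evaluates a filter table against a few constructed log records. The criterion labels Equal to, Not equal to, Contains and Does not contain, the field names and the sample records are assumptions made for the example.

```python
# Match criteria written in the style of the FortiAnalyzer filter UI; the
# exact set of criteria offered by the Fetch Logs dialog is an assumption.
CRITERIA = {
    "Equal to": lambda field, value: field == value,
    "Not equal to": lambda field, value: field != value,
    "Contains": lambda field, value: value in field,
    "Does not contain": lambda field, value: value not in field,
}

# Constructed sample records standing in for archived FortiGate log lines.
# Field names follow FortiGate's key=value log format; the values are made up.
SAMPLE_LOGS = [
    {"devid": "FGT60E-A", "vd": "root", "type": "traffic", "action": "deny",
     "srcip": "10.0.0.5", "dstport": "445"},
    {"devid": "FGT60E-A", "vd": "root", "type": "traffic", "action": "accept",
     "srcip": "10.0.0.5", "dstport": "443"},
    {"devid": "FGT60E-B", "vd": "dmz", "type": "utm", "action": "blocked",
     "srcip": "192.0.2.9", "dstport": "80"},
    {"devid": "FGT60E-B", "vd": "dmz", "type": "traffic", "action": "deny",
     "srcip": "198.51.100.4", "dstport": "22"},
]


def condition_matches(record, log_field, criterion, value):
    """Evaluate one row of the filter table (Log Field, Match Criteria, Value)
    against one log record. A record that lacks the field never matches."""
    if log_field not in record:
        return False
    try:
        test = CRITERIA[criterion]
    except KeyError:
        raise ValueError("unknown match criterion: %r" % criterion)
    return test(str(record[log_field]), str(value))


def record_selected(record, filters, logic="All"):
    """Apply the whole table with 'All' (every row must match) or 'Any'
    (at least one row must match) semantics. An empty table selects every
    record, which is the same as leaving Enable Filters cleared."""
    if not filters:
        return True
    results = (condition_matches(record, f, c, v) for f, c, v in filters)
    if logic == "All":
        return all(results)
    if logic == "Any":
        return any(results)
    raise ValueError("logic must be 'All' or 'Any'")


def select_logs(records, filters, logic="All"):
    """Return the records the fetch would include under the given table."""
    return [r for r in records if record_selected(r, filters, logic)]


if __name__ == "__main__":
    table = [("action", "Equal to", "deny"), ("srcip", "Contains", "10.0.0.")]
    for logic in ("All", "Any"):
        print(logic, [r["dstport"] for r in select_logs(SAMPLE_LOGS, table, logic)])
```

Switching the same two-row table from All to Any turns a one-record result into three, which is the difference to keep in mind when sizing the local ADOM for the incoming logs.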
This entry was posted in Administration Guides, FortiAnalyzer, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
