This article describes how to back up logs in plaintext format to avoid LZ4 decompression.
By default, when logs are backed up to an FTP server, they are LZ4-compressed.
# execute backup disk alllogs ftp <IP_address> <username> <password>
# execute backup disk log ftp <IP_address> <username> <password> <log_type>
To upload these logs to FortiAnalyzer, it is necessary to first decompress them using LZ4.
Scope
FortiGate version 7.0.4+
Solution
From firmware 7.0.4 onward, on all firewall models, it is possible to add the uncompressed parameter at the end of the '# execute backup disk log ftp' command to get a cleartext file that is easier to upload to FortiAnalyzer.
# execute backup disk alllogs ftp <IP_address> <username> <password> <compressed | uncompressed>
# execute backup disk log ftp <IP_address> <username> <password> <log_type> <compressed | uncompressed>
The resulting uncompressed logs can then be uploaded to FortiAnalyzer.
Note:
- This feature is present only in 7.0.4 and above.
- If uncompressing the log file with lz4_reader gives a Java error, use jdk-8u351-windows-x64.exe.