Technical Tip: How to review a FortiGate's log file stored on the FortiAnalyzer
Description
Scope
FortiAnalyzer.
Solution
- Go to FortiAnalyzer -> Logview -> Log Browse.
- Select the log file for the device to delete.
- Select 'Delete, Download, Import or Display'.

From the CLI:
The following command lists each Device ID and the total size of the logs stored for that device:
execute log device logstore list
The following command deletes all logs for that device:
execute log device logstore clear <device_id>
Another way to review the space used, and the kinds of files that are stored, is to access the filesystem through the shell from the CLI.
Note: Shell access was removed starting with FortiAnalyzer v7.2.6, v7.4.4, and v7.6.0.
config system admin setting
set shell-access enable
Enter new password: *****
Confirm new password: *****
end
execute shell
bash$ cd /Storage/Logs/FGVM01TMxxxx/
bash$ pwd
/Storage/Logs/FGVM01TMxxxx
bash$ du -sh
22.8M .
To review how much space is taken by the logs on the HDD:
bash$ du
4 ./root/csf
12 ./root/.info
356 ./root/archive/1684013056
344 ./root/archive/1686110208
4124 ./root/archive/1679818752
348 ./root/archive/1693450240
6836 ./root/archive/1680867328
340 ./root/archive/1694498816
352 ./root/archive/1689255936
340 ./root/archive/1692401664
436 ./root/archive/1681915904
372 ./root/archive/1690304512
172 ./root/archive/1695547392
176 ./root/archive/1687158784
5416 ./root/archive/1678770176
188 ./root/archive/1691353088
516 ./root/archive/1685061632
348 ./root/archive/1688207360
344 ./root/archive/1696595968
240 ./root/archive/1682964480
21256 ./root/archive
Every directory has compressed tlog and elog files.
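As an added example (not from the original article or from Fortinet), the script below ranks the per-bucket archive directories in a saved copy of the du listing, which shows what is consuming space before any logs are cleared. The function names and sample rows are constructed, and the sizes are assumed to be 1 KiB blocks.

```shell
#!/bin/sh
# Added example: rank archive buckets from a saved copy of the `du` listing.
# Intended to run on a workstation against saved output, not on the appliance.

# Constructed sample rows in the same "<blocks> <path>" layout as the listing.
sample_du() {
cat <<'EOF'
4 ./root/csf
12 ./root/.info
4124 ./root/archive/1679818752
6836 ./root/archive/1680867328
5416 ./root/archive/1678770176
172 ./root/archive/1695547392
16556 ./root/archive
EOF
}

# Sum the per-bucket rows only (block counts, assumed here to be 1 KiB units).
# The "./root/archive" aggregate row is skipped so nothing is counted twice.
archive_total() {
    awk '$2 ~ "/archive/[^/]+$" { sum += $1 } END { print sum + 0 }'
}

# Print the N largest per-bucket rows, largest first.
top_archives() {
    awk '$2 ~ "/archive/[^/]+$" { print $1, $2 }' | sort -k1,1nr | head -n "${1:-3}"
}

# Report the N largest buckets with their share of the per-bucket total.
archive_report() {
    input=$(cat)
    total=$(printf '%s\n' "$input" | archive_total)
    printf '%s\n' "$input" | top_archives "${1:-3}" |
        LC_ALL=C awk -v t="$total" \
            '{ printf "%s %d KiB %.1f%%\n", $2, $1, (t ? 100 * $1 / t : 0) }'
}

sample_du | archive_report 3
```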