Technical Tip: Resolving sudden change of number of Archive Log days in FortiAnalyzer

In FortiAnalyzer, there are two types of logs:

• Analytics Logs: indexed in FortiAnalyzer's SQL database for real-time analysis and are stored uncompressed as .log files.
• Archived Logs: compressed raw files stored on the disk, which cannot be used for real-time analysis and are stored as .log.gz files.

As long as a log file is not rotated, it will not be taken into account towards the total number of Archived Days. In the following example, a total of 109 days of Archive Logs can be seen:

A few days later, the calculation increases to 241 days of Archive Logs:

Checking in the CLI with a command and in the GUI via Log Browse will reveal that certain older log files did not rotate until recently, increasing the total number of Archive Day Logs available, which can be misleading:

diagnose system filesystem list /Storage/Logs/

There are several reasons why a log file in FortiAnalyzer might not be rotated, which directly affect how it contributes to the total number of archived days.

1. Log file thresholds and rotation schedules.

File size not reached: FortiAnalyzer rotates logs only after they exceed a configured size (commonly 200 MB). If the log volume is low, files remain open longer and are not counted as archived.

Time-based rotation disabled: If the option to roll logs daily or weekly is off, rotation depends solely on file size. Enabling scheduled rolling ensures consistent archiving.

CLI misconfiguration: If set when none is configured for rolling, automatic log rotation is disabled entirely. Use a set when daily or similar to enforce scheduled rotation.

2. Disk, performance, and resource issues.

Insufficient disk space: When storage capacity or inodes are nearly full, FortiAnalyzer halts log rotation to prevent corruption.

Database or process overload: High CPU or disk I/O usage, or database integrity issues, delay log write and compression processes, postponing file rolling.

Quota saturation: When log or device quotas are exhausted, the system pauses rotation and archiving until space is reclaimed.

3. Retention and Archive Settings.

Long retention periods: Even after new logs roll over, older files remain until retention time expires, giving the impression of delayed rotation.

Archive limits: If archive size or quota thresholds are reached, the system defers rotation to maintain stability.

Note: A single log file for one device can affect the calculation of Archive Days, as it takes the oldest existing file. Deleting these stale files will force FortiAnalyzer to recalculate, showing a more accurate number.

To limit every archive log file to a single day of logs, change the log rolling schedule under System Settings -> Advanced -> Device Log Settings.

When rolling is configured to run daily at 00:00, no single log file will contain more than one day of logs.
Applying the configuration change will work on new files going forward. It will not split existing files.