Troubleshooting Tip: FortiAnalyzer disk reaches 100% due to FortiSIEM database

Issue condition:

The issue may be triggered or observed under the following conditions:

• After a reboot, a small amount of disk space is temporarily freed, but the disk quickly fills up again.
• Log View and other GUI pages do not function normally or fail to load.
• Attempts to mitigate disk usage through log configuration changes are ineffective, including:
  • Reducing log file rollover size (e.g., from 300 MB to 50 MB).
  • Tried to change the log interface-stats to 20 days, but no help.

Symptoms:    

• Software RAID is used up.
• FortiAnalyzer becomes slow or unresponsive.
• Log ingestion stops.
• Reports and queries fail.
• Firmware upgrade fails or is not possible.
• CLI may show database-related instability.

Example disk usage output:

diagnose system print df -h

Filesystem             Size       Used     Available         Use%       Mounted on
/dev/md/mda            1.7T       1.7T       0               100%          /var
/dev/md/mda            1.7T       1.7T       0               100%          /drive0
/dev/sdb2              982M       439M      543M             45%           /data

Solution/workaround:

To disable the FortiSIEM module, the following CLI command can be used:

config system global
(global) set disable-module siem
(global) end
DISABLE SIEM module
Do you want to continue? (y/n)y

Note:

Consider downtime, since the command below will require a reboot.

diagnose siem remove database ALL
Remove the entire SIEM database has been requested.
This operation will remove all data in the SIEM database and reset the database server.
This operation will reboot the device.
Do you want to continue? (y/n)y

Resolution:

This issue has been addressed in the following FortiAnalyzer versions:

• v7.4.11.
• v7.6.7.