mbenvenuti
Staff
July 8, 2025

Technical Tip: How to avoid FortiSIEM crashes because of growing logs

Description: This article describes how to avoid FortiSIEM crashes because of growing logs.
Scope: FortiSIEM.
Solution

When FortiSIEM runs into errors, the system writes them to log files. Some errors may loop over short periods, which fills the disk and brings FortiSIEM down. To avoid that, the logs can be placed on a dedicated disk so that a full log volume does not disrupt the system disks.

Here are the steps to follow from the super CLI as root:


# Check disk space on /opt

df -h

# Create a virtual disk of 9GB in /opt
dd if=/dev/zero of=/opt/logVirtDisk.img bs=1M count=9600 
mkfs -t ext4 /opt/logVirtDisk.img

# Stop the ph services
su admin -c "phtools --stop ALL"

# Back up the existing logs, then empty the log directory
tar -czvf /tmp/phoenix_logs.tar.gz /opt/phoenix/log
rm -rf /opt/phoenix/log/*

# Mount the virtual disk

mount -t auto -o loop /opt/logVirtDisk.img /opt/phoenix/log
echo "/opt/logVirtDisk.img /opt/phoenix/log ext4 defaults 0 0" >> /etc/fstab

# Restore the files

cd /
tar -xvf /tmp/phoenix_logs.tar.gz

# Restart services
su admin -c "phtools --start ALL"

If the system loops on an error, it will fill up only this virtual disk.
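
Before running the steps above, it helps to confirm that /opt can hold the 9600 MiB image and that /tmp can hold the log archive, since filling either one during the procedure would cause the outage it is meant to prevent. The following pre-flight check is an added example, not part of the original article; the function names are hypothetical, and the paths and sizes are the ones used in the steps.

```shell
#!/bin/sh
# Added example: space check to run before creating the log image.
# free_mib, used_mib and preflight are hypothetical helper names.

# Free space, in MiB, on the filesystem that holds path $1.
free_mib() {
    df -Pk "$1" | awk 'NR==2 { printf "%d\n", $4 / 1024 }'
}

# Space used by directory $1, in MiB, rounded up.
used_mib() {
    du -sk "$1" | awk '{ printf "%d\n", ($1 + 1023) / 1024 }'
}

# preflight IMAGE_DIR IMAGE_MIB LOG_DIR TMP_DIR
# Returns 0 only if all three space conditions hold.
preflight() {
    image_dir=$1 image_mib=$2 log_dir=$3 tmp_dir=$4
    rc=0
    have=$(free_mib "$image_dir")
    logs=$(used_mib "$log_dir")
    tmp_free=$(free_mib "$tmp_dir")
    # dd writes the whole image up front, so the space must exist now.
    if [ "$have" -lt "$image_mib" ]; then
        echo "FAIL: $image_dir has $have MiB free, image needs $image_mib MiB" >&2
        rc=1
    fi
    # Conservative assumption: the archive is as large as the raw logs.
    if [ "$tmp_free" -lt "$logs" ]; then
        echo "FAIL: $tmp_dir has $tmp_free MiB free, logs use $logs MiB" >&2
        rc=1
    fi
    # The current logs must fit on the new image when they are restored.
    if [ "$logs" -ge "$image_mib" ]; then
        echo "FAIL: logs ($logs MiB) do not fit in a $image_mib MiB image" >&2
        rc=1
    fi
    return $rc
}

# Values from the article: 9600 MiB image in /opt, logs in /opt/phoenix/log.
if [ -d /opt/phoenix/log ]; then
    preflight /opt 9600 /opt/phoenix/log /tmp && echo "OK to proceed"
fi
```

After the procedure, running `df -h /opt/phoenix/log` should show the loop-mounted image as a separate filesystem rather than the /opt volume.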