Archive issue

Forum|Forum|8 years ago
May 4, 2018
2 replies
5556 views

Ran into an incident where I need to do some digging into fortigate logs that were not being forwarded to FAZ. I was able to import the logs into FAZ, but I notice that a certain portion of the logs are not available for analytics, even though I have more than enough space for analytics allocated. The ADOM I put these logs into has 70GB storage, and I set it at 95% Analytics and 5% archive, as well as 365 days worth of analytics. Since this is temporary, i really dont need anything in archive. I imported about 4GB worth of logs, split across about 30 imported log files. For some reason, FAZ is putting 2.0GB of those logs in archive. What am I missing?

chall_FTNT

Staff

Check that your storage settings for analytics extend back far enough in time to encompass all the logs. Also, check the SQL start-time that it is before the start of the logfile being imported.

config system sql

set start-time X

dwearAuthor

New Member

Thanks. under the config system sql, the "set start time" is set to 00:00 2000/01/01. Can you tell me where to find the storage for analytics start time you referenced?

chall_FTNT

Staff

For FortiAnalyzer 5.6 GUI:

From, Logview, click on Storage Statistics to edit the Storage Policy. It is under the "Data Policy" section that you can configure how many days back Analytics should extend.

dwearAuthor

New Member

Thanks. I actually have that configured for 365 days and it still shows 2 GB of archive.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded