analystOps
New Member
August 26, 2025
Question

FortiAnalyzer analytics logs exceeding the configured disk quota

  • August 26, 2025
  • 3 replies
  • 1060 views

Hi

FortiAnalyzer VM running on v7.0.3 is facing an issue related to analytics logs exceeding the configured disk quota.

It has been identified that one of our ADOMs is using more disk space for analytics usage than configured. In the Data policy, Keep Logs for Analytics is 60 days and Keep Logs for Archive is 365 days. I have enabled the alert and Delete When Usage Reaches 80%.

How can I solve the following case, returning the analytics logs to the maximum configured size?

(Attached image: Analytics Usage.png)

3 replies

Jean-Philippe_P
Staff & Editor
August 28, 2025

Hello analystOps,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
August 29, 2025

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Thanks,

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
August 29, 2025

Hello again analystOps,

I found this solution. Can you tell me if it helps, please?

To address the issue of analytics logs exceeding the configured disk quota on your FortiAnalyzer VM running v7.0.3, follow these steps:

  1. Verify ADOM Quota Utilization:
    - Go to System Settings -> Storage Info and select the ADOM in question.
    - Check the utilization for both Analytics and Archive.

  2. Monitor Log Rate:
    - Use the CLI command `diagnose fortilogd lograte` to monitor the log rate per second.
    - Identify which devices are sending a high volume of logs using `diag fortilogd lograte-device`.

  3. Adjust Data Retention Policy: Consider reducing the "Keep Log for Analytics" period from 60 days to a lower value if feasible, to reduce storage usage.

  4. Enable Alerts and Automatic Deletion: Ensure that alerts and automatic deletion are configured correctly to trigger when usage reaches 80%.

  5. Optimize Log Handling:
    - Reduce unnecessary logs being sent to FortiAnalyzer by adjusting log settings on the devices.
    - Refer to the article on minimizing logging from FortiGate to FortiAnalyzer for guidance.

  6. Expand Disk Space: If possible, expand the disk space or allocate more space to the ADOM if the physical or virtual environment allows it.

  7. Review and Adjust Storage Allocation: In the ADOM edit interface, adjust the storage allocation between Analytics and Archive as needed.

By following these steps, you should be able to manage the disk space usage effectively and return the analytics logs to the maximum configured size.

Jean-Philippe - Fortinet Community Team