Rafa123_
Explorer
August 21, 2017
Question

Fortigate VDOM logging


Hello.

We had an environment with some Fortigates of many models. The whole environment is on 5.2.x. We are facing a problem with VDOM logging. I need to keep on these Fortigates 10 days of logs, beyond the logs that are sent to FortiAnalyzer.

The issue is: I'm able to keep these logs while no VDOMs are configured, but if we create a VDOM I cannot use the full disk capacity to keep these logs.

Any thoughts about how to solve this?

Thank you.

    1 reply

    emnoc
    New Member
    August 21, 2017

    Qs:

    Have you looked at vdom log override? What's happening with or without vdom? What drives you at 10 days? Can you use upload (compressed or not)?

    Example (multivdom):

    config log disk setting
        set status enable
        set ips-archive disable
        set upload enable
        set uploaddir log
        set roll-schedule weekly
        set roll-day sunday
        set roll-time 00:00
        set uploadtype traffic event
        set uploadpass "xxxxxxxxxxxxxx"
        set uploaduser logrollup
        set uploadip x.x.x.x
        set uploadzip enable
    end

    FWIW:

    Trying to compute a 10-day max on disk storage is very hard to calculate, hard on the disk, and provides no retention if the unit actually fails... imho.

    Rollups are the ideal method, again imho and in my experience.

    Ken


    Rafa123_ (Author)
    Explorer
    August 21, 2017

    Hello. Thanks for your help.

    I need to keep at least 10 days, for contractual reasons.

    My problem is the Fortigate starts overwriting logs before it reaches 10 days, and before the disk is full, either. I do not know what is limiting the logs.

    I will check the config log disk setting.

    emnoc
    New Member
    August 21, 2017

    Do a CLI cmd "show full sys log setting"; let's ensure no quota or other weird cfg.

    e.g.

    show full-configuration log disk setting

    and

    show full-configuration log memory global-setting

    And it probably will not hurt to check miglogd statistics:

    diag test application miglogd 6
    diag test application miglogd 16

    Pay attention to the last value with miglogd #16.


    e.g.

    VDOM log disk usage:
      root: 235045768B/3605M
      GEFRA01: 34407844558B/3605M  <-----
      GEBER01: 0B/3605M
      SOCO:  950514964B/3605M


    I think that might shed light on your max value again and why you're not hitting what you suspect. The best command to see full max values:

    CLI cmd: dia sys logdisk usage

    Total HD usage: 59707MB/60093MB
    Total HD logging space: 18028MB

    I don't know what means can be executed to change the size, since it depends on hardware, but you can set quotas.

    Quotas are easy to detect.

    e.g.


    FSOCPUPCHIIL (global) $ dia sys logdisk  quota
                 type    quota(MB)    usage(MB)
     ================ ============ ============
    ----- vdom cst1 -----
    log disk quota 0 MB
            disk log:            0        32813
         dlp archive:            0            0
              report:            0           10
          quarantine:            0            0
         ips archive:            0            0
    ----- vdom NEXTTECH -----
    log disk quota 0 MB
            disk log:            0          253
         dlp archive:            0            0
              report:            0            0
          quarantine:            0            0
         ips archive:            0            0
    ----- vdom VDMZ -----
    log disk quota 0 MB
            disk log:            0         1039
         dlp archive:            0            0
              report:            0         1771
          quarantine:            0            0
         ips archive:            0            0
    ----- vdom WAN  -----
    log disk quota 0 MB
            disk log:            0            0
         dlp archive:            0            0
              report:            0            0
          quarantine:            0            0
         ips archive:            0            0
    ----- vdom root -----
    log disk quota 0 MB
            disk log:            0          2224
         dlp archive:            0            0
              report:            0            0
          quarantine:            0            0
         ips archive:            0            0

    Rollups are great and still the best method imho.

    Ken
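
Added example, not part of the thread and not Fortinet tooling: a Python script that parses the "VDOM log disk usage" lines quoted in the reply above and checks each VDOM's share against the 10-day retention target. The per-VDOM daily log volumes, the conversion 1M = 2^20 bytes, and the premise that a VDOM's logs start rolling once its share is full are assumptions made for the example.

```python
import re

# Usage lines as quoted in the thread (output of the miglogd #16 test).
SAMPLE = """\
VDOM log disk usage:
  root: 235045768B/3605M
  GEFRA01: 34407844558B/3605M
  GEBER01: 0B/3605M
  SOCO:  950514964B/3605M
"""

# Constructed for the example: average MB logged per day, per VDOM.
DAILY_MB = {"root": 30, "GEFRA01": 500, "SOCO": 120}

LINE = re.compile(r"^\s*(?P<vdom>[\w.-]+):\s*(?P<used>\d+)B/(?P<limit>\d+)M\s*$")
MIB = 1024 * 1024  # assumption: the "M" in the output means 2^20 bytes


def parse_vdom_usage(text):
    """Return {vdom: (used_mb, limit_mb)} for every 'name: <n>B/<m>M' line."""
    usage = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # header and unrelated lines are skipped
            usage[m["vdom"]] = (int(m["used"]) / MIB, int(m["limit"]))
    return usage


def retention_report(text, daily_mb, required_days=10):
    """Compare each VDOM's share of the log disk with a retention target."""
    report = {}
    for vdom, (used_mb, limit_mb) in parse_vdom_usage(text).items():
        rate = daily_mb.get(vdom, 0)
        # Assumption: logs are overwritten once the per-VDOM share is full.
        days = limit_mb / rate if rate > 0 else float("inf")
        report[vdom] = {
            "used_pct": round(100 * used_mb / limit_mb, 1),
            "over_share": used_mb > limit_mb,
            "days_retained": days,
            "meets_target": days >= required_days,
        }
    return report


if __name__ == "__main__":
    for vdom, row in retention_report(SAMPLE, DAILY_MB).items():
        print(f"{vdom:10} {row}")
```

A VDOM that reports `over_share` or fails `meets_target` is the one to look at first when logs roll earlier than expected.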