schmil
New Member
December 23, 2016
Question

Log history very short


Hi,

Is the log file length for forwarding traffic on disk configurable?

On my FG3140B the log is 90,000 entries large, containing only 2 hours. That is way too short!

Config:

FSM1 (35GB of 58GB)

Feature                 | Storage Size | Allocated | Used
------------------------|--------------|-----------|------
Logging and Archiving   | 23GB         |           |
Disk Logging            |              | 0MB       | 46MB
Historic Reports        |              | 0MB       | 35GB

    3 replies

    MikePruett
    New Member
    December 26, 2016

    You are most likely running through (and in turn rolling over old logs) rapidly.

    Are you logging anything and everything the Gate processes?

    schmil (Author)
    New Member
    December 27, 2016

    Yes, I do. But there seems to be space left on the device. But if I get this right, these few GB wouldn't bring me more than a few minutes, I guess?

    Without a syslog server, is there only reducing the logs drastically or upgrading the SSD?

    MikePruett
    New Member
    December 27, 2016

    Depends heavily on the amount of traffic going through the device at that point. You should get more than a few minutes, I would think.

    But then again, I just saw that you have a 3140B... one of my 3600C's fills up over 70 gigs to FAZ on a slow day.

    SCSIraidGURU
    New Member
    December 30, 2016

    http://kb.fortinet.com/kb/documentLink.do?externalID=FD36471

    FortiOS 5.x:

    Fortigate # config log setting
    Fortigate (setting) # set fwpolicy-implicit-log enable
    Fortigate (setting) # end

    This will log denied traffic on implicit Deny policies.

    Optional: you can create a deny policy and log traffic. You need to create a policy with Action DENY; the policy action blocks communication sessions, and you can optionally log the denied traffic. If no security policy matches the traffic, the packets are dropped. A DENY security policy is needed when it is required to log the denied traffic, also called "violation traffic".

    Other settings to consider:

    Fortigate # config log setting
    Fortigate (setting) # set local-in-deny-unicast enable
    Fortigate (setting) # set local-in-deny-broadcast enable
    Fortigate (setting) # end

    schmil (Author)
    New Member
    January 12, 2017

    I'm trying to strip down my logs and am all the way up to 9 hours of logs :\

    I have a policy "dns allow all" with logging OFF, but my forward-log is full of connections matching this policy. Why is that?

    SCSIraidGURU
    New Member
    January 12, 2017

    My suggestion would be an outbound rule to your ISP DNS servers and a second inbound rule from those DNS servers back to your DNS. This way you can disable logging inbound. Logs will drop off in 7 days, so is it really a problem? The only problem with "DNS allow all" is that it is not good practice. You should have your DNS only forward to your ISP DNS and return from them.
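As an added example for the original question (how much forward-traffic logging lands on disk and how long it is kept) and the later "strip down my logs" replies, here are the FortiOS 5.x CLI settings a practitioner would check; this is not code from the thread or from Fortinet's KB article, and it assumes a FortiOS 5.x device, a placeholder policy id 5 and a constructed syslog collector at 192.0.2.10.

```fortios
# Added example, not from this thread. Placeholders: policy id 5,
# syslog server 192.0.2.10. Quota values are illustrative, in MB.

# 1. Disk logging: reserve a quota for logs so historic reports cannot
#    crowd them out, roll files daily, overwrite the oldest when full.
config log disk setting
    set status enable
    set log-quota 20000
    set report-quota 5000
    set max-log-file-size 20
    set roll-schedule daily
    set diskfull overwrite
    set maximum-log-age 7
end

# 2. Cut the volume at the source: on a noisy allow policy, log only
#    sessions that hit a security profile and skip session-start records.
config firewall policy
    edit 5
        set logtraffic utm
        set logtraffic-start disable
    next
end

# 3. Keep the long history off-box: forward everything to a syslog
#    collector so the local disk only covers short-term troubleshooting.
config log syslogd setting
    set status enable
    set server "192.0.2.10"
    set port 514
    set facility local7
end

# Check the resulting quota split and usage afterwards.
diagnose sys logdisk usage
```

With `diskfull overwrite` the retention window is whatever the quota holds at the current log rate, so step 2 (less per-session logging) is what actually lengthens it; step 3 is what keeps the full record.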