FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.


If the current quota on a FortiAnalyzer is not sufficient, it can be increased to a level that is sufficient for the intended logging purpose.

The impact of increasing the disk quota is specific to the device/cluster: the increase reduces the total free disk space that remains available for allocation to other units.

By default, a FortiAnalyzer reserves 5% to 25% of disk space for system usage and unexpected quota overflow. Only 75% to 95% of disk space is available for allocation to devices.

To check the quota usage and the available space, use the following command:
# dia log device list


To increase the disk quota per monitored device (below v5.4 train), go to "Devices", select the device for which the disk quota is to be increased and, under "Disk allocation", change the disk quota allocation. There is no need to restart the FortiAnalyzer for the change to take effect.

If ADOMs (Administrative Domains) are not enabled, then to increase the disk quota, go to System Settings > Storage Info and choose an ADOM to modify. Assign as much space as is considered necessary to the ADOMs.

If ADOMs (Administrative Domains) are enabled, then to increase the disk quota, go to System Settings > System Information widget and look for "Log Storage Policy". Click the pen button and a new window will open. Assign as much disk space as is considered necessary to the ADOM.