FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
rakanda, Staff
Article Id 198018

Description

This article describes how to limit the volume of logs sent from a FortiGate. A common motivation for reducing logging is that the logs exceed the licensed daily log limit (GB/day) of a FortiAnalyzer.


Solution

FortiAnalyzer displays the message 'You have exceeded your daily GB Logs/Day within 7 days' when, within the last 7 days, the connected FortiGates have exceeded the licensed per-day logging allowance.

As long as that limit is exceeded, FortiAnalyzer will display this warning message.

If the FortiAnalyzer VM has consistently exceeded its licensed GB/day limit for over 7 days, this is a good time to consider a license upgrade and to adjust resources. Although the FortiAnalyzer VM will try its best not to drop logs, consistently running over capacity will eventually lead to unpredictable behavior. This is because all FortiAnalyzer VM functions are validated within the licensed limit; behavior beyond that limit is unsupported.

If the FortiAnalyzer encounters any issues while it is in the license-exceeded state (GB/day), customer support will not be able to investigate until the licensing issue is fixed. This may delay the response time for any incidents and may lead to further complications. Logging itself is not affected; admin users are only being warned.

There are a few ways to limit logs from the FortiGate.

  1. If possible, disable logging in internal policies. The options per policy are: log all sessions, log security events (UTM) only, or log none.

  2. Limit the logs generated by UTM profiles (AV, web filter, application control, email filter).


  3. Limit logs sent to FortiAnalyzer using the log filter. Disable the traffic and event categories that are not needed:

    config log fortianalyzer filter
        set severity              information
        set forward-traffic       enable
        set local-traffic         enable
        set multicast-traffic     enable
        set sniffer-traffic       enable
        set anomaly               enable
        set netscan-discovery     enable
        set netscan-vulnerability enable
        set voip                  enable
        set dlp-archive           enable
    end

  4. Limit local logs using the log setting:

    config log setting
        set fwpolicy-implicit-log    disable
        set log-invalid-packet       disable
        set local-in-allow           disable
        set local-in-deny-unicast    disable
        set local-in-deny-broadcast  disable
        set daemon-log               disable
    end

  5. Use the integrated log shaping capability (this can cause log loss):

    config log syslogd setting
        set status enable
        set server "a.b.c.d"
        set priority low   <- Controls the socket priority used for traffic queuing on the interface.
        set max-log-rate 1 <- Maximum logging rate in MB; the range is 0 to 100000 (default 0).
    end


If logs are dropped because of a max-log-rate setting, an event log is generated every hour indicating the number of logs dropped.
Dropped log information can also be displayed on demand with the following CLI test command:


diagnose test application miglogd 40


These features are available for FortiAnalyzer, FortiCloud, and Syslog.
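Before disabling categories, it helps to know which of the knobs above would actually recover the most volume. The following Python script is an added example, not part of this article or of any Fortinet tool: it classifies constructed sample FortiGate log records by the CLI option that would suppress them and projects the daily GB from a short capture window. The sample records, the 10-second window, and the mapping of policyid 0 to the implicit deny policy are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample of FortiGate key=value log records (not captured from a real device).
# Assumed: one record per line, collected over a SAMPLE_WINDOW_SECONDS window.
SAMPLE_WINDOW_SECONDS = 10
SAMPLE_LOGS = """\
type=traffic subtype=forward policyid=3 action=accept srcip=10.0.0.5 dstip=192.0.2.10
type=traffic subtype=forward policyid=0 action=deny srcip=10.0.0.9 dstip=192.0.2.20
type=traffic subtype=local policyid=0 action=deny srcip=10.0.0.7 dstip=10.0.0.1
type=traffic subtype=multicast policyid=0 action=accept srcip=10.0.0.8 dstip=224.0.0.251
type=utm subtype=webfilter action=passthrough srcip=10.0.0.5 hostname=example.com
type=event subtype=system logdesc="Admin login" user=admin
""".splitlines()

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Split a key=value record into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def knob_for(rec):
    """Map a record to the CLI option from the article that would suppress it."""
    t, sub = rec.get("type"), rec.get("subtype")
    if t == "traffic":
        if sub == "forward" and rec.get("policyid") == "0":  # assumed: implicit deny policy
            return "log setting: fwpolicy-implicit-log"
        return f"fortianalyzer filter: {sub}-traffic"
    if t == "utm":
        return f"UTM profile logging: {sub}"
    return "other (event/system)"


def bytes_by_knob(lines):
    """Total log bytes per suppression knob, so the biggest contributors stand out."""
    counts = Counter()
    for line in lines:
        counts[knob_for(parse(line))] += len(line.encode()) + 1  # +1 for the newline
    return counts


def projected_gb_per_day(total_bytes, window_seconds):
    """Scale bytes seen in a capture window to a GB/day figure."""
    return total_bytes * 86400 / window_seconds / 1e9


def over_license(lines, window_seconds, licensed_gb_per_day):
    total = sum(bytes_by_knob(lines).values())
    return projected_gb_per_day(total, window_seconds) > licensed_gb_per_day
```

Run it against a real export by replacing SAMPLE_LOGS with the captured lines and the window with the capture duration; the per-knob byte totals tell you which filter option to disable first.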

 

Related article:

Technical Tip: How to troubleshoot the 'daily logs GB/day limit is exceeded' warning on FortiAnalyze....