Description
This article describes how to limit logs from the FortiGate. Such a reduction in logging may be motivated, for example, by exceeding the licensed daily log limit of a FortiAnalyzer.
Solution
FortiAnalyzer displays the message "You have exceeded your daily GB Logs/Day within 7 days" when, within the last 7 days, FortiGates exceed the licensed per-day allowance for logging. As long as that limit is exceeded, FortiAnalyzer will display this warning message.
If you have noticed that your FortiAnalyzer VM has consistently exceeded its licensed GB/day limit for over 7 days, this is a good time to think about a license upgrade. Although FortiAnalyzer VM will try its best not to drop logs, consistently running over capacity will eventually lead to undetermined behavior. This is because all FortiAnalyzer VM functions are validated within the licensed limit; the behavior beyond that limit is deemed to be unsupportable.
If the FortiAnalyzer encounters any issues while it is in the license-exceeded state (GB/day), customer support will not be able to investigate unless the licensing issue is fixed. This may delay the response time for any incidents and may lead to further complications. not affected and Admin users are only being warned.
There are a few ways to limit logs from the FortiGate.
1. If possible, disable logs in internal policies. The options are: log all sessions / security events (UTM) only / none.
2. Limit the logs from UTM profiles (AV / web filter / application control / email).
   - You can disable logging in any UTM profile/sensor.
   - The logging option can only be changed from the CLI.
   - Refer to the CLI reference documentation at:
     http://docs-legacy.fortinet.com/fgt/handbook/cli_html/index.html#page/FortiOS%25205.0%2520CLI/config_antivirus.06.05.html
     http://docs-legacy.fortinet.com/fgt/handbook/cli_html/index.html#page/FortiOS%25205.0%2520CLI/config_webfilter.29.12.html
     http://docs-legacy.fortinet.com/fgt/handbook/cli_html/index.html#page/FortiOS%25205.0%2520CLI/config_application.07.3.html
3. Limit logs using the log filter. The options below are shown enabled; set any category you do not need to disable.
   config log fortianalyzer filter
       set severity information
       set forward-traffic enable
       set local-traffic enable
       set multicast-traffic enable
       set sniffer-traffic enable
       set anomaly enable
       set netscan-discovery enable
       set netscan-vulnerability enable
       set voip enable
       set dlp-archive enable
   end
4. Limit local logs using the log setting.
   config log setting
       set fwpolicy-implicit-log disable
       set log-invalid-packet disable
       set local-in-allow disable
       set local-in-deny-unicast disable
       set local-in-deny-broadcast disable
       set daemon-log disable
   end
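As an added example (not part of the Fortinet article), the script below takes a sample of FortiGate log records, attributes each to the "config log fortianalyzer filter" category that controls it, extrapolates the daily volume, and proposes which categories to set to disable so the total stays under the FortiAnalyzer GB/day license. The (type, subtype) to filter-option mapping and the sample records are assumptions constructed for this example.

```python
"""Estimate FortiGate log GB/day per FortiAnalyzer filter category and
propose which 'config log fortianalyzer filter' options to disable."""
import re

# Assumed mapping from a record's type/subtype to the filter option that
# controls it; anything else (e.g. UTM profile logs) is reported as "other"
# and is limited through the UTM profiles instead (step 2 of the article).
CATEGORY_OF = {
    ("traffic", "forward"): "forward-traffic",
    ("traffic", "local"): "local-traffic",
    ("traffic", "multicast"): "multicast-traffic",
    ("traffic", "sniffer"): "sniffer-traffic",
    ("utm", "anomaly"): "anomaly",
    ("utm", "voip"): "voip",
}
KEEP = {"forward-traffic"}  # never propose dropping the core audit record
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def category(line):
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    return CATEGORY_OF.get((fields.get("type"), fields.get("subtype")), "other")

def bytes_per_category(lines):
    out = {}
    for line in lines:
        c = category(line)
        out[c] = out.get(c, 0) + len(line.encode()) + 1  # +1 for the newline
    return out

def plan(lines, sample_seconds, licensed_gb_per_day):
    """Return (projected GB/day after changes, list of options to disable)."""
    scale = 86400 / sample_seconds
    daily = {c: b * scale / 1e9 for c, b in bytes_per_category(lines).items()}
    total, disable = sum(daily.values()), []
    for c in sorted(daily, key=daily.get, reverse=True):  # biggest first
        if total <= licensed_gb_per_day:
            break
        if c in KEEP or c == "other":
            continue
        disable.append(c)
        total -= daily[c]
    return total, disable

def cli(disable):
    if not disable:
        return ""
    body = "\n".join(f"    set {c} disable" for c in disable)
    return "config log fortianalyzer filter\n" + body + "\nend"

SAMPLE = [  # constructed FortiGate log records, not real data
    'date=2024-01-01 time=00:00:01 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=203.0.113.9 action="accept" sentbyte=1200 rcvdbyte=3400',
    'date=2024-01-01 time=00:00:01 type="traffic" subtype="local" srcip=10.0.0.5 dstip=10.0.0.1 action="deny"',
    'date=2024-01-01 time=00:00:02 type="traffic" subtype="multicast" srcip=10.0.0.7 dstip=224.0.0.251',
    'date=2024-01-01 time=00:00:02 type="utm" subtype="webfilter" hostname="example.com" action="passthrough"',
]
```

Feed it a real slice of logs (e.g. one hour exported from FortiAnalyzer) with the matching sample_seconds, and apply the printed CLI on the FortiGate only after checking that nothing dropped is needed for investigations.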