FortiAnalyzer
Kush_Patel
Staff
Article Id 276762
Description

This article addresses the question of whether it is possible to check the name of a deleted log file in FortiAnalyzer. Log collection in FortiAnalyzer may involve the periodic deletion of old data based on disk capacity settings, and users may want to access information about deleted log files.

Scope

FortiAnalyzer.
Solution

FortiAnalyzer allows users to access information about deleted log files through the use of filters in the GUI.

By configuring a filter with the 'Sub Type' set to 'logdb' and the 'Operation' set to 'Remove DB table', users can retrieve details about log deletions, which may be useful for auditing and analysis purposes.

 

To access information about deleted log files in FortiAnalyzer, including their names or other details, follow these steps:

 

  1. Access the Event Log Menu:
  • Log in to FortiAnalyzer's graphical user interface (GUI).
  • Navigate to the 'System Settings' menu.

  2. Add a Filter for Deleted Logs:
  • Within the 'Event Log' section, select 'Add Filter'.

  3. Configure Filter Settings:
  • In the filter configuration, set the 'Sub Type' to 'logdb'.
  • Set the 'Operation' to 'Remove DB table'.

  4. Apply the Filter:
  • Save and apply the filter settings.

  5. View Log Deletion Information:
  • Once the filter is applied, it will be possible to view information about log deletions, including details about deleted log files.

  6. Review Deletion Details:
  • Review the details provided, which may include information such as file size, number, and deletion date for logs that have been removed by policy.
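
The same filter can be applied offline to an exported copy of the event log when deletions need to be audited over time. The following is an added example, not code from this article or from Fortinet; it assumes the export is key=value text, and the key names (`date`, `subtype`, `operation`, `msg`) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

# Constructed sample lines (assumed export format, not captured from a real unit).
SAMPLE = '''\
date=2023-09-28 time=02:10:11 type=event subtype="logdb" operation="Remove DB table" msg="constructed: oldest table removed"
date=2023-09-28 time=02:11:40 type=event subtype="system" operation="login" user="admin" msg="constructed: admin logged in"
date=2023-09-29 time=02:10:09 type=event subtype=logdb operation="Remove DB table" msg="constructed: oldest table removed"
date=2023-09-29 time=03:00:00 type=event subtype="logdb" operation="Rebuild DB" msg="constructed: rebuild started"
'''


def parse_line(line):
    """Turn one key=value log line into a dict, honouring quoted values."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in PAIR.finditer(line)
    }


def deletion_events(text, subtype="logdb", operation="Remove DB table"):
    """Return the records matching the article's filter (Sub Type + Operation)."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if (rec.get("subtype", "").lower() == subtype.lower()
                and rec.get("operation", "").lower() == operation.lower()):
            hits.append(rec)
    return hits


def deletions_per_day(events):
    """Count deletion events per date, to spot unusually heavy purging."""
    return dict(Counter(rec.get("date", "unknown") for rec in events))


if __name__ == "__main__":
    events = deletion_events(SAMPLE)
    for rec in events:
        print(rec.get("date"), rec.get("time"), rec.get("msg"))
    print(deletions_per_day(events))
```
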

 

Additional Resources:

For more information on log storage and log deletion in FortiAnalyzer, refer to the official documentation:

Log storage
