FortiAnalyzer
awasfi_FTNT
Staff
Article Id 400090
Description

This article explains why, when 'reliable' logging is disabled on FortiGate, FortiAnalyzer records significantly higher GB/day usage than when 'reliable' is enabled.

[Figure GB_DAY.jpg: FortiAnalyzer GB/day log volume chart]

For example, with 'reliable' disabled, the log volume can reach approximately 280 GB/day, while with 'reliable' enabled on the same device, it drops to around 120 GB/day.

Scope
FortiAnalyzer, FortiManager with FortiAnalyzer features enabled.
Solution

This difference is due to the way logs are transmitted:


With 'reliable' disabled, logs are sent over UDP in small buffers (sized to the MTU, for example 1500 bytes) to avoid fragmentation across the network.


With 'reliable' enabled, logs are sent over TCP in larger buffers (for example, 8 KB), which reduces the number of packets sent. LZ4 compression is also applied to these larger buffers, significantly reducing the total volume of data transmitted.


In summary, enabling 'reliable' logging on FortiGate results in fewer, more efficiently compressed packets being sent to FortiAnalyzer, ultimately reducing bandwidth consumption.
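To make the two transport modes described above concrete, the following script estimates bytes-on-wire for the same set of log lines when they are packed into MTU-sized UDP datagrams uncompressed versus 8 KB TCP buffers that are compressed before sending. This is an added illustration, not Fortinet code: the log lines are constructed, the IPv4/UDP and IPv4/TCP header sizes are the usual minimums without options, zlib stands in for LZ4 (which is not in the Python standard library, so the absolute compression ratio will differ from a real FortiGate), and the 50 million logs/day rate used for the projection is an assumed value.

```python
"""Estimate FortiAnalyzer bytes-on-wire for 'reliable' (TCP, 8 KB buffers,
compressed) versus non-reliable (UDP, MTU-sized buffers, uncompressed) logging.

Added illustration, not Fortinet code. zlib stands in for LZ4 (not in the
Python standard library); absolute ratios will differ from a real FortiGate.
"""
import zlib

# Constructed, FortiGate-style traffic log lines (not captured from a device).
SAMPLE_LOGS = [
    (f'date=2024-01-01 time=12:00:{i % 60:02d} devname="FGT-LAB" type="traffic" '
     f'subtype="forward" srcip=10.0.{i % 256}.{(i * 7) % 256} '
     f'dstip=203.0.113.{i % 256} srcport={1024 + i % 60000} dstport=443 '
     f'proto=6 action="accept" sentbyte={100 + i} rcvdbyte={2000 + i * 3} '
     f'duration={i % 300}').encode()
    for i in range(2000)
]

IPV4_UDP_HEADER = 20 + 8    # bytes of header per datagram (no IP options)
IPV4_TCP_HEADER = 20 + 20   # bytes of header per segment (no TCP options)
UDP_BUFFER = 1500 - IPV4_UDP_HEADER   # MTU-sized payload, avoids fragmentation
TCP_BUFFER = 8 * 1024                 # 'reliable' mode buffer size from the article


def pack_buffers(lines, buffer_size):
    """Fill buffers up to buffer_size bytes with whole newline-terminated lines.
    A single line larger than buffer_size is sent in its own buffer."""
    buffers, current = [], bytearray()
    for line in lines:
        record = line + b"\n"
        if current and len(current) + len(record) > buffer_size:
            buffers.append(bytes(current))
            current = bytearray()
        current += record
    if current:
        buffers.append(bytes(current))
    return buffers


def unreliable_bytes_on_wire(lines):
    """UDP: one datagram per MTU-sized buffer, payload sent uncompressed.
    Returns (total bytes including headers, number of datagrams)."""
    buffers = pack_buffers(lines, UDP_BUFFER)
    return sum(len(b) + IPV4_UDP_HEADER for b in buffers), len(buffers)


def reliable_bytes_on_wire(lines):
    """TCP: 8 KB buffers compressed before sending (zlib level 1 stands in
    for LZ4). Returns (total bytes including headers, number of segments)."""
    buffers = pack_buffers(lines, TCP_BUFFER)
    compressed = [zlib.compress(b, 1) for b in buffers]
    return sum(len(c) + IPV4_TCP_HEADER for c in compressed), len(compressed)


def gb_per_day(bytes_for_sample, sample_count, logs_per_day):
    """Scale the sample's bytes-on-wire to an assumed daily log rate."""
    return bytes_for_sample / sample_count * logs_per_day / 1e9


if __name__ == "__main__":
    udp_bytes, udp_pkts = unreliable_bytes_on_wire(SAMPLE_LOGS)
    tcp_bytes, tcp_pkts = reliable_bytes_on_wire(SAMPLE_LOGS)
    rate = 50_000_000  # assumed logs/day for the projection
    print(f"UDP (reliable off): {udp_pkts:5d} datagrams, {udp_bytes:8d} B, "
          f"~{gb_per_day(udp_bytes, len(SAMPLE_LOGS), rate):.1f} GB/day")
    print(f"TCP (reliable on) : {tcp_pkts:5d} segments,  {tcp_bytes:8d} B, "
          f"~{gb_per_day(tcp_bytes, len(SAMPLE_LOGS), rate):.1f} GB/day")
```

Run it as-is to see the two projections side by side; swap SAMPLE_LOGS for a few thousand lines exported from your own FortiAnalyzer to get a rough estimate for a specific site. The packet count difference comes purely from buffer size, while the byte difference also includes the compression gain, which is why the article's 280 GB/day versus 120 GB/day figures reflect both effects.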

Tip: TCP port 514 should remain open even when 'reliable' is disabled, since TCP PSH and ACK packets are still exchanged on it.


Related document:

Storage requirements

Technical Tip: FortiAnalyzer logging bandwidth estimation

Comments
Ramy
Staff

Thanks Ahmed,
It's really helpful information.