FortiAnalyzer
onunez
Staff

Description

 

When available disk space on a FortiAnalyzer is low, an effective way to free space is to delete some of the data that is stored as files rather than as logs:
 
DLP files.
Packet log files.
Quarantined files.
 
If these files are large, they can use up disk space quickly.


Solution

 

To reduce the space used by these types of files:
 
1) Set up automatic deletion based on file age:
 
System Settings -> Advanced -> File Management.
 
Set up rules for:
Content Archive
Quarantine Files
 
2) Delete files from the CLI.
 
Below are the CLI commands for deleting all files of a specific type from a specific device (FortiGate). Each command takes the device name as its argument; entered without one, the CLI prints the argument help and the available device names (two example FortiGates are shown below). Append the device name to delete the files, for example 'execute log dlp-files clear FG100C-Swift-4'.
 
For DLP files:
 
# execute log dlp-files clear
 
<string>    device name
 
FG100C-Swift-4
 
FG3K91-2

For IPS packet files:
 
# execute log ips-pkt clear
 
<string>    device name
 
FG100C-Swift-4
 
FG3K91-2
 
For quarantine files:
 
# execute log quarantine-files clear
 
<string>    device name
 
FG100C-Swift-4
 
FG3K91-2
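When several devices hold files of each type, it is easier to generate the three clear commands per device and review them before sending them to the unit. The following POSIX shell script is an added example, not part of the original article or a Fortinet tool. It assumes the syntax shown by the CLI help above (execute log {dlp-files|ips-pkt|quarantine-files} clear <device name>), that the commands can be fed to the FortiAnalyzer CLI over SSH from standard input, and it uses hypothetical environment variables FAZ_HOST, FAZ_USER and DRY_RUN that are not from the page.

```shell
#!/bin/sh
# Added example (not from the original article): batch the FortiAnalyzer
# "execute log ... clear" commands for several devices.
# Assumptions: the command syntax is
#   execute log {dlp-files|ips-pkt|quarantine-files} clear <device name>
# as the CLI help output in the article shows, and the admin account can
# run these commands non-interactively over SSH (piped on stdin).

# Print the CLI commands that clear DLP, IPS packet and quarantine files for
# every device name given as an argument, one command per line.
faz_clear_cmds() {
    for dev in "$@"; do
        for kind in dlp-files ips-pkt quarantine-files; do
            printf 'execute log %s clear %s\n' "$kind" "$dev"
        done
    done
}

# Run the commands on a FortiAnalyzer. With FAZ_HOST unset (or DRY_RUN=1)
# the commands are only printed, so what will be deleted can be reviewed first.
# FAZ_HOST, FAZ_USER and DRY_RUN are hypothetical variables for this script.
faz_clear_files() {
    cmds=$(faz_clear_cmds "$@")
    if [ -z "${FAZ_HOST:-}" ] || [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmds"
        return 0
    fi
    # Feed the commands to the FortiAnalyzer CLI over SSH; 'exit' ends the session.
    printf '%s\nexit\n' "$cmds" | ssh "${FAZ_USER:-admin}@${FAZ_HOST}"
}

# Usage (dry run; device names taken from the article's CLI output):
#   faz_clear_files FG100C-Swift-4 FG3K91-2
```

Run it once without FAZ_HOST to see the exact command list, then set FAZ_HOST (and FAZ_USER if the account is not admin) to apply it. Deleting these files is irreversible, so keep the dry run in any change record.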

 

 

For FortiRecorder files:

Disable the FortiRecorder SIEM module, then remove its database:

# config system global
    set disable-module siem fortirecorder
end

# diagnose siem remove database ALL

Note that the ALL argument of the last command targets the whole SIEM database rather than a single file set, so confirm that the SIEM data on this unit is no longer needed (or has been backed up) before running it.