Description
This article describes how to free up disk space on FortiAnalyzer. When available disk space is low on a FortiAnalyzer, an effective way to free up space is to delete some of the data that is stored as files (rather than logs):
- DLP files.
- Packet log files.
- Quarantined files.
If these files are large, they could quickly use up disk space.
Solution
To reduce the space used by these types of files:
- Set up automatic deletion based on the age of files:
System Settings -> Advanced -> File Management.
Set up rules specific to:
- Content Archive
- Quarantine Files
- Delete files from the CLI.
Use the following CLI commands to delete all files of a specific type from a specific device (FortiGate):
For DLP Files:
execute log dlp-files clear
<string> device name
FG100C-Swift-4
FG3K91-2
For IPS Files:
execute log ips-pkt clear
<string> device name
FG100C-Swift-4
FG3K91-2
For Quarantine Files:
execute log quarantine-files clear
<string> device name
FG100C-Swift-4
FG3K91-2
For FortiRecorder files:
config system global
set disable-module siem fortirecorder
end
diagnose siem remove database ALL
------------------------------------------
On FortiAnalyzer, check statistics on received archives and quarantines:
diagnose dlp-archives statistics [show|flush]
For example: