Technical Tip: How to troubleshoot the 'daily logs GB/day limit is exceeded' warning on FortiAnalyzer

1. When seeing this warning notification 'Your daily logs GB/day limit is exceeded within the last 7 days.' on the FortiAnalyzer’s alert pane, it means that the logging rate of this FortiAnalyzer has exceeded the licensed logging rate.

2. This can be verified under System Settings -> Dashboard -> 'License Information' widget -> Logging -> GB/Day -> Details. In the image shown below, the daily licensed logging rate is 201 GB/day but the actual logging rate detected by FortiAnalyzer has exceeded that amount for the past 7 days.

    

   

    

    

3. This could be a good time to think of purchasing a bigger license to accommodate the increased logging rate.  Operating your VM beyond the licensed capacity could affect the ability to receive technical support.

   
   Any additional licenses that are purchased are stackable with the old license. For example, if originally it was on the FAZ-VM-GB1 (1 GB/day) license and had purchased a FAZ-VM-GB5 (5 GB/day) license, the entitled GB/day logs would be 6 GB/day.

    

   

    

   Datasheet: FortiAnalyzer Data Sheet.

    

4. Alternatively, it is possible to consider minimizing logging from the FortiGate to the FortiAnalyzer-VM via the KB article below or use the below command:

   
   diagnose fortilogd lograte-device
   
   Logs per second
   Totals Last Hour Day Week
   -------------------------------------------------------
   FGXXXXXXXXXX: 0.00 0.00 0.00
   FGXXXXXXXXX2: 0.00 0.00 0.00

    

   That will show the FortiGate sending the most on the past hour Day and week.

    

Related article:

Technical Note: Minimizing logging from FortiGate to FortiAnalyzer.

Technical Tip: Extending disk space in FortiAnalyzer VM / FortiManager VM