Description
This article describes how to identify the reason for deletion or loss of Analytics or Archive logs in FortiAnalyzer.
Scope
FortiAnalyzer.
Solution
FortiAnalyzer can delete Analytic and Archive logs for an ADOM to enforce its log retention settings (Data Policy and disk quota). An administrator can also delete log files manually. The following event log details help identify which of these caused the deletion.
Event log for deletion of device logs from the Database:
- Look for an Operation field value such as 'Trim database' or 'Remove DB table' in the Event logs.
- All event logs related to analytics have the 'Sub Type' field set to 'logdb'.
- Example of the Message field in such logs: 'Dropping 65 log database tables with size 190.7MB from Adom <Adom Name> due to Adom quota enforcement'.
Event log for deletion of Archived log files:
- The 'Sub Type' for events related to Archive files is 'logfile'.
- The Operation for raw/archive log file deletion is 'Delete logfile'.
- Example of the Message field when archive logs are deleted: 'Deleted 10 log files of total size 93.3MB to enforce the disk space quota of Adom FGT'.
Event logs for manually deleting the log file:
- The 'Sub Type' field for events related to manual log file deletion is 'logfile'.
- The User of the event is the administrator who deleted the file.
- Example of the Message field when an archive log file is deleted manually: 'Deleted log file elog.1733328179.log.zst of device FGT40FTKXXXXXXX'.
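The three cases above can be told apart from the Sub Type, Operation, User and Message fields alone. The following Python script is an added example (not part of this article or of FortiAnalyzer) that triages a handful of constructed event lines in an assumed key=value layout, picks out the deletion events, and labels each as analytics-database or archive-file deletion and as quota enforcement or manual deletion, pulling the table/file count, size, ADOM and device out of the Message text quoted in the article. The lowercase field keys (subtype, operation, user, msg) and the rule that quota-driven messages contain the word "quota" are assumptions based on the examples above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample event lines (not real FortiAnalyzer output). The key=value
# layout and lowercase keys are ASSUMED; the values follow the Sub Type,
# Operation and Message examples quoted in the article.
SAMPLE_EVENTS = [
    'date=2024-12-04 time=10:01:12 subtype=logdb user=system operation="Trim database" '
    'msg="Dropping 65 log database tables with size 190.7MB from Adom root due to Adom quota enforcement"',
    'date=2024-12-04 time=10:05:30 subtype=logfile user=system operation="Delete logfile" '
    'msg="Deleted 10 log files of total size 93.3MB to enforce the disk space quota of Adom FGT"',
    'date=2024-12-04 time=11:15:02 subtype=logfile user=admin operation="Delete logfile" '
    'msg="Deleted log file elog.1733328179.log.zst of device FGT40FTKXXXXXXX"',
    'date=2024-12-04 time=12:00:00 subtype=system user=admin operation="Login" '
    'msg="Administrator admin logged in"',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')          # key=value or key="value with spaces"
_COUNT = re.compile(r'(?:Dropping|Deleted) (\d+) log (?:database tables|files)')
_SIZE = re.compile(r'size (\d+(?:\.\d+)?)\s*([KMG]B)')
_ADOM = re.compile(r'\bAdom (\S+)')
_DEVICE = re.compile(r'\bdevice (\S+)')

DB_OPERATIONS = {"Trim database", "Remove DB table"}   # Sub Type 'logdb'
FILE_OPERATIONS = {"Delete logfile"}                   # Sub Type 'logfile'


@dataclass
class DeletionEvent:
    kind: str            # 'analytics' (logdb) or 'archive' (logfile)
    cause: str           # 'quota enforcement' or 'manual'
    user: str
    operation: str
    count: int           # tables or files removed
    size_mb: float       # 0.0 when the message carries no size
    adom: Optional[str]
    device: Optional[str]
    message: str


def parse_fields(line: str) -> dict:
    """Split a key=value event line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def _size_mb(msg: str) -> float:
    m = _SIZE.search(msg)
    if not m:
        return 0.0
    value, unit = float(m.group(1)), m.group(2)
    return value * {"KB": 1 / 1024, "MB": 1.0, "GB": 1024.0}[unit]


def classify(line: str) -> Optional[DeletionEvent]:
    """Return a DeletionEvent for log-deletion events, None for anything else."""
    f = parse_fields(line)
    subtype, op, msg = f.get("subtype", ""), f.get("operation", ""), f.get("msg", "")
    if subtype == "logdb" and op in DB_OPERATIONS:
        kind = "analytics"
    elif subtype == "logfile" and op in FILE_OPERATIONS:
        kind = "archive"
    else:
        return None
    # ASSUMED discriminator: the quota-enforcement messages quoted in the article
    # mention "quota"; a manual deletion names one file and its device instead.
    cause = "quota enforcement" if "quota" in msg.lower() else "manual"
    m = _COUNT.search(msg)
    count = int(m.group(1)) if m else 1      # single-file manual deletion
    adom = _ADOM.search(msg)
    dev = _DEVICE.search(msg)
    return DeletionEvent(kind, cause, f.get("user", ""), op, count, _size_mb(msg),
                         adom.group(1) if adom else None,
                         dev.group(1) if dev else None, msg)


def triage(lines: List[str]) -> List[DeletionEvent]:
    """Keep only the deletion events, in input order."""
    return [e for e in (classify(line) for line in lines) if e is not None]


if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS):
        print(f"{e.kind:9} {e.cause:17} user={e.user:<7} count={e.count:<3} "
              f"size={e.size_mb:.1f}MB adom={e.adom} device={e.device}")
```

Run the script as-is to see the three deletion events classified while the unrelated login event is dropped; pointing `triage` at exported event log lines in the same layout shows at a glance whether space is being reclaimed by quota enforcement (check Data Policy and Disk Allocation) or whether a named administrator removed files by hand.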
Note:
Ensure the Data Policy and Disk Allocation are configured appropriately for the ADOM's log volume. To adjust them, navigate to System Settings -> ADOM -> Edit ADOM.
Related documents:
Analytic and Archived Log retention periods
Fortianalyzer event logs
Technical Tip: Archive vs Analytic Logs