Description
This article describes how to limit logs from the FortiGate. Such reduction in logging may be motivated, for example, by exceeding the licensed daily log limit of a FortiAnalyzer.
Solution
FortiAnalyzer displays the message 'You have exceeded your daily GB Logs/Day within 7 days' when, within the last 7 days, FortiGates exceed the licensed per-day allowance for logging.
As long as that limit is exceeded FortiAnalyzer will display this warning message.
If one notices that the FortiAnalyzer VM has consistently exceeded its licensed GB/day limit for over 7 days, this is a good time to think about a license upgrade and adjust resources. Although FortiAnalyzer VM will try its best not to drop logs, consistently running over capacity will eventually lead to undetermined behavior. This is because all FortiAnalyzer VM functions are validated within the licensed limit; the behavior beyond that limit is deemed to be unsupportable.
If the FortiAnalyzer encounters any issues while it is in the license-exceeded state (GB/day), customer support will not be able to investigate unless the licensing issue is fixed. This may delay the response time for any incidents and may lead to further complications not affected and Admin users are only being warned.
There are a few ways to limit logs from the FortiGate.
- If possible, disable logs in internal policies. Options are: log all sessions/security events(UTM) only/none.
- Limit the logs from UTM profiles(AV/webfilter/Application control/Email).
- It is possible to disable logging in any UTM profiles/sensors.
- The logging option can only be changed from the CLI.
- Refer to the CLI reference documentation:
- Limit logs using a log filter.
config log fortianalyzer filter
set severity information
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set anomaly enable
set netscan-discovery enable
set netscan-vulnerability enable
set voip enable
set dlp-archive enable
end
- Limit local logs using the log setting.
config log setting
set fwpolicy-implicit-log disable
set log-invalid-packet disable
set local-in-allow disable
set local-in-deny-unicast disable
set local-in-deny-broadcast disable
set deamon-log disable
end
-
Use integrated log shaping capacity (this can cause log loss):
config log syslogd setting
set status enable
set server "a.b.c.d"
set priority low <- Set priority is set to control the socket priority in traffic queuing in the interface.
set max-log-rate 1 <- Value in MB for logging rate (The range of max-log-rate is {0,100000} (0 by default).
end
If logs are dropped due to a max-log-rate setup, an event log is generated every hour to indicate the number of logs dropped.
Check if logs are dropped using a test command in the CLI to display dropped log information:
diagnose test application miglogd 40
These features are available for FortiAnalyzer, FortiCloud, and Syslog.
Related article:
Technical Tip: How to troubleshoot the 'daily logs GB/day limit is exceeded' warning on FortiAnalyze....
