FortiAnalyzer
vraev
Staff
Article Id 395221
Description

This article describes the basic steps to confirm whether the hardware platform has reached its limits.

Scope

FortiAnalyzer, FortiManager with FortiAnalyzer features.

Solution

To review the overall state of the hardware platform, run the following commands:

get system status

get system performance

get system loglimits

diagnose test application logfwd 4

diagnose fortilogd lograte

diagnose sql status sqlplugind

Example:

In this example, the current received log rate plus the log forward rate exceeds the capabilities of the hardware appliance (the received rate alone is below the sustained limit, but the combined rate is not).

get system loglimits


GB/day : 200
Peak Log Rate : 9000
Sustained Log Rate : 6000


diagnose test application logfwd 4
log/sec: 4528.2 4404.3 4361.9

+

diagnose fortilogd lograte
last 5 seconds: 5009.8, last 30 seconds: 4757.8, last 60 seconds: 4545.2
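As an added example (not part of the original article), the following script parses the three command outputs shown above and compares the received rate plus the forward rate against the configured sustained and peak limits. It assumes the first value after "log/sec:" is the most recent logfwd sample, uses the 60-second fortilogd value for the sustained comparison and the 5-second value for the peak comparison; the sample outputs are copied from this article.

```python
import re

# Constructed sample outputs, copied from the CLI excerpts in this article.
LOGLIMITS_OUT = "GB/day : 200\nPeak Log Rate : 9000\nSustained Log Rate : 6000\n"
LOGFWD_OUT = "log/sec: 4528.2 4404.3 4361.9\n"
LOGRATE_OUT = "last 5 seconds: 5009.8, last 30 seconds: 4757.8, last 60 seconds: 4545.2\n"


def parse_loglimits(text):
    """Return {'gb_per_day', 'peak', 'sustained'} from 'get system loglimits'."""
    keys = (("GB/day", "gb_per_day"), ("Peak Log Rate", "peak"),
            ("Sustained Log Rate", "sustained"))
    limits = {}
    for key, name in keys:
        m = re.search(rf"{re.escape(key)}\s*:\s*(\d+)", text)
        if m:
            limits[name] = int(m.group(1))
    return limits


def parse_logfwd(text):
    """Forwarded logs/sec from 'diagnose test application logfwd 4' (assumed: first sample is newest)."""
    m = re.search(r"log/sec:\s*([\d.]+)", text)
    return float(m.group(1)) if m else 0.0


def parse_lograte(text):
    """Return {5: rate, 30: rate, 60: rate} from 'diagnose fortilogd lograte'."""
    return {int(w): float(r) for w, r in re.findall(r"last (\d+) seconds:\s*([\d.]+)", text)}


def assess(loglimits_text, logfwd_text, lograte_text):
    """Compare received + forwarded rate against the appliance's sustained and peak limits."""
    limits = parse_loglimits(loglimits_text)
    fwd = parse_logfwd(logfwd_text)
    rates = parse_lograte(lograte_text)
    total_60s = round(rates.get(60, 0.0) + fwd, 1)   # sustained comparison
    total_5s = round(rates.get(5, 0.0) + fwd, 1)     # peak comparison
    return {
        "received_60s": rates.get(60, 0.0), "forwarded": fwd,
        "total_60s": total_60s, "total_5s": total_5s,
        "sustained_limit": limits.get("sustained"), "peak_limit": limits.get("peak"),
        "over_sustained": total_60s > limits.get("sustained", float("inf")),
        "over_peak": total_5s > limits.get("peak", float("inf")),
    }


if __name__ == "__main__":
    for k, v in assess(LOGLIMITS_OUT, LOGFWD_OUT, LOGRATE_OUT).items():
        print(f"{k}: {v}")
```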

There are also peaks in the log insertion rate:


log insert speed: logs/5sec: 21922.2, logs/60sec: 7643.4 Overall: 7095.4 (15298400 5)


Reviewing 'diagnose debug crash read' may return additional information.

For example, in this case the log forward service (logfwd) crashed:

2025-06-02 13:26:05 Firmware v7.2.8-build1634 241018 (GA)
2025-06-02 13:26:05 Application logfwd


A short summary of the related processes:

The device receives logs and saves them to a file.

The logs must then be read and inserted into the SQL DB.
At the same time, if log forwarding is configured, the device sends the logs to the configured destination.

Reviewing LogView, generating reports, and other UI processes also require CPU, RAM and reads from the HDD.