FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
HernandezA
Staff
Article Id 360747
Description: This article describes how to troubleshoot FortiAnalyzer performance issues that appear when the unit reaches its capacity limits.
Scope: FortiAnalyzer.
Solution

Possible effects when FortiAnalyzer performs badly because it has reached its capacity limits:

  1. High CPU usage.
  2. Logs cannot be loaded in Log View -> All menu.
  3. Analytics cannot be displayed in FortiView menus such as Threats, Traffic, Traffic Analysis, and SD-WAN.

[Image: cannotloaddata.png]

 

Validation Procedure:

  1. Go directly to the dashboard and review the 'Average Rate' and 'Insert Rate vs Receive Rate' widgets. 'Insert Rate vs Receive Rate' shows the value of the Sustained Log Rate. For physical appliances this value is especially important, because it is the maximum rate the device supports and it is tied to the hardware resources.
    1. The CLI shows the rate of logs received with the command:

      diagnose fortilogd lograte

      The output is: last 5 seconds: 3542.8, last 30 seconds: 3524.1, last 60 seconds: 3585.6.

    2. The device's maximum capacity can be obtained with the command:

      get system loglimits

      The output is:
      GB/day : 25
      Peak Log Rate : 750
      Sustained Log Rate : 500

    3. To obtain the details of the specific model, execute the following command and use the 'Platform full name' field:

      get system status

  2. Validate the system events in System Settings -> Event Logs, looking for the type 'System performance status'.

    [Image: systemevents.png]

  3. With that information, the capacity of the device can be validated according to its model. For the capacity of each product, refer to the FortiAnalyzer data sheet.

  4. In this example it can be confirmed that the current quantity of logs exceeds the supported rate, causing the resource consumption: the logs received are 3542 and the supported Sustained Log Rate is 500.

    The options available to resolve this kind of scenario are:

    1. When the logs received do not exceed the maximum supported by much, it is possible to disable the siemagentdb when the user does not use it. This can be performed following: Technical Tip: How to improve FortiAnalyzer performances when FortiSIEM module is not needed.

    2. The logs received by FortiAnalyzer can be filtered; this procedure can be performed following: Technical Tip: Minimizing logging from FortiGate to FortiAnalyzer.

    3. To identify which ADOM (X), which kind of traffic (Y), and which device (Z) is the top log generator, execute the following commands, which show the details for each of these points:

      diagnose fortilogd lograte-adom all

      [Image: lograteadom.png]

      diagnose fortilogd lograte-type

      [Image: logratedevice.png]

      diagnose fortilogd lograte-device

      [Image: logratetyupe.png]

    4. If the previous solutions cannot resolve it, the remaining option is to change the device model to one that can meet the network requirements.
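As an added example (not part of the original article), the following POSIX shell script applies the comparison made in the validation steps above: it parses the output of 'diagnose fortilogd lograte' and 'get system loglimits' and reports whether the received rate exceeds the Sustained Log Rate. The two output strings are constructed from the sample values quoted in this article; on a real unit they would be captured from the CLI instead. The function names and the 80% "NEAR" threshold are this example's own choices, not part of the FortiAnalyzer CLI.

```shell
#!/bin/sh
# Added example (not from the article): compare the FortiAnalyzer received log rate
# against the Sustained Log Rate reported by 'get system loglimits'.
# Both strings below are constructed from the sample values quoted in the article;
# on a real unit they would be captured from the CLI (for example over SSH).
LOGRATE_OUTPUT='last 5 seconds: 3542.8, last 30 seconds: 3524.1, last 60 seconds: 3585.6.'
LOGLIMITS_OUTPUT='GB/day : 25
Peak Log Rate : 750
Sustained Log Rate : 500'

# received_rate OUTPUT -> prints the 60-second average from a 'diagnose fortilogd lograte' line.
# The 60-second window is used because it smooths short bursts better than the 5-second one.
received_rate() {
  printf '%s\n' "$1" | awk '
    match($0, /last 60 seconds: *[0-9]+(\.[0-9]+)?/) {
      s = substr($0, RSTART, RLENGTH)
      sub(/.*: */, "", s)
      print s
    }'
}

# limit_value KEY OUTPUT -> prints the number after "KEY :" in the 'get system loglimits' block.
limit_value() {
  printf '%s\n' "$2" | awk -F':' -v key="$1" '
    index($1, key) == 1 { gsub(/ /, "", $2); print $2 }'
}

# capacity_verdict LOGRATE_OUTPUT LOGLIMITS_OUTPUT -> prints one line whose first word is
# OVER (received rate above the sustained limit), NEAR (80% or more of the sustained limit;
# the 80% headroom threshold is this example's choice) or OK, followed by the figures used.
capacity_verdict() {
  rx=$(received_rate "$1")
  sustained=$(limit_value "Sustained Log Rate" "$2")
  peak=$(limit_value "Peak Log Rate" "$2")
  # Percentage of the sustained limit in use, truncated to an integer.
  pct=$(awk -v r="$rx" -v s="$sustained" 'BEGIN { printf "%d", r * 100 / s }')
  # Exact float comparison for the OVER decision, so 500.5 vs 500 is still flagged.
  if awk -v r="$rx" -v s="$sustained" 'BEGIN { exit (r > s) ? 0 : 1 }'; then
    echo "OVER $rx logs/s received, ${pct}% of sustained $sustained (peak $peak)"
  elif [ "$pct" -ge 80 ]; then
    echo "NEAR $rx logs/s received, ${pct}% of sustained $sustained (peak $peak)"
  else
    echo "OK $rx logs/s received, ${pct}% of sustained $sustained (peak $peak)"
  fi
}

capacity_verdict "$LOGRATE_OUTPUT" "$LOGLIMITS_OUTPUT"
```

With the article's sample values the script reports OVER, since 3585.6 logs/s is about 717% of the 500 logs/s sustained limit, which is the same conclusion the validation steps reach by hand. Run periodically, the NEAR verdict gives early warning before the limit is actually exceeded and the Log View or FortiView symptoms appear.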

Related article:

Technical Tip: How to gather information and fix high CPU and Mem utilization conditions