FortiAnalyzer
mrafat
Staff
Article Id 208577

Description

This article describes how to resolve the loss of historical logs on FortiAnalyzer when an ADOM's quota has been exceeded.

Scope

FortiAnalyzer

Investigation:

1) Verify the ADOM quota utilization: go to System Settings -> Storage Info and double-click the ADOM that contains the device. The window below shows the Analytics and Archive utilization together with the Data Policy.

[Screenshot: ADOM storage window showing Analytics and Archive utilization and the Data Policy]

2) The same information can be obtained from the FortiAnalyzer CLI with the command:

# diagnose log device

Check the 'used%' value for both Analytics and Archive and note whether it has reached 85% or above.

[Screenshot: 'diagnose log device' output showing the Analytics and Archive used% per ADOM]

3) Once the quota is reached, FortiAnalyzer starts deleting old logs to free space in the ADOM's allocated storage so that it can keep receiving new logs. Enforcing the quota through log deletion and database trims also consumes CPU resources unnecessarily.

4) Verify the log rate received on FortiAnalyzer with the command below (it monitors the log rate per second):

# diagnose fortilogd lograte
last 5 seconds: 2329.6, last 30 seconds: 2300.9, last 60 seconds: 2283.4.

5) Verify the log rate per device to find which device is sending a large volume of logs and consuming the most disk space, using the command below on the FortiAnalyzer CLI:

# diagnose fortilogd lograte-device

Logs per second
Totals                Last Hour      Day      Week
                      -------------------------------
    Device1_Serial:      200.00      5.30      2.10
    Device2_Serial:     1136.77     72.09     10.30
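As an added example (not part of the article and not a Fortinet tool), the Python script below parses 'diagnose fortilogd lograte-device' output in the layout shown above, ranks devices by their share of the log rate, and applies the 85% used% threshold from step 2 to ADOM utilization figures read from the Storage Info window. The CLI output and the ADOM percentages are constructed sample data.

```python
import re

# Constructed sample laid out like the 'diagnose fortilogd lograte-device' output above.
SAMPLE_OUTPUT = """\
Logs per second
Totals            Last Hour       Day      Week
     -------------------------------------------------
    Device1_Serial:      200.00      5.30      2.10
    Device2_Serial:      1136.77     72.09     10.30
"""

# Constructed ADOM figures as read from System Settings -> Storage Info (used% of quota).
SAMPLE_ADOM_USAGE = {"root": {"analytics": 91.2, "archive": 40.5},
                     "branch": {"analytics": 60.0, "archive": 12.3}}

QUOTA_WARN_PCT = 85  # used% at which the article says old logs are about to be trimmed

# One per-device row: "<serial>:  <last hour>  <day>  <week>"
ROW_RE = re.compile(r"^\s*(\S+):\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$")


def parse_lograte_device(text):
    """Map each device to its last-hour/day/week logs-per-second figures."""
    rates = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            dev, hour, day, week = m.groups()
            rates[dev] = {"hour": float(hour), "day": float(day), "week": float(week)}
    return rates


def rank_devices(rates, window="hour"):
    """Devices sorted by rate in the chosen window, with each one's share of the total (%)."""
    total = sum(r[window] for r in rates.values())
    ranked = sorted(rates.items(), key=lambda kv: kv[1][window], reverse=True)
    return [(dev, r[window], round(100 * r[window] / total, 1) if total else 0.0)
            for dev, r in ranked]


def adoms_near_quota(usage, threshold=QUOTA_WARN_PCT):
    """ADOMs whose Analytics or Archive used% has reached the warning threshold."""
    return sorted(adom for adom, pct in usage.items()
                  if max(pct["analytics"], pct["archive"]) >= threshold)


if __name__ == "__main__":
    print("ADOMs at or above %d%% used:" % QUOTA_WARN_PCT, adoms_near_quota(SAMPLE_ADOM_USAGE))
    for dev, rate, share in rank_devices(parse_lograte_device(SAMPLE_OUTPUT)):
        print(f"{dev}: {rate:.2f} logs/s (last hour), {share}% of total")
```

Paste the real CLI output in place of SAMPLE_OUTPUT to see which device dominates the rate before deciding between adding quota, extending the disk, or reducing that device's logging.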

Solutions:

To prevent the loss of historical logs due to a limited ADOM quota, follow the steps below:

1) If there is enough free space on the hard disk, assign extra quota to the ADOM in the section highlighted below:

[Screenshot: ADOM edit window with the Analytics and Archive quota allocation section highlighted]

2) On FortiAnalyzer-VM only: if there is not enough hard disk space to assign to the ADOM, extend the unit's hard disk.

[See Related Articles for the KB on hard disk expansion.]

3) To estimate the hard disk space needed for the received log rate, and upgrade the hard disk accordingly, use the sizing formula.

[See Related Articles for the KB with the formula for estimating the hard disk space needed.]

4) If there is not enough space and the logging of a specific device that sends a large volume of logs to FortiAnalyzer needs to be reduced, minimize that device's logging.

[See Related Articles for the KB on minimizing FortiGate logging to FortiAnalyzer.]

Related Articles:

1) Extending the FortiAnalyzer VM hard disk
https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Extending-disk-space-in-FortiAnalyzer-...

2) Formula for calculating the estimated hard disk space
https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-How-to-calculate-disk-space-needed-for...

3) Minimizing FortiGate logging to FortiAnalyzer
https://community.fortinet.com/t5/FortiAnalyzer/Technical-Note-Minimizing-logging-from-FortiGate-to/...