FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
jkoay
Staff
Article Id 371088
Description This article describes the purpose of edrdata.db and the steps to prevent huge file sizes.
Scope FortiEDR
Solution

edrdata.db stores the threat hunting events collected by the FortiEDR Collector, according to the collection profile the FortiEDR administrator has configured under Security Settings -> Threat Hunting -> Collection profile.

This includes:

  • File-related events.
  • Process-related events.
  • Network-related events.
  • Windows event logs.

The edrdata.db file is usually around a hundred megabytes in size. However, after the FortiEDR Collector has been running for some time with a standard or comprehensive threat hunting collection profile assigned, the edrdata.db file can grow to occupy a large amount of disk space.

This can happen when the threat hunting collection profile is configured to collect event types that are not needed. Such events can be identified in the FortiEDR console: open Threat Hunting, filter by the device name, expand the facets and look at the top counts.

Based on the top counts listed, threat hunting exclusions can be configured so that FortiEDR Collectors stop collecting those events for threat hunting.

Workaround for Windows if edrdata.db is occupying excessive disk space:

  1. Run a command prompt as administrator and execute the command below to stop the FortiEDR Collector:

"C:\Program Files\Fortinet\FortiEDR\FortiEDRCollectorService.exe" --stop


There will be a prompt to enter the device registration password, which can be obtained from the FortiEDR console.

  2. Back up the edrdata.db file located in "C:\ProgramData\FortiEDR\EDR\Collector\" to a backup directory, then remove the edrdata.db file.

  3. In the same command prompt (running as administrator), execute the command below to start the FortiEDR Collector:

"C:\Program Files\Fortinet\FortiEDR\FortiEDRCollectorService.exe" --start

Workaround for Linux if edrdata.db is occupying excessive disk space:

  1. Stop the FortiEDR Collector by executing the command below in a terminal:
sudo /opt/FortiEDRCollector/control.sh --stop

There will be a prompt to enter the device registration password, which can be obtained from the FortiEDR console.

  2. Back up the edrdata.db file located in the '/opt/FortiEDRCollector/EDR/Collector/' directory by moving it to a backup directory, then make sure edrdata.db has been removed from the original location.

  3. Start the FortiEDR Collector by executing the command below in the terminal:

sudo /opt/FortiEDRCollector/control.sh --start
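The Linux workaround above as a single script, added here as an example and not taken from the Fortinet article: it runs the three steps in order, moves edrdata.db aside instead of deleting it outright, and only acts when the file exceeds a size threshold, so a database of normal size is left alone. The backup directory /var/backups/fortiedr and the 1024 MB threshold are assumed defaults; the collector paths are the ones the article gives.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: runs the Linux workaround
# (stop collector, back up edrdata.db, start collector) as one function.
# Backup dir /var/backups/fortiedr and the 1024 MB threshold are assumed
# defaults; the collector paths are the ones given in the article.
set -eu

# rotate_edrdata_db CONTROL_SH DB_PATH BACKUP_DIR THRESHOLD_MB
# Moves edrdata.db aside only when it exceeds THRESHOLD_MB, so a db of
# normal size is left alone. Returns 0 when rotated, 2 when skipped.
rotate_edrdata_db() {
    control_sh=${1:-/opt/FortiEDRCollector/control.sh}
    db_path=${2:-/opt/FortiEDRCollector/EDR/Collector/edrdata.db}
    backup_dir=${3:-/var/backups/fortiedr}
    threshold_mb=${4:-1024}

    if [ ! -f "$db_path" ]; then
        echo "no $db_path found, nothing to do"
        return 2
    fi
    size_mb=$(( $(wc -c < "$db_path") / 1024 / 1024 ))
    if [ "$size_mb" -lt "$threshold_mb" ]; then
        echo "edrdata.db is ${size_mb} MB, below ${threshold_mb} MB, leaving it"
        return 2
    fi

    mkdir -p "$backup_dir"
    backup="$backup_dir/edrdata.db.$(date +%Y%m%d-%H%M%S)"

    # Step 1: stop the collector. control.sh prompts for the device
    # registration password on the terminal, as described in the article.
    "$control_sh" --stop
    # Step 2: move (never just delete) the db so it can be restored later.
    mv "$db_path" "$backup"
    # Step 3: start the collector; it creates a fresh edrdata.db.
    "$control_sh" --start
    echo "moved ${size_mb} MB edrdata.db to $backup"
}

# Only act when invoked with --run, so sourcing this file has no side effects.
# Example: sudo ./rotate_edrdata.sh --run (defaults) or with explicit args.
if [ "${1:-}" = "--run" ]; then
    shift
    rotate_edrdata_db "$@"
fi
```

Run it as root with --run (the control.sh prompt for the registration password still appears on the terminal), or pass explicit arguments to use a different backup directory or threshold.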
