Description |
This article describes why FortiGate displays different log statistics for FortiAnalyzer Cloud and on-premises FortiAnalyzer. |
Scope | FortiGate, FortiAnalyzer. |
Solution |
If a FortiGate is configured with Fabric connections to both FortiAnalyzer Cloud and an on-prem FortiAnalyzer, a noticeable difference can be observed in the log data volume (GB/day) sent to each for the same period. FortiAnalyzer Cloud consistently reports a higher daily log volume than the on-prem FortiAnalyzer.
FortiAnalyzer On-prem: FortiGate will send compressed (raw) logs to FortiAnalyzer. FortiAnalyzer only reports on the volume of compressed (raw) logs stored during the last 7 days.
FortiAnalyzer Cloud: FortiGate will send compressed (raw) logs to FortiAnalyzer. FortiAnalyzer will uncompress and store data in the analytics database and archive (compressed raw logs). FortiAnalyzer Cloud is a service where Fortinet is responsible for storage as well. As such, FortiAnalyzer reports on uncompressed log volume stored in the analytics database as well as the raw logs. This is why the log GB/day figure is higher than on the on-prem FortiAnalyzer.
|