Overview: When FortiAnalyzer becomes temporarily unavailable, FortiGate uses its miglogd process to cache logs locally. However, this caching has a maximum limit, and once it is reached, miglogd starts dropping the oldest logs. When the connection between FortiGate and FortiAnalyzer is restored, miglogd sends the cached logs to FortiAnalyzer.
Log Caching Mechanism
Log Caching by miglogd:
- FortiGate stores logs in a temporary buffer using the miglogd process.
- If the cache reaches its maximum limit, older logs are dropped first.
Log Forwarding After Restoration:
- When FortiAnalyzer connectivity is restored, miglogd automatically starts sending cached logs to FortiAnalyzer.
FortiGate Devices with SSD:
- FortiGate devices with an SSD have a configurable log buffer.
- If the memory log buffer is full, logs can be temporarily stored on disk until FortiAnalyzer becomes available.
- Once restored, logs stored on the disk are forwarded to FortiAnalyzer.
To change the buffer size:
config system global
    set faz-disk-buffer-size <integer>
end
Here <integer> is the FortiAnalyzer disk queue size in MB, within the range 0-4506 (0 = disabled).
Note:
The buffer range 0-4506 MB is for FortiWiFi-81F. Other models may have a different buffer range depending on the SSD size.
Note:
The buffer is meant only for short-term outages, such as reboots, and is not for lengthy outages.
Monitoring Log Caching and Failures
Log caching, failed logs, and the total number of logs stored can be checked from the FortiGate CLI.
Checking miglogd Cache and Statistics: Run the following command:
diagnose test application miglogd 6
mem=0, disk=9036, alert=0, alarm=0, sys=0, faz=3113, faz-cloud=0, web=0, fds=0 interface-missed=170
Checking Logging Statistics: To view FortiGate’s logging queue, use:
diagnose test application fgtlogd 4
Queues in all miglogds: cur=0 total-so-far=213817
global log dev statistics:
    faz=3115, faz_cloud=0, fds_log=0
faz_ox: sent=3087, failed=0, cached=0, dropped=0
This command provides:
- Current cache size (cur = 0).
- Total cache size (total-so-far: 23437).
- Number of logs cached and failed logs.
If the link experiences bursts or becomes overloaded, 'failed' increases; if FortiAnalyzer is unavailable, 'cached' increases.
Checking Kernel Log Buffer: Use the following command to check log failures due to a full cache:
diagnose log kernel-stat
fgtlog: 1
fgtlog: 0
total-log=16388, failed-log=0
log-in-mem=0
If the failed-log value increases, it indicates that logs are being dropped due to insufficient buffer space.
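The article's guidance is that growth in 'cached', 'failed' and 'failed-log' matters, not their absolute values. The following script, added here as an example and not part of the original article or any Fortinet tool, parses two samples of the fgtlogd and kernel-stat output shown above and reports only the counters that grew between them; the sample output is constructed to resemble the article's fields and was not captured from a device.

```python
import re

# Constructed sample output modelled on the fields the article shows; these
# are not captures from a real device. Sample T1 is taken a few minutes after
# sample T0, while FortiAnalyzer is unreachable.
FGTLOGD_T0 = """Queues in all miglogds: cur=0 total-so-far=213817
global log dev statistics:
    faz=3115, faz_cloud=0, fds_log=0
faz_ox: sent=3087, failed=0, cached=0, dropped=0"""
FGTLOGD_T1 = """Queues in all miglogds: cur=12 total-so-far=213990
global log dev statistics:
    faz=3288, faz_cloud=0, fds_log=0
faz_ox: sent=3087, failed=0, cached=173, dropped=0"""
KERNEL_T0 = "fgtlog: 1\nfgtlog: 0\ntotal-log=16388, failed-log=0\nlog-in-mem=0"
KERNEL_T1 = "fgtlog: 1\nfgtlog: 0\ntotal-log=16561, failed-log=40\nlog-in-mem=0"

# key=value pairs; keys may contain '-' or '_' (total-so-far, failed-log).
KV_RE = re.compile(r"([A-Za-z][A-Za-z0-9_-]*)=(\d+)")

def parse_counters(text):
    """Return {key: int} for every key=value pair in the CLI output."""
    return {k: int(v) for k, v in KV_RE.findall(text)}

def snapshot(fgtlogd_out, kernel_stat_out):
    """Merge one sample of both commands into a single counter dict.
    The two commands use disjoint key names, so merging loses nothing."""
    counters = parse_counters(fgtlogd_out)
    counters.update(parse_counters(kernel_stat_out))
    return counters

# Counters whose growth between samples indicates a problem, with meaning.
WATCH = {
    "cached": "FortiAnalyzer unreachable, logs are being buffered",
    "failed": "link burst or overload, sends to FortiAnalyzer failing",
    "dropped": "buffer limit reached, oldest logs discarded",
    "failed-log": "kernel log buffer full, logs dropped",
}

def assess(prev, curr):
    """Return one finding per watched counter that grew between samples.
    A non-zero value alone may be left over from an old outage, so only
    the delta over the polling interval is reported."""
    findings = []
    for key, meaning in WATCH.items():
        delta = curr.get(key, 0) - prev.get(key, 0)
        if delta > 0:
            findings.append(f"{key} +{delta}: {meaning}")
    return findings

if __name__ == "__main__":
    for line in assess(snapshot(FGTLOGD_T0, KERNEL_T0),
                       snapshot(FGTLOGD_T1, KERNEL_T1)):
        print(line)
```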