Description | This article describes why FortiGate is generating the System Event log 'Threat feed overflow'. |
Scope | FortiOS 7.4.4/7.6.0 and above. |
Solution |
Log ID 22224, 'Threat feed overflow', is generated when a threat feed exceeds the allowed limit. This log message was introduced in FortiOS v7.4.4 / v7.6.0.
In this example, an IP address threat feed was configured on a FortiGate 40F (one VDOM, running firmware 7.4.6), which has a limit of 300000. The txt file contains 562032 lines, so the feed exceeds the limit.
FGT40F-1 # diagnose sys external-resource stats IP-ThreatFeed
date=2025-01-03 time=17:20:32 eventtime=1735881631947067619 tz="+1200" logid="0100022224" type="event" subtype="system" level="warning" vd="root" logdesc="Threat feed overflow" msg="Threat feed 'ext-root.IP-ThreatFeed' overflowed. Not all entries in list will be loaded" |
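
Because an overflowed feed is only partly loaded, it is worth alerting on this event wherever FortiGate logs are collected. The following is an added example, not part of the original article or Fortinet code: it parses key=value log lines like the one above and counts overflow events per VDOM and feed. The second and third sample lines, the logid 0100099999 and the feed name Constructed-Feed are constructed for illustration.

```python
import re
from collections import Counter

OVERFLOW_LOGID = "0100022224"  # 'Threat feed overflow' (log id 22224)
# key=value or key="quoted value" pairs, as in the log line on this page
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
# Feed name as quoted inside msg: Threat feed '<name>' overflowed
FEED_RE = re.compile(r"Threat feed '([^']+)' overflowed")

# First line is the log from this page; the other two are constructed.
SAMPLE_LOGS = [
    'date=2025-01-03 time=17:20:32 eventtime=1735881631947067619 tz="+1200" '
    'logid="0100022224" type="event" subtype="system" level="warning" vd="root" '
    'logdesc="Threat feed overflow" msg="Threat feed \'ext-root.IP-ThreatFeed\' '
    'overflowed. Not all entries in list will be loaded"',
    'date=2025-01-03 time=17:21:05 logid="0100099999" type="event" '
    'subtype="system" level="notice" vd="root" logdesc="Constructed event" '
    'msg="Constructed unrelated message"',
    'date=2025-01-04 time=02:00:10 tz="+1200" logid="0100022224" type="event" '
    'subtype="system" level="warning" vd="root" logdesc="Threat feed overflow" '
    'msg="Threat feed \'ext-root.Constructed-Feed\' overflowed. Not all entries '
    'in list will be loaded"',
]

def parse_log_line(line):
    """Return the fields of one key=value log line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields

def overflow_events(lines):
    """Yield one record per 'Threat feed overflow' event, skipping other logs."""
    for line in lines:
        f = parse_log_line(line)
        if f.get("logid") != OVERFLOW_LOGID:
            continue
        m = FEED_RE.search(f.get("msg", ""))
        yield {"vdom": f.get("vd"), "feed": m.group(1) if m else None,
               "when": f"{f.get('date')} {f.get('time')}"}

def overflowing_feeds(lines):
    """Count overflow events per (vdom, feed) so repeat offenders stand out."""
    return Counter((e["vdom"], e["feed"]) for e in overflow_events(lines))

if __name__ == "__main__":
    for (vdom, feed), n in overflowing_feeds(SAMPLE_LOGS).items():
        print(f"vdom={vdom} feed={feed} overflow_events={n}")
```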