FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
cmuratoglu
Staff
Article Id 353297
Description

This article describes how customer data on FortiSIEM Cloud deployments is periodically archived.

Scope

FortiSIEM Cloud v6.0 and above.

Solution

This guide describes how event data flows between the Online Storage and Archive Storage shown on the FortiSIEM Cloud dashboard.


In FortiSIEM Cloud platform deployments, Online and Archive storage are managed together. Fortinet automatically deploys Archive storage, and the FortiSIEM Cloud instance then automatically moves data from Online to Archive according to the configured retention policies.

According to the official deployment guide, if free Online storage falls below 10%, the oldest events are moved to the Archive until free Online storage exceeds 20%. When FortiSIEM Cloud removes event data from Online storage, it goes through each retention policy (90 days, 180 days, ...) and, within each policy, removes the oldest data first.


However, when users log in to the FortiSIEM Cloud instance from the FortiSIEM Cloud Portal, they may see the Online Storage reported as almost or completely full and assume that the Archive Storage, or the archiving of data from Online to Archive storage, is not working.

In reality, when FortiSIEM Cloud instances are deployed, a small 50GB disk buffer is included alongside the Online storage, for a total of 550GB.
The portal, however, displays usage relative to 500GB, which can give the impression that the storage is full.
An instance can therefore be close to 500GB of usage according to the pie chart in the GUI while, on the backend, it has not yet reached the threshold that triggers data movement to the Archive.
It may then appear that data is not moving to the Archive, or was lost during the transfer. No such issue has occurred: the backend thresholds for moving event data between Online and Archive Storage simply have not been met yet. No data is lost.
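To make the two thresholds concrete, the following is an added Python model of the behaviour described above (a constructed illustration, not FortiSIEM code). It assumes the backend measures free space against the full 550GB (500GB Online plus the 50GB buffer) while the portal pie chart is drawn against 500GB, and that retention policies are walked in ascending order with the oldest data moved first within each.

```python
from __future__ import annotations
from dataclasses import dataclass

# Sizes and thresholds as stated in the article.
BACKEND_TOTAL_GB = 550.0   # 500 GB Online + 50 GB buffer (backend view)
PORTAL_TOTAL_GB = 500.0    # what the portal pie chart is drawn against
LOW_FREE_PCT = 10.0        # archiving starts when free space drops below this
HIGH_FREE_PCT = 20.0       # ... and stops once free space exceeds this


@dataclass
class Chunk:
    """A block of event data in Online storage (constructed sample)."""
    age_days: int       # how old the events are
    size_gb: float
    policy_days: int    # retention policy the events fall under (90, 180, ...)


def free_pct(used_gb: float, total_gb: float) -> float:
    return 100.0 * (total_gb - used_gb) / total_gb


def portal_used_pct(used_gb: float) -> float:
    """Usage as the portal pie chart shows it (relative to 500 GB)."""
    return 100.0 * used_gb / PORTAL_TOTAL_GB


def archive_needed(used_gb: float) -> bool:
    """Backend trigger: free space measured against the full 550 GB."""
    return free_pct(used_gb, BACKEND_TOTAL_GB) < LOW_FREE_PCT


def run_archive_cycle(online: list[Chunk]) -> tuple[list[Chunk], list[Chunk]]:
    """Move the oldest data per policy to Archive until free space exceeds 20%."""
    used = sum(c.size_gb for c in online)
    if not archive_needed(used):
        return list(online), []          # below trigger: nothing is moved
    remaining, archived = list(online), []
    # Assumed order: shortest policy first, oldest events first within each.
    for policy in sorted({c.policy_days for c in remaining}):
        same_policy = [c for c in remaining if c.policy_days == policy]
        for chunk in sorted(same_policy, key=lambda c: c.age_days, reverse=True):
            if free_pct(used, BACKEND_TOTAL_GB) > HIGH_FREE_PCT:
                return remaining, archived
            remaining.remove(chunk)
            archived.append(chunk)
            used -= chunk.size_gb
    return remaining, archived
```

At 490GB used the pie chart reads 98% full, yet the backend still has 60GB of 550GB free (about 10.9%), so no archiving runs; only once usage crosses roughly 495GB does the 10% trigger fire.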

More information on event retention can be found in this section of the FortiSIEM documentation.