Support Forum
mhdganji
Contributor II

Estimation of log size per day

Hi,

I need to have an estimation of the log sizes generated by my firewall every day in order to purchase a suitable license for my FortiAnalyzer or a similar log solution. The firmware is 6.4.x.

I thought of clearing the logs, coming back tomorrow and finding the log size on the disk, but maybe there are better ways to find out than clearing valuable logs on my 200 series firewalls.
Regards,

M. Ganji, Network & Security Expert.
mhdganji

I just want to disable syslogd forwarding of the accepted flows, if possible for all the rules; my remote logger is not FortiAnalyzer.

M. Ganji, Network & Security Expert.
ede_pfau
Esteemed Contributor III

in CLI:

conf log syslogd filter
and get the options by typing

'set ?'
IMHO setting up a FAZ-VM without a license would be the most accurate way to see what is coming at you. The dashboard of the FAZ clearly shows logs/sec, GB/day etc. etc.

Unlicensed VMs run for 14 days for free.

You can even acquire a FAZ license after/during the trial, register it, get the license file and import it into the trial VM - no re-configuration, fully operational.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
mhdganji

Speaking of FAZ, I've a question about how licensing works. Let's say we have a 1GB/Day license. If the input log size exceeds 1GB in a day, what happens exactly? Collecting logs stops completely? Logs are collected but only 1GB per day are analyzed and available to make reports? or any other method?

Regards,

M. Ganji, Network & Security Expert.
Debbie_FTNT

If logging volume exceeds the licenced volume, FortiAnalyzer does not forcibly drop logs, stop processing them or not use them in reporting, but there can be performance issues which can eventually lead to loss of logs.

See https://community.fortinet.com/t5/FortiAnalyzer/Technical-Note-Minimizing-logging-from-FortiGate-to/...
"Although FortiAnalyzer VM will try its best not to drop logs, consistently running over capacity will eventually lead to undetermined behavior. This is because all FortiAnalyzer VM functions are validated within the licensed limit; the behavior beyond that limit is deemed to be unsupportable."

If you run into issues while exceeding licence, FortiAnalyzer support will not be able to investigate until you have resolved the licencing issue.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
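Added example for the sizing question and the GB/day licence discussion above (not code from the thread or from Fortinet): a Python script that takes a short capture of FortiOS key=value syslog lines as received by a remote logger, measures bytes and events over the sample window, projects logs/s and GB/day for comparison against a GB/day licence, and shows how much volume would go away if allowed-traffic logs were not forwarded. The log lines are constructed with a reduced field set, and treating any traffic log whose action is not "deny" as an allowed session is an assumption.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed FortiGate-style syslog sample (reduced field set, not a real capture); spans exactly 60 s.
SAMPLE_LOG = """\
date=2024-03-01 time=09:00:00 devname="fgt-edge" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.1.20 dstip=203.0.113.10 dstport=443 proto=6 action="accept" policyid=3 service="HTTPS"
date=2024-03-01 time=09:00:12 devname="fgt-edge" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.1.21 dstip=203.0.113.11 dstport=80 proto=6 action="accept" policyid=3 service="HTTP"
date=2024-03-01 time=09:00:25 devname="fgt-edge" logid="0000000013" type="traffic" subtype="forward" level="warning" srcip=198.51.100.7 dstip=10.0.1.5 dstport=22 proto=6 action="deny" policyid=0 service="SSH"
date=2024-03-01 time=09:00:40 devname="fgt-edge" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.1.22 dstip=203.0.113.12 dstport=53 proto=17 action="accept" policyid=4 service="DNS"
date=2024-03-01 time=09:00:55 devname="fgt-edge" logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" action="login" status="success"
date=2024-03-01 time=09:01:00 devname="fgt-edge" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.1.23 dstip=203.0.113.13 dstport=443 proto=6 action="accept" policyid=3 service="HTTPS"
"""
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # FortiOS key=value pairs, values optionally quoted

def parse_line(line):
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def summarize(raw):
    """Count bytes/events in the sample, split into allowed traffic, denied traffic and other logs."""
    totals, stamps = Counter(), []
    for line in filter(str.strip, raw.splitlines()):
        f = parse_line(line)
        stamps.append(datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S"))
        size = len(line.encode("utf-8")) + 1          # +1 for the newline stored with each record
        if f.get("type") == "traffic":                 # assumption: anything not denied was allowed
            bucket = "traffic_denied" if f.get("action") == "deny" else "traffic_allowed"
        else:
            bucket = "other"
        totals.update({"bytes": size, "events": 1, bucket + "_bytes": size, bucket + "_events": 1})
    window = (max(stamps) - min(stamps)).total_seconds()
    if window <= 0:
        raise ValueError("sample must span more than one second to estimate a rate")
    totals["window_seconds"] = window
    return totals

def project_per_day(totals):
    """Scale the sample window to 24 h, with and without the allowed-traffic logs."""
    scale = 86400 / totals["window_seconds"]
    total_gb = totals["bytes"] * scale / 1e9
    trimmed_gb = (totals["bytes"] - totals["traffic_allowed_bytes"]) * scale / 1e9
    return {"events_per_sec": totals["events"] / totals["window_seconds"],
            "gb_per_day": total_gb, "gb_per_day_without_allowed": trimmed_gb}

def license_headroom(gb_per_day, licensed_gb_per_day):
    """Fraction of the licensed GB/day the projection would consume; above 1.0 means over capacity."""
    return gb_per_day / licensed_gb_per_day

if __name__ == "__main__":
    p = project_per_day(summarize(SAMPLE_LOG))
    print(f"{p['events_per_sec']:.2f} logs/s, {p['gb_per_day']:.4f} GB/day ({p['gb_per_day_without_allowed']:.4f} without allowed traffic), {license_headroom(p['gb_per_day'], 1.0):.1%} of a 1 GB/day licence")
```

Feed it a capture of at least a full working day (busy and quiet hours) rather than one minute, since the projection simply scales the sampled rate.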