Fortinet Forum
axel_gonzalez_FTNT

What is the difference between Archive and Analytic logs in FortiAnalyzer?

Every FortiGate generates logs, and those logs can be sent to FortiAnalyzer.

 

Consider that every log has multiple "Log Field Names", such as "date", "time", "srcip", "dstip", "action", "type" and so on. By "one log" we mean the following example:

axel_gonzalez_FTNT_0-1638224580800.png

Every log FortiGate generates can be viewed in FortiAnalyzer in two different formats: "Raw log" (the text option) and "Formatted Log" (the GUI option). The second one is the format most customers use.

 

Raw log

axel_gonzalez_FTNT_4-1638224981037.png

 

Formatted Log

axel_gonzalez_FTNT_3-1638224872228.png

As expected, the size of each log FortiGate generates varies with the number of "Log Field Names" it carries and with the information contained in them; some logs will be smaller than others.

 

You can determine the size of individual logs by disabling the reliable connection in the FortiGate's FortiAnalyzer log settings (logs are then sent as plain UDP datagrams rather than over the reliable TCP/OFTP channel), so that the size of each log can be seen, for example in a packet capture. You will see that the sizes differ.

axel_gonzalez_FTNT_5-1638225142705.png

When FortiAnalyzer receives logs (whether a few, hundreds, thousands or millions), they go directly into what we call the "Archive database".

 

The FortiAnalyzer Archive database is where logs are stored in compressed form. These logs are considered "Offline logs".

axel_gonzalez_FTNT_2-1638228108731.png

 

If you double-click one packet of logs you will see many logs in raw format.

 

axel_gonzalez_FTNT_8-1638226218667.png

 

The FortiAnalyzer Analytic database is where logs from the Archive are indexed into the SQL database; these logs are considered "Online logs".

 

axel_gonzalez_FTNT_10-1638226393050.png

 

In this example, having 196 days in Analytics does not mean you have complete logs for all 196 days. It means that the oldest log you can find in any log type (event, traffic, VoIP, application control, web filter and so on) is 196 days old. Normally that oldest log is an event log.

 

Consider that Reports are generated from the Analytic database.

 

The general picture looks like this:

axel_gonzalez_FTNT_6-1638225223129.png

Please consider that the size relationship between Archive logs and Analytic logs is about 1:4, or even 1:8. This means that if you have an Archive database of 100 MB you may have an Analytic database of 400 MB, or even 800 MB. This is because the Archive database is compressed. Normally we assign more disk space to Analytics than to Archive; an 80%:20% split is a normal setting.

 

axel_gonzalez_FTNT_0-1638227739079.png

 

Always assign disk space according to the license you have.

https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Extending-disk-space-in-FortiAnalyzer-...

 

Also, when we talk about logs being received on FortiAnalyzer, we normally refer to the logs received into the Archive database. This number can be seen under System Settings > License Information; it is called "GB/Day".

 

axel_gonzalez_FTNT_1-1638228057979.png

AX
0 REPLIES 0
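As an added example (not part of the original post or of any Fortinet tool): a small Python script that parses raw FortiGate logs of the key=value kind shown above, reports each log's field count and byte size (the point that log sizes differ with the fields they carry), and turns a GB/Day figure plus the post's 1:4 to 1:8 Archive:Analytics ratio into an Archive/Analytics disk estimate. The two sample log lines, the device names and the GB/Day and retention numbers are constructed for illustration; only the log layout follows the FortiGate raw format.

```python
"""Parse raw FortiGate key=value logs and estimate Archive/Analytics disk.

Added example. The log lines in LOGS are constructed to look like a FortiGate
traffic log and an event log; they are not taken from a real device. The 1:4
and 1:8 expansion factors and the 80/20 split are the figures from the post.
"""
import re
from typing import Dict, List

# Constructed sample logs (not captured from a real FortiGate).
LOGS: List[str] = [
    'date=2021-11-29 time=14:23:01 devname="FGT60E-LAB" devid="FGT60E0000000001" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.10.10.25 srcport=51234 srcintf="port2" dstip=172.16.0.5 dstport=443 '
    'dstintf="port1" proto=6 action="accept" policyid=7 service="HTTPS" '
    'sentbyte=1420 rcvdbyte=8865 duration=12',
    'date=2021-11-29 time=14:23:05 devname="FGT60E-LAB" devid="FGT60E0000000001" '
    'logid="0100032001" type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="ssh(10.10.10.9)" '
    'action="login" status="success" '
    'msg="Administrator admin logged in successfully from ssh(10.10.10.9)"',
]

# key=value where the value is either double-quoted (may contain spaces and
# '=' characters) or a bare token without whitespace.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_raw_log(line: str) -> Dict[str, str]:
    """Split one raw FortiGate log line into {log field name: value}."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.groups()
        # quoted is "" (not None) for an empty quoted value such as msg=""
        fields[key] = quoted if quoted is not None else bare
    return fields


def size_report(lines: List[str]) -> List[Dict[str, object]]:
    """One row per log: type/subtype, number of fields and raw size in bytes.

    The byte count is the size of the log as received (one UDP datagram per
    log when reliable logging is disabled); Archive compresses it afterwards.
    """
    rows: List[Dict[str, object]] = []
    for line in lines:
        fields = parse_raw_log(line)
        rows.append({
            "type": fields.get("type", "?"),
            "subtype": fields.get("subtype", "?"),
            "fields": len(fields),
            "bytes": len(line.encode("utf-8")),
        })
    return rows


def plan_disk(gb_per_day: float, retention_days: int,
              expansion: float = 4.0) -> Dict[str, float]:
    """Estimate Archive vs Analytics disk for a retention target.

    Archive grows by roughly gb_per_day * retention_days (GB/Day counts what
    lands in Archive); Analytics needs `expansion` times that (1:4 to 1:8).
    'analytics_share' is the fraction of total disk Analytics needs, which
    tells you whether an 80/20 split actually covers the chosen ratio.
    """
    archive_gb = gb_per_day * retention_days
    analytics_gb = archive_gb * expansion
    total_gb = archive_gb + analytics_gb
    return {
        "archive_gb": archive_gb,
        "analytics_gb": analytics_gb,
        "total_gb": total_gb,
        "analytics_share": analytics_gb / total_gb,
    }


if __name__ == "__main__":
    for row in size_report(LOGS):
        print(f'{row["type"]}/{row["subtype"]}: '
              f'{row["fields"]} fields, {row["bytes"]} bytes')
    # Constructed planning input: 2 GB/Day received, 90 days of Analytics wanted.
    for expansion in (4.0, 8.0):
        p = plan_disk(gb_per_day=2.0, retention_days=90, expansion=expansion)
        print(f'1:{int(expansion)} -> archive {p["archive_gb"]:.0f} GB, '
              f'analytics {p["analytics_gb"]:.0f} GB, '
              f'analytics share {p["analytics_share"]:.0%}')
```

With the 1:4 ratio the Analytics share comes out at exactly 80%, which is why the 80/20 split in the post fits that case; at 1:8 Analytics would need about 89% of the disk, so the split has to be adjusted if your logs expand that much.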