Fortinet Forum
jamestiberius
New Contributor

FortiAnalyzer reports only go back 10 days - log setting?

I was asked to run a user detailed browsing log and web usage report for the last 45 days.

When I run the reports, they only go back 10 days.

I checked the device log settings on the analyzer, and it was set to roll the log file at 200 MB, and I changed that to the maximum of 500.

Under File Management, nothing is checked to automatically delete.

How can I view how far back my logs go?

Is there someplace else I need to check settings?

Marilia
New Contributor

Verify the Disk Log Quota

In Device Manager, right-click the device and select Edit.

Verify the Disk Log Quota (min. 100 MB).

Mikael_A

Hello!

You can check the logs at Log View -> Log Browse.

jamestiberius

Okay, so I have found that I can run the report for any 10-day period, going back more than 45 days, and I can see the report for those 10 days.

But it appears that if I try to run the report for more than 12 days, it only gives me the last 12 days.

I have run reports for 15 days, 20 days, 30 days, and each only returns the last 12 days.

BUT I can specify the date, make it over 30 days ago, and I have that information in the report, as long as the time period is less than 12 days.

I have tried running reports for N days, N weeks, custom days; it all works the same.

Is there a setting I am missing?

jamestiberius

Or is it that the report runs to just over 400 pages?

Maybe the limit is in the page count?

FatalXCepti0n

The limit is the record count. As soon as you hit 10000 records, it terminates the query.

Hossein_Oliabak

I have the same problem with FortiAnalyzer VM v6.0.3. When I create a report, it only shows me the last x days.

I am not sure if this is a problem with the "disk quota", since I can filter all the expected logs in FortiView/Log View to whatever extent I want.

I also ran the query manually, but the same problem still persisted:

select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src,
       sum(coalesce(sentbyte, 0) + coalesce(rcvdbyte, 0)) as bandwidth,
       sum(coalesce(rcvdbyte, 0)) as traffic_in,
       sum(coalesce(sentbyte, 0)) as traffic_out,
       count(*) as sessions
from $log
where $filter
  and (logflag&1>0)
  and ((lower(`app`) = lower('YouTube')) AND (`srcip` <<= inet('X.Y.Z.0/24')))
group by user_src
having sum(coalesce(sentbyte, 0) + coalesce(rcvdbyte, 0)) > 0
order by bandwidth desc

Do "Datasets" queries default to some value and, once they hit x number of records, terminate the queries?

@jamestiberius did you find a resolution or workaround?
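The following is an added example and not code from the thread or from Fortinet. It models the behaviour FatalXCepti0n describes (the query terminates at 10000 records) against constructed sample logs in SQLite, shows why a 45-day window comes back covering only the newest days while any short window placed weeks back is complete, as jamestiberius observed, and then applies the workaround of running the same aggregation over sub-windows below the cap and merging the per-user sums. The table layout, the 1000-sessions-per-day volume, the user names and the dates are all constructed; the simplified aggregation mirrors the posted dataset query but drops the FortiAnalyzer-specific macros and functions ($log, $filter, nullifna, ipstr).

```python
import sqlite3
from datetime import date, timedelta

# Per-query record cap as reported in the thread; everything else in this file is
# constructed sample data for the demonstration.
RECORD_CAP = 10000


def build_log_db(days=45, rows_per_day=1000, end="2019-03-31", users=("alice", "bob")):
    """Construct an in-memory traffic log with `rows_per_day` sessions on each of
    `days` consecutive days ending at `end` (ISO date), alternating between users."""
    con = sqlite3.connect(":memory:")
    con.execute("create table log (ts text, username text, sentbyte integer, rcvdbyte integer)")
    last = date.fromisoformat(end)
    rows = []
    for back in range(days):
        day = (last - timedelta(days=back)).isoformat()
        for i in range(rows_per_day):
            rows.append((day, users[i % len(users)], 100, 200))  # 300 bytes per session
    con.executemany("insert into log values (?, ?, ?, ?)", rows)
    con.commit()
    return con


def log_range(con):
    """Oldest and newest day actually held in the log store: the range a report could cover."""
    return con.execute("select min(ts), max(ts) from log").fetchone()


def capped_report(con, start, end, cap=RECORD_CAP):
    """Per-user bandwidth for the window [start, end] (ISO dates), computed the way a
    query that terminates at `cap` records behaves: only the newest `cap` matching rows
    are aggregated, so a long window silently collapses to its most recent days."""
    sql = """
        select username,
               sum(coalesce(sentbyte, 0) + coalesce(rcvdbyte, 0)) as bandwidth,
               count(*) as sessions,
               min(ts) as first_day,
               max(ts) as last_day
        from (select * from log
              where ts between ? and ?
              order by ts desc
              limit ?)
        group by username
        order by bandwidth desc
    """
    rows = con.execute(sql, (start, end, cap)).fetchall()
    return {u: {"bandwidth": b, "sessions": s, "first_day": f, "last_day": l}
            for u, b, s, f, l in rows}


def max_window_days(con, cap=RECORD_CAP):
    """Longest window (in days) that stays under the cap at the busiest day's log volume."""
    busiest = con.execute(
        "select count(*) as n from log group by ts order by n desc limit 1").fetchone()[0]
    return cap // busiest


def chunked_report(con, start, end, window_days, cap=RECORD_CAP):
    """Workaround: run the capped query over consecutive sub-windows of `window_days`
    and merge the per-user sums, so no single query reaches the cap."""
    merged = {}
    cur, last = date.fromisoformat(start), date.fromisoformat(end)
    while cur <= last:
        win_end = min(cur + timedelta(days=window_days - 1), last)
        for user, agg in capped_report(con, cur.isoformat(), win_end.isoformat(), cap).items():
            if user not in merged:
                merged[user] = dict(agg)
                continue
            m = merged[user]
            m["bandwidth"] += agg["bandwidth"]
            m["sessions"] += agg["sessions"]
            m["first_day"] = min(m["first_day"], agg["first_day"])
            m["last_day"] = max(m["last_day"], agg["last_day"])
        cur = win_end + timedelta(days=1)
    return merged


if __name__ == "__main__":
    con = build_log_db()
    print("logs stored for:", log_range(con))
    print("single query, 45 days:", capped_report(con, "2019-02-15", "2019-03-31")["alice"])
    print("short window placed weeks back:", capped_report(con, "2019-02-15", "2019-02-24")["alice"])
    safe = max_window_days(con)
    print("safe window:", safe, "days")
    print("chunked, 45 days:", chunked_report(con, "2019-02-15", "2019-03-31", safe)["alice"])
```

The first_day column in the single-query result is the quickest tell: if it is later than the start of the window you asked for, the report was truncated rather than the logs being absent, which is the distinction between a record-cap problem and the disk-quota or retention problems raised elsewhere in this thread. Comparing it against log_range shows whether the data actually exists to be reported on.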

MikePruett
Valued Contributor

Every issue I have ever run into where logs were only showing for the past x number of days was related to log quota size.

Either that, or someone only kicked on UTM / logging that long ago, and before that it was running without it.

Mikael_A

I've seen issues where FortiAnalyzers with low performance will not give you good reports even if the data is present.

For example, you have data for periods 1-30 but the report gives you output for, say, days 3-6, 15, 28-30.

Really strange and inconsistent results.

If I restored the logs in a VM, the report generated OK.

You could try to set up a free VM and try a restore there.

AtiT
Valued Contributor

The same issue as Mikael_A described above.

We are using approx. 80 ADOMs. We sometimes had a problem, mainly with the webfilter log, where no result was generated, or only for some days, but only under some ADOMs. When I backed up the logs for the specific ADOM to FTP and uploaded them back, the report was OK.

Probably a corrupted database? (The version was 5.0.10.)

Now we are on 5.2.7 (for 1 month) and it is OK. We will see.


AtiT
--------------------
NSE 8, CCNP R+S