Archive issue

dwear · ‎05-04-2018

Ran into an incident where I need to do some digging into fortigate logs that were not being forwarded to FAZ. I was able to import the logs into FAZ, but I notice that a certain portion of the logs are not available for analytics, even though I have more than enough space for analytics allocated. The ADOM I put these logs into has 70GB storage, and I set it at 95% Analytics and 5% archive, as well as 365 days worth of analytics. Since this is temporary, i really dont need anything in archive. I imported about 4GB worth of logs, split across about 30 imported log files. For some reason, FAZ is putting 2.0GB of those logs in archive. What am I missing?

chall_FTNT · ‎05-04-2018

Check that your storage settings for analytics extend back far enough in time to encompass all the logs. Also, check the SQL start-time that it is before the start of the logfile being imported.

config system sql

set start-time X

Chris Hall
Fortinet Technical Support

dwear · ‎05-07-2018

Thanks. under the config system sql, the "set start time" is set to 00:00 2000/01/01. Can you tell me where to find the storage for analytics start time you referenced?

chall_FTNT · ‎05-07-2018

For FortiAnalyzer 5.6 GUI:

From, Logview, click on Storage Statistics to edit the Storage Policy. It is under the "Data Policy" section that you can configure how many days back Analytics should extend.

Chris Hall
Fortinet Technical Support

dwear · ‎05-07-2018

Thanks. I actually have that configured for 365 days and it still shows 2 GB of archive.

Archive issue

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website