Disk usage full and not getting logged on fortianalyzer

Sunilp · ‎01-21-2015

Hello All,

After upgrading the firewall and fortianalyzer to v5.0.9 we are facing issues on high CPU utilization and the local disk usage is 90%. Please let me know what could be the reason.

Regards,

Sunil

Christopher_McMullan · ‎01-21-2015

Hello,

Did you rebuild the database on the FortiAnalyzer after the upgrade completed, and do you notice whether any new logs have appeared since the FortiGate finished its own upgrade?

It sounds like (whether Store-and-Forward or in Realtime) the FortiGate is caching logs locally it means to send to the FAZ, but the connection is currently down.

The best way to tell, if you don't have reliable transport of logs enabled, is to sniff for traffic between FGT and FAZ on 514/udp:

di sniff pack any "host w.x.y.z and host a.b.c.d and port 514 and proto 17" 4

-Replace w.x.y.z with the FGT IP

-Replace a.b.c.d with the FAZ IP

-Proto 17 is for UDP traffic only; proto 6 would mean TCP, or control traffic

Regards, Chris McMullan Fortinet Ottawa

Dave_Hall · ‎01-21-2015

I'm going to assume you have followed the recommended firmware upgrade path? If you read the the firmware patch notes on some of the firmwares, they list caveats about possible needing to reformat the log disk on certain Fortigate models (and/or between certain firmwares like going from 4.0.x to 5.x). I know on some of the upgrades, there is a warning (in the patch notes) about FortiAnalyer logging defaulting to store and upload -- you may want to change this to real time. Also, you may want to review some of the disk logging options, specify the diskfull (overwrite) and upload delete options.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C