Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jonboy0706
New Contributor

Estimated logging volume for Fortigate 3700D

All:

We are trying to get an estimate of daily syslog log volume in GB with all logging options enabled on the 3700D for roughly a 500mbps throughput.  Could someone give us a rough estimate?  We realize there are many variables but are just looking for an estimate to make a comparison.

 

Thanks!

1 Solution
emnoc
Esteemed Contributor III

Romanr  has hit all of the  issues. Also attack traffic more or less is hard to predict. You can have some time of 1000  log p/s in a heavily firewall or even more. The FAZ will give you great details on the number of log events per-second btw.

 

Also forget about 500mbps thruput , that nonsense ( are you running 500mbps continous, how many sessions, how long are the sessions, etc.......) . The number of fwpolicies that you have and the number of session is going to be two bigger issues that are Variables  with numerous ????s

 

I would suggest the following;

 

1: setup a syslog server  1st for monitor ( a simple unix freeware distribution cost 0.00 dollars )

 

2:  run "diag test  application  miglogd 6" and look at the numbers  for monitor

 

3: monitor the remote-syslog collector ( number of log events per-hour, per-day, per-week, the size ,etc......)

 

4: use the  information gathered and then make plans for that number and with a buffer for growth.

 

5: if you need retention, plan accordingly, use file compress xv  vrs bzip2 or gzip etc.... when ever available

 

 

NOTE: even without a real working-syslog server, you can enable the  syslogd server and monitor the  traffic counts that's sent . If you place a real-server, you can use the filesize and diskusage for storage planning.

 

 

 

 

 

 

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
3 REPLIES 3
romanr
Valued Contributor

Hey,

 

you can't really tell this just because of bandwidth and firewall type.

This will very much depend on:

- Do you log every traffic? Also denied traffic?

- Do you use a lot of UTM features and will have full logging for them? (webfilter can produce huge amount if logs, depending on the configuration)

 

Anything between 10G/day and 100G/day seems realistic - or even more.

 

Br,

Roman

MikePruett
Valued Contributor

Yeah, it truly depends on how much traffic you want to send to the FAZ. You can have a 7000 Chasis but not log on any policies and generate nothing or you could have a 200D and log ANYTHING and EVERYTHING and nuke a faz lol

Mike Pruett Fortinet GURU | Fortinet Training Videos
emnoc
Esteemed Contributor III

Romanr  has hit all of the  issues. Also attack traffic more or less is hard to predict. You can have some time of 1000  log p/s in a heavily firewall or even more. The FAZ will give you great details on the number of log events per-second btw.

 

Also forget about 500mbps thruput , that nonsense ( are you running 500mbps continous, how many sessions, how long are the sessions, etc.......) . The number of fwpolicies that you have and the number of session is going to be two bigger issues that are Variables  with numerous ????s

 

I would suggest the following;

 

1: setup a syslog server  1st for monitor ( a simple unix freeware distribution cost 0.00 dollars )

 

2:  run "diag test  application  miglogd 6" and look at the numbers  for monitor

 

3: monitor the remote-syslog collector ( number of log events per-hour, per-day, per-week, the size ,etc......)

 

4: use the  information gathered and then make plans for that number and with a buffer for growth.

 

5: if you need retention, plan accordingly, use file compress xv  vrs bzip2 or gzip etc.... when ever available

 

 

NOTE: even without a real working-syslog server, you can enable the  syslogd server and monitor the  traffic counts that's sent . If you place a real-server, you can use the filesize and diskusage for storage planning.

 

 

 

 

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors