Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mhdganji
Contributor II

Estimation of log size per day

Hi,

I need an estimate of the log size generated by my firewall every day in order to purchase a suitable license for my FortiAnalyzer or a similar log solution. The firmware is 6.4.x.

I thought of clearing the logs, coming back tomorrow and finding the log size on the disk, but maybe there is a better way than clearing valuable logs on my 200 series firewalls.


Regards,

M. Ganji, Network & Security Expert.
AlexC-FTNT
Staff

Log size can't be estimated as such. Try to obtain a trial FortiAnalyzer license from your local distributor, and set it up to collect the logs. In 1 week you can see the amount of logs collected and based on that, you can make an informed decision.

Every FortiGate passes a completely different amount and type of traffic, and has different logging options, which makes an estimate very difficult.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
xsilver_FTNT
Staff

Hi mhdganji,

First set up at least some logging, like to memory or disk (in case your FortiGate is equipped with a disk), as close to the intended logging filter (config log memory filter) as possible.
Then keep it logging for some time.

And then go to the CLI to see something like my example below:


# diag test app miglogd 4
info for vdom: root
memory
traffic: logs=1160137 len=627074265, Sun=89458 Mon=132174 Tue=225162 Wed=239396 Thu=145690 Fri=153707 Sat=60834
event: logs=93493 len=29698750, Sun=1173 Mon=1545 Tue=1372 Wed=1403 Thu=825 Fri=1778 Sat=1107

disk
traffic: logs=1160137 len=627074265, Sun=89458 Mon=132174 Tue=225162 Wed=239396 Thu=145690 Fri=153707 Sat=60834 compressed=37039926
event: logs=82559 len=24792447, Sun=885 Mon=1257 Tue=1084 Wed=1115 Thu=651 Fri=1490 Sat=819 compressed=5176706

I know those are not actual log sizes but amounts of log messages, but they might give some insight into the amounts you face.

In case you have a log disk, show the log disk usage:
# diag test app miglogd 16

VDOM log disk usage:
root: 58456760B/7556M

Once you have some external log collector (it could be a simple syslog on some external machine), then you can see the usage in the GUI.

[screenshot: log usage shown in the GUI]

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
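The counters quoted above lend themselves to a quick sizing calculation, so here is an added example (not from the original post or from Fortinet) that parses the `diag test app miglogd 4` output, works out the average bytes per log message and the compression ratio, and projects a daily volume. It assumes that `len` is total bytes and `compressed` is the compressed size on disk, that the counters cover seven days, and uses the 100 bytes per log rule of thumb mentioned later in the thread for comparison. The sample text is the output posted above, embedded as constructed input.

```python
import re

# Constructed sample: the `diag test app miglogd 4` output quoted in the thread.
SAMPLE = """info for vdom: root
memory
traffic: logs=1160137 len=627074265, Sun=89458 Mon=132174 Tue=225162 Wed=239396 Thu=145690 Fri=153707 Sat=60834
event: logs=93493 len=29698750, Sun=1173 Mon=1545 Tue=1372 Wed=1403 Thu=825 Fri=1778 Sat=1107

disk
traffic: logs=1160137 len=627074265, Sun=89458 Mon=132174 Tue=225162 Wed=239396 Thu=145690 Fri=153707 Sat=60834 compressed=37039926
event: logs=82559 len=24792447, Sun=885 Mon=1257 Tue=1084 Wed=1115 Thu=651 Fri=1490 Sat=819 compressed=5176706
"""

# "traffic: logs=... len=..." -> category name plus the key=value tail
LINE_RE = re.compile(r"^(?P<cat>\w+):\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\d+)")


def parse_miglogd(text):
    """Return {store: {category: {field: int}}}, e.g. result['disk']['traffic']['len']."""
    stores = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("info for vdom"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            # A bare word such as "memory" or "disk" opens a new store section.
            current = line
            stores[current] = {}
            continue
        if current is None:
            continue
        fields = {k: int(v) for k, v in KV_RE.findall(m.group("fields"))}
        stores[current][m.group("cat")] = fields
    return stores


def estimate(stores, store="disk", days_observed=7, rule_of_thumb_bytes=100):
    """Project daily log volume from one store's counters.

    Assumption: 'len' is total bytes and 'compressed' is bytes after compression.
    """
    cats = stores[store]
    total_logs = sum(c["logs"] for c in cats.values())
    total_bytes = sum(c["len"] for c in cats.values())
    compressed = sum(c.get("compressed", 0) for c in cats.values())
    logs_per_day = total_logs / days_observed
    avg = total_bytes / total_logs
    return {
        "logs_per_day": logs_per_day,
        "avg_bytes_per_log": avg,
        "avg_bytes_by_category": {k: c["len"] / c["logs"] for k, c in cats.items()},
        "raw_mb_per_day": logs_per_day * avg / 1e6,
        "rule_of_thumb_mb_per_day": logs_per_day * rule_of_thumb_bytes / 1e6,
        "compressed_mb_per_day": compressed / days_observed / 1e6 if compressed else None,
        "compression_ratio": compressed / total_bytes if compressed else None,
    }


if __name__ == "__main__":
    result = estimate(parse_miglogd(SAMPLE))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the posted counters, the raw traffic logs average roughly 540 bytes each, which sits inside the 500-800 bytes per log range reported further down the thread, while the 100 bytes per log rule and the compressed on-disk figure both come out several times lower. Whichever figure you size on, be explicit about which of the three it is.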

Debbie_FTNT

Hey mhdganji, in addition to Tom's and Alex's updates: FortiAnalyzer size recommendations are usually made by calculating with 100 bytes per log message and observing over a few days how many log messages are generated.

If you have a rough estimate of the number of logs per day, that times 100 bytes would roughly be the daily logging volume, and you can look for a suitable FortiAnalyzer based on that.

You could also go with a VM; the base licence is for 1 GB of logs per day, and you can stack up very easily as necessary.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
mhdganji

Now that I am logging to memory, is there any query command to find the count of logs in a minute or so?

M. Ganji, Network & Security Expert.
Debbie_FTNT

Hey mhdganji,

there isn't really a command for log rates per timeframe that I'm aware of, but there is a log rate monitor widget you can add to your Dashboard (click on Add Widget, search for 'Log Rate' under 'Resource Usage').

That should give you some information at least.

The absolutely stunning log rate in my lab:

[screenshot: Log Rate widget, lab FortiGate]

And one with slightly more activity:

[screenshot: Log Rate widget, busier FortiGate]

-> you could set a longer time span in the widget (it might take a bit to display that properly) and then work out a rough average of logs to go from.


+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
mhdganji
Contributor II

I used a demo version of a piece of software to collect the logs and could get a good estimate, but as I noticed the size is about 500-800 bytes per log! Maybe it's because of the format and the nature of the software's functionality (it seems to use Elasticsearch).

M. Ganji, Network & Security Expert.
Debbie_FTNT

Hey mhdganji,

My knowledge may be a bit outdated, but the 100 bytes I mentioned above was how FortiAnalyzer engineers told me they very roughly calculated logging volume.

This might have changed, or it could be that if you're logging to syslog the logs are in a slightly different format than logging to FortiAnalyzer (the logs are compressed when sent to FortiAnalyzer, which would reduce the logging volume).

For more qualified help I would suggest you get in touch with your local Fortinet sales partner; they should have the resources to more accurately assess and size a FortiAnalyzer to your needs :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
mhdganji

The majority (80+ percent) are the allowed forwarding logs. I cannot find the command to disable logging or sending these to the remote log server. Is that possible, or should it be completely turned off or on per rule (which I also think makes troubleshooting difficult for the short and specific periods when a rule is being tested)?

Regards

M. Ganji, Network & Security Expert.
xsilver_FTNT

Just a short hint:

1.

Logging of forwarded traffic is generally turned on at policy level. That will determine if anything will be logged at all.

2.

Then there are log destination filters, like:


config log fortianalyzer filter
set severity information
set forward-traffic enable   << forward traffic will be logged to that log device

And then the log device settings will determine whether that log device is used at all, and therefore whether the logs generated based on policy and matching that destination's filter options will be sent to it.

config log fortianalyzer setting
set status enable 

So if you want to disable just one log device/destination, then go to its settings and set status disabled. But that will disable the log device for all the possible logs from all the firewall policies, for example.
If you want to disable logging for specific traffic (as we are still, for example, talking about forward traffic logging), then go to the firewall policy level and disable logging to all of the destinations.
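Putting the three levels from the two steps above side by side, as an added illustration that is not part of the original reply: the FortiAnalyzer setting and filter commands are the ones quoted above, and the policy-level `set logtraffic` option is standard FortiOS; policy ID 10 is a placeholder for whichever rule generates the unwanted forward-traffic logs.

```text
# Destination level: stop sending anything to FortiAnalyzer (affects every policy)
config log fortianalyzer setting
    set status disable
end

# Destination filter: keep the device, but drop only forward-traffic logs from it
config log fortianalyzer filter
    set forward-traffic disable
end

# Policy level: no traffic logging for one rule, towards all destinations
# ('utm' instead of 'disable' keeps security-event logs while dropping plain allowed-traffic logs)
config firewall policy
    edit 10
        set logtraffic disable
    next
end
```

The destination filter is the middle ground the question asks about: the allowed forward-traffic logs stop going to that log device, while policies keep their logging setting, so a rule under test can still be watched in memory or on disk.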

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
