FortiAnalyzer Log Settings
How exactly do we look at the historical logs in FortiAnalyzer? Although 720 days of logs are selected, it shows a maximum of 400 days. What could be the reason for this?
Hello @rcpdkc
How are the retention values defined in FortiAnalyzer? This article might help.
regards,
Sheikh
When I look at the picture below, it will remain in the device memory for 720 days, and when it comes to the top, it will archive. Is this information correct?
In FortiAnalyzer (FAZ), below are the two key log types.
- Archive logs: When a real-time log file in Archive has been completely inserted, that file is compressed and considered to be offline.
- Analytics logs or historical logs: Indexed in the SQL database and online.
When viewing the Storage Info based on your screenshot, the 720 days is the number of days' worth of Archive logs that you have configured in the ADOM Data Policy. This means that you have configured FAZ to keep 720 days' worth of archive logs, assuming there is sufficient disk storage in the ADOM.
To better understand Archive & Analytics logs, you may refer to the doc link below.
Also, when I look at this picture, no files will be deleted because there are no adjustments. Is that correct?
Yes, you have not configured automatic log deletion. Hence, FAZ will not proceed to delete logs automatically.
However, log deletion will still happen based on the automatic deletion policies as defined in the doc link below.
https://docs.fortinet.com/document/fortianalyzer/7.2.5/administration-guide/87802/automatic-deletion
Hi @rcpdkc ,
I would suggest adding more space, but as you already have 14TB in use, in some versions it's possible to hit the 16TB max.
Try to upgrade to the latest and then to expand the space with 5-10 TB above.
Don't forget to use the backup and the upgrade path!!!
https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Backup-and-restore-of-FortiAnalyzer-se...
https://docs.fortinet.com/document/fortianalyzer/7.4.3/administration-guide/743670/configuring-log-s...
https://docs.fortinet.com/upgrade-tool/fortianalyzer
Best,