Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
schmil
New Contributor

Log history very short

Hi,

 

Is the log file length for forwarding traffic on disk configurable?

 

On my FG3140B the Log is 90.000 entries large containing only 2 hours. That is way too short!

 

Config:

FSM1 (35GB of 58GB)

 

Feature                       |   Storage Size   |   Allocated   |   Used

Logging and Archiving   |   23GB             |                  | 

Disk Logging               |                       |  0MB           | 46MB

Historic Reports           |                       |  0MB           |  35GB

11 REPLIES 11
MikePruett
Valued Contributor

You are most likely running through (and in turn rolling over old logs) rapidly.

 

Are you logging anything and everything the Gate processes?

Mike Pruett Fortinet GURU | Fortinet Training Videos
schmil

Yes I do. But there seems to be space left on the device. But when I get this right these some GB wouldn't bring me more than some minutes I guess?

 

Without Syslog-Server there is only Reducing the Logs drastically or upgrade the SSD? 

MikePruett
Valued Contributor

Depends heaviliy on the amount of traffic going through the device at that point. You should get more than a few minutes I would think.

 

But then again, I just saw that you have a 3140B.....one of my 3600C's fills up over 70 gigs to FAZ a slow day

Mike Pruett Fortinet GURU | Fortinet Training Videos
SCSIraidGURU

Do you have logging properly enabled?  Do you log all sessions or just security issues?

schmil

I have log everything on by default :o

Didn't thought that the logging is so demanding.

 

Now have modded some rules and gained an extra hour. Now I have 3 hours of history. Way too small anyway.

 

Biggest fish seems to be the log everything-deny-all policy with 40.000 drops per hour. Ideas?

 

Is a SSD upgrade possible and easy to setup? 

SCSIraidGURU

Deny policies don't get logged for some reason.   On every other firewall I ever used they did.   Maybe it can be enabled in features.

SCSIraidGURU

Found something. Log Settings,  Enable all and you can customize what is logged.  Maybe you have a lot disabled. 

 

schmil

Doesn't help ME :p

 

I have a non-implicit deny policy at the end - there I can log!

SCSIraidGURU
Contributor

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36471 FortiOS 5.x Fortigate # config log setting (global)# set fwpolicy-implicit-log enable This will log denied traffic on implicit Deny policies. Optional: You can create deny policy and log traffic . You need to create a policy with Action DENY, the policy action blocks communication sessions, and you can optionally log the denied traffic. If no security policy matches the traffic, the packets are dropped. A DENY security policy is needed when it is required to log the denied traffic, also called “violation traffic”. Other settings to consider: Fortigate # config log setting local-in-deny-unicast: enable local-in-deny-broadcast: enable

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors