Missing event monitor logs after one week on FortiAnalyzer

infrastoque_2025 · ‎03-07-2025

Hey guys. I've been having a problem with logs disappearing since I updated firmware version 7.0.2 to 7.6.2 for a period longer than a week. When a week of log collection "Incidents & Events > Event Monitor" is completed, the date of the first occurrence returns to 3 days ago, and we have much more logs stored than 3 days ago. I already ran the command to rewrite the sql, I got the logs from February 28, 2025 to March 7, 2025 (exactly one week). I would like to know if there is any way to completely restore from the beginning (I believe it is around May 2022) all the logs, including those from the Event Monitor session and for the logs to remain permanent. Below are some images of the problem.

This is the collection after I ran the sql library rewrite command which lasted for 9 days, as in the image below.

imagem (2).png

Today (March 7, 2025), the problem with showing the logs appeared again and you can only see the events from 3 days ago as in the image

Anthony_E · ‎03-09-2025

Hello,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Anthony-Fortinet Community Team.

Anthony_E · ‎03-13-2025

Hello,

We are still looking for someone to help you.

We will come back to you ASAP.

Thanks,

Anthony-Fortinet Community Team.

Anthony_E · ‎03-14-2025

To troubleshoot missing event monitor logs after one week on FortiAnalyzer:

Check Log Retention Settings: Verify the log retention settings in FortiAnalyzer. Ensure that the retention period is set appropriately to retain logs for the desired duration.
ADOM Quota Utilization: Go to `System Settings -> Storage Info` and select the ADOM with the device. Check the Analytics & Archive utilization. If the usage is high (85% or above), older logs may be deleted to free up space.
Device Log Settings: Check the device log settings under the "Advanced" tab. Ensure the "Automatically Delete" section is configured correctly, with the "Device log store duration" set to a value that meets your retention needs.
Log Rate Monitoring: Use the CLI command 'diagnose fortilogd lograte' to monitor the log rate. High log rates can lead to rapid consumption of storage space.
Lograte Per Device: Use the CLI command 'diag fortilogd lograte-device' to identify devices sending a large volume of logs. This can help pinpoint devices that may be consuming excessive storage.
Check for Abnormal Logs: Analyze the FortiAnalyzer TAC report for any abnormal logs or indications of memory issues, which could affect log retention.

Anthony-Fortinet Community Team.

infrastoque_2025 · ‎03-14-2025

This is my current configuration, looks right?

FAZ STORAGE.jpg

The commands results, is there something wrong?

infrastoque_2025 · ‎03-14-2025

"Device Log Settings: Check the device log settings under the "Advanced" tab. Ensure the "Automatically Delete" section is configured correctly, with the "Device log store duration" set to a value that meets your retention needs".

FAZ_LOG SETTINGS.jpg

This is my current configuration, looks right?

infrastoque_2025 · ‎03-14-2025

@Anthony_E After performing a check on my fortigate, I found that there are much more logs archived than stored. Would there be any way to restore these stored logs to storage?

Missing event monitor logs after one week on FortiAnalyzer

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website