Missing event monitor logs after one week on FortiAnalyzer
Hey guys. I've been having a problem with logs disappearing since I updated firmware version 7.0.2 to 7.6.2 for a period longer than a week. When a week of log collection "Incidents & Events > Event Monitor" is completed, the date of the first occurrence returns to 3 days ago, and we have much more logs stored than 3 days ago. I already ran the command to rewrite the sql, I got the logs from February 28, 2025 to March 7, 2025 (exactly one week). I would like to know if there is any way to completely restore from the beginning (I believe it is around May 2022) all the logs, including those from the Event Monitor session and for the logs to remain permanent. Below are some images of the problem.
This is the collection after I ran the sql library rewrite command which lasted for 9 days, as in the image below.
Today (March 7, 2025), the problem with showing the logs appeared again and you can only see the events from 3 days ago, as in the image.
Labels: FortiAnalyzer
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello,
We are still looking for someone to help you.
We will come back to you ASAP.
Thanks,
To troubleshoot missing event monitor logs after one week on FortiAnalyzer:
- Check Log Retention Settings: Verify the log retention settings in FortiAnalyzer. Ensure that the retention period is set appropriately to retain logs for the desired duration.
- ADOM Quota Utilization: Go to `System Settings -> Storage Info` and select the ADOM with the device. Check the Analytics & Archive utilization. If the usage is high (85% or above), older logs may be deleted to free up space.
- Device Log Settings: Check the device log settings under the "Advanced" tab. Ensure the "Automatically Delete" section is configured correctly, with the "Device log store duration" set to a value that meets your retention needs.
- Log Rate Monitoring: Use the CLI command `diagnose fortilogd lograte` to monitor the log rate. High log rates can lead to rapid consumption of storage space.
- Lograte Per Device: Use the CLI command `diag fortilogd lograte-device` to identify devices sending a large volume of logs. This can help pinpoint devices that may be consuming excessive storage.
- Check for Abnormal Logs: Analyze the FortiAnalyzer TAC report for any abnormal logs or indications of memory issues, which could affect log retention.
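The steps above produce three numbers (the ADOM analytics quota, the total log rate, and the per-device log rates) but leave the reader to judge whether they add up to the retention they need. The script below is an added example, not code from this thread or from Fortinet: it takes those figures as inputs, applies the 85% high-water mark mentioned in the answer, and estimates how many days of analytics logs fit before older logs are purged, how much quota a given retention target would need, and which devices dominate the ingest. The average bytes per log is an assumed input (FortiAnalyzer does not report it directly in the commands listed), and the sample figures in the usage block are constructed, not taken from the original poster's system.

```python
"""Retention capacity check for FortiAnalyzer analytics logs.

Added example, not code from the thread or from Fortinet. Inputs are the
figures the troubleshooting steps tell you to collect: the ADOM quota from
System Settings -> Storage Info and the log rates from
`diagnose fortilogd lograte` / `diag fortilogd lograte-device`.
The 85% threshold is the high-water mark named in the answer; the average
log size is an assumption you supply from your own environment.
"""
import math
from dataclasses import dataclass

HIGH_WATER = 0.85          # utilisation above which older logs get purged
SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class RetentionEstimate:
    bytes_per_day: int       # analytics data ingested per day
    usable_bytes: int        # quota below the high-water mark
    days_supported: float    # days of logs that fit under the mark
    target_days: int
    meets_target: bool
    quota_needed_bytes: int  # quota that would hold target_days under the mark


def estimate_retention(quota_bytes: int, log_rate_per_sec: float,
                       avg_log_bytes: int, target_days: int,
                       high_water: float = HIGH_WATER) -> RetentionEstimate:
    """Project retention from quota, total log rate and average log size."""
    if quota_bytes <= 0 or avg_log_bytes <= 0 or target_days <= 0:
        raise ValueError("quota, log size and target days must be positive")
    if log_rate_per_sec < 0 or not 0 < high_water <= 1:
        raise ValueError("log rate must be >= 0 and high_water in (0, 1]")
    bytes_per_day = int(log_rate_per_sec * avg_log_bytes * SECONDS_PER_DAY)
    usable = int(quota_bytes * high_water)
    # A zero log rate never fills the quota, so retention is unbounded.
    days = math.inf if bytes_per_day == 0 else usable / bytes_per_day
    needed = math.ceil(bytes_per_day * target_days / high_water)
    return RetentionEstimate(bytes_per_day, usable, days, target_days,
                             days >= target_days, needed)


def per_device_share(rates: dict[str, float]) -> list[tuple[str, float, float]]:
    """Rank devices by log rate and give each device's share of the total (%)."""
    total = sum(rates.values())
    ranked = sorted(rates.items(), key=lambda kv: kv[1], reverse=True)
    return [(dev, rate, (rate / total * 100.0) if total else 0.0)
            for dev, rate in ranked]


if __name__ == "__main__":
    # Constructed figures, not from the thread: 100 GB analytics quota,
    # 200 logs/s in total, an assumed 400 bytes per log, 30 days required.
    est = estimate_retention(100 * 10**9, 200, 400, 30)
    print(f"{est.days_supported:.1f} days fit under the 85% mark; "
          f"target of {est.target_days} days met: {est.meets_target}")
    print(f"quota needed for target: {est.quota_needed_bytes / 10**9:.1f} GB")
    for dev, rate, share in per_device_share({"FGT-A": 150, "FGT-B": 50}):
        print(f"{dev}: {rate:.0f} logs/s ({share:.0f}% of ingest)")
```

If `meets_target` comes back false the options are the ones the answer implies: raise the ADOM analytics quota, lower the ingest from the top devices in `per_device_share`, or accept the shorter retention; the `quota_needed_bytes` figure tells you how far the quota has to move.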
This is my current configuration, looks right?
The command results, is there something wrong?
"Device Log Settings: Check the device log settings under the "Advanced" tab. Ensure the "Automatically Delete" section is configured correctly, with the "Device log store duration" set to a value that meets your retention needs".
This is my current configuration, looks right?
@Anthony_E After performing a check on my FortiGate, I found that there are much more logs archived than stored. Would there be any way to restore these stored logs to storage?
