Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
infrastoque_2025
New Contributor

Created on ‎03-07-2025 09:25 AM

Missing event monitor logs after one week on FortiAnalyzer

Hey guys. I've been having a problem with logs disappearing since I updated firmware version 7.0.2 to 7.6.2 for a period longer than a week. When a week of log collection "Incidents & Events > Event Monitor" is completed, the date of the first occurrence returns to 3 days ago, and we have much more logs stored than 3 days ago. I already ran the command to rewrite the sql, I got the logs from February 28, 2025 to March 7, 2025 (exactly one week). I would like to know if there is any way to completely restore from the beginning (I believe it is around May 2022) all the logs, including those from the Event Monitor session and for the logs to remain permanent. Below are some images of the problem.

This is the collection after I ran the sql library rewrite command which lasted for 9 days, as in the image below.

imagem (2).png

 

 

Today (March 7, 2025), the problem with showing the logs appeared again and you can only see the events from 3 days ago as in the image

 

FAZ_ISSUE.jpg

Labels:
1033
0 Kudos
8 REPLIES 8
Anthony_E
Community Manager
Community Manager

Created on ‎03-09-2025 10:01 PM

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
1000
0 Kudos
Anthony_E
Community Manager
Community Manager

Created on ‎03-13-2025 01:52 AM

Hello,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Thanks,

Anthony-Fortinet Community Team.
965
Anthony_E
Community Manager
Community Manager

Created on ‎03-14-2025 01:40 AM

To troubleshoot missing event monitor logs after one week on FortiAnalyzer:

  1. Check Log Retention Settings: Verify the log retention settings in FortiAnalyzer. Ensure that the retention period is set appropriately to retain logs for the desired duration.
  2. ADOM Quota Utilization: Go to `System Settings -> Storage Info` and select the ADOM with the device. Check the Analytics & Archive utilization. If the usage is high (85% or above), older logs may be deleted to free up space.
  3. Device Log Settings: Check the device log settings under the "Advanced" tab. Ensure the "Automatically Delete" section is configured correctly, with the "Device log store duration" set to a value that meets your retention needs.
  4. Log Rate Monitoring: Use the CLI command 'diagnose fortilogd lograte' to monitor the log rate. High log rates can lead to rapid consumption of storage space.
  5. Lograte Per Device: Use the CLI command 'diag fortilogd lograte-device' to identify devices sending a large volume of logs. This can help pinpoint devices that may be consuming excessive storage.
  6. Check for Abnormal Logs: Analyze the FortiAnalyzer TAC report for any abnormal logs or indications of memory issues, which could affect log retention.
Anthony-Fortinet Community Team.
949
infrastoque_2025
New Contributor
In response to Anthony_E

Created on ‎03-14-2025 05:18 AM

This is my current configuration, looks right?

 

FAZ STORAGE.jpg

The commands results, is there something wrong?

FAZ_CLI_RESULTS.jpg

 

931
0 Kudos
infrastoque_2025
New Contributor
In response to Anthony_E

Created on ‎03-14-2025 05:22 AM

"Device Log Settings: Check the device log settings under the "Advanced" tab. Ensure the "Automatically Delete" section is configured correctly, with the "Device log store duration" set to a value that meets your retention needs".

 

FAZ_LOG SETTINGS.jpg

This is my current configuration, looks right?

925
0 Kudos
infrastoque_2025
New Contributor
In response to Anthony_E

Created on ‎03-14-2025 01:27 PM

@Anthony_E After performing a check on my fortigate, I found that there are much more logs archived than stored. Would there be any way to restore these stored logs to storage?

FGT.jpg

898
0 Kudos
czamudio
Staff
Staff

Created on ‎03-27-2025 10:24 AM

Hi, 

the event monitor list is a separated table of the database, you can see a limited size of logs

 

you can try to extend with

 

config sys log alert

set max-alert-count 50000 < -- it depends on the version, it may be 100000

end

 

 

 

Cuauhtemoc Zamudio Technical Support Engineer – LATAM ETAC M-F 09:00-18:00 Hrs. Central Time T: +1 408-542-7780
771
garyfutch
New Contributor

Created on ‎08-29-2025 04:00 AM

After upgrading FortiAnalyzer from 7.0.2 to 7.6.2 the SQL event database was partially rebuilt which is why Event Monitor only shows about a week of logs and the “First Occurrence” resets to 3 days ago. The raw logs may still exist on disk but are not fully indexed in SQL. You can confirm this from Log View and by checking System Settings > Storage Info for disk quota. To restore visibility, run a full SQL database rebuild (execute sql-local rebuild-db). If older logs were purged due to quota limits, only restoring from backup will bring them back. In case of SQL corruption, a repair tool like Stellar Repair for MySQL can help recover missing or inaccessible log data.

Gary
Gary
74
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.