Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Beduard
New Contributor

New FortiAnalyzer VM instance receives way too many logs according to the license information

Hello everyone,

I have the following problem. We currently still have a FortiAnalyzer 400E in use, but it is being replaced by a FortiAnalyzer VM instance based on Proxmox/KVM.

We set up the FortiAnalyzer VM yesterday and connected it to our FortiGate as a second FortiAnalyzer. So far, everything is working well and running smoothly. However, I noticed today that the FortiAnalyzer VM is reportedly receiving almost three times as many logs as the FortiAnalyzer 400E.

According to the license information in the FortiAnalyzer 400E dashboard, it has received approximately 17.6 GB of logs so far today (see image below). We have only one VDOM; the second one is old and not used anymore. That is why the FortiAnalyzer VM has only one VDOM.

[Image: Screenshot 2025-10-30 153731.png]

The FortiAnalyzer VM has received approximately 51 GB in the same period today, at least according to the dashboard (see image below).

[Image: Screenshot 2025-10-30 153533.png]

Even on the FortiGate itself, you can see a huge increase in remote logs from around 25 GB per day to 80 GB yesterday, and today it's already almost 70 GB (see image below).

[Image: Screenshot 2025-10-30 162701.png]

The strange thing is that, according to the dashboard, both the FortiAnalyzer 400E and the FortiAnalyzer VM receive almost the same amount of logs. Below are two images of the Log Receive Monitor, the first from the FortiAnalyzer 400E and the second from the FortiAnalyzer VM.

[Image: Screenshot 2025-10-30 153826.png]

[Image: Screenshot 2025-10-30 153656.png]

I have now switched off the FortiAnalyzer VM instance again, as our licensed daily log volume would certainly have been significantly exceeded today.

I have been searching for ideas all afternoon, but I haven't found anything yet. I hope one of you has an idea what could be causing the problem.

Thank you in advance for your ideas and help.

funkylicious
SuperUser

hi,

according to the graph from FGT, the huge amount is most likely caused by firewall rules where the standard traffic (L3+L4) policy has Log all sessions.

a best practice would be, for traffic where you know the source and destination + port, to explicitly define the allow policy and not log it.

it should not make a difference whether FAZ is hardware or VM; if that was the normal amount before, it should be maintained.

try running in the FAZ CLI:

diagnose fortilogd lograte-device

diagnose fortilogd lograte-adom all

diagnose fortilogd lograte-total

diagnose fortilogd lograte

diag log device

"jack of all trades, master of none"
Beduard

Hi,

thank you for your ideas!

Yes, I am fully aware that we log a huge amount of casual traffic, because we also use the FortiAnalyzer for troubleshooting. So for us that is normal behaviour.

I executed the commands on both FAZs and compared the results of the outputs. However, I did not notice any significant deviations.

I think I found the error elsewhere, though.

On the FortiGate itself, I used the commands below to display the connection configuration to the FAZ 400E and the FAZ VM.

--- Commands for the first FAZ (the 400E) ---

config log fortianalyzer setting
show full-configuration

--- Commands for the second FAZ (the VM) ---

config log fortianalyzer2 setting
show full-configuration

When I compared the output, I noticed that several configuration points were different for the FAZ VM:

  • reliable was set to disable
  • enc-algorithm was set to high
  • source-ip was empty

I used the following commands on the FortiGate CLI to change the settings so they match the settings for the FAZ 400E:

config log fortianalyzer2 setting
set reliable enable
set source-ip "IP for the Management Acces to our FortiGate"
set enc-algorithm high-medium
end

Both FortiAnalyzers have been running again for a few hours now, and so far it looks like the problem has been fixed. Both continue to show that they are receiving the same number of logs, and the log volume also matches to within 100 MB, which is perfectly normal.

I will monitor this over the next few days and then get back to you.

Thanks for your help!
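The manual comparison described in the reply above can be done mechanically. The script below is an added example written for this thread (not Fortinet's code and not the poster's): it parses two FortiOS "show full-configuration" dumps of the fortianalyzer and fortianalyzer2 setting blocks and lists the keys whose values differ. The two dumps are constructed placeholders in FortiOS shape; the real output will contain more keys, which the parser handles the same way.

```python
import re

# Constructed sample output in the shape of FortiOS "show full-configuration"
# for the two FAZ settings blocks (placeholder values, not from the thread).
FAZ1_DUMP = """\
config log fortianalyzer setting
    set status enable
    set server "192.0.2.10"
    set reliable enable
    set enc-algorithm high-medium
    set source-ip "192.0.2.1"
end
"""

FAZ2_DUMP = """\
config log fortianalyzer2 setting
    set status enable
    set server "192.0.2.20"
    set reliable disable
    set enc-algorithm high
    set source-ip ''
end
"""

SET_LINE = re.compile(r"^\s*set\s+(\S+)\s+(.*?)\s*$")


def parse_settings(dump):
    """Map every 'set key value' line of a FortiOS config block to {key: value}.
    Surrounding quotes are stripped, so an unset source-ip shown as '' becomes ''."""
    settings = {}
    for line in dump.splitlines():
        m = SET_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip("\"'")
    return settings


def diff_settings(a, b, ignore=("server",)):
    """Return {key: (a_value, b_value)} for keys whose values differ.
    'server' is ignored by default because the two FAZ targets naturally differ there."""
    return {
        key: (a.get(key), b.get(key))
        for key in sorted(set(a) | set(b))
        if key not in ignore and a.get(key) != b.get(key)
    }


if __name__ == "__main__":
    faz1, faz2 = parse_settings(FAZ1_DUMP), parse_settings(FAZ2_DUMP)
    for key, (v1, v2) in diff_settings(faz1, faz2).items():
        print(f"{key}: fortianalyzer={v1!r} fortianalyzer2={v2!r}")
```

Any key reported here is a candidate for the kind of drift found in the thread (reliable, enc-algorithm, source-ip); paste your own dumps in place of the constructed ones.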

 

 
