Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Beduard
Visitor

New FortiAnalyzer VM instance receives way too many logs according to the license information

Hello everyone,

I have the following problem. We currently still have a FortiAnalyzer 400E in use, but it is being replaced by a FortiAnalyzer VM instance based on Proxmox/KVM.

We set up the FortiAnalyzer VM yesterday and connected it to our FortiGate as a second FortiAnalyzer. So far, everything is working well and running smoothly. However, I noticed today that the FortiAnalyzer VM is reportedly receiving almost three times as many logs as the FortiAnalyzer 400E.

According to the license information in the FortiAnalyzer 400E dashboard, it has received approximately 17.6 GB of logs so far today (see image below). We have only one VDOM; the second one is old and not used anymore. That is why the FortiAnalyzer VM has only one VDOM.

Screenshot 2025-10-30 153731.png

The FortiAnalyzer VM has received approximately 51 GB in the same period today, at least according to the dashboard (see image below).

Screenshot 2025-10-30 153533.png

Even on the FortiGate itself, you can see a huge increase in remote logs from around 25 GB per day to 80 GB yesterday, and today it's already almost 70 GB (see image below).

Screenshot 2025-10-30 162701.png

The strange thing is that, according to the dashboard, both the FortiAnalyzer 400E and the FortiAnalyzer VM receive almost the same amount of logs. Below are two images of the Log Receive Monitor, the first from the FortiAnalyzer 400E and the second from the FortiAnalyzer VM.

Screenshot 2025-10-30 153826.png

Screenshot 2025-10-30 153656.png

I have now switched off the FortiAnalyzer VM instance again, as our licensed daily log volume would certainly have been significantly exceeded today.

I have been searching for ideas all afternoon, but I haven't found anything yet. I hope one of you has an idea what could be causing the problem.

Thank you in advance for your ideas and help.

1 Reply
funkylicious
SuperUser

hi,

according to the graph from the FGT, the huge amount is most likely caused by firewall rules where a standard traffic (L3+L4) policy has "Log all sessions" set.

a best practice would be, for traffic where you know the source and destination + port, to explicitly define the allow policy and not log it.

it should not make a difference whether the FAZ is hardware or VM; if that was the normal amount before, it should be maintained.

try running in the FAZ CLI:

diagnose fortilogd lograte-device

diagnose fortilogd lograte-adom all

diagnose fortilogd lograte-total

diagnose fortilogd lograte

diag log device

"jack of all trades, master of none"
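As an added example that is not part of either post above: a short Python script that parses the `config firewall policy` section of a FortiGate configuration and flags accept policies with `set logtraffic all`, the "Log all sessions" setting the reply points to, then prints the CLI change that switches such a policy to `set logtraffic utm` or `disable`. The configuration text is constructed for this example (policy names and addresses are made up), and the set of UTM-related keys it checks is an assumption about which FortiOS policy settings indicate a security profile.

```python
"""Flag FortiGate policies that log every session (added example, not from the
thread). Parses the `config firewall policy` section of a FortiGate config and
reports accept policies with `set logtraffic all`, which the reply above names
as the likely cause. SAMPLE_CONFIG is constructed; names/addresses are made up.
"""
import re
from dataclasses import dataclass, field

# Assumed FortiOS keys that mean a security (UTM) profile is applied to a policy.
UTM_KEYS = {"av-profile", "webfilter-profile", "dnsfilter-profile",
            "ips-sensor", "application-list", "file-filter-profile"}

# Constructed sample: 1 = UTM policy, 2 = plain L3/L4 policy logging every
# session (the case the reply describes), 3 = known traffic with logging off.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set action accept
        set utm-status enable
        set av-profile "default"
        set logtraffic all
    next
    edit 2
        set name "Backup-to-NAS"
        set action accept
        set srcaddr "backup-server"
        set dstaddr "nas"
        set service "SMB"
        set logtraffic all
        set logtraffic-start enable
    next
    edit 3
        set name "Monitoring-to-Servers"
        set action accept
        set srcaddr "nms"
        set dstaddr "servers"
        set service "SNMP"
        set logtraffic disable
    next
end
"""


@dataclass
class Policy:
    pid: int
    settings: dict = field(default_factory=dict)

    def has_utm(self) -> bool:
        return (self.settings.get("utm-status") == "enable"
                or any(k in self.settings for k in UTM_KEYS))


def parse_policies(config_text: str) -> list:
    """Parse `edit <id>` / `set key value` / `next` blocks of the
    `config firewall policy` section. Quotes are dropped from values."""
    policies, current, in_section = [], None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_section = True
        elif not in_section:
            continue
        elif line == "end":
            break
        elif (m := re.fullmatch(r"edit (\d+)", line)):
            current = Policy(int(m.group(1)))
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif (m := re.fullmatch(r"set (\S+) (.+)", line)) and current is not None:
            current.settings[m.group(1)] = m.group(2).replace('"', "")
    return policies


def find_noisy_policies(policies: list) -> list:
    """Return (id, name, notes) for accept policies with `set logtraffic all`."""
    findings = []
    for p in policies:
        s = p.settings
        if s.get("action") != "accept" or s.get("logtraffic") != "all":
            continue
        if p.has_utm():
            notes = ["UTM policy logging every session; 'set logtraffic utm' keeps only security-event logs"]
        else:
            notes = ["plain L3/L4 policy logging every session; known traffic: 'set logtraffic utm' or 'disable'"]
        if s.get("logtraffic-start") == "enable":
            notes.append("'set logtraffic-start enable' adds a session-start log to every session-end log")
        findings.append((p.pid, s.get("name", ""), notes))
    return findings


def render_fix(pid: int, mode: str = "utm") -> str:
    """CLI snippet that turns off full-session logging on one policy."""
    return "\n".join(["config firewall policy", f"    edit {pid}",
                      f"        set logtraffic {mode}",
                      "        set logtraffic-start disable", "    next", "end"])


if __name__ == "__main__":
    for pid, name, notes in find_noisy_policies(parse_policies(SAMPLE_CONFIG)):
        print(f"policy {pid} ({name}):", *("\n  - " + n for n in notes))
        print(render_fix(pid))
```

Run it against a `show firewall policy` dump instead of SAMPLE_CONFIG to get a list of policies to review; the FAZ-side `diagnose fortilogd lograte-device` output from the reply then shows whether the per-device log rate drops after the change.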