ruzeski
New Contributor

Very large logs

Good afternoon. I need to implement the FortiAnalyzer, but my current log storage configuration seems to be misconfigured: my firewall is generating 40TB of logs per day, so it is not possible to store it on any device. Is there any good practice or ideal filter, rather than storing it all in logs? I believe I am storing much more than is necessary, given the size.

[Screenshot attached: ruzeski_0-1671129020683.png]

Currently the policies are configured to store only the security logs (before, they recorded all the logs), but the size has not decreased.

funkylicious
Contributor III

Hi,


I'm sorry, but HUH? How are you even able to do that?

Are you sure that isn't a GUI bug?

What firmware are you running?

Start by disabling logs on the rules between devices in different LAN segments or start doing more explicit rules.

geek
gfleming
Staff

Looks like the bulk of your logs are traffic logs. You may have a particularly chatty system or systems on your network generating lots of sessions and lots of logs. Can you go to FortiView Sources and sort by session count? That will show you what is generating the most logs.

Cheers,
Graham
Markus_M
Staff

The log count might be correct in a very large environment, or the GUI is lying/wrong.

See from your policies if you need to log everything or may skip some.

See from the log settings if you need to log everything.

If you need the logs, then see whether your retention period is enough.

Logs usually keep evidence of things. If you need to look up something 30 days later but your logs have been rolled over/deleted, the logging is useless. So if 40 GB is correct, you require 40 GB x days of retention period of disk space, x2 in case you increase that portion.
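As an added example (not from the thread, and not a Fortinet tool), the script below does offline what the FortiView Sources check and the policy review suggested in the replies do in the GUI: it parses FortiGate key=value log lines and counts traffic logs per policy ID and per source IP, so the rules and hosts producing most of the volume stand out. The field names follow the FortiGate syslog format; the log lines themselves are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample FortiGate log lines (key=value syslog format). The values are
# made up; only the field names (type, subtype, srcip, policyid, ...) are the real ones.
SAMPLE_LOGS = """\
date=2022-12-15 time=14:30:01 devname="FGT" type="traffic" subtype="forward" srcip=10.1.1.50 dstip=10.2.2.10 dstport=445 policyid=12 action="accept" sentbyte=1200 rcvdbyte=800
date=2022-12-15 time=14:30:01 devname="FGT" type="traffic" subtype="forward" srcip=10.1.1.50 dstip=10.2.2.11 dstport=445 policyid=12 action="accept" sentbyte=1100 rcvdbyte=700
date=2022-12-15 time=14:30:02 devname="FGT" type="traffic" subtype="forward" srcip=10.1.1.50 dstip=10.2.2.12 dstport=445 policyid=12 action="accept" sentbyte=900 rcvdbyte=600
date=2022-12-15 time=14:30:02 devname="FGT" type="traffic" subtype="forward" srcip=10.1.1.7 dstip=203.0.113.9 dstport=443 policyid=3 action="accept" sentbyte=5000 rcvdbyte=90000
date=2022-12-15 time=14:30:03 devname="FGT" type="utm" subtype="webfilter" srcip=10.1.1.7 dstip=203.0.113.9 policyid=3 action="blocked" msg="URL belongs to a denied category"
date=2022-12-15 time=14:30:03 devname="FGT" type="traffic" subtype="local" srcip=10.1.1.1 dstip=10.1.1.254 dstport=161 policyid=0 action="accept" sentbyte=100 rcvdbyte=150
"""

# key=value pairs; values are either a quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one FortiGate key=value log line into a dict, with quotes stripped."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}


def summarize(raw):
    """Count log lines by type, and traffic logs by policyid and by srcip.

    A policy with a large share of the traffic logs is a candidate for
    logging only UTM events (or nothing) instead of all sessions; a source
    IP with a large share is the 'chatty system' worth investigating."""
    by_type, by_policy, by_src = Counter(), Counter(), Counter()
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        by_type[rec.get("type", "?")] += 1
        if rec.get("type") == "traffic":
            by_policy[rec.get("policyid", "?")] += 1
            by_src[rec.get("srcip", "?")] += 1
    return by_type, by_policy, by_src


if __name__ == "__main__":
    by_type, by_policy, by_src = summarize(SAMPLE_LOGS)
    print("logs by type:     ", dict(by_type))
    print("top policies:     ", by_policy.most_common(3))
    print("top source IPs:   ", by_src.most_common(3))
```

On a real export, feed the script the traffic log file instead of SAMPLE_LOGS; the top policies are the ones where changing the policy's log setting from all sessions to security events only will cut volume the most.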
