What is the difference between Archive and Analytic logs in Fortianalyzer?
Every FortiGate generates logs, and those logs can be sent to FortiAnalyzer.
Consider that every log contains multiple "Log Field Names" such as "date", "time", "srcip", "dstip", "action", "type" and so on. By one log we refer to the following example
Every log FortiGate generates can be seen in FortiAnalyzer in two different formats: "Raw log" (text option) and "Formatted Log" (GUI option). The second one is the most used by customers.
As expected, the size of each log FortiGate generates varies depending on the number of "Log Field Names" as well as the information included in them. Some logs will be smaller than others.
We can determine the size of some logs by disabling the reliable connection in the FortiAnalyzer log settings, so that the size of each individual log can be seen. You will see that the sizes differ.
When FortiAnalyzer receives logs (whether a few, hundreds, thousands or millions), they go directly to what is called the "Archive database".
The FortiAnalyzer Archive Database is the place where logs are stored compressed. These logs are considered "Offline logs".
If you double-click one packet of logs you will see many logs in raw format.
The FortiAnalyzer Analytic Database is the place where logs from the Archive are indexed into the SQL database; these logs are considered "Online logs".
In this example, having 196 days on Analytics does not mean you have full logs for all one hundred ninety six days; it means that the oldest log you can find in any log type (event, traffic, VoIP, application control, web filter and so on) is 196 days old. Normally this is an Event log.
Consider that Reports are generated from the Analytic Database.
The general picture looks like this:
Please consider that the size relationship between Archive logs and Analytic logs is 1:4 or even 1:8. This means that if you have an Archive Database of 100 MB you may have an Analytic Database of 400 MB, or even 800 MB. This is because the Archive database is a compressed database. Normally we assign more disk space to Analytics than to Archive; an 80%:20% split is a normal setting.
Always assign disk space according to the license you have.
Also, when we talk about logs being received on FortiAnalyzer, we normally refer to the logs received into the Archive Database. This number can be seen under System Settings, License Information, and is named "GB/Day".
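To make the points above concrete (the Log Field Names inside a raw log, why log sizes differ from one log to another, the 1:4 to 1:8 Archive:Analytic size ratio with the 80%:20% quota split, and the GB/Day figure), here is an added Python example. It is not code from the original post or from Fortinet. The sample log lines are constructed in FortiGate's key=value raw-log syntax with documentation addresses, and the function names, the 300-byte average log size and the 500 logs/second rate are assumptions chosen for illustration.

```python
import re

# Constructed sample raw logs in FortiGate key=value syntax (the "Raw log"
# view). Values and addresses are illustrative, not captured from a device.
SAMPLE_RAW_LOGS = [
    'date=2024-03-01 time=10:15:02 logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.0.1.25 '
    'dstip=203.0.113.10 srcport=51234 dstport=443 proto=6 action="accept" '
    'policyid=7 service="HTTPS" sentbyte=5120 rcvdbyte=40960',
    # A traffic log with fewer fields: smaller on the wire and on disk.
    'date=2024-03-01 time=10:15:03 logid="0000000020" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.0.1.25 '
    'dstip=203.0.113.10 action="accept"',
    # An event log whose quoted values contain spaces.
    'date=2024-03-01 time=10:16:11 logid="0100032001" type="event" '
    'subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(198.51.100.5)" '
    'action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(198.51.100.5)"',
]

# One key=value pair: the value is either a double-quoted string (which may
# contain spaces and escaped quotes) or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_raw_log(line: str) -> dict:
    """Split one raw log line into its Log Field Names and values."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # strip the surrounding quotes
        fields[key] = value
    return fields


def log_size_bytes(line: str) -> int:
    """Size of the raw log line in bytes (UTF-8), before any compression."""
    return len(line.encode("utf-8"))


def summarize(line: str) -> dict:
    """Type, subtype, field count and byte size of one raw log."""
    fields = parse_raw_log(line)
    return {
        "type": fields.get("type"),
        "subtype": fields.get("subtype"),
        "field_count": len(fields),
        "size_bytes": log_size_bytes(line),
    }


def estimate_analytic_size(archive_size: float, ratio: int = 4) -> float:
    """Analytic (indexed, uncompressed) footprint for a given Archive size.

    The post quotes Archive:Analytic as 1:4 up to 1:8, so ratio is 4..8.
    """
    return archive_size * ratio


def split_quota(total_gb: float, analytics_pct: float = 80.0) -> tuple:
    """Divide a disk quota between Analytics and Archive (default 80%:20%)."""
    analytics_gb = total_gb * analytics_pct / 100.0
    return analytics_gb, total_gb - analytics_gb


def daily_ingest_gb(avg_log_bytes: float, logs_per_second: float) -> float:
    """Rough uncompressed GB/Day for an assumed average log size and rate."""
    return avg_log_bytes * logs_per_second * 86400 / 1e9


if __name__ == "__main__":
    for raw in SAMPLE_RAW_LOGS:
        print(summarize(raw))
    print("100 MB archive at 1:4 ->", estimate_analytic_size(100, 4), "MB analytic")
    print("100 MB archive at 1:8 ->", estimate_analytic_size(100, 8), "MB analytic")
    print("1000 GB quota split 80:20 ->", split_quota(1000))
    print("GB/Day at 300 B avg, 500 logs/s ->", round(daily_ingest_gb(300, 500), 2))
```

Running the script shows the 17-field traffic log is larger than the 10-field one, which is the size variation the post describes, and the same 100 MB archive maps to 400 MB or 800 MB of analytic storage depending on the ratio you plan for. The daily ingest figure is an uncompressed estimate; the GB/Day value FortiAnalyzer reports counts what lands in the Archive Database.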