Fortianalyzer exceeds logs

rezafathi · ‎05-06-2024

Hi

I am using faz trial license and it says you logs exceeda your limit. So my question is, what happens to logs send to faz after that?

Reza F.

mrafat · ‎05-08-2024

Hi
If you have FAZ VM and this VM got the enough storage , nothing will happen to the received logs
However for hardware models of FAZ, logs will start getting dropped

View solution in original post

AEK · ‎05-06-2024

If one notices that the FortiAnalyzer VM has consistently exceeded its licensed GB/day limit for over 7 days, this is a good time to think about a license upgrade and adjust resources. Although FortiAnalyzer VM will try its best not to drop logs, consistently running over capacity will eventually lead to undetermined behavior. This is because all FortiAnalyzer VM functions are validated within the licensed limit; the behavior beyond that limit is deemed to be unsupportable.

Ref:

https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Minimizing-logging-from-FortiGate-to-F...

AEK

Yurisk · ‎05-07-2024

There is no definite answer to that - FTNT docs just say "beyond the limit we do not guarantee anything", so it may mean excess logs will be dropped, or may be not - no guarantees.

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.

mrafat · ‎05-08-2024

Hi
If you have FAZ VM and this VM got the enough storage , nothing will happen to the received logs
However for hardware models of FAZ, logs will start getting dropped