Automatic deletion
Logs and files are automatically deleted from the FortiAnalyzer unit according to the following settings:
- Global automatic file deletion
File management settings specify when to delete the oldest Archive logs, quarantined files, reports, and archived files from the disks, regardless of the log storage settings. See File Management for information.
- Data policy
Data policies specify how long to store Analytics and Archive logs for each device. When the specified length of time expires, Archive logs for the device are automatically deleted from the FortiAnalyzer device's disks.
- Disk utilization
Disk utilization settings delete the oldest Archive logs for each device when the allotted disk space is filled. The allotted disk space is defined by the log storage settings. Alerts warn you when the disk space usage reaches a configured percentage.
All deletion policies are active on the FortiAnalyzer unit at all times, and you should carefully configure each policy. For example, if the disk fullness policy for a device hits its threshold before the global automatic file deletion policy for the FortiAnalyzer unit, Archive logs for the affected device are automatically deleted. Conversely, if the global automatic file deletion policy hits its threshold first, the oldest Archive logs on the FortiAnalyzer unit are automatically deleted regardless of the log storage settings associated with the device.
The following table summarizes the automatic deletion polices:
Policy |
Scope |
Trigger |
---|---|---|
Global automatic file deletion |
All logs, files, and reports on the system |
When the specified length of time expires, old files are automatically deleted. This policy applies to all files in the system regardless of the data policy settings associated with devices. |
Data policy |
Logs for the device with which the data policy is associated |
When the specified length of retention time expires, old Archive logs for the device are deleted. This policy affects only Archive logs for the device with which the data policy is associated. |
Disk utilization |
Logs for the device with which the log storage settings are associated |
When the specified threshold is reached for the allotted amount of disk space for the device, the oldest Archive logs are deleted for the device. This policy affects only Archive logs for the device with which the log storage settings are associated. |