When you delete one or more devices from FortiAnalyzer, the raw log files and archive packets are deleted, and the action is recorded in the local event log. However, logs that have already been inserted into the SQL database are not deleted from it. As a result, logs for the deleted devices might still display in the Log View and SOC > FortiView panes, and any reports based on those logs might include results from them.
You can remove logs for deleted devices from the SQL database in the following ways:
- Rebuild the SQL database for the ADOM to which deleted devices belonged or rebuild the entire SQL database.
- Configure the log storage policy. When the deleted device logs are older than the Keep Logs for Analytics setting, they are deleted. Also, when analytic logs exceed their disk quota, the SQL database is trimmed starting with the oldest database tables. For more information, see Configuring log storage policy.
- Configure global automatic file deletion settings in System Settings > Advanced > File Management. When the deleted device logs are older than the configured setting, they are deleted. For more information, see File Management.
File Management configures global settings that override other log storage settings and apply to all ADOMs.