Fortinet white logo
Fortinet white logo

Administration Guide

Log forwarding buffer

Log forwarding buffer

When log forwarding is configured, FortiAnalyzer reserves space on the system disk as a buffer between the fortilogd and logfwd daemons. In the event of a connection failure between the log forwarding client and server (network jams, dropped connections, etc.), logs are cached as long as space remains available. When storage space is exceeded, older logs are deleted in favor of new logs.

The default log forward buffer size is 30% of the system reserved disk size, and it can be configured up to 80%. The system reserved disk size varies by platform and total available storage. See Disk space allocation.

For example, in a scenario where the FortiAnalyzer has a system reserved disk size of 50 GB, the default logfwd buffer is 15 GB (30% of 50 GB), and the maximum configurable size is 40 GB (80% of 50 GB).

Caution

The log forward buffer is shared between fortilogd for all logfwd servers.

When changes are made to the log forward cache size, each server individually resets the log reading position to the latest one, and all logs currently in the log-forward disk cache are dropped.

To change the log forward cache size:
  1. In the FortiAnalyzer CLI, enter the following commands:
    config system global
    (global)# set log-forward-cache-size [number (GB)]
  2. When prompted, enter Y to confirm the change.
    Entering a number that is outside of the valid cache size range will cause the valid range to be displayed. For example:
    (global)# set log-forward-cache-size 360
    Cache size must be within the range between 1GB and 240GB
    node_check_object fail! for log-forward-cache-size 360
Note

The diagnose test application logfwd 4 CLI command can be used to display log positions for the last log buffered and last log sent, as well as determine the buffer lag-behind. See the FortiAnalyzer CLI Reference.

Log forwarding buffer

Log forwarding buffer

When log forwarding is configured, FortiAnalyzer reserves space on the system disk as a buffer between the fortilogd and logfwd daemons. In the event of a connection failure between the log forwarding client and server (network jams, dropped connections, etc.), logs are cached as long as space remains available. When storage space is exceeded, older logs are deleted in favor of new logs.

The default log forward buffer size is 30% of the system reserved disk size, and it can be configured up to 80%. The system reserved disk size varies by platform and total available storage. See Disk space allocation.

For example, in a scenario where the FortiAnalyzer has a system reserved disk size of 50 GB, the default logfwd buffer is 15 GB (30% of 50 GB), and the maximum configurable size is 40 GB (80% of 50 GB).

Caution

The log forward buffer is shared between fortilogd for all logfwd servers.

When changes are made to the log forward cache size, each server individually resets the log reading position to the latest one, and all logs currently in the log-forward disk cache are dropped.

To change the log forward cache size:
  1. In the FortiAnalyzer CLI, enter the following commands:
    config system global
    (global)# set log-forward-cache-size [number (GB)]
  2. When prompted, enter Y to confirm the change.
    Entering a number that is outside of the valid cache size range will cause the valid range to be displayed. For example:
    (global)# set log-forward-cache-size 360
    Cache size must be within the range between 1GB and 240GB
    node_check_object fail! for log-forward-cache-size 360
Note

The diagnose test application logfwd 4 CLI command can be used to display log positions for the last log buffered and last log sent, as well as determine the buffer lag-behind. See the FortiAnalyzer CLI Reference.