Administration Guide

Log and file workflow

When devices send logs to a FortiAnalyzer unit, the logs enter the following workflow automatically:

  1. Compressed logs are received and saved in a log file on the FortiAnalyzer disks.

    When a log file reaches a specified size, FortiAnalyzer rolls it over and archives it, and creates a new log file to receive incoming logs. You can specify the size at which the log file rolls over. See Device logs.

  2. Logs are indexed in the SQL database to support analysis.

    You can specify how long to keep logs indexed using a data policy. See Log storage information.

  3. Logs are purged from the SQL database, but remain compressed in a log file on the FortiAnalyzer disks.
  4. Logs are deleted from the FortiAnalyzer disks.

    You can specify how long to keep logs using a data policy. See Log storage information.

In the indexed phase, logs are indexed in the SQL database for a specified length of time so they can be used for analysis. Indexed, or Analytics, logs are considered online, and their details can be viewed in the SOC, Log View, and Incidents & Events panes. You can also generate reports about the logs in the Reports pane.

In the compressed phase, logs are compressed and archived in FortiAnalyzer disks for a specified length of time for the purpose of retention. Compressed, or Archived, logs are considered offline, and their details cannot be immediately viewed or used to generate reports.

The following table summarizes the differences between indexed and compressed log phases:

Log Phase   | Location                                            | Immediate Analytic Support
Indexed     | Compressed in log file and indexed in SQL database  | Yes. Logs are available for analytic use in SOC, Incidents & Events, and Reports.
Compressed  | Compressed in log file                              | No.
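As an added illustration (this is not Fortinet code and does not show how FortiAnalyzer is implemented), the following Python models the four-step workflow above: size-based rollover of the receiving log file into archived files, and a data policy whose two retention values decide whether a log of a given date is still online, only compressed, or gone. The field names keep_indexed_days and keep_archived_days are hypothetical placeholders for the data policy settings, and the rollover size and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class DataPolicy:
    # Hypothetical names; the real FortiAnalyzer setting names are not used here.
    keep_indexed_days: int    # step 2 -> 3: how long logs stay in the SQL database
    keep_archived_days: int   # step 3 -> 4: how long compressed log files stay on disk

    def __post_init__(self) -> None:
        # A log cannot be indexed without also being on disk, so archive retention
        # must be at least as long as the indexed period.
        if self.keep_archived_days < self.keep_indexed_days:
            raise ValueError("archive retention must cover the indexed period")


@dataclass
class LogFile:
    opened: date
    size_bytes: int = 0
    entries: int = 0


class LogWorkflow:
    """Models step 1 (size-based rollover) and the phase a log occupies later."""

    def __init__(self, rollover_bytes: int, policy: DataPolicy) -> None:
        self.rollover_bytes = rollover_bytes      # constructed sample threshold
        self.policy = policy
        self.current: Optional[LogFile] = None    # the log file currently receiving logs
        self.archived: List[LogFile] = []         # rolled-over files still on disk

    def receive(self, line: bytes, day: date) -> None:
        # Step 1: append to the open log file; once it reaches the size limit,
        # roll it over into the archive and open a new file for incoming logs.
        if self.current is None:
            self.current = LogFile(opened=day)
        self.current.size_bytes += len(line)
        self.current.entries += 1
        if self.current.size_bytes >= self.rollover_bytes:
            self.archived.append(self.current)
            self.current = None

    def phase(self, log_day: date, today: date) -> str:
        # Steps 2-4: online while indexed, offline while only compressed, then deleted.
        age = (today - log_day).days
        if age < self.policy.keep_indexed_days:
            return "indexed"      # online: SOC, Log View, Incidents & Events, Reports
        if age < self.policy.keep_archived_days:
            return "compressed"   # offline: on disk but not immediately searchable
        return "deleted"
```

Checking the phase of the date an incident occurred against the active policy tells an analyst whether the evidence is still searchable or must first be restored from the archive.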