Logs and files are stored on the FortiAnalyzer disks. Logs are also temporarily stored in the SQL database.
You can configure data policy and disk utilization settings for devices. These are collectively called log storage settings.
You can configure global log and file storage settings. These apply to all logs and files in the FortiAnalyzer system regardless of log storage settings.
When FortiAnalyzer receives a log, it is stored in a file. Logs will continue to populate this file until its limit is reached, at which time the file is "rolled" which involves compressing the file and creating a new one for further logs of that type. There are two settings that you can use to configure when log rolling occurs, and both may be used at the same time, with rolling taking place when either condition is met.
- Log file size: This is enabled by default and set to 200 MB.
- At a scheduled time: Either daily or weekly at a set time.
Rolling the files daily is recommended so that no single file spans more than 24 hours, which would otherwise mask the actual number of days of logs you are storing.
See also Configuring rolling and uploading of logs using the GUI.
When you reach your archive retention limit as defined by allocated storage size or specified days, FortiAnalyzer deletes old logs to make room for new logs. FortiAnalyzer can only delete files, not logs within a file. Controlling file growth is important because storage capacity is not infinite and it directly affects how old logs are deleted to make room for new logs.
FortiAnalyzer will delete old files based on which condition is forcing the deletion:
- Days: Delete a log file only when all of the logs it contains are outside the configured retention period. Log files can span several days, or even months; such a file is not eligible for deletion while it still holds logs that fall within the retention period, because deleting it would also remove those logs. This can lead to Archive indicating that it is storing more days than it is configured for (for example, 100/90 days): the displayed number reflects the date of the oldest stored log, not that logs exist for every day up to that number.
- Storage size: Delete the log file whose last received log is the oldest. This can leave the administrator without a true picture of the logs available in analytics, because there is no way to indicate that, say, days 60 through 89 have no logs, only that some logs from 90 days ago exist.
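To make the two deletion rules and their side effects concrete, the following is an added Python simulation of file-level retention; it is not FortiAnalyzer code, and the file names, date ranges, sizes, quota and the 2024-06-30 "today" are constructed for illustration. It models what the text describes: whole files are deleted, never individual logs; under the days rule a file that straddles the cutoff survives and inflates the displayed archive age; under the size rule the file with the oldest last-received log goes first, and the remaining coverage can have gaps that the displayed age does not reveal.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class LogFile:
    """One rolled archive file; FortiAnalyzer deletes whole files, never single logs."""
    name: str
    first_log: date   # date of the oldest log in the file
    last_log: date    # date of the newest (last received) log
    size_mb: int


def files_expired_by_days(files, today, retention_days):
    """'Days' rule: a file is eligible only when every log in it is older than
    the retention cutoff, i.e. even its newest log falls outside the window."""
    cutoff = today - timedelta(days=retention_days)
    return [f for f in files if f.last_log < cutoff]


def files_to_free_by_size(files, quota_mb):
    """'Storage size' rule: delete the file with the oldest last-received log,
    repeating until total usage fits inside the quota."""
    remaining = sorted(files, key=lambda f: f.last_log)
    used = sum(f.size_mb for f in remaining)
    deleted = []
    while used > quota_mb and remaining:
        victim = remaining.pop(0)
        deleted.append(victim)
        used -= victim.size_mb
    return deleted


def displayed_archive_days(files, today):
    """Age shown by Archive: distance to the oldest log date, not a count of days that have logs."""
    if not files:
        return 0
    return (today - min(f.first_log for f in files)).days


def uncovered_days(files, today, retention_days):
    """Count days inside the retention window (cutoff..today) for which no retained file has logs."""
    cutoff = today - timedelta(days=retention_days)
    gaps = 0
    day = cutoff
    while day <= today:
        if not any(f.first_log <= day <= f.last_log for f in files):
            gaps += 1
        day += timedelta(days=1)
    return gaps


# Constructed sample: three rolled files; B straddles the 90-day cutoff of 2024-04-01.
TODAY = date(2024, 6, 30)
SAMPLE_FILES = [
    LogFile("A", date(2024, 3, 1), date(2024, 3, 20), 200),
    LogFile("B", date(2024, 3, 22), date(2024, 4, 5), 200),
    LogFile("C", date(2024, 4, 6), date(2024, 6, 29), 150),
]

if __name__ == "__main__":
    expired = files_expired_by_days(SAMPLE_FILES, TODAY, 90)
    kept = [f for f in SAMPLE_FILES if f not in expired]
    # B survives because it still holds early-April logs inside the window.
    print("days rule deletes:", [f.name for f in expired])
    print("Archive shows %d/90 days" % displayed_archive_days(kept, TODAY))

    freed = files_to_free_by_size(SAMPLE_FILES, 300)
    kept = [f for f in SAMPLE_FILES if f not in freed]
    print("size rule deletes:", [f.name for f in freed])
    print("days in window with no logs:", uncovered_days(kept, TODAY, 90))
```

Running the sample shows the "100/90 days" situation from the text under the days rule (file B's oldest log is 100 days old, yet B cannot be deleted without losing in-window logs), and under a 300 MB quota the size rule removes A and B, leaving a window that has no logs for its first five days even though the archive age still reads as a single number.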
See also Data policy and automatic deletion and Disk utilization for Archive and Analytic logs.