When devices send logs to a FortiAnalyzer unit, the logs enter the following workflow automatically:
- Compressed logs are received and saved in a log file on the FortiAnalyzer disks.
When a log file reaches a specified size, FortiAnalyzer rolls it over and archives it, and creates a new log file to receive incoming logs. You can specify the size at which the log file rolls over. See Device logs.
- Logs are indexed in the database to support analysis.
You can specify how long to keep logs indexed using a data policy. See Log storage information.
- Logs are purged from the database, but remain compressed in a log file on the FortiAnalyzer disks.
- Logs are deleted from the FortiAnalyzer disks.
You can specify how long to keep logs using a data policy. See Log storage information.
In the indexed phase, logs are indexed in the database for a specified length of time so they can be used for analysis. Indexed, or Analytics, logs are considered online, and details about them can be used viewed in the FortiView, Log View, and Incidents & Events/FortiSoC panes. You can also generate reports about the logs in the Reports pane.
In the compressed phase, logs are compressed and archived in FortiAnalyzer disks for a specified length of time for the purpose of retention. Compressed, or Archived, logs are considered offline, and their details cannot be immediately viewed or used to generate reports.
The following table summarizes the differences between indexed and compressed log phases:
Immediate Analytic Support
Compressed in log file and indexed in database
Yes. Logs are available for analytic use in FortiView, Incidents & Events/FortiSoC, and Reports.
Compressed in log file