Fortinet white logo
Fortinet white logo

Administration Guide

Log forwarding buffer

Log forwarding buffer

When log forwarding is configured, FortiAnalyzer reserves space on the system disk as a buffer between the fortilogd and logfwd daemons. In the event of a connection failure between the log forwarding client and server (network jams, dropped connections, etc.), logs are cached as long as space remains available. When storage space is exceeded, older logs are deleted in favor of new logs.

The default log forward buffer size is 30% of the system reserved disk size, and can be increased to use up to 80% of the available reserved disk. Additional storage space is available by using the disk space reserved for ADOMs. When configuring the log forward buffer size above 80% of the reserved disk size, the space available for ADOMs is reduced.

For example, in a scenario where the FortiAnalyzer has a total disk size of 275 GB for the entire system, with a system reserved disk size of 50 GB and an ADOM disk space of 50 GB, the log forwarding buffer can be configured up to a maximum of 90 GB (80% of the 50 GB reserved disk size = 40 GB + 50 GB disk reserved for ADOMs = 90 GB total).

The size of the system reserved disk varies by platform and total available storage. See Disk space allocation.

Caution

The log forward buffer is shared between fortilogd for all logfwd servers.

When changes are made to the log forward cache size, each server individually resets the log reading position to the latest one, and all logs currently in the log-forward disk cache are dropped.

To change the log forward cache size:
  1. In the FortiAnalyzer CLI, enter the following commands:

    config system global (global)#

    set log-forward-cache-size [number (GB)]

  2. When prompted, enter Y to confirm the change.
  • When entering a number outside of the valid cache size range, an error with the valid range is displayed.
  • When entering a number that uses storage from both the reserved disk size and available ADOM disk, a message displays to indicate that the cache will be allocated from the available disk quota and reserved space.

    (global)# set log-forward-cache-size 50

    Log-forward disk cache will be allocated from available disk quota and reserved space.

    All logs currently in log-forward disk cache will be dropped.

    Do you want to continue? (y/n)

Note

The diagnose test application logfwd 3 CLI command can be used to display log positions for the last log buffered and last log sent, as well as determine the buffer lag-behind. See the FortiAnalyzer CLI Reference.

Log forwarding buffer

Log forwarding buffer

When log forwarding is configured, FortiAnalyzer reserves space on the system disk as a buffer between the fortilogd and logfwd daemons. In the event of a connection failure between the log forwarding client and server (network jams, dropped connections, etc.), logs are cached as long as space remains available. When storage space is exceeded, older logs are deleted in favor of new logs.

The default log forward buffer size is 30% of the system reserved disk size, and can be increased to use up to 80% of the available reserved disk. Additional storage space is available by using the disk space reserved for ADOMs. When configuring the log forward buffer size above 80% of the reserved disk size, the space available for ADOMs is reduced.

For example, in a scenario where the FortiAnalyzer has a total disk size of 275 GB for the entire system, with a system reserved disk size of 50 GB and an ADOM disk space of 50 GB, the log forwarding buffer can be configured up to a maximum of 90 GB (80% of the 50 GB reserved disk size = 40 GB + 50 GB disk reserved for ADOMs = 90 GB total).

The size of the system reserved disk varies by platform and total available storage. See Disk space allocation.

Caution

The log forward buffer is shared between fortilogd for all logfwd servers.

When changes are made to the log forward cache size, each server individually resets the log reading position to the latest one, and all logs currently in the log-forward disk cache are dropped.

To change the log forward cache size:
  1. In the FortiAnalyzer CLI, enter the following commands:

    config system global (global)#

    set log-forward-cache-size [number (GB)]

  2. When prompted, enter Y to confirm the change.
  • When entering a number outside of the valid cache size range, an error with the valid range is displayed.
  • When entering a number that uses storage from both the reserved disk size and available ADOM disk, a message displays to indicate that the cache will be allocated from the available disk quota and reserved space.

    (global)# set log-forward-cache-size 50

    Log-forward disk cache will be allocated from available disk quota and reserved space.

    All logs currently in log-forward disk cache will be dropped.

    Do you want to continue? (y/n)

Note

The diagnose test application logfwd 3 CLI command can be used to display log positions for the last log buffered and last log sent, as well as determine the buffer lag-behind. See the FortiAnalyzer CLI Reference.