Log forwarding buffer cache size allocation
In the event of an abrupt disconnection between your FortiAnalyzer (either on-premise or FortiAnalyzer Cloud) and SOCaaS, it is recommended that you configure a log buffer cache size which can accommodate 24 hours of logs in your FortiAnalyzer device.
For more information on log forwarding buffers and how log forwarding space allocation works, see the FortiAnalyzer Administration Guide.
|
In cases where the FortiAnalyzer does not have storage available for storing logs for 24 hours in the buffer cache and a lesser amount of disk space is allocated, logs will only be cached for the amount of time allowed based on the cache size available. Logs exceeding the available cache storage time are dropped. |
The following formula can be used to calculate the log forwarding buffer cache size required for 24 hours:
Average Lograte * 200 * seconds in 1 day (86400) * 1.2 = Cache Size logfwd
Determining the average log rate
The average log rate is the average logs received on your FortiAnalyzer device for 24 hours.
To retrieve average log rate data for your FortiAnalyzer:
- Navigate to the Insert Rate vs. Receive Rate graph on FortiAnalyzer.
- In FortiAnalyzer 7.4.0 and later the graph is available on the Dashboard.
- In earlier versions, the graph is available in System Settings > Dashboard.
- In the Insert Rate vs. Receive Rate graph, select Settings and configure the Time Period as Last 24 Hours, and click OK.
- View the graph details, and use the peak log rate as the number for the average lograte count. In the example below, the peak lograte is 80,000.
Examples
The following table provides three example scenarios for calculating the log forwarding buffer cache size for a small, medium, and enterprise business:
|
Customer size |
Average log rate |
Calculation |
Buffer cache size |
|---|---|---|---|
|
Small |
100 logs/sec | 100 * 200 * 86400 * 1.2
|
2GB |
|
Medium |
1000 logs/sec | 1000 * 200 * 86400 * 1.2
|
20GB |
|
Enterprise |
10000 logs/sec | 10000 * 200 * 86400 * 1.2
|
200GB |