Fortinet white logo
Fortinet white logo

Handbook

Configuring Attack Log purge settings

Configuring Attack Log purge settings

The attack log retains 1 million entries by default but can be increased to a maximum of 2 million entries. When the attack log fills, it will automatically remove (purge) the oldest 200,000 entries. You can also purge entries manually by date range.

If you would like to retain more than the maximum number of log entries, you can:

  1. Use an external syslog server (recommended) - see Configuring remote log server settings for DDoS attack log
  2. Download logs from the Log & Report > LOG ACCESS: Logs > DDoS Attack log page. Note that a maximum of 100,000 displayed logs are downloaded. You can filter by date to obtain the oldest logs.

Before you begin:

  • You must have Read-Write permission for Log & Report settings.
To configure purge settings:
  1. Go to Log & Report > Log Configuration > Log Purge Settings.
  2. Complete the configuration as described in the table below.
  3. Save the configuration.

Attack Log purge settings configuration guidelines

Settings Guidelines
Automatic Purge Select to automatically purge Attack Logs after the max number of entries is reached.
Purge older events when the number of events is over Purge the earliest Attack Logs when this threshold is reached. The default is 1,000,000 entries.
Manual Purge Select to purge entries logged during the specified period.
Start Date / End Date Specify a period when purging logs manually. The period begins at 0:00 on the start date and ends at 23:59 on the end date.

To configure with CLI:

config ddos global attack-event-purge

set purge-watermark 2000000

end

Configuring Attack Log purge settings

Configuring Attack Log purge settings

The attack log retains 1 million entries by default but can be increased to a maximum of 2 million entries. When the attack log fills, it will automatically remove (purge) the oldest 200,000 entries. You can also purge entries manually by date range.

If you would like to retain more than the maximum number of log entries, you can:

  1. Use an external syslog server (recommended) - see Configuring remote log server settings for DDoS attack log
  2. Download logs from the Log & Report > LOG ACCESS: Logs > DDoS Attack log page. Note that a maximum of 100,000 displayed logs are downloaded. You can filter by date to obtain the oldest logs.

Before you begin:

  • You must have Read-Write permission for Log & Report settings.
To configure purge settings:
  1. Go to Log & Report > Log Configuration > Log Purge Settings.
  2. Complete the configuration as described in the table below.
  3. Save the configuration.

Attack Log purge settings configuration guidelines

Settings Guidelines
Automatic Purge Select to automatically purge Attack Logs after the max number of entries is reached.
Purge older events when the number of events is over Purge the earliest Attack Logs when this threshold is reached. The default is 1,000,000 entries.
Manual Purge Select to purge entries logged during the specified period.
Start Date / End Date Specify a period when purging logs manually. The period begins at 0:00 on the start date and ends at 23:59 on the end date.

To configure with CLI:

config ddos global attack-event-purge

set purge-watermark 2000000

end