Log buffer on FortiGates with an SSD disk

FortiGates with an SSD disk have a configurable log buffer. When the connection to FortiAnalyzer is unreachable, the FortiGate is able to buffer logs on disk if the memory log buffer is full. The logs queued on the disk buffer can be sent successfully once the connection to FortiAnalyzer is restored.

The number of logs queued on the disk buffer is visible in the Log & Report > Log Settings page:

The queued logs are buffered to the memory first and then disk. Main miglogd handles the disk buffering job, while miglogd-children handles the memory buffering. Disk buffer statistics only appear under Main miglogd, and memory buffer statistics only appears under miglogd-children. If the total buffer is full, new logs will overwrite the old logs.

To configure the log buffer:

1. Allocate disk space (MB) to temporarily store logs to FortiAnalyzer:

   config system global
       set faz-disk-buffer-size 200
   end

2. Check the Main miglogd and miglogd-children statistics. The 200 MB disk buffer has been set, and there are currently no logs buffered in memory or on disk when FortiAnalyzer is reachable:

   # diagnose test application miglogd 41 0
   cache maximum: 106100940(101MB) objects: 0 used: 0(0MB) allocated: 0(0MB)
   VDOM:root
   Queue for: global-faz
    
       memory queue:
           num:0 size:0(0MB) max:101906636(97MB) logs:0
    
       disk max queue size:200MB total:0MB
           totol items:0
           disk queue agents:
               devid:-1-10-0-1
               buffer path:/var/log/qbuf/10.0/1
               saved size:0MB cached size:0
               save roll:0 restore roll:0
               restore id:0 space:0MB
   
   # diagnose test application miglogd 41 1
   cache maximum: 106100940(101MB) objects: 0 used: 0(0MB) allocated: 0(0MB)
   VDOM:root
   Queue for: global-faz
    
       memory queue:
           num:0 size:0(0MB) max:101906636(97MB) logs:0
    
       disk queue client:
           dev