FortiGates with an SSD disk have a configurable log buffer. When FortiAnalyzer is unreachable, the FortiGate can buffer logs on disk once the memory log buffer is full. The logs queued in the disk buffer are sent once the connection to FortiAnalyzer is restored.
The number of logs queued on the disk buffer is visible in the Log & Report > Log Settings page:
The queued logs are buffered to memory first, and then to disk. Main miglogd handles the disk buffering job, while miglogd-children handles the memory buffering. Disk buffer statistics only appear under Main miglogd, and memory buffer statistics only appear under miglogd-children. If the total buffer is full, new logs will overwrite the old logs.
- Allocate disk space (MB) to temporarily store logs to FortiAnalyzer:
    config system global
        set faz-disk-buffer-size 200
    end
- Check the miglogd-children statistics. The 200 MB disk buffer has been set, and there are currently no logs buffered in memory or on disk when FortiAnalyzer is reachable:
    # diagnose test application miglogd 41 0
    cache maximum: 106100940(101MB) objects: 0 used: 0(0MB) allocated: 0(0MB)
    VDOM:root
    Queue for: global-faz
    memory queue:
        num:0 size:0(0MB) max:101906636(97MB) logs:0
    disk max queue size:200MB total:0MB totol items:0
    disk queue agents:
        devid:-1-10-0-1 buffer path:/var/log/qbuf/10.0/1
        saved size:0MB cached size:0
        save roll:0 restore roll:0 restore id:0 space:0MB

    # diagnose test application miglogd 41 1
    cache maximum: 106100940(101MB) objects: 0 used: 0(0MB) allocated: 0(0MB)
    VDOM:root
    Queue for: global-faz
    memory queue:
        num:0 size:0(0MB) max:101906636(97MB) logs:0
    disk queue client: dev
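Because new logs overwrite old ones once the total buffer is full, the queue counters in this output are worth watching while FortiAnalyzer is unreachable. The following Python is an added example, not part of the original page or of any Fortinet tooling: it parses the `memory queue` and `disk max queue size` lines in the format shown above and flags a backlog. The function names, the 80% threshold, and the `BACKLOG` sample are assumptions made for illustration.

```python
import re

# Field layout taken from the `diagnose test application miglogd 41 <n>` output
# shown on this page; "totol" is the spelling that output uses.
MEM_RE = re.compile(
    r"memory queue:\s*num:(\d+)\s+size:(\d+)\(\d+MB\)\s+max:(\d+)\(\d+MB\)\s+logs:(\d+)")
DISK_RE = re.compile(
    r"disk max queue size:(\d+)MB\s+total:(\d+)MB\s+tot[oa]l items:(\d+)")


def parse_queue_stats(text):
    """Return memory/disk queue counters; a section missing from the output is None."""
    stats = {"memory": None, "disk": None}
    m = MEM_RE.search(text)
    if m:
        num, size, cap, logs = map(int, m.groups())
        stats["memory"] = {"num": num, "size": size, "max": cap, "logs": logs}
    d = DISK_RE.search(text)
    if d:
        cap_mb, total_mb, items = map(int, d.groups())
        stats["disk"] = {"max_mb": cap_mb, "total_mb": total_mb, "items": items}
    return stats


def buffer_alerts(stats, threshold=0.8):  # threshold is a hypothetical alerting level
    """Flag queued logs and queues nearing the point where old logs are overwritten."""
    alerts = []
    mem, disk = stats["memory"], stats["disk"]
    if mem and mem["max"] and mem["size"] / mem["max"] >= threshold:
        alerts.append("memory queue at %d%% of max" % (100 * mem["size"] // mem["max"]))
    if disk and disk["items"] > 0:
        alerts.append("%d items queued on disk, waiting for FortiAnalyzer" % disk["items"])
    if disk and disk["max_mb"] and disk["total_mb"] / disk["max_mb"] >= threshold:
        alerts.append("disk queue at %d%% of %dMB: overwrite risk"
                      % (100 * disk["total_mb"] // disk["max_mb"], disk["max_mb"]))
    return alerts


# Idle counters copied from the page (FortiAnalyzer reachable).
IDLE = ("memory queue: num:0 size:0(0MB) max:101906636(97MB) logs:0 "
        "disk max queue size:200MB total:0MB totol items:0")
# Constructed sample, not from the page: FortiAnalyzer unreachable, buffers filling.
BACKLOG = ("memory queue:\n num:412 size:96000000(91MB) max:101906636(97MB) logs:51200\n"
           "disk max queue size:200MB total:170MB totol items:85")

if __name__ == "__main__":
    for name, out in (("idle", IDLE), ("backlog", BACKLOG)):
        print(name, buffer_alerts(parse_queue_stats(out)))
```

The CLI output has to be collected separately (for example over an existing management session) and passed in as text; the parser accepts both the flattened and the line-broken form of the output.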