The FortiAnalyzer allows you to log system events to disk. You can control device log file size and the use of the FortiAnalyzer unit's disk space by configuring log rolling and scheduled uploads to a server.
As the FortiAnalyzer unit receives new log items, it performs the following tasks:
- Verifies whether the log file has exceeded its file size limit.
- Checks to see if it is time to roll the log file if the file size is not exceeded.
When a current log file (
tlog.log) reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer unit rolls the active log file by renaming the file. The file name will be in the form of
xlog.N.log (for example,
x is a letter indicating the log type and
N is a unique number corresponding to the time the first log entry was received. The file modification time will match the time when the last log was received in the log file.
Once the current log file is rolled into a numbered log file, it will not be changed. New logs will be stored in the new current log called
tlog.log. If log uploading is enabled, once logs are uploaded to the remote server or downloaded via the GUI, they are in the following format:
If you have enabled log uploading, you can choose to automatically delete the rolled log file after uploading, thereby freeing the amount of disk space used by rolled log files. If the log upload fails, such as when the FTP server is unavailable, the logs are uploaded during the next scheduled upload.
Log rolling and uploading can be enabled and configured using the GUI or CLI.
This pane is only available when the FortiAnalyzer features are manually enabled. For more information, see FortiAnalyzer Features.