Fortinet black logo

Administration Guide

Analytics and Archive logs

Analytics and Archive logs

Logs in FortiAnalyzer are in one of the following phases. Use a data policy to control how long to retain Analytics and Archive logs.

  • Real-time log: Log entries that have just arrived and have not been added to the SQL database, i.e., have not been rolled.
  • Analytics logs or historical logs: Indexed in the SQL database and online.
  • Archive logs: Compressed on hard disks and offline.

In the indexed phase, logs are indexed in the SQL database for a specified length of time for the purpose of analysis. Logs in the indexed phase in the SQL database are considered online and you can view details about these logs in SOC > FortiView, Log View, and Incidents & Events panes. You can also generate reports about the logs in the Reports pane.

In the compressed phase, logs are compressed and archived in FortiAnalyzer disks for a specified length of time for the purpose of retention. Logs in the compressed phase are considered offline and you cannot immediately view details about these logs in the SOC > FortiView, Log View, and Incidents & Events panes. You also cannot generate reports about the logs in the Reports pane.

Analytics and Archive logs

Logs in FortiAnalyzer are in one of the following phases. Use a data policy to control how long to retain Analytics and Archive logs.

  • Real-time log: Log entries that have just arrived and have not been added to the SQL database, i.e., have not been rolled.
  • Analytics logs or historical logs: Indexed in the SQL database and online.
  • Archive logs: Compressed on hard disks and offline.

In the indexed phase, logs are indexed in the SQL database for a specified length of time for the purpose of analysis. Logs in the indexed phase in the SQL database are considered online and you can view details about these logs in SOC > FortiView, Log View, and Incidents & Events panes. You can also generate reports about the logs in the Reports pane.

In the compressed phase, logs are compressed and archived in FortiAnalyzer disks for a specified length of time for the purpose of retention. Logs in the compressed phase are considered offline and you cannot immediately view details about these logs in the SOC > FortiView, Log View, and Incidents & Events panes. You also cannot generate reports about the logs in the Reports pane.