Administration Guide

Automatic deletion

Logs and files are automatically deleted from the FortiAnalyzer unit according to the following settings:

  • Global automatic file deletion

    File management settings specify when to delete the oldest Archive logs, quarantined files, reports, and archived files from disks, regardless of the log storage settings. For more information, see File Management.

  • Data policy

    Data policies specify how long to store Analytics and Archive logs for each device. When the specified length of time expires, Archive logs for the device are automatically deleted from the FortiAnalyzer device's disks.

  • Disk utilization

    Disk utilization settings delete the oldest Archive logs for each device when the allotted disk space is filled. The allotted disk space is defined by the log storage settings. Alerts warn you when the disk space usage reaches a configured percentage.

    When log trimming is performed by disk quota enforcement, tables from both the SQL and SIEM databases are considered together, and the oldest table, identified by the timestamp of logs inside, is trimmed. The process repeats until the quota is within the defined threshold. The SIEM database is always partitioned by day, whereas the size of the SQL database partition can be configured in FortiAnalyzer settings. For information on SIEM logs, see Types of logs collected for each device.

All deletion policies are active on the FortiAnalyzer unit at all times, so configure each policy carefully. For example, if the disk utilization policy for a device hits its threshold before the global automatic file deletion policy for the FortiAnalyzer unit does, Archive logs for the affected device are automatically deleted. Conversely, if the global automatic file deletion policy hits its threshold first, the oldest Archive logs on the FortiAnalyzer unit are automatically deleted regardless of the log storage settings associated with the device.
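The following is an added illustration, not FortiAnalyzer code: a small model of how the three policies described above interact on a set of log partitions, including the quota trimming rule (SQL and SIEM partitions pooled per device, oldest by log timestamp dropped first, repeated until usage is within the threshold). The partition list, the device names, and the retention, age, quota and threshold values are constructed sample inputs.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Partition:
    db: str        # "sql" or "siem" (SIEM partitions are always one day)
    device: str
    oldest: date   # timestamp of the oldest log inside the partition
    size_mb: int

def plan_deletions(parts, today, global_max_age_days, retention_days, quota_mb, trim_to_pct):
    """Return (deleted, kept); deleted is a list of (reason, Partition).
    retention_days and quota_mb are dicts keyed by device name (assumed layout)."""
    deleted, kept = [], []
    for p in sorted(parts, key=lambda p: p.oldest):
        age = (today - p.oldest).days
        if age > global_max_age_days:
            # 1. Global automatic file deletion: applies regardless of device settings.
            deleted.append(("global-file-deletion", p))
        elif age > retention_days[p.device]:
            # 2. Data policy: the device's retention period has expired.
            deleted.append(("data-policy", p))
        else:
            kept.append(p)
    # 3. Disk utilization: per device, pool SQL and SIEM partitions and drop the
    #    oldest until usage is at or below trim_to_pct of the device's quota.
    for dev in sorted({p.device for p in kept}):
        pool = sorted((p for p in kept if p.device == dev), key=lambda p: p.oldest)
        if sum(p.size_mb for p in pool) <= quota_mb[dev]:
            continue  # allotted space not yet filled; nothing to trim
        limit = quota_mb[dev] * trim_to_pct / 100
        while pool and sum(p.size_mb for p in pool) > limit:
            victim = pool.pop(0)
            kept.remove(victim)
            deleted.append(("disk-quota", victim))
    return deleted, kept

SAMPLE = [  # constructed sample partitions, not real FortiAnalyzer data
    Partition("siem", "FGT-A", date(2023, 6, 1), 10),
    Partition("sql", "FGT-A", date(2024, 5, 20), 20),
    Partition("sql", "FGT-A", date(2024, 6, 1), 40),
    Partition("siem", "FGT-A", date(2024, 6, 10), 30),
    Partition("sql", "FGT-A", date(2024, 6, 20), 30),
    Partition("siem", "FGT-A", date(2024, 6, 29), 20),
    Partition("sql", "FGT-B", date(2024, 6, 15), 50),
]

def demo():
    # 365-day global age limit, 30/90-day data policies, 100 MB per-device quota, trim to 80 %
    return plan_deletions(SAMPLE, date(2024, 6, 30), 365,
                          {"FGT-A": 30, "FGT-B": 90}, {"FGT-A": 100, "FGT-B": 100}, 80)

if __name__ == "__main__":
    for reason, p in demo()[0]:
        print(f"{reason:21} {p.device} {p.db} {p.oldest} {p.size_mb} MB")
```

Running it shows one partition removed by each policy for FGT-A, while FGT-B, which is within both its retention period and its quota, loses nothing.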

The following table summarizes the automatic deletion policies:

  • Global automatic file deletion

    Scope: All logs, files, and reports on the system

    Trigger: When the specified length of time expires, old files are automatically deleted. This policy applies to all files in the system regardless of the data policy settings associated with devices.

  • Data policy

    Scope: Logs for the device with which the data policy is associated

    Trigger: When the specified length of retention time expires, old Archive logs for the device are deleted. This policy affects only Archive logs for the device with which the data policy is associated.

  • Disk utilization

    Scope: Logs for the device with which the log storage settings are associated

    Trigger: When the specified threshold is reached for the allotted amount of disk space for the device, the oldest Archive logs are deleted for the device. This policy affects only Archive logs for the device with which the log storage settings are associated.
