Logs and files are stored on the FortiAnalyzer hard disks. Logs are also temporarily stored in the SQL database.
When a SIEM license is added, a SIEM database is created to store normalized Fabric logs.
When ADOMs are enabled, settings can be specified for each ADOM that apply only to the devices in it. When ADOMs are disabled, the settings apply to all managed devices.
Data policy and disk utilization settings for devices are collectively called log storage settings. Global log and file storage settings apply to all logs and files, regardless of log storage settings (see File Management). Both the global and log storage settings are always active.
The log rate and log volume per ADOM can be viewed through the CLI using the following commands: