Configuring Attack Log purge settings

The attack log retains 1 million entries by default but can be increased to a maximum of 2 million entries.

When the attack log fills, it stops logging unless Automatic Purge is enabled (the default), in which case it automatically removes (purges) 200,000 entries. Entries are selected oldest first; when a Purge Drop Count threshold is set, the oldest entries with drop counts below that threshold are removed before the rest. You can also purge entries manually by date range.

An event log is created for automatic or manual purges.

If you would like to retain more than the maximum number of log entries, you can:

  1. Use an external syslog server (recommended); see Configuring remote log server settings for DDoS attack log.
  2. Download logs from the Log & Report > LOG ACCESS: Logs > DDoS Attack log page. Note that at most 100,000 displayed logs are downloaded at a time, so filter by date to retrieve the oldest logs before they are purged.

Before you begin:

  • You must have Read-Write permission for Log & Report settings.

To configure purge settings:
  1. Go to Log & Report > Log Configuration > Log Purge Settings.
  2. Complete the configuration as described in the table below.
  3. Save the configuration.

Attack Log purge settings configuration guidelines

Setting / Guidelines

Automatic Purge
  Select to automatically purge Attack Logs after the maximum number of entries is reached.
  NOTE: If this is disabled, logging stops when the log reaches the Purge Watermark below.

Purge Watermark (in Entries)
  Purge the earliest Attack Logs when this threshold is reached. The default is 1,000,000 entries. Maximum is 2,000,000.

Purge Drop Count
  Purge the oldest logs whose drop counts are under the entered threshold. The default threshold is 1, which purges logs from oldest to newest until 200,000 have been removed.
  Setting this threshold to 5000, for example, first purges the oldest logs with fewer than 5000 drops. If that does not remove 200,000 logs, the remaining logs are purged from oldest to newest until 200,000 have been removed.

Manual Purge
  Select to purge entries logged during the specified date period.

Start Date / End Date
  Specify the period when purging logs manually. The period begins at 0:00 on the start date and ends at 23:59 on the end date.
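To make the interaction of these settings concrete, the following Python model implements the rules documented above: logging stops at the watermark unless Automatic Purge is on, an automatic purge removes 200,000 entries in two passes (oldest entries below the Purge Drop Count threshold first, then the remaining oldest entries), and a manual purge covers whole days inclusive. This is an added illustration written for this page, not FortiDDoS code; the entry records, drop counts and timestamps are constructed sample data, and the walkthrough shrinks the watermark and batch size so the page's 5000-drop example can be traced entry by entry.

```python
"""Model of the attack-log purge rules described on this page.

Added illustration, not appliance code. Field names mirror the GUI settings;
entries, drop counts and timestamps are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, datetime

MAX_WATERMARK = 2_000_000   # maximum purge-watermark (from the page)
PURGE_BATCH = 200_000       # entries removed per automatic purge (from the page)


@dataclass
class Entry:
    seq: int          # insertion order; lower means older
    ts: datetime      # time the event was logged
    drops: int        # packets dropped for the event


@dataclass
class AttackLog:
    watermark: int = 1_000_000      # Purge Watermark (default)
    auto_purge: bool = True         # Automatic Purge (default enabled)
    drop_threshold: int = 1         # Purge Drop Count (default 1)
    purge_batch: int = PURGE_BATCH  # overridable so small examples run quickly
    entries: list = field(default_factory=list)
    events: list = field(default_factory=list)   # event log written on each purge
    _next_seq: int = 0

    def __post_init__(self):
        if not 1 <= self.watermark <= MAX_WATERMARK:
            raise ValueError(f"purge-watermark must be 1..{MAX_WATERMARK}")

    def append(self, ts, drops):
        """Log one event; False means the log is full and logging has stopped."""
        if len(self.entries) >= self.watermark:
            if not self.auto_purge:
                return False
            self.automatic_purge()
        self.entries.append(Entry(self._next_seq, ts, drops))
        self._next_seq += 1
        return True

    def automatic_purge(self):
        """Pass 1: oldest entries with drops below the threshold.
        Pass 2: remaining oldest entries until purge_batch are gone."""
        removed, survivors = 0, []
        for e in self.entries:  # oldest first
            if removed < self.purge_batch and e.drops < self.drop_threshold:
                removed += 1
            else:
                survivors.append(e)
        shortfall = min(self.purge_batch - removed, len(survivors))
        self.entries = survivors[shortfall:]  # order preserved
        removed += shortfall
        self.events.append(f"automatic purge removed {removed} entries")
        return removed

    def manual_purge(self, start, end):
        """Remove entries logged from 0:00 on start through 23:59 on end."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if not start <= e.ts.date() <= end]
        removed = before - len(self.entries)
        self.events.append(f"manual purge {start}..{end} removed {removed} entries")
        return removed

    def seqs(self):
        return [e.seq for e in self.entries]


def walkthrough():
    """Run the page's scenarios on a 10-entry log that purges 4 entries at a time."""
    day = datetime(2024, 3, 1)  # constructed timestamps
    drops = [100, 9000, 200, 8000, 300, 7000, 400, 6000, 500, 5500]
    results = {}
    for name, thr in (("thr5000", 5000), ("default", 1)):
        log = AttackLog(watermark=10, drop_threshold=thr, purge_batch=4)
        for d in drops:
            log.append(day, d)
        log.append(day, 42)   # 11th entry triggers the purge
        results[name] = log.seqs()
    # Only two low-drop entries: pass 1 removes seq 0 and 3, pass 2 removes seq 1 and 2.
    mixed = AttackLog(watermark=10, drop_threshold=5000, purge_batch=4)
    for d in [100, 9000, 9000, 200] + [9000] * 6:
        mixed.append(day, d)
    mixed.append(day, 42)
    results["mixed"] = mixed.seqs()
    # Automatic Purge disabled: the fourth event is refused once the watermark is hit.
    stopped = AttackLog(watermark=3, auto_purge=False)
    results["accepted"] = [stopped.append(day, 1) for _ in range(4)]
    # Manual purge by date range is inclusive of both days.
    manual = AttackLog()
    for ts in (datetime(2024, 3, 1, 23, 59), datetime(2024, 3, 2),
               datetime(2024, 3, 3, 23, 59), datetime(2024, 3, 4)):
        manual.append(ts, 10)
    results["manual"] = (manual.manual_purge(date(2024, 3, 2), date(2024, 3, 3)), manual.seqs())
    return results
```

With the 5000 threshold, the four low-drop entries (seq 0, 2, 4, 6) go first and the heavy events survive; with the default threshold of 1, no entry has fewer than 1 drop, so the purge is a plain oldest-first removal of seq 0 to 3. The "mixed" case shows the second pass topping up the batch when the threshold alone does not yield enough entries, which is the situation an operator should expect on a quiet box where most events are small.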

To configure with CLI (this example raises the watermark to its maximum of 2,000,000 entries):

  config ddos global attack-event-purge
    set purge-watermark 2000000
  end