Log forwarding buffer
When log forwarding is configured, FortiAnalyzer reserves space on the system disk as a buffer between the fortilogd and logfwd daemons. In the event of a connection failure between the log forwarding client and server (network jams, dropped connections, etc.), logs are cached as long as space remains available. When storage space is exceeded, older logs are deleted in favor of new logs.
The default log forward buffer size is 30% of the system reserved disk size, and it can be configured up to 80%. The system reserved disk size varies by platform and total available storage. See Disk space allocation on page 54.
For example, in a scenario where the FortiAnalyzer has a system reserved disk size of 50 GB, the default logfwd buffer is 15 GB (30% of 50 GB), and the maximum configurable size is 40 GB (80% of 50 GB).
The log forward buffer is shared by fortilogd across all logfwd servers.
When changes are made to the log forward cache size, each server individually resets the log reading position to the latest one, and all logs currently in the log-forward disk cache are dropped.
To change the log forward cache size:
- In the FortiAnalyzer CLI, enter the following commands:
    config system global
    (global)# set log-forward-cache-size [number (GB)]
- When prompted, enter Y to confirm the change.
Entering a number that is outside of the valid cache size range will cause the valid range to be displayed. For example:
    (global)# set log-forward-cache-size 360
    Cache size must be within the range between 1GB and 240GB
    node_check_object fail! for log-forward-cache-size 360
The diagnose test application 3 CLI command can be used to display log positions for the last log buffered and last log sent, as well as determine the buffer lag-behind. See the FortiAnalyzer CLI Reference.
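The sizing rules above (30% default, 80% maximum) determine how long a forwarding outage the buffer can absorb before older logs are deleted. The following is an added planning example, not Fortinet code: the function names, the ingest rate, the target outage window, the 1 GB lower bound (taken from the sample error message), and the assumption that buffered logs consume disk at the ingest rate are all assumptions.

```python
import math

DEFAULT_PCT = 30   # page: default buffer is 30% of the system reserved disk
MAX_PCT = 80       # page: configurable up to 80%
MIN_CACHE_GB = 1   # assumption: lower bound taken from the page's sample error message


def cache_limits(reserved_gb):
    """Return (default_gb, max_gb) for a given system reserved disk size."""
    return reserved_gb * DEFAULT_PCT / 100, reserved_gb * MAX_PCT / 100


def outage_hours(cache_gb, ingest_gb_per_hour):
    """Hours of forwarding outage absorbed before older logs start being deleted.

    Assumption: buffered logs consume disk at the measured ingest rate.
    """
    if ingest_gb_per_hour <= 0:
        raise ValueError("ingest rate must be positive")
    return cache_gb / ingest_gb_per_hour


def plan_cache_size(reserved_gb, ingest_gb_per_hour, target_outage_hours):
    """Pick a whole-GB cache size for a target outage window, clamped to the valid range."""
    default_gb, max_gb = cache_limits(reserved_gb)
    needed_gb = math.ceil(ingest_gb_per_hour * target_outage_hours)
    chosen_gb = min(max(needed_gb, MIN_CACHE_GB), math.floor(max_gb))
    return {
        "default_gb": default_gb,
        "max_gb": max_gb,
        "needed_gb": needed_gb,
        "chosen_gb": chosen_gb,
        # False means logs will be lost before the target window ends, even at the maximum.
        "target_met": chosen_gb >= needed_gb,
        "covered_hours": outage_hours(chosen_gb, ingest_gb_per_hour),
        "default_covered_hours": outage_hours(default_gb, ingest_gb_per_hour),
        # Applying this drops everything currently in the log-forward disk cache (see above).
        "command": f"set log-forward-cache-size {chosen_gb}",
    }


if __name__ == "__main__":
    # Constructed inputs: the page's 50 GB example, 0.5 GB/hour ingest, 48-hour target.
    for key, value in plan_cache_size(50, 0.5, 48).items():
        print(f"{key}: {value}")
```

When `target_met` is false, the maximum buffer still cannot cover the outage window, so log loss during a long disconnect has to be handled some other way than resizing the cache.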