Log arrays
Log arrays support group-based access to logs and reports. They also allow you to manage log data belonging to FortiGate HA clusters from a single device object. You can add VDOMs from a single device to different log arrays, and configure and schedule reports for each log array.
| Both the device disk log quota and the log array disk log quota are enforced. The device disk log quota includes all log files, all archive files, and database space for logs on the device. The log array disk log quota includes database space used by log array tables. The device disk log quota no longer applies when it is added to a log array. |
After creating a log array, only new logs will be populated into this array. Older logs will remain on the device. To collect older logs, you will need to build the array database. Use the following CLI command to build the array database:
execute sql-local rebuild-device <log array device ID>
The SQL logs for the members of the log array will be rebuilt. To verify that the array rebuild was successful, select the Log View tab to view the log array and logs.
| Executing this command will not reboot the FortiAnalyzer device. |
| Fortinet recommends configuring log arrays prior to deploying the FortiAnalyzer into production. When adding and deleting log arrays, you will need to rebuild the database to view older logs. |
To create a new log array:
1. In the Device Manager tab, right-click on All Log Arrays in the tree menu, and under the Log Array heading select Add in the right-click menu.
The Create Log Array window opens.
2. Configure the following settings:
Name | The name of the log array. |
Description | Descriptive information about the log array. |
Disk Log Quota (MB) | Enter the disk log quota in MB. |
When Allocated Disk Space is Full | Select to overwrite the oldest logs or to stop logging when the allocated disk space is full. |
Devices | Select the plus (+) sign to add devices or VDOMs to the log array. Each device can only belong to one log array. If the device you want to add is currently assigned to another log array, you must first remove the device from the other log array. You can add VDOMs from a single device to different log arrays. Select OK in the pop-up dialog box once you have selected all of the devices an VDOMs that you would like to add to the log array. |
3. Select OK to save the log array configuration.
4. You will be prompted to rebuild the log array.
5. Select to rebuild the log array now or at a later date. To view older logs they will need to be re-indexed.
To edit a log array:
1. In the Device Manager tab, select All Log Arrays from the navigation tree.
2. In the right content pane, right-click the log array you would like to edit and select Edit in the right-click menu.
3. Edit the settings as required.
4. Select OK to save the changes.
To rebuild a log array:
1. In the Device Manager tab, select All Log Arrays from the navigation tree.
2. In the right content pane, right-click the log array you would like to rebuild and select Rebuild in the right-click menu.
The Rebuild Log Array dialog box opens.
3. Select Rebuild Now to continue.
To delete a log array:
1. In the Device Manager tab, select All Log Arrays from the navigation tree.
2. In the right content pane, right-click the log array you would like to delete and select Delete in the right-click menu.
3. Select OK in the confirmation window to delete the log array.
.