Configure Log Storage (Disk, FortiAnalyzer, Cloud)
FortiGate can store logs in multiple places simultaneously — local disk, FortiAnalyzer, FortiCloud, syslog server, memory only. Each has tradeoffs.
Storage Options
| Destination | Retention | Searchability | Cost | When to use |
|---|---|---|---|---|
| Memory | Volatile (cleared on reboot) | Fast | Free | Only for testing |
| Local Disk | Days-weeks | Native FortiGate GUI | Free | Small deployments |
| FortiAnalyzer | Years | Best — single pane for fleet | Hardware/VM cost | Multi-site or compliance |
| FortiCloud | Pay-tier | Good | Subscription | When you don't want to host |
| Syslog server | Whatever you build | Depends on collector (Splunk, ELK, Loki) | Self-hosted infra | Already have SIEM |
Most installs send to:
- Disk (for the local GUI's Forward Traffic view), AND
- FortiAnalyzer or syslog (for retention).
Steps
Disk logging (default)
- Log & Report → Log Settings.
- Local Log → Disk → Enable.
- Set:
  - Log Quota: cap disk usage.
  - Days to Keep: retention (default 7).
- Apply.
Send to FortiAnalyzer
See Send Logs to FortiAnalyzer.
Send to FortiCloud
Send to Syslog
See Send Logs to a Syslog Server.
CLI Equivalent
```
config log disk setting
    set status enable
    set maximum-log-age 7
    set diskfull overwrite
end
```
Log Levels
For each destination:
- emergency: system unusable.
- alert: immediate action needed.
- critical: critical conditions.
- error: error conditions.
- warning: warning conditions.
- notification: normal but significant.
- information: informational (most traffic logs here).
- debug: detailed debug (high volume).
The default is information. In noisy environments, raise the threshold to a more severe level so that fewer messages are logged.
Common Issues
- Disk fills up. Reduce retention OR offload to FortiAnalyzer.
- Logs delayed. FortiAnalyzer is reachable but slow; check the network or upgrade FortiAnalyzer.
- Some logs missing on FortiAnalyzer. Per-category logging is not configured. Check config log fortianalyzer filter.
- Log level too verbose. Set to debug accidentally; tons of useless output. Set back to information.
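The storage tradeoffs and common issues above can be checked against a saved configuration. The following Python audit is an added example, not part of the original page or any Fortinet tool. Assumptions: the function names are hypothetical, the sample config is constructed, filter blocks carry a `severity` key, and the `fortiguard` log block is the FortiCloud destination.

```python
import re
OFFBOX = ("fortianalyzer", "syslogd", "fortiguard")  # assumed: fortiguard block = FortiCloud

def parse_log_blocks(text):
    """Map (destination, kind) -> {key: value} from each block's top-level 'set' lines."""
    blocks, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if current is None:
            if m := re.fullmatch(r"config log (\S+) (setting|filter)", line):
                current, depth = blocks.setdefault(m.groups(), {}), 0
        elif line.startswith("config "):
            depth += 1  # nested sub-table: skip its contents
        elif line == "end":
            current = current if depth else None  # only the outer 'end' closes the block
            depth = max(depth - 1, 0)
        elif depth == 0 and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip().strip('"')
    return blocks

def audit(text):
    """Return findings for the failure modes this page names."""
    blocks = parse_log_blocks(text)
    enabled = {d for (d, k), kv in blocks.items() if k == "setting" and kv.get("status") == "enable"}
    findings = []
    if enabled == {"memory"}:
        findings.append("memory-only: logs are cleared on reboot")
    if not any(d.startswith(OFFBOX) for d in enabled):
        findings.append("no-offbox: no FortiAnalyzer, FortiCloud or syslog copy")
        if "disk" in enabled and blocks[("disk", "setting")].get("diskfull") == "overwrite":
            findings.append("disk-overwrite: a full disk overwrites the only copy")
    for (dest, kind), kv in sorted(blocks.items()):
        if kind == "filter" and dest in enabled and kv.get("severity") == "debug":
            findings.append(f"debug-severity: {dest} logs at debug (high volume)")
    return findings

# Constructed sample config, not taken from a real device.
SAMPLE = """config log disk setting
    set status enable
    set diskfull overwrite
end
config log disk filter
    set severity debug
end
config log fortianalyzer setting
    set status disable
end
"""
```

Calling `audit(SAMPLE)` returns three findings: no off-box copy, disk overwrite of the only copy, and debug severity on the disk filter.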