Configure Log Storage (Disk, FortiAnalyzer, Cloud)

FortiGate can store logs in multiple places simultaneously — local disk, FortiAnalyzer, FortiCloud, syslog server, memory only. Each has tradeoffs.

Storage Options

| Destination | Retention | Searchability | Cost | When to use |
|---|---|---|---|---|
| Memory | Volatile (cleared on reboot) | Fast | Free | Only for testing |
| Local Disk | Days-weeks | Native FortiGate GUI | Free | Small deployments |
| FortiAnalyzer | Years | Best — single pane for fleet | Hardware/VM cost | Multi-site or compliance |
| FortiCloud | Pay-tier | Good | Subscription | When you don't want to host |
| Syslog server | Whatever you build | Depends on collector (Splunk, ELK, Loki) | Self-hosted infra | Already have SIEM |

Most installs send to:

  • Disk (for the local GUI's Forward Traffic view), AND
  • FortiAnalyzer or syslog (for retention).

Steps

Disk logging (default)

  1. Log & Report → Log Settings.
  2. Local Log → Disk → Enable.
  3. Set:
    • Log Quota — cap disk usage.
    • Days to Keep — retention (default 7).
  4. Apply.

Send to FortiAnalyzer

See Send Logs to FortiAnalyzer.

Send to FortiCloud

See Send Logs to FortiCloud.

Send to Syslog

See Send Logs to a Syslog Server.

CLI Equivalent

config log disk setting
    set status enable
    set maximum-log-age 7
    set diskfull overwrite
end

Log Levels

For each destination:

  • emergency — system unusable.
  • alert — immediate action needed.
  • critical — critical conditions.
  • error — error conditions.
  • warning — warning conditions.
  • notification — normal but significant.
  • information — informational (most traffic logs here).
  • debug — detailed debug (high volume).

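Default is information. Set a higher severity (toward emergency) for noisy environments so fewer events are logged. Because most traffic logs are at information, any threshold above it drops them.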

Common Issues

  • Disk fills up. Reduce retention OR offload to FortiAnalyzer.
  • Logs delayed. FortiAnalyzer reachable but slow; check network or upgrade FortiAnalyzer.
  • Some logs missing on FortiAnalyzer. Per-category logging not configured. Check config log fortianalyzer filter.
  • Log level too verbose. Set to debug accidentally; tons of useless output. Set back to information.
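
The following added example (not part of the original page or of any Fortinet tooling) audits a FortiGate configuration backup for the problems described above: no off-box destination, disk overwrite with no off-box copy, and a filter left at debug. The sample config is constructed, the function names and finding strings are illustrative, and `fortiguard` and `syslogd` are the FortiOS block names for FortiCloud and syslog.

```python
import re

# Constructed sample of a FortiGate configuration backup (not from a real device).
SAMPLE = """\
config log disk setting
    set status enable
    set maximum-log-age 7
    set diskfull overwrite
end
config log disk filter
    set severity debug
end
config log fortianalyzer setting
    set status disable
end
"""
REMOTE = {"fortianalyzer", "fortiguard", "syslogd"}  # fortiguard block = FortiCloud

def parse_log_config(text):
    """Map (destination, 'setting'|'filter') -> {key: value} for `config log` blocks."""
    blocks, current, nested = {}, None, 0
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"config log (\S+) (setting|filter)", line)
        if current is None:
            if m:
                current, nested = blocks.setdefault(m.groups(), {}), 0
        elif line.startswith("config "):
            nested += 1              # sub-table inside the block; its lines are skipped
        elif line == "end":
            nested -= 1
            if nested < 0:           # this "end" closes the log block itself
                current = None
        elif nested == 0 and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip('"')
    return blocks

def audit(text):
    """Return findings for the destination and severity problems described above."""
    blocks, findings = parse_log_config(text), []
    enabled = {d for (d, kind), kv in blocks.items()
               if kind == "setting" and kv.get("status") == "enable"}
    if not enabled & REMOTE:
        findings.append("no off-box destination enabled")
        if blocks.get(("disk", "setting"), {}).get("diskfull") == "overwrite":
            findings.append("disk overwrites oldest logs with no off-box copy")
    findings += [f"{d} severity is debug (high volume)" for (d, kind), kv in blocks.items()
                 if kind == "filter" and kv.get("severity") == "debug"]
    return findings
```

Run `audit()` on the text of a saved backup. Settings left at their defaults may not appear in a backup, so a missing block is treated here as not enabled.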