How does disk quota work on FortiAnalyzer?
Let's discuss how data is structured, organized, and enforced on FAZ, shall we?
Seeing as we've been discussing FortiAnalyzer for the past few days, why don't we go ahead and dig deeper: let's explore disk quota workflows, safeguards, and space allocations.
Here's the dealio. A FortiAnalyzer device typically stores data in one or both of two forms:
- Archive Logs: These are compressed logs that live directly on FortiAnalyzer hard disks (or virtual disks in the case of VMs). For all intents and purposes, the data here is effectively "offline". These logs take up much less space but are not indexed or immediately searchable. If it helps, you can think of these as "cold storage" logs.
- Analytics Logs: These are log events that live in the SQL (PostgreSQL) database. The data stored here is readily available to administrators and can be quickly/easily searched. You can think of these as "hot storage" logs.
Keeping log data in the database incurs a higher storage footprint. According to Fortinet, the average indexed log entry consumes about 600 bytes. In contrast, a compressed archive log entry consumes about 80 bytes of disk space.
FortiAnalyzer sets aside a percentage of disk space for reserve purposes (system usage and unexpected quota overflow). That percentage varies depending on the size of the disk itself:
- "Small" (<500 GB) - 20% or 50 GB is reserved (whichever is smaller).
- "Medium" (500 GB - 1000 GB) - 15% or 100 GB is reserved (whichever is smaller).
- "Large" (1000 GB - 3000 GB) - 10% or 200 GB is reserved (whichever is smaller).
- "Very large" (3000 GB - 5000 GB) - 5% or 500 GB is reserved (whichever is smaller).
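The reserve tiers and per-event sizes above combine into a rough retention estimate. The following Python is an added example, not Fortinet code; the tier boundary handling, decimal gigabytes, the events-per-day input and the analytics/archive split (`analytics_share`) are assumptions made for illustration.

```python
# Reserve tiers from the list above: (upper bound GB, reserve percent, reserve cap GB).
# Assumption: each tier includes its lower bound and excludes its upper bound,
# except the last tier, which includes 5000 GB. No rule is listed above 5000 GB.
RESERVE_TIERS = [
    (500, 20, 50),     # "Small"
    (1000, 15, 100),   # "Medium"
    (3000, 10, 200),   # "Large"
    (5000, 5, 500),    # "Very large"
]
ANALYTICS_BYTES_PER_EVENT = 600  # average indexed (database) log entry
ARCHIVE_BYTES_PER_EVENT = 80     # average compressed archive log entry
BYTES_PER_GB = 10**9             # assumption: decimal gigabytes


def reserved_gb(disk_gb):
    """Return the reserved space in GB: percent of disk or the cap, whichever is smaller."""
    if disk_gb <= 0:
        raise ValueError("disk size must be positive")
    max_listed = RESERVE_TIERS[-1][0]
    for upper, percent, cap in RESERVE_TIERS:
        if disk_gb < upper or (upper == max_listed and disk_gb == upper):
            return min(disk_gb * percent / 100, cap)
    raise ValueError("no reserve rule listed for disks above 5000 GB")


def retention_days(disk_gb, events_per_day, analytics_share):
    """Estimate (analytics_days, archive_days) of logs that fit on the disk.

    analytics_share is a hypothetical planning input: the fraction of usable
    space given to the database, with the remainder given to archive logs.
    """
    if events_per_day <= 0:
        raise ValueError("events_per_day must be positive")
    if not 0 <= analytics_share <= 1:
        raise ValueError("analytics_share must be between 0 and 1")
    usable_bytes = (disk_gb - reserved_gb(disk_gb)) * BYTES_PER_GB
    analytics_bytes = usable_bytes * analytics_share
    archive_bytes = usable_bytes - analytics_bytes
    analytics_days = analytics_bytes / (events_per_day * ANALYTICS_BYTES_PER_EVENT)
    archive_days = archive_bytes / (events_per_day * ARCHIVE_BYTES_PER_EVENT)
    return analytics_days, archive_days


if __name__ == "__main__":
    # Constructed sample: 1000 GB disk, 10 million events per day, even split.
    hot, cold = retention_days(1000, 10_000_000, 0.5)
    print(f"reserve: {reserved_gb(1000):.0f} GB, analytics: {hot:.1f} days, archive: {cold:.1f} days")
```

Because both per-event sizes are averages, treat the result as a planning estimate and compare it against the usage the device actually reports.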
A report on disk log usage can be retrieved from the CLI via the following command: `# diagnose log device`
Still with me? Cool. There's one last part of this topic to go over... Disk quota enforcement is handled by a couple of different processes:
- logfiled - Think of this as the parent process. It monitors the sizes of log files, databases, and archive files, and it sends instructions/commands to other specialized processes/daemons to carry out. It runs its checks every two minutes.
- sqlplugind - This daemon specifically enforces the PostgreSQL database size.
- oftpd - This daemon specifically enforces the archive file size.