iyotov
Staff
Article Id 194365

Description

 

This article describes how to increase the disk space of FortiAnalyzer-VM and FortiManager-VM. The procedure requires a reboot but logs are preserved.
Increasing disk space using the same disk or an extra disk will not impact log storage. However, it is recommended to back up the logs before doing so.
 
ESXi is used as an example.  
 
Scope
 
FortiAnalyzer-VM and FortiManager-VM.


Solution

 

Method 1 - Add new virtual disks and extend the logical volume.

 

  1. In the vSphere client: Edit the FortiAnalyzer/FortiManager VM settings.

    Select 'Add'…
    Select 'Hard Disk' and select 'Next'.

 


Select 'Create a new virtual disk' in the Add Hardware dialog box.
 

Configure the disk size, provisioning type, and location. This depends on the deployment specifics.

Select 'Next' and wait until the task is completed.
 
 

Note:

Since the SQL database operations may consume a lot of disk time, it is recommended to locate the FortiAnalyzer disks on a datastore (physical drive or array) that is not shared with other disk-consuming VMs, in order to avoid performance issues.

Specify the Advanced Options if needed, or select 'Next' and 'Finish' in the next two dialog boxes.

 
  2. Run the following command in the FortiAnalyzer/FortiManager CLI:
 
execute lvm info
 
Notice that 200GB was added, so in this example Disk2 now shows 200GB 'Unused'. The output should look similar to:
 
execute lvm info
Disk1  :         Used       41GB
Disk2  :       Unused      200GB
Disk3  :  Unavailable        0GB
Disk4  :  Unavailable        0GB
Disk5  :  Unavailable        0GB
Disk6  :  Unavailable        0GB
Disk7  :  Unavailable        0GB
Disk8  :  Unavailable        0GB
Disk9  :  Unavailable        0GB
Disk10 :  Unavailable        0GB
Disk11 :  Unavailable        0GB
Disk12 :  Unavailable        0GB
 
Note:
 
FortiAnalyzer/FortiManager in late 6.4 and 7.x versions can have up to 15 (fifteen) total log disks added to a VM instance. Previous versions support fewer. The output of the command 'execute lvm info' also indicates the maximum supported number of log disks (i.e., 12 in the 6.2 example above).
 
  3. Use the following CLI command to extend the file system on the new disk.

exec lvm extend

This operation will need to reboot the system.

Do you want to continue? (y/n)y

 

Note:

Although the above prompt only mentions a reboot, FortiAnalyzer will first perform a file system check (FSCK). If no errors occur, it will proceed to resize the file system (RESIZE2FS). With large file systems, the file system check may take significantly longer than a simple reboot.

The output below (only visible via the ESXi virtual console) shows the two steps:

 

The system is going down NOW !!
Rescan disks...
    add new disk2: 200GB
Extend /dev/mdvg/mdlv...
Fsck /dev/mdvg/mdlv...
    Done, no error.
Resize2fs /dev/mdvg/mdlv...
Please stand by while rebooting the system.
[ 3698.432925]reboot: Restarting system

 
  4. After the reboot, the 200GB disk changes from 'Unused' to 'Used'. Run the command below again to confirm that the operation was successful:
 
execute lvm info
FortiAnalyzer # execute lvm info
Disk1  :         Used       41GB
Disk2  :         Used      200GB
Disk3  :  Unavailable        0GB
Disk4  :  Unavailable        0GB
Disk5  :  Unavailable        0GB
Disk6  :  Unavailable        0GB
Disk7  :  Unavailable        0GB
Disk8  :  Unavailable        0GB
Disk9  :  Unavailable        0GB
Disk10 :  Unavailable        0GB
Disk11 :  Unavailable        0GB
Disk12 :  Unavailable        0GB
 
 
Method 2 - Increase the size of already provisioned disks:
 

Before FortiAnalyzer/FortiManager 5.6.6 and 6.0.3, increasing the size of an already used virtual disk required a format in order to utilize the additional space.

As of FortiAnalyzer/FortiManager 5.6.6 and 6.0.3:

  • The command 'exec lvm extend' no longer requires the selection of specific virtual disks, but instead, it automatically extends the file system over the whole unused disk space. 
  • As part of the extension, it detects not only the unused new disks but also the expanded disk space on the already used disks.
  • Therefore, increasing the provisioned size of an already used virtual disk no longer requires a format.

 

The examples below are from VMware ESXi (vSphere) 6.7.0, but the process is similar for most hypervisor types.

 

  1. In the vSphere client, edit the FortiAnalyzer/FortiManager VM settings.



 

  2. Increase the size of Hard disk 2, Hard disk 3, etc. as required and select OK.
    Note that 'Hard disk 1' listed in vSphere is NOT the same as the 'disk 1' listed by the command 'execute lvm info'.
    Do not increase the size of 'Hard disk 1' unless explicitly instructed by Fortinet Technical Support.

  3. Use the CLI command below to confirm that the new disk size is correctly assigned (note that it says Disk1 in the output, but that is in fact disk2 of the VM):

 

exec lvm info
LVM Status: OK
LVM Size: 150GB
File System: ext4 147GB
Disk1 :         Used      150GB of 160GB
Disk2 :  Unavailable        0GB
Disk3 :  Unavailable        0GB
Disk4 :  Unavailable        0GB
Disk5 :  Unavailable        0GB
Disk6 :  Unavailable        0GB
Disk7 :  Unavailable        0GB
Disk8 :  Unavailable        0GB

 

  4. Use the CLI command below to extend the file system:

 

exec lvm extend

This operation will need to reboot the system.

Do you want to continue? (y/n)y

 

Note:

Although the above prompt only mentions a reboot, FortiAnalyzer will first perform a file system check (FSCK). If no errors occur, it will proceed to resize the file system (RESIZE2FS). With large file systems, the file system check may take significantly longer than a simple reboot.

The output below (only visible via the ESXi virtual console) shows the two steps:

 

The system is going down NOW !!
Rescan disks...
    extend disk1: 160GB
Extend /dev/mdvg/mdlv...
Fsck /dev/mdvg/mdlv...
    Done, no error.
Resize2fs /dev/mdvg/mdlv...
Please stand by while rebooting the system.
[5951271.416233] reboot: Restarting system

 

  5. Once the system reboots, confirm the new disk size:


exec lvm info
LVM Status: OK
LVM Size: 160GB
File System: ext4 156GB
Disk1 :         Used      160GB
Disk2 :  Unavailable        0GB
Disk3 :  Unavailable        0GB
Disk4 :  Unavailable        0GB
Disk5 :  Unavailable        0GB
Disk6 :  Unavailable        0GB
Disk7 :  Unavailable        0GB
Disk8 :  Unavailable        0GB

 
Note:
  • It is not possible to reduce the size of the LVM disk. The only way to do so is to back up the system config and logs and then proceed to format the disk.
  • The maximum size that can be used is limited by the file system type: The ext4 file system can support volumes with sizes up to 1 Exabyte (EB) (1,000 Terabytes = 10^18 Bytes) and files with sizes up to 16 Terabytes (TB).
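
The before/after checks in both methods can be scripted against saved 'execute lvm info' output. The following is an added example, not Fortinet code: the function names are hypothetical, and it assumes that a row such as 'Used 150GB of 160GB' means 150GB is already in the logical volume out of 160GB provisioned.

```python
import re

# One disk row, e.g. "Disk2  :  Unused  200GB" or "Disk1 :  Used  150GB of 160GB".
DISK_RE = re.compile(
    r"^Disk(\d+)\s*:\s*(Used|Unused|Unavailable)\s+(\d+)GB(?:\s+of\s+(\d+)GB)?$")

def parse_lvm_info(text):
    """Parse the disk rows of 'execute lvm info' into a list of dicts."""
    disks = []
    for line in text.splitlines():
        m = DISK_RE.match(line.strip())
        if not m:
            continue  # echoed command, prompt, LVM summary lines
        num, state, size, total = m.groups()
        disks.append({
            "disk": int(num),
            "state": state,
            # GB already part of the logical volume
            "in_lvm_gb": int(size) if state == "Used" else 0,
            # Assumption: "X of Y" means X GB in the LVM out of Y GB provisioned
            "provisioned_gb": int(total or size),
        })
    return disks

def pending_extension_gb(disks):
    """GB that 'exec lvm extend' has not yet absorbed (new or grown disks)."""
    return sum(d["provisioned_gb"] - d["in_lvm_gb"] for d in disks)

def extend_succeeded(before_text, after_text):
    """True if every GB provisioned before the reboot is in the LVM after it."""
    before, after = parse_lvm_info(before_text), parse_lvm_info(after_text)
    expected = sum(d["provisioned_gb"] for d in before)
    return (pending_extension_gb(after) == 0
            and sum(d["in_lvm_gb"] for d in after) == expected)

# Outputs abridged from the article (most Unavailable rows trimmed).
M1_BEFORE = "Disk1  :  Used   41GB\nDisk2  :  Unused  200GB\nDisk3  :  Unavailable  0GB"
M1_AFTER = "Disk1  :  Used   41GB\nDisk2  :  Used  200GB\nDisk3  :  Unavailable  0GB"
M2_BEFORE = "LVM Size: 150GB\nDisk1 :  Used  150GB of 160GB\nDisk2 :  Unavailable  0GB"
M2_AFTER = "LVM Size: 160GB\nDisk1 :  Used  160GB\nDisk2 :  Unavailable  0GB"

if __name__ == "__main__":
    for name, b, a in (("Method 1", M1_BEFORE, M1_AFTER), ("Method 2", M2_BEFORE, M2_AFTER)):
        print(name, "pending before:", pending_extension_gb(parse_lvm_info(b)), "GB;",
              "extend OK:", extend_succeeded(b, a))
```

A non-zero pending value after the reboot means the file system check or resize did not complete and the ESXi console output should be reviewed.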
 