This example illustrates how to set up FortiAnalyzer Analyzer and Collector modes and make them work together to increase the overall performance of log receiving, analysis, and reporting.
FortiAnalyzer provides two operation modes: Analyzer and Collector. Analyzer mode is the default and supports the full FortiAnalyzer feature set; a Collector's primary task is to receive logs from connected devices and upload them to an Analyzer. Instead of indexing logs into its database, the Collector retains them in their original (binary) format for uploading, so the indexing, analysis, and reporting work is done once, on the Analyzer. The following table compares the features supported in Analyzer and Collector modes:
| Feature | Analyzer Mode | Collector Mode |
|---|---|---|
| FortiView | Yes | No |
| Event Monitor | Yes | No |
| Reports | Yes | No |
| Log View | Yes | Compressed logs only; indexed logs not available |
| Device Manager | Yes | Yes |
| System Settings | Yes | Yes |
In this example, Company A has a remote branch network with a FortiGate unit and a FortiAnalyzer 400E deployed in Collector mode. In its head office, Company A has a FortiAnalyzer 3000D deployed in Analyzer mode, which analyzes the remote branch's FortiGate logs forwarded by the Collector and generates reports from them.
1. Checking and configuring the storage policy of the Analyzer-to-be and Collector-to-be

Before you configure the Analyzer and Collector, make sure the data policy and disk utilization policy on both the Analyzer-to-be and the Collector-to-be are appropriate and provide sufficient disk space for receiving and storing logs.

On both units, go to Device Manager and click the Storage Used tab on the quick status bar. Observe the storage usage pattern and trend, consider the storage need of this Analyzer-Collector scenario, and decide whether you need to adjust the data policy. Keep in mind that a Collector holds logs only in compressed form for upload, so its storage need is archive space, whereas the Analyzer must also hold the indexed logs it uses for FortiView, Event Monitor, and Reports.

To edit the data policy when ADOMs are enabled: go to System Settings > All ADOMs and double-click the ADOM to which your FortiAnalyzer Analyzer or Collector belongs. On the Edit ADOM Storage Configurations page that opens, edit the log storage policy.

To edit log storage settings when ADOMs are disabled: go to System Settings > Dashboard. In the System Information widget, click the edit icon for Log Storage Policy. In the Edit Log Storage Policy dialog box that opens, change the settings.

The screenshots accompanying this step show example storage configurations, with the recommended settings, for the Analyzer (top) and Collector (bottom) modes.
2. Setting up the Analyzer

Configure the Operation Mode. Go to System Settings > Dashboard. In the System Information widget, go to Operation Mode and select Analyzer.

Prepare an administrator account with the Super_User profile. You can use the default admin account, which is assigned the Super_User profile, or create a custom administrator account. The Collector will present this account's login credentials to authenticate to the Analyzer, and the Collector stores them in its log forwarding configuration, so a dedicated account whose password can be rotated independently of the admin account is the safer choice.

Add the FortiGate device to the Analyzer. Go to Device Manager and click Device Unregistered in the quick status bar. Select the FortiGate device and click Add. In the Add Device dialog box that opens, select the ADOM to which to add the FortiGate device (if ADOMs are disabled, select root) and give the device a name of your choice. Once the FortiGate device is added, it appears under the Device Total tab.

Make sure that the log aggregation service is enabled on the Analyzer. Go to System Settings > Dashboard and, in the CLI Console widget, enter the CLI commands that enable the aggregation service.

Make sure the interface that will receive logs allows aggregator access. Go to System Settings > Network. In the System Network Management Interface pane, select Aggregator under Administrative Access. Limit this to the interface the Collector actually reaches; the aggregator service does not need to be exposed on every interface.
3. Setting up the Collector

Configure the Operation Mode. Go to System Settings > Dashboard. In the System Information widget, go to Operation Mode and select Collector. Once the FortiAnalyzer unit is set to Collector mode, FortiView, Event Monitor, and Reports are disabled; only Device Manager, System Settings, and Log View remain available.

Configure Log Forwarding. Go to System Settings > Log Forwarding and click Create New. Set Server Name to a name of your choice. Set Remote Server Type to FortiAnalyzer. Set Server IP to the IP address of the Analyzer to which this Collector will forward logs. Click Select Device and select the FortiGate device. Select both Enable Real-time forwarding and Enable Log Aggregation. Provide the user name and password of the Analyzer administrator account prepared in step 2.

Note: With real-time forwarding enabled, the Collector forwards logs to the Analyzer as they arrive. With log aggregation enabled, the Collector uploads log archive files, which include DLP (data leak prevention) files, antivirus quarantine files, and IPS (intrusion prevention system) packet logs, to the Analyzer daily at the scheduled time.

The Log Forwarding menu is available by default. If System Settings > Log Forwarding does not appear in the GUI, you must enable it first: go to System Settings > Dashboard and, in the CLI Console widget, enter the CLI commands that enable log forwarding.
4. Results

At this point, the Collector starts forwarding logs to the Analyzer. Log in to the Analyzer GUI and go to Log View. Select the FortiGate device from the device list, and select Real-time Log from the Tools drop-down. You will see real-time logs flowing into the log message list. If no logs appear, confirm that the Analyzer interface facing the Collector has Aggregator enabled under Administrative Access, that the aggregation service is enabled, and that the credentials entered on the Collector match the Super_User account on the Analyzer.
The post FortiAnalyzer Analyzer-Collector configuration appeared first on Fortinet Cookbook.