This example illustrates how to set up FortiAnalyzer Analyzer and Collector modes and make them work together to increase the overall performance of log receiving, analysis, and reporting.
The types of logs forwarded are log files and log-related archive files.
FortiAnalyzer provides two operation modes: Analyzer and Collector. Analyzer mode is the default mode that supports the full FortiAnalyzer features, while the primary task of a Collector is receiving logs from connected devices and uploading the logs to an Analyzer. Instead of writing logs to the database, the Collector retains the logs in their original (binary) format and sends the logs to the Analyzer. The following table shows a comparison of the supported features of the Analyzer and Collector modes:
| Feature | Analyzer Mode | Collector Mode |
|---|---|---|
| FortiView | Yes | No |
| Event Monitor | Yes | No |
| Reports | Yes | No |
| Log View | Yes | Compressed logs only; indexed logs not available |
| Device Manager | Yes | Yes |
| System Settings | Yes | Yes |
In this example, Company A has a branch network with a FortiGate and a FortiAnalyzer 400E deployed in Collector mode. In its head office, Company A has another FortiGate and a FortiAnalyzer 3000D deployed in Analyzer mode. The Collector forwards the logs of the FortiGate in the remote branch to the Analyzer in the head office for data analysis and report generation. The Collector is also used to archive logs.
1. Setting up the Collector

Configure the operation mode. Go to System Settings > Dashboard. In the System Information widget, set Operation Mode to Collector.

Check the storage policy of the Collector. Go to Device Manager, and click the Storage Used tab in the quick status bar.

Configure the storage policy of the Collector. To edit the data policy when ADOMs are enabled: go to System Settings > All ADOMs and double-click the ADOM your Analyzer/Collector belongs to. On the Edit ADOM Storage Configurations page, edit the log storage policy. To edit the log storage settings when ADOMs are disabled: go to System Settings > Dashboard. In the System Information widget, click the edit icon for Log Storage Policy. In the Edit Log Storage Policy dialog box, change the settings.

A configuration example of the Collector storage policy

Note: For the Collector, you should allocate most of the disk space to compressed logs. Keep the compressed logs long enough to meet the regulatory requirements of your organization. After this initial configuration, monitor the storage usage and adjust it as you go.

Prepare an Analyzer administrator account with the Super_User profile. You can use the default admin account of the Analyzer, or create a custom administrator account on the Analyzer. The Collector needs the login credentials of this administrator account to authenticate to the Analyzer for log aggregation.

Configure log forwarding. Go to System Settings > Log Forwarding and click Create New. Set Name to a name you prefer. Set Server Type to FortiAnalyzer. Set Server IP to the IP address of the Analyzer to which this Collector will forward logs. Click Select Device and select the FortiGate device of the branch office.
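The same Collector-side log forwarding can be expressed in the FortiAnalyzer CLI; the block below is an added illustration, not from the original cookbook. The `config system log-forward` keys are as recalled from later FortiAnalyzer CLI references (`server-ip` became `server-addr` in newer releases) and should be checked against the 5.6.0 CLI reference; the server label, IP address, account name, password and device serial are placeholders.

```text
# Added example (not from the cookbook): Collector uploads logs and
# archive files to the head-office Analyzer, matching the GUI steps above.
# Values in <angle brackets> are placeholders to replace with your own.
config system log-forward
    edit 1
        # aggregation: upload stored logs plus archive files to another FortiAnalyzer
        set mode aggregation
        # assumed label for the head-office FortiAnalyzer 3000D
        set server-name "HQ-Analyzer"
        # Analyzer IP (use 'server-addr' on releases where 'server-ip' no longer exists)
        set server-ip <analyzer-ip>
        # Analyzer account with the Super_User profile prepared in the step above
        set agg-user <analyzer-admin>
        set agg-password <analyzer-admin-password>
        # archive types to upload along with the log files
        set agg-archive-types Web_Archive Email_Archive File_Transfer_Archive IM_Archive AV_Quarantine IPS_Packets
        # hour of day (0-23) at which the daily upload starts
        set agg-time 2
        # only the branch FortiGate chosen under Select Device is forwarded
        config device-filter
            edit 1
                set action include
                set device <branch-fortigate-serial>
            next
        end
    next
end
```

Confirm on the Analyzer afterwards that the named account logs in only from the Collector's address; a Super_User credential stored on the Collector is a high-value secret, so scope it to this purpose and rotate it with the same discipline as other administrative passwords.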

2. Setting up the Analyzer

Configure the operation mode. Go to System Settings > Dashboard. In the System Information widget, set Operation Mode to Analyzer.

Check and configure the storage policy of the Analyzer. See the corresponding instructions above for the Collector.

A configuration example of the Analyzer storage policy

Note: For the Analyzer, you should allocate most of the disk space to indexed logs.

Add the branch office FortiGate to the Analyzer. Go to Device Manager, and click Unregistered Device in the quick status bar. Select the FortiGate device, and click Add. In the Add Device dialog box, select the ADOM to which you want to add the FortiGate device (if ADOMs are disabled, select root), and give the device a name. Once the FortiGate device is added, you can see it under the Device Total tab.

4. Results

At this point, the Collector starts forwarding logs to the Analyzer. Log in to the Analyzer GUI and go to Log View. Select the branch office FortiGate from the device list, and select Real-time Log from the Tools drop-down. You will see real-time logs arriving from the branch office FortiGate.
The post FortiAnalyzer Analyzer-Collector Configuration for 5.6.0 and later appeared first on Fortinet Cookbook.