FortiAnalyzer Analyzer-Collector Configuration for 5.6.0 and later


This example illustrates how to set up FortiAnalyzer Analyzer and Collector modes and make them work together to increase the overall performance of log receiving, analysis, and reporting.

The types of logs forwarded are: log files and log-related archive files.

FortiAnalyzer provides two operation modes: Analyzer and Collector. Analyzer mode is the default mode that supports the full FortiAnalyzer features, while the primary task of a Collector is receiving logs from connected devices and uploading the logs to an Analyzer. Instead of writing logs to the database, the Collector retains the logs in their original (binary) format and sends the logs to the Analyzer. The following table shows a comparison of the supported features of the Analyzer and Collector modes:

Feature            Analyzer Mode   Collector Mode
FortiView          Yes             No
Event Monitor      Yes             No
Reports            Yes             No
Log View           Yes             Compressed logs only; indexed logs not available
Device Manager     Yes             Yes
System Settings    Yes             Yes

In this example, Company A has a branch network with a FortiGate and a FortiAnalyzer 400E deployed in Collector mode. In its head office, Company A has another FortiGate and a FortiAnalyzer 3000D deployed in Analyzer mode. Collector mode forwards the FortiGate logs in the remote branch to the Analyzer in the head office for data analysis and report generation. The Collector will also be used to archive logs.

1. Setting up the Collector

Configure the Operation Mode.

Go to System Settings > Dashboard. In the System Information widget > Operation Mode > select Collector.


Check the storage policy of the Collector. 

Go to Device Manager, and click the Storage Used tab in the quick status bar.

Configure the storage policy of the Collector.

To edit the data policy when ADOMs are enabled:

Go to System Settings > All ADOMs, and double-click the ADOM your Analyzer/Collector belongs to.

On the Edit ADOM Storage Configurations page, edit the log storage policy.

To edit log storage settings when ADOMs are disabled:

Go to System Settings > Dashboard. In the System Information widget, click the edit icon for Log Storage Policy. In the Edit Log Storage Policy dialog box, change the settings. 


A configuration example of the Collector storage policy 

Note: For the Collector, you should allocate most of the disk space for compressed logs. You should keep the compressed logs long enough to meet the regulatory requirements of your organization. After this initial configuration, you can monitor the storage usage and adjust it as you go.

Prepare an Analyzer administrator account with a Super_User profile

You can use the default admin account of the Analyzer, or create a custom administrator account on the Analyzer. The Collector will need to provide the login credentials of this administrator account to get authenticated by the Analyzer for log aggregation.  

Configure log forwarding

Go to System Settings > Log Forwarding. Click Create New.

Set Name to a name you prefer. Set Server Type to FortiAnalyzer. Set Server IP to the IP address of the Analyzer to which this Collector will forward logs. Click Select Device and select the FortiGate device of the branch office.
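For administrators who script the Collector setup instead of clicking through the GUI, the following is an added CLI equivalent of the two Collector steps above (operation mode and log forwarding). It is not text from the original page. The command and attribute names are given from memory of the FortiAnalyzer CLI reference and must be checked against the CLI reference for the installed version; the IP address, account name and device serial are constructed placeholders. It uses a dedicated aggregation account rather than the built-in admin account, which the page allows as an alternative.

```text
# Added example, not from the original page. Verify every attribute name
# against the FortiAnalyzer CLI reference for your version before use.

# Step 1 equivalent: set the operation mode to Collector
config system global
    set log-mode collector
end

# Step 4 equivalent: forward branch FortiGate logs to the head-office Analyzer.
# Aggregation mode sends both log files and the related archive files.
config system log-forward
    edit 1
        set mode aggregation
        set fwd-server-type fortianalyzer
        set server-ip 203.0.113.10            # placeholder: head-office Analyzer IP
        set agg-user "faz-aggregator"          # placeholder: Super_User account created on the Analyzer
        set agg-password "<password>"          # placeholder: set from a secret store, not in scripts
        config device-filter
            edit 1
                set device "FGT-BRANCH-SERIAL"  # placeholder: serial of the branch FortiGate
            next
        end
    next
end
```

After applying the configuration, confirm the result the same way the page describes for the GUI: the Analyzer's Log View should show real-time logs for the branch FortiGate. If nothing arrives, the first things to check are the aggregation credentials (the account must exist on the Analyzer with the Super_User profile) and that the Collector can reach the Analyzer's IP address.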

2. Setting up the Analyzer

Configure the Operation Mode.

Go to System Settings > Dashboard. In the System Information widget > Operation Mode > select Analyzer.


Check and configure the storage policy of the Analyzer. 

See the corresponding instructions above for the Collector. 


A configuration example of the Analyzer storage policy 

Note: For the Analyzer, you should allocate most of the disk space for indexed logs. You may want to keep the indexed logs for 30–90 days. After this initial configuration, you can monitor the storage usage and adjust it as you go.

Add the branch office FortiGate to the Analyzer.

Go to Device Manager, and click Unregistered Device in the quick status bar. Select the FortiGate device, and click Add.

In the Add Device dialog box, select the ADOM to which you want to add the FortiGate device (if ADOMs are disabled, select root), and give the device a name.

Once the FortiGate device is added, you can see it under the Device Total tab. 


3. Results

At this point, the Collector will start to forward logs to the Analyzer. Log in to the Analyzer GUI and go to Log View. Select the branch office FortiGate device from the device list, and select Real-time Log from the Tools drop-down. You will see real-time logs arriving from the branch office FortiGate. 