FortiAnalyzer Analyzer-Collector configuration


This example illustrates how to set up FortiAnalyzer Analyzer and Collector modes and make them work together to increase the overall performance of log receiving, analysis, and reporting. 

FortiAnalyzer provides two operation modes: Analyzer and Collector. Analyzer mode is the default mode that supports the full FortiAnalyzer features, while the primary task of a Collector is receiving logs from connected devices and uploading the logs to an Analyzer. Instead of writing logs to the database, the Collector retains the logs in their original (binary) format and sends the logs to the Analyzer. The following table shows a comparison of the supported features of the Analyzer and Collector modes:

Feature           Analyzer Mode   Collector Mode
FortiView         Yes             No
Event Monitor     Yes             No
Reports           Yes             No
Log View          Yes             Compressed logs only; indexed logs not available
Device Manager    Yes             Yes
System Settings   Yes             Yes

In this example, Company A has a branch network with a FortiGate unit and a FortiAnalyzer 400E deployed in Collector mode. In its head office, Company A has another FortiGate unit and a FortiAnalyzer 3000D deployed in Analyzer mode. The Collector forwards the logs of the FortiGate unit in the remote branch to the Analyzer in the head office for data analysis and report generation. The Collector is also used for log archival.

1. Setting up the Collector

Configure the Operation Mode.

Go to System Settings > Dashboard. In the System Information widget, go to Operation Mode, and select Collector.

 

Check the storage policy of the Collector. 

Go to Device Manager, and click the Storage Used tab on the quick status bar.

Configure the storage policy of the Collector

To edit the log storage policy when ADOMs are enabled:

Go to System Settings > All ADOMs, double-click the ADOM to which your Analyzer/Collector belongs.

On the Edit ADOM Storage Configurations page that opens, edit the log storage policy. 

To edit log storage settings when ADOMs are disabled:

Go to System Settings > Dashboard. In the System Information widget, click the edit icon for Log Storage Policy. In the Edit Log Storage Policy dialog box that opens, change the settings. 

 

A configuration example of the Collector storage policy 

Note: For the Collector, you should allocate most of the disk space for compressed logs. You should keep the compressed logs long enough to meet the regulatory requirements of your organization. After this initial configuration, you can monitor the storage usage and adjust it as you go.

Prepare an Analyzer administrator account with a Super_User profile

You can use the default admin account of the Analyzer, or create a custom administrator account on the Analyzer. The Collector must present the login credentials of this administrator account to be authenticated by the Analyzer for log aggregation.

Configure log forwarding

Go to System Settings > Log Forwarding. Click Create New.

Set Server Name to a name you prefer. Set Server Type to FortiAnalyzer. Set Server IP to the IP address of the Analyzer to which this Collector will forward logs. Click Select Device and select the FortiGate device of the branch office.

Select both Enable Real-time Forwarding and Enable Log Aggregation. Provide the user name and password of the administrator account of the Analyzer. See "Prepare an Analyzer administrator account with a Super_User profile" above.

 

Notes:

We recommend that you enable real-time forwarding to optimize performance. If you want the Collector to upload content files, which include DLP (data leak prevention) files, antivirus quarantine files, and IPS (intrusion prevention system) packet captures, you should also enable Log Aggregation so that the Collector sends content files to the Analyzer daily at the scheduled time.

Log forwarding is enabled by default. If System Settings > Log Forwarding does not appear in the GUI, you must first enable it. Go to System Settings > Dashboard. In the CLI Console widget, enter the following CLI commands:

 config system admin setting
  set show-log-forwarding enable
 end

2. Setting up the Analyzer

Configure the Operation Mode.

Go to System Settings > Dashboard. In the System Information widget, go to Operation Mode, and select Analyzer.

 

Check and configure the storage policy of the Analyzer. 

See the corresponding instructions above for the Collector. 

 

A configuration example of the Analyzer storage policy 

 

Note: For the Analyzer, you should allocate most of the disk space for indexed logs. You may want to keep the indexed logs for 30–90 days. After this initial configuration, you can monitor the storage usage and adjust it as you go.

Add the branch office FortiGate to the Analyzer.

Go to Device Manager, and click Device Unregistered in the quick status bar. Select the FortiGate device, and click Add.

In the Add Device dialog box that opens, select the ADOM to which to add the FortiGate device (if ADOM is disabled, select root), and give the device a name you prefer.

Once the FortiGate device is added, you can see it under the Device Total tab. 

 

Make sure that the log aggregation service is enabled on the Analyzer. 

Go to System Settings > Dashboard. In the CLI Console widget, enter the following CLI commands:

 config system aggregation-service
  set accept-aggregation enable
 end

Make sure the Analyzer interface that will receive the logs allows aggregator access.

Go to System Settings > Network. In the System Network Management Interface pane, select Aggregator under Administrative Access.
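For readers who script their deployments, the GUI steps of sections 1 and 2 can also be entered in the FortiAnalyzer CLI. The fragment below is an added example, not part of the original article: the command and keyword names are taken from the FortiAnalyzer CLI as the editor knows it (config system log-forward, log-mode, agg-user, allowaccess) and should be verified against the CLI Reference for your firmware version, the IP address and device serial are constructed placeholders, and the lines starting with # are annotations, not CLI input.

```text
# --- Collector (branch office FortiAnalyzer 400E) ---
config system global
    set log-mode collector            # same as Operation Mode > Collector in the GUI
end

config system log-forward
    edit 1
        set mode both                 # real-time forwarding plus daily aggregation
        set server-name "HQ-Analyzer"
        set server-ip 192.0.2.10      # constructed example: the Analyzer's address
        set fwd-max-delay realtime    # Enable Real-time Forwarding
        set agg-user "collector-agg"  # Super_User account created on the Analyzer
        set agg-password <password>   # placeholder; set the account's real password
        set agg-time 2                # hour of day (0-23) for the aggregation upload
        config device-filter
            edit 1
                set action include
                set device "FGT-BRANCH-SERIAL"   # placeholder serial of the branch FortiGate
            next
        end
    next
end

# --- Analyzer (head office FortiAnalyzer 3000D) ---
config system global
    set log-mode analyzer
end

config system aggregation-service
    set accept-aggregation enable     # accept aggregation sessions from Collectors
end

config system interface
    edit "port1"                      # the interface that receives the logs
        set allowaccess ping https ssh aggregator
    next
end
```

On the Collector, the Log Forwarding entry is only created if the Super_User account already exists on the Analyzer; create the account (section 1) and enable aggregator access on the Analyzer interface before the first aggregation run, or the session is refused and the logs stay on the Collector until the next scheduled upload.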

 

4. Results

At this point, the Collector will start to forward logs to the Analyzer. Log in to the Analyzer GUI and go to Log View. Select the branch office FortiGate device from the device list, and select Real-time Log from the Tools drop-down. You will see real-time logs arriving from the branch office FortiGate. 
Ying Deng

Technical Writer at Fortinet
Ying Deng works in Vancouver as part of the Fortinet technical documentation team. She has a Master's degree from the School of Interactive Arts and Technology (SIAT) of Simon Fraser University in Human-Computer Interaction, and a bachelor's degree from Tongji University in Electronics and Information Engineering. She strives to design useful, simple, and elegant information, and is a firm believer in user-centered design.

Comments

Rio Wijaya Manalu

    Hi Ying Deng,

    Please help me,
    how can I add FortiAP to FortiAnalyzer?
    I want to manage events and syslog from FortiAP in my FortiAnalyzer.

    Thank you

vjaxxy Mourya

    Does FortiAnalyzer store information related to YouTube video logs?