FortiAnalyzer Analyzer-Collector configuration


This example shows how to set up FortiAnalyzer in Analyzer mode and in Collector mode and make the two work together to increase the overall performance of log receiving, analysis, and reporting.

FortiAnalyzer provides two operation modes: Analyzer and Collector. Analyzer mode is the default mode that supports the full FortiAnalyzer features, while the primary task of a Collector is receiving logs from connected devices and uploading the logs to an Analyzer. Instead of writing logs to the database, the Collector retains the logs in their original (binary) format and sends the logs to the Analyzer. The following table shows a comparison of the supported features of the Analyzer and Collector modes:

Feature            Analyzer Mode    Collector Mode
FortiView          Yes              No
Event Monitor      Yes              No
Reports            Yes              No
Log View           Yes              Compressed logs only; indexed logs not available
Device Manager     Yes              Yes
System Settings    Yes              Yes

In this example, Company A has a branch network with a FortiGate and a FortiAnalyzer 400E deployed in Collector mode. In its head office, Company A has another FortiGate and a FortiAnalyzer 3000D deployed in Analyzer mode. The Collector forwards the logs of the remote branch FortiGate to the Analyzer in the head office for data analysis and report generation. The Collector is also used to archive logs.

1. Setting up the Collector

Configure the Operation Mode.

Go to System Settings > Dashboard. In the System Information widget > Operation Mode > select Collector.


Check the storage policy of the Collector.

Go to Device Manager, and click the Storage Used tab in the quick status bar.

Configure the storage policy of the Collector.

To edit the log storage policy when ADOMs are enabled:

Go to System Settings > All ADOMs, and double-click the ADOM that your Analyzer/Collector belongs to.

On the Edit ADOM Storage Configurations page, edit the log storage policy.

To edit log storage settings when ADOMs are disabled:

Go to System Settings > Dashboard. In the System Information widget, click the edit icon for Log Storage Policy. In the Edit Log Storage Policy dialog box, change the settings. 


A configuration example of the Collector storage policy 

Note: For the Collector, you should allocate most of the disk space for compressed logs. You should keep the compressed logs long enough to meet the regulatory requirements of your organization. After this initial configuration, you can monitor the storage usage and adjust it as you go.

Prepare an Analyzer administrator account with a Super_User profile

You can use the default admin account of the Analyzer, or create a custom administrator account on the Analyzer. The Collector must present the credentials of this account to authenticate to the Analyzer for log aggregation, so the password is stored in the Collector's configuration. A dedicated account used only by the Collector is preferable to admin: its logins are easy to tell apart in the Analyzer's event logs, and its password can be rotated without touching the account your operators use.

Configure log forwarding

Go to System Settings > Log Forwarding. Click Create New.

Set Server Name to a name you prefer. Set Server Type to FortiAnalyzer. Set Server IP to the IP address of the Analyzer to which this Collector will forward logs. Click Select Device and select the FortiGate device of the branch office.

Select both Enable Real-time Forwarding and Enable Log Aggregation. Provide the user name and password of the Analyzer administrator account prepared in "Prepare an Analyzer administrator account with a Super_User profile" above.


Notes:

We recommend enabling real-time forwarding for the best performance. If you also want the Collector to upload content files, which include DLP (data leak prevention) files, antivirus quarantine files, and IPS (intrusion prevention system) packet captures, enable Log Aggregation as well; the Collector then sends the content files to the Analyzer at the scheduled aggregation time.

The Log Forwarding page is shown in the GUI by default. If you cannot see System Settings > Log Forwarding, enable the menu item first. Go to System Settings > Dashboard. In the CLI Console widget, enter the following CLI commands:

 config system admin setting
  set show-log-forwarding enable
 end

2. Setting up the Analyzer

Configure the Operation Mode.

Go to System Settings > Dashboard. In the System Information widget > Operation Mode > select Analyzer.


Check and configure the storage policy of the Analyzer. 

See the corresponding instructions above for the Collector. 


A configuration example of the Analyzer storage policy 


Note: For the Analyzer, you should allocate most of the disk space for indexed logs.
You may want to keep the indexed logs for 30–90 days. After this initial
configuration, you can monitor the storage usage and adjust it as you go.

Add the branch office FortiGate to the Analyzer.

Go to Device Manager, and click Unregistered Device in the quick status bar. Select the FortiGate device, and click Add.

In the Add Device dialog box, select the ADOM you want to add the FortiGate device to (if ADOMs are disabled, select root), and give the device a name.

Once the FortiGate device is added, you can see it under the Device Total tab. 


Make sure that the log aggregation service is enabled on the Analyzer. 

Go to System Settings > Dashboard.  In the CLI Console widget, enter the following CLI commands:
 config system aggregation-service
  set accept-aggregation enable
 end 

Make sure the Analyzer interface receiving the logs allows aggregator access.

Go to System Settings > Network. In the System Network Management Interface pane, select Aggregator under Administrative Access. Enable it only on the interface that faces the Collector; leaving it off on interfaces that do not receive logs keeps the aggregation service unreachable from networks that have no need for it.


3. Results

At this point, the Collector will start to forward logs to the Analyzer. Log in to the Analyzer GUI and go to Log View. Select the branch office FortiGate device from the device list, and select Real-time Log from the Tools drop-down. You will see real-time logs arriving from the branch office FortiGate. 
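Seeing a few records scroll past in Real-time Log confirms that the path works at that moment, but it does not tell you whether every device behind the Collector is still forwarding an hour later. The following script, an added example that is not part of the original article or of FortiAnalyzer, parses FortiGate-style key=value log lines as they appear in Log View, counts records per device ID, and flags devices that are expected but silent or whose newest record is older than a chosen gap. The log lines, device IDs, device names, timestamps and the reference time are constructed for the example; the 15-minute gap is an assumed threshold, not a FortiAnalyzer default.

```python
"""Check that branch FortiGate logs are still arriving through the Collector.

Added example, not code from the original article or from FortiAnalyzer.
Parses FortiGate key=value log records, summarises them per devid, and
reports expected devices that are missing or stale. All sample data below
is constructed.
"""
import re
from datetime import datetime, timedelta

# FortiGate log fields are key=value pairs; values may be double-quoted.
# group 3 = quoted value, group 4 = unquoted value.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample records in FortiGate traffic/event log format.
SAMPLE_LOGS = [
    'date=2018-03-01 time=09:15:01 devname="branch-fgt" devid="FG100E0000000001" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.1.1.20 dstip=203.0.113.10 dstport=443 action="accept"',
    'date=2018-03-01 time=09:15:07 devname="branch-fgt" devid="FG100E0000000001" '
    'logid="0100032001" type="event" subtype="system" level="information" '
    'vd="root" logdesc="Admin login successful" user="admin" status="success"',
    'date=2018-03-01 time=08:02:44 devname="hq-fgt" devid="FG300D0000000002" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.2.2.5 dstip=198.51.100.7 dstport=53 action="accept"',
]

# Constructed reference time standing in for the Analyzer's clock.
REFERENCE_NOW = datetime(2018, 3, 1, 9, 20, 0)


def parse_fortigate_log(line):
    """Return the key=value fields of one FortiGate log line as a dict."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in _KV.finditer(line)
    }


def last_seen_per_device(lines):
    """Map devid -> (devname, record count, newest timestamp) over lines."""
    seen = {}
    for line in lines:
        rec = parse_fortigate_log(line)
        if not {"devid", "date", "time"} <= rec.keys():
            continue  # not a FortiGate record, skip it
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        name, count, newest = seen.get(rec["devid"], (rec.get("devname", ""), 0, None))
        if newest is None or ts > newest:
            newest = ts
        seen[rec["devid"]] = (name, count + 1, newest)
    return seen


def check_forwarding(lines, expected_devids, now, max_gap=timedelta(minutes=15)):
    """Return {devid: reason} for expected devices that are silent or stale.

    A stale device (newest record older than max_gap relative to `now`)
    means the Collector stopped forwarding, the device stopped logging,
    or a clock has drifted; all three deserve a look.
    """
    seen = last_seen_per_device(lines)
    problems = {}
    for devid in expected_devids:
        if devid not in seen:
            problems[devid] = "no records received"
        elif now - seen[devid][2] > max_gap:
            problems[devid] = f"stale: last record at {seen[devid][2].isoformat()}"
    return problems


if __name__ == "__main__":
    for devid, (name, count, newest) in last_seen_per_device(SAMPLE_LOGS).items():
        print(f"{devid} ({name}): {count} records, newest {newest}")
    expected = ["FG100E0000000001", "FG300D0000000002", "FG60E0000000003"]
    print(check_forwarding(SAMPLE_LOGS, expected, REFERENCE_NOW))
```

In practice you would feed the script an export from Log View (or the Analyzer's raw log files) and the serial numbers of every device registered to the Collector, and run it on a schedule so that a Collector whose forwarding silently stops is noticed before the retention window on the Collector expires.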
Ying Deng

Technical Writer at Fortinet
Ying Deng works in Vancouver as part of the Fortinet technical documentation team. She has a Master's degree from the School of Interactive Arts and Technology (SIAT) of Simon Fraser University in Human-Computer Interaction, and a bachelor's degree from Tongji University in Electronics and Information Engineering. She strives to design useful, simple, and elegant information, and is a firm believer in user-centered design.

  • Rio Wijaya Manalu

    Hi Ying Deng,

    Please help me,
    How can I add a FortiAP to FortiAnalyzer?
    I want to manage events and syslog from the FortiAP in my FortiAnalyzer.

    Thank you

  • vjaxxy Mourya

    Does FortiAnalyzer store information related to YouTube video logs?