FortiSIEM Managing Event Data Archive

Managing Event Data Archive

Prerequisites

Creating Archive Destination

Creating Offline (Archive) Retention Policy

Prerequisites

Make sure you read the section on Setting Archive and Purge Policies in the topic Creating Event Database Archives before you set up your policy. It is very important that you understand how FortiSIEM moves data into the archive, and purges archived data when the archive destination storage reaches capacity, before you create your policy.

Make sure that your Archive Destination has sufficient storage for your event data + 20GB. When the archive storage reaches 20GB of capacity, FortiSIEM will begin to purge archived data, in daily increments, starting with the oldest data, to maintain a 20GB overhead.

Creating Archive Destination

  1. Log in to your Supervisor node.
  2. Go to Admin > Event DB Management.
  3. Click Retention Policy.
  4. For Archive Destination, enter the full path of the file system directory where you want your event data to be archived, and then click Ap ply.

Offline Storage Capacity for Multi-Tenant Deployments

Note that all organizations will share the same Archive Destination. For this reason, you should make sure that the archive destination has enough capacity to hold the event data for both the number of organizations and the archive retention period that you set for each. If the archive destination does not have enough storage capacity, the archive operation may fail.

Creating Offline (Archive) Retention Policy

This enables you to control which customers data stays in event data archive and for how long.

  1. Log in to your Supervisor node.
  2. Go to Admin > Event DB Management.
  3. Click Retention Policy.
  4. Under Offline Retention Policies, click New.
  5. For multi-tenant installations, select the Organization for which this policy will apply.
  6. For Time Period, enter the number of days that event data should be held in the offline storage before it is purged.
  7. Click Save.
Managing Online Event Data

Creating Online Event Retention Policy

This enables you to control the content of online event data.

  1. Log in to your Supervisor node.
  2. Go to Admin > Event DB Management.
  3. Click Retention Policy.
  4. Under Online Retention Policies, click Add.
  5. Enter the following information
    1. Enabled – Check this box if the policy has to be enforced right away.
    2. Organizations – Choose the organizations for which the policy has to be applied (for Service Provide installs)
    3. Reporting Devices – Choose the reporting devices relevant to this policy
    4. Event Type – Choose the event types or event type groups
    5. Time period – enter the number of days that event data specified by the conditions (Organizations, Reporting Devices and Event Type) should be held in the online storage before it is moved to archive or purged.
    6. Description – enter a description for the policy
  6. Click Save.

Viewing Online Event Data Usage

This enables you to see a summarized view of online event data. These views enables you to manage storage more effectively by writing appropriate event dropping policies or online event retention policies.

Restoring Archived Data

Once your event data has been moved to an offline archive, you can no longer query that data from within FortiSIEM. However, you can restore it to your virtual appliance, and then proceed with any queries or analysis.

  1. Log in to your Supervisor node.
  2. Go to Admin > Event DB Management > Data Manager.
  3. Under Reserved Restore Space (GB), enter the amount of storage space that will be reserved for the restored data.

This should be equal to or larger than the size of the archive to be restored.

  1. Under Archived Data, select the archive that you want to restore.
  2. Click Restore.

The archive data will be moved to the restore space and can be queried in the usual ways.

 

Validating Log Integrity
  1. Security auditors can validate that archived event data has not been tampered with by using the Event Integrity function of Event DB Management.
  2. Log in to your Supervisor node.
  3. Go to Admin > Event DB Management > Event Integrity.
  4. Select the Begin Time and End Times for the time period during which log integrity needs to be validated.
  5. Click Show.

You will see a table of all the logs that are available for the specified time period

  1. Use Validation Status to filter the types of logs you want to validate.
  2. Select the log you want to validate, and click Validate.

A table showing the validation status of logs will be displayed.

Column Description
Start Time The earliest time of the messages in this file. The file does not contain messages that were received by FortiSIEM before this time.
End Time The latest time of the messages in this file. The file does not contain messages that were received by FortiSIEM after this time.
Category Internal: these messages were generated by FortiSIEM for its own use. This includes FortiSIEM system logs and monitoring events such as the ones that begin with PH_DEV_MON.

External: these messages were received by FortiSIEM from an external system

Incident: these corresponds to incidents generated by FortiSIEM

File Name The name of the log file
Event Count The number of events in the file
Checksum

Algorithm

The checksum algorithm used for computing message integrity
Message

Checksum

The value of the checksum
Validation

Status

Not Validated: the event integrity has not been validated yet

Successful: the event integrity has been validated and the return was success. This means that the logs in this file were not altered.

Failed: the event integrity has been validated and the return was failed. This means that the logs in this file were altered.

Archived: the events in this file were archived to offline storage

File

Location

Local: local to Supervisor node

External: means external to Supervisor node, for example on NFS storage

 

  1. Click Export to create a PDF version of the validation results.

 

 

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.