Collectors and Analyzers – FortiAnalyzer – FortiOS 6.2.3

Collectors and Analyzers

This topic describes how to configure two FortiAnalyzer units as the Analyzer and Collector and make them work together. In the scenario shown in the diagram below, Company A has a remote branch network with a FortiGate unit and a FortiAnalyzer 400E in Collector mode. In its head office, Company A has another FortiGate unit and a FortiAnalyzer 3000D in Analyzer mode. The Collector forwards the logs of the FortiGate unit in the remote branch to the Analyzer in the head office for data analysis and report generation. The Collector is also used for log archival.

For related concepts, see Two operation modes on page 19 and Analyzer–Collector collaboration on page 21. You need to complete the initial setup for your FortiAnalyzer units first. See Initial setup on page 16.

Configuring the Collector

To configure the Collector:

  1. Ensure the FortiAnalyzer Operation Mode is Collector. See Configuring the operation mode on page 161.
  2. Check and configure the storage policy for the Collector. See Log storage information on page 57.

For the Collector, you should allocate most of the disk space for Archive logs. You should keep the Archive logs long enough to meet the regulatory requirements of your organization. After this initial configuration, you can monitor the storage usage and adjust it as you go.


The following is a storage configuration example for the Collector.

  3. Set up log forwarding to enable the Collector to forward the logs to the Analyzer. See Log Forwarding on page 190.

In particular:

  - Set Remote Server Type to FortiAnalyzer.
  - Set Server IP to the IP address of the Analyzer that this Collector will forward logs to.
  - Click Select Device and select the FortiGate device that the Collector will forward logs for.

Configuring the Analyzer

To configure the Analyzer:

  1. Ensure the FortiAnalyzer Operation Mode is Analyzer. See Configuring the operation mode on page 161.
  2. Check and configure the storage policy for the Analyzer. See Log storage information on page 57.


  3. Make sure that the aggregation service is enabled on the Analyzer. If not, use this CLI command to enable it:

    config system log-forward-service
        set accept-aggregation enable
    end

  4. Add the FortiGate device of the remote office that the Collector will forward logs for. See Authorizing devices on page 26.

Once the FortiGate of the remote office is added, the Analyzer starts receiving its logs from the Collector.
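Once the device is added, a practitioner will want to confirm that its logs are really arriving through the Collector rather than assume it. The following Python script is an added example, not code from the guide or from Fortinet: it parses a sample of FortiGate key=value log lines exported from the Analyzer and classifies each expected device serial as ok, stale or missing. The device IDs, timestamps and log lines are constructed placeholders, and the 15-minute lag threshold is an assumption to tune to your forwarding interval.

```python
import re
from datetime import datetime, timedelta

# FortiGate logs are key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_fgt_log(line):
    """Return a dict of fields from one FortiGate log line."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def last_seen_by_device(lines):
    """Map devid -> newest event timestamp present in the sample."""
    seen = {}
    for line in lines:
        f = parse_fgt_log(line)
        if not all(k in f for k in ("devid", "date", "time")):
            continue  # not a FortiGate event line; ignore it
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        if f["devid"] not in seen or ts > seen[f["devid"]]:
            seen[f["devid"]] = ts
    return seen

def check_forwarding(lines, expected_devids, now, max_lag=timedelta(minutes=15)):
    """Classify each expected device as 'ok', 'stale' or 'missing'."""
    seen = last_seen_by_device(lines)
    status = {}
    for devid in expected_devids:
        if devid not in seen:
            status[devid] = "missing"  # Collector never forwarded this device
        elif now - seen[devid] > max_lag:
            status[devid] = "stale"    # forwarding stopped or is lagging
        else:
            status[devid] = "ok"
    return status

SAMPLE_LINES = [  # constructed sample as received on the Analyzer; serials are placeholders
    'date=2024-05-01 time=10:15:32 devname="branch-fgt" devid="FGTBRANCH0000001" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" action="accept"',
    'date=2024-05-01 time=10:16:05 devname="branch-fgt" devid="FGTBRANCH0000001" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" action="deny"',
    'date=2024-05-01 time=09:02:11 devname="branch2-fgt" devid="FGTBRANCH0000002" '
    'logid="0100032001" type="event" subtype="system" level="information"',
]
EXPECTED_DEVIDS = ["FGTBRANCH0000001", "FGTBRANCH0000002", "FGTBRANCH0000003"]
CHECK_TIME = datetime(2024, 5, 1, 10, 20, 0)  # constructed "now" for the sample

def run_sample():
    return check_forwarding(SAMPLE_LINES, EXPECTED_DEVIDS, CHECK_TIME)
```

A "missing" result usually means the device was not selected under Select Device on the Collector; "stale" points at a forwarding or network problem between the two units.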

Fetching logs from the Collector to the Analyzer

At times, you might want to fetch logs from the Collector to the Analyzer. The Collector performs the role of the fetch server, and the Analyzer performs the role of the fetch client. For information about how to conduct log fetching, see Fetcher Management on page 195.

This entry was posted in Administration Guides, FortiAnalyzer, FortiOS 6.2.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (a cybersecurity consulting firm).
