Dynamic Distribution of Events per Second (EPS) across Collectors

Leave a reply
Dynamic Distribution of Events per Second (EPS) across Collectors

In multi-tenant deployments, the service provider is licensed a certain amount of EPS. The service provider distributes these EPS among the various collectors during collector setup by setting the Guaranteed EPS. Because an organization can have multiple collectors, the guaranteed EPS for an organization is the sum total of guaranteed EPS for all collectors belonging to that organization. This total must be no more than the total EPS licensed to the service provider. The remaining EPS (the difference between the service provider EPS and the total EPS across all collectors), if any, is allocated to the super-local organization, the service provider’s core system, if that needs to be monitored. To monitor this system, FortiSIEM recommends creating a new organization to monitor the service’s own network, and to install another Collector to monitor that organization.

The redistribution algorithm uses three metrics for each Collector.

Guaranteed

EPS

 Defined during the collector configuration process while setting up an organization, FortiSIEM ensures that the collector can always send EPS at this rate. This is a constant that never changes during the operation of the algorithm, unless you edit the Collector definition.
Incoming

EPS

 This is the EPS that the Collector sees. This changes continuously. You can view this metric for a Collector in Admin > Collector Health.
Allocated

EPS

 This is the EPS that is currently allocated to the Collector by the redistribution algorithm. You can view this metric for a Collector in Admin > Collector Health.

 

Each Collector periodically reports Incoming EPS to the Supervisor, which then determines the Allocated EPS and pushes this control down to the collectors. Allocated EPS is set to Guaranteed EPS initially, but if for some Collector, Incoming EPS is greater than Allocated EPS, the Supervisor examines all Collectors and determines excess capacity as sum total of max (0,Allocated – Incoming) for all Collectors. If there is a Collector with excess capacity, its Allocated EPS is reduced and the excess amount is given to the Collector that needs the excess EPS. If the collector that gave up EPS, that is, Allocated EPS is less than Guaranteed EPS, subsequently needs the EPS, then EPS is taken away from the collectors with Allocated greater than Guaranteed and given back. This continuous readjustment is centrally coordinated by the Supervisor node.

 

 

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.