FortiAnalyzer Key Concepts – FortiOS 6.2.3

FortiAnalyzer Key Concepts

Two operation modes

FortiAnalyzer can run in two operation modes: Analyzer and Collector. Choose the operation mode for your FortiAnalyzer units based on your network topology and requirements.

Analyzer mode

Analyzer mode is the default mode that supports all FortiAnalyzer features. Use this mode to aggregate logs from one or more Collectors.

The following diagram shows an example of deploying FortiAnalyzer in Analyzer mode.

Collector mode

When FortiAnalyzer is in Collector mode, its primary task is forwarding logs from the connected devices to an Analyzer and archiving the logs. Instead of writing logs to the database, the Collector retains logs in their original binary format for uploading. In this mode, most features are disabled.

Analyzer and Collector feature comparison

| Feature            | Analyzer Mode | Collector Mode        |
|--------------------|---------------|-----------------------|
| Device Manager     | Yes           | Yes                   |
| FortiView          | Yes           | No                    |
| Log View           | Yes           | Raw archive logs only |
| Incidents & Events | Yes           | No                    |
| Monitoring devices | Yes           | No                    |
| Reporting          | Yes           | No                    |
| System Settings    | Yes           | Yes                   |
| Log Forwarding     | Yes           | Yes                   |

Analyzer–Collector collaboration

You can deploy Analyzer mode and Collector mode on different FortiAnalyzer units and make the units work together to improve the overall performance of log receiving, analysis, and reporting. The Analyzer offloads the log receiving task to the Collector so that the Analyzer can focus on data analysis and report generation. This maximizes the Collector’s log receiving performance.

For an example of setting up Analyzer–Collector collaboration, see Collectors and Analyzers on page 256.

Administrative domains

Administrative domains (ADOMs) enable the admin administrator to constrain the access privileges of other FortiAnalyzer unit administrators to a subset of devices in the device list. For Fortinet devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific VDOM for a device.

Enabling ADOMs alters the available functions in the GUI and CLI. Access to the functions depends on whether you are logged in as the admin administrator. If you are logged in as the admin administrator, you can access all ADOMs. If you are not logged in as the admin administrator, the settings in your administrator account determine which ADOMs you can access.

For information on enabling and disabling ADOMs, see Enabling and disabling the ADOM feature on page 179. For information on working with ADOMs, see Administrative Domains on page 176. For information on configuring administrator accounts, see Managing administrator accounts on page 223.

Log storage

Logs and files are stored on the FortiAnalyzer disks. Logs are also temporarily stored in the SQL database.

You can configure data policy and disk utilization settings for devices. These are collectively called log storage settings.

You can configure global log and file storage settings. These apply to all logs and files in the FortiAnalyzer system regardless of log storage settings.

SQL database

FortiAnalyzer supports Structured Query Language (SQL) for logging and reporting. The log data is inserted into the SQL database to support data analysis in SOC > FortiView, Log View, and Reports. Remote SQL databases are not supported.

For more information, see FortiView on page 98, Types of logs collected for each device on page 42, and Reports on page 111.

The log storage settings define how much FortiAnalyzer disk space to use for the SQL database.

When FortiAnalyzer is in Collector mode, the SQL database is disabled by default. If you want to use logs that require SQL when FortiAnalyzer is in Collector mode, you must enable the SQL database. See Two operation modes on page 19.

Analytics and Archive logs

Logs in FortiAnalyzer are in one of the following phases. Use a data policy to control how long to retain Analytics and Archive logs.

  • Real-time log: Log entries that have just arrived and have not been added to the SQL database, i.e., have not been rolled.

  • Analytics logs or historical logs: Indexed in the SQL database and online.

  • Archive logs: Compressed on hard disks and offline.

In the indexed phase, logs are indexed in the SQL database for a specified length of time for the purpose of analysis.

Logs in the indexed phase in the SQL database are considered online and you can view details about these logs in SOC > FortiView, Log View, and Incidents & Events panes. You can also generate reports about the logs in the Reports pane.

In the compressed phase, logs are compressed and archived in FortiAnalyzer disks for a specified length of time for the purpose of retention. Logs in the compressed phase are considered offline and you cannot immediately view details about these logs in the SOC > FortiView, Log View, and Incidents & Events panes. You also cannot generate reports about the logs in the Reports pane.

Data policy and automatic deletion

Use a data policy to control how long to keep compressed and indexed logs. When ADOMs are enabled, you can specify settings for each ADOM and the settings apply to all devices in that ADOM. When ADOMs are disabled, settings apply to all managed devices.

A data policy specifies:

  • How long to keep Analytics logs indexed in the database

When the specified length of time in the data policy expires, logs are automatically purged from the database but remain compressed in a log file on the FortiAnalyzer disks.

  • How long to keep Archive logs on the FortiAnalyzer disks

When the specified length of time in the data policy expires, Archive logs are deleted from the FortiAnalyzer disks.

See also Log storage information on page 57.

Disk utilization for Archive and Analytic logs

You can specify how much of the total available FortiAnalyzer disk space to use for log storage. You can specify what ratio of the allotted storage space to use for logs that are indexed in the SQL database and for logs that are stored in a compressed format on the FortiAnalyzer disks. Then you can monitor how quickly device logs are filling up the allotted disk space.

Analytics logs indexed in the SQL database require more disk space than Archive logs, which have been purged from the SQL database but remain compressed on the FortiAnalyzer disks. An average indexed log is 400 bytes and an average compressed log is 50 bytes. Keep this difference in mind when specifying the storage ratio for Analytics and Archive logs.

When ADOMs are enabled, you can specify settings for each ADOM and the settings apply to all devices in that ADOM. When ADOMs are disabled, settings apply to all managed devices. See Log storage information on page 57.
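The data policy and disk utilization sections above describe a log's life cycle (indexed and online, then compressed and offline, then deleted) and give average sizes of 400 bytes per indexed log and 50 bytes per compressed log. The following Python model is an added illustration, not Fortinet code: it classifies logs into those phases under a data policy, sums the disk each phase consumes at the guide's average sizes, and derives a steady-state sizing, an Analytics/Archive ratio, and the number of days until an allotted quota fills. The policy values, log rate, quota and sample log dates are constructed inputs, and it assumes both retention periods count from the day a log arrived.

```python
"""Retention-phase and disk-sizing model for a FortiAnalyzer data policy.

Added illustration, not Fortinet's own code. Phases follow the guide:
indexed (Analytics, online) until the analytics retention expires, then
compressed (Archive, offline) until the archive retention expires, then
deleted. The 400-byte and 50-byte averages are the guide's figures; the
sample policy, log rate, quota and log dates below are constructed, and
both retention periods are assumed to count from the day a log arrived.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INDEXED_BYTES = 400      # guide's average size of one log indexed in the SQL database
COMPRESSED_BYTES = 50    # guide's average size of one compressed Archive log on disk


@dataclass(frozen=True)
class DataPolicy:
    keep_analytics_days: int   # how long to keep Analytics logs indexed in the database
    keep_archive_days: int     # how long to keep Archive logs on the FortiAnalyzer disks

    def __post_init__(self) -> None:
        if self.keep_analytics_days < 0 or self.keep_archive_days < 0:
            raise ValueError("retention periods must be non-negative")


def log_phase(log_day: date, today: date, policy: DataPolicy) -> str:
    """Return 'analytics', 'archive' or 'deleted' for a log that arrived on log_day."""
    age = (today - log_day).days
    if age < 0:
        raise ValueError("a log cannot arrive in the future")
    if age < policy.keep_analytics_days:
        return "analytics"   # still in the SQL database: online, viewable, reportable
    if age < policy.keep_archive_days:
        return "archive"     # purged from SQL but compressed on disk: offline
    return "deleted"         # archive retention has also expired


def bytes_in_use(log_days: list, today: date, policy: DataPolicy) -> dict:
    """Disk consumed by the given logs, split by phase, at the average sizes above."""
    usage = {"analytics": 0, "archive": 0}
    for day in log_days:
        phase = log_phase(day, today, policy)
        if phase == "analytics":
            usage["analytics"] += INDEXED_BYTES
        elif phase == "archive":
            usage["archive"] += COMPRESSED_BYTES
    return usage


def steady_state_bytes(logs_per_day: int, policy: DataPolicy) -> dict:
    """Disk needed once every phase is full at a constant daily log rate."""
    archive_phase_days = max(policy.keep_archive_days - policy.keep_analytics_days, 0)
    return {
        "analytics": logs_per_day * policy.keep_analytics_days * INDEXED_BYTES,
        "archive": logs_per_day * archive_phase_days * COMPRESSED_BYTES,
    }


def analytics_ratio(sizing: dict) -> float:
    """Fraction of the allotted space to give the indexed (Analytics) side."""
    total = sizing["analytics"] + sizing["archive"]
    return sizing["analytics"] / total if total else 0.0


def usage_after_days(days: int, logs_per_day: int, policy: DataPolicy) -> int:
    """Total bytes in use after `days` days of logging from an empty disk."""
    a, r = policy.keep_analytics_days, policy.keep_archive_days
    indexed = min(days, a) * logs_per_day * INDEXED_BYTES
    compressed = max(0, min(days, r) - a) * logs_per_day * COMPRESSED_BYTES
    return indexed + compressed


def days_until_full(quota_bytes: int, logs_per_day: int, policy: DataPolicy) -> Optional[int]:
    """First day on which usage exceeds the quota, or None if it never does."""
    horizon = max(policy.keep_analytics_days, policy.keep_archive_days)
    for day in range(1, horizon + 1):   # usage is flat after the longest retention
        if usage_after_days(day, logs_per_day, policy) > quota_bytes:
            return day
    return None


if __name__ == "__main__":
    # Constructed sample plan: 1,000,000 logs/day, 60 days Analytics, 365 days Archive.
    policy = DataPolicy(keep_analytics_days=60, keep_archive_days=365)
    sizing = steady_state_bytes(1_000_000, policy)
    print("steady state:", sizing, "analytics share: %.3f" % analytics_ratio(sizing))
    print("10 GB quota fills on day:", days_until_full(10_000_000_000, 1_000_000, policy))
    today = date(2020, 3, 1)
    sample_logs = [today - timedelta(days=d) for d in (0, 1, 7, 30)]
    print("phases:", [log_phase(d, today, DataPolicy(7, 30)) for d in sample_logs])
```

The ratio printed for the sample plan is the number to compare against the Analytics/Archive split configured under log storage settings; the days-until-full figure is the same quantity the guide says to monitor as device logs fill the allotted space.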

SOC dashboard

FortiAnalyzer provides a dashboard for Security Operations Center (SOC) administrators. The SOC module includes monitors that visualize real-time activity and historical trends, so analysts can effectively monitor network activity and security alerts. See SOC Monitoring on page 87.

In high capacity environments, the SOC module can be disabled to improve performance. See Enabling and disabling SOC on page 109.


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
