This example illustrates how to expand storage capacity to over 16 TB for a FortiAnalyzer 5.2.x VM or device.
You can use the Log Aggregation feature in aggregation mode to temporarily forward logs from one FortiAnalyzer unit to a temporary FortiAnalyzer unit while you increase the storage capacity of the FortiAnalyzer unit to over 16 TB.
You should also reconfigure FortiGate to send logs to the temporary FortiAnalyzer unit to avoid losing any logs while you increase the storage capacity of your FortiAnalyzer unit.
After you increase storage capacity, you can use the Log Aggregation feature to return the logs from the temporary FortiAnalyzer to the FortiAnalyzer unit that now has increased storage capacity. Don't forget to reconfigure FortiGate to send logs to the FortiAnalyzer unit again.
You can use this procedure when upgrading a FAZ-4000B or FAZ-3500E from the default 12 hard disk drives (HDDs) to the maximum of 24 HDDs.

The procedure consists of the following steps:
- Configure the temporary FortiAnalyzer to receive logs (server).
- Configure log forwarding on the unit for which you want to increase storage capacity (client).
- Reconfigure FortiGate to send logs to the temporary FortiAnalyzer unit.
- Increase storage capacity for the FortiAnalyzer unit.
- Return logs to the unit with increased storage capacity.
- After log aggregation completes, rebuild the SQL database on the unit with increased storage capacity.
- Reconfigure FortiGate to send logs to the unit with increased storage capacity.

To configure the temporary FortiAnalyzer to receive logs (server):
- Configure an administrator account with a Super_User profile. The client must provide the login credentials of this administrator account to authenticate to the server.
  - You can use the default admin account, which is assigned the Super_User profile.
  - Alternatively, you can create a custom administrator account by going to System Settings > Admin > Administrator.
- Add the FortiAnalyzer unit for which you want to increase storage capacity to the temporary FortiAnalyzer by going to Device Manager > Add Device.
  The Add Device wizard is displayed. Follow the wizard to add the device.
- Enable the log aggregation service by going to System Settings > Dashboard.
- In the CLI Console widget, enter the following commands.

    config system aggregation-service
        set accept-aggregation enable
    end

    get system aggregation-service
    accept-aggregation: enable
    aggregation-disk-quota: 20000
    password: *      <-- set for password

    config system interface
        edit port<number>
            set ip <ip address> <netmask>
            set allowaccess ping https ssh snmp telnet http webservice aggregator fgfm
    end

Of the protocols in this allowaccess list, telnet and http send administrator credentials in cleartext, so enable them only if you need them on this interface.

To configure log forwarding on the unit for which you want to increase storage capacity (client):
- Go to System Settings > Dashboard.
- In the CLI Console widget, enter the following commands:

    config system aggregation-client
        edit 1
            set mode aggregation
            set server-ip <ip address>
            set agg-password <password>
    end

To increase storage capacity for the FortiAnalyzer unit:
- Add new hard disks with a total size greater than 16 TB to FortiAnalyzer.
- Format the FortiAnalyzer disks to have more than 16 TB of storage capacity.

To return logs to the unit with increased storage capacity:
- Configure the FortiAnalyzer unit with the new storage capacity as the log-forwarding server.
- Configure the temporary FortiAnalyzer as the log-forwarding client.

The log-forwarding client sends all of the logs to the log-forwarding server. As a result, the log-forwarding feature returns all of the logs to the FortiAnalyzer unit with increased storage capacity.

On FortiAnalyzer, run the following CLI command:

    exec sql-local rebuild-db

You can reconfigure FortiGate to send logs to the unit with increased storage capacity while the FortiAnalyzer database is rebuilding. FortiAnalyzer can still receive new logs and insert them into the SQL database while the database is rebuilding.