What is the difference between Log Forward and Log Aggregation modes?
Log Forwarding: Logs are forwarded to a remote server in real-time or near real-time as they are received as specified by a device filter, log filter, and log format.
Log Aggregation: As FortiAnalyzer receives logs from devices, it stores them, and then forwards the collected logs to a remote FortiAnalyzer at a specified time every day.
Log Forwarding and Log Aggregation appear as different modes in the system log-forwarding configuration:
FAZVM64 # config system log-forward
(log-forward)# edit 1
(1)# set mode
aggregration Aggregate logs and archives to Analyzer.
disable Do not forward or aggregate logs.
forwarding Realtime or near realtime forwarding logs to servers.
The following table lists the differences between the two modes:
|
Log Forwarding |
Log Aggregation |
---|---|---|
Configuration Portal | GUI or CLI |
CLI |
Remote Server Type |
FortiAnalyzer
Syslog/CEF |
FortiAnalyzer |
Device Filter Support | Yes |
Yes |
Log Filter Support | Yes |
No |
Log Archive Support | Yes |
Yes |
Server Port customization | Yes (Except for FortiAnalyzer) |
No |
Log Field Exclusion | Yes |
No |
Log Delay | Real-time (max 5 minutes delay) |
Max 1 day |
Meta-data synchronization |
Yes |
No |
Secure channel support |
Yes (SSL as reliable connection) |
Yes (rsync + SSH) |
Network bandwidth |
Normal (as log traffic received) |
Peak hour as aggregation starts to finish |
Impact on remote FortiAnalyzer |
Normal (as log volume received) |
Potentially large table (If there is a mix of incoming real-time and real-time logs.) |