
Cookbook

What is the difference between Log Forward and Log Aggregation modes?

6.2.0


Log Forwarding: Logs are forwarded to a remote server in real time or near real time as they are received, according to the configured device filter, log filter, and log format.

Log Aggregation: As FortiAnalyzer receives logs from devices, it stores them locally and then forwards the collected logs to a remote FortiAnalyzer at a specified time every day.

Log Forwarding and Log Aggregation appear as different modes in the system log-forwarding configuration:

    FAZVM64 # config system log-forward
    (log-forward)# edit 1
    (1)# set mode
    aggregration    Aggregate logs and archives to Analyzer.
    disable         Do not forward or aggregate logs.
    forwarding      Realtime or near realtime forwarding logs to servers.

The following table lists the differences between the two modes:

| Feature                         | Log Forwarding                              | Log Aggregation                                                                                   |
|---------------------------------|---------------------------------------------|---------------------------------------------------------------------------------------------------|
| Configuration Portal            | GUI or CLI                                  | CLI                                                                                               |
| Remote Server Type              | FortiAnalyzer, Syslog/CEF                   | FortiAnalyzer                                                                                     |
| Device Filter Support           | Yes                                         | Yes                                                                                               |
| Log Filter Support              | Yes                                         | No                                                                                                |
| Log Archive Support             | Yes                                         | Yes                                                                                               |
| Server Port Customization       | Yes (except for FortiAnalyzer)              | No                                                                                                |
| Log Field Exclusion             | Yes                                         | No                                                                                                |
| Log Delay                       | Real-time (max 5 minutes delay)             | Max 1 day                                                                                         |
| Meta-data Synchronization       | Yes                                         | No                                                                                                |
| Secure Channel Support          | Yes (SSL as reliable connection)            | Yes (rsync + SSH)                                                                                 |
| Network Bandwidth               | Normal (as log traffic received)            | Peak hour as aggregation starts to finish                                                         |
| Impact on Remote FortiAnalyzer  | Normal (as log volume received)             | Potentially large table (if there is a mix of incoming real-time and real-time logs)              |
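As an added illustration (not part of the original cookbook page), the following CLI session configures one entry in each mode so the differences in the table are visible in the settings themselves. Only `config system log-forward`, `edit`, and `set mode` with its three values come from the page; the remaining keys (`fwd-server-type`, `server-ip`, `fwd-reliable`, `fwd-max-delay`, `agg-time`, `agg-user`, `agg-password`) are assumed from the FortiAnalyzer CLI reference and should be checked against the reference for your release, and all addresses and account names are constructed.

```text
# Added example, not from the cookbook. Keys other than mode are assumed from the
# FortiAnalyzer CLI reference; verify them for your release. Lines starting with a
# bare "#" are comments; prompt lines start with "FAZVM64 #" or "(n)#".

FAZVM64 # config system log-forward

# Entry 1: real-time forwarding to a remote FortiAnalyzer over the SSL
# "reliable" channel, accepting up to 5 minutes of delay (the table's
# "Real-time (max 5 minutes delay)"). A log filter is allowed in this mode.
(log-forward)# edit 1
(1)# set mode forwarding
(1)# set fwd-server-type fortianalyzer
(1)# set server-ip 192.0.2.10
(1)# set fwd-reliable enable
(1)# set fwd-max-delay 5min
(1)# next

# Entry 2: daily aggregation to a second FortiAnalyzer. Logs are stored locally
# and pushed once a day (here at 02:00) over rsync + SSH using an account on the
# remote unit; no log filter or custom port is available in this mode.
# The mode value is spelled as the page's CLI help shows it.
(log-forward)# edit 2
(2)# set mode aggregration
(2)# set server-ip 192.0.2.20
(2)# set agg-time 2
(2)# set agg-user aggr-upload
(2)# set agg-password <password-placeholder>
(2)# next

(log-forward)# end
```

Because aggregation ships a whole day of logs in one window, schedule `agg-time` outside the remote unit's busiest hours; the table's "peak hour" bandwidth note refers to exactly that burst.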
