FortiAnalyzer supports two log forwarding modes: forwarding (default), and aggregation.
Logs are forwarded in real-time or near real-time as they are received. Forwarded content files include: DLP files, antivirus quarantine files, and IPS packet captures.
This mode can be configured in both the GUI and CLI.
As FortiAnalyzer receives logs from devices, it stores them, and then forwards the collected logs at a specified time every day.
FortiAnalyzer supports log forwarding in aggregation mode only between two FortiAnalyzer units. Syslog and CEF servers are not supported.
The client must provide super user login credentials to be authenticated by the server before it can aggregate logs.
Aggregation mode can only be configured with the log-forward-service CLI commands. See the FortiAnalyzer CLI Reference for more information.
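The following is an added, constructed example of what the two-unit aggregation setup described above looks like in the CLI; it is not taken from this page or from the FortiAnalyzer CLI Reference. Only the `log-forward-service` command name comes from the page; the `accept-aggregation`, `log-forward`, `mode`, `agg-user`, `agg-password`, `agg-time`, `server-ip` and `server-name` keywords, and the IP addresses and account name, are assumed from memory of the CLI reference and should be checked against the reference for your firmware version before use.

```text
# --- Receiving (server) FortiAnalyzer: allow another FortiAnalyzer to aggregate logs into it ---
# Assumed keyword: accept-aggregation (verify against the CLI Reference)
config system log-forward-service
    set accept-aggregation enable
end

# --- Sending (client) FortiAnalyzer: forward stored logs to the server once a day ---
# Assumed keywords: log-forward, mode, agg-user, agg-password, agg-time, server-ip, server-name
config system log-forward
    edit 1
        set mode aggregation
        set server-name faz-central                    # constructed name
        set server-ip 192.0.2.10                       # constructed address (TEST-NET-1)
        set agg-user faz-aggregation-admin             # super user account on the server (page requirement)
        set agg-password <password-placeholder>        # placeholder; never commit a real password to notes
        set agg-time 2                                 # hour of day (0-23) at which the daily transfer runs
    next
end
```

Two points follow directly from the text above. First, the client holds super user credentials for the receiving unit, so that account and its password deserve the same protection as any other administrator account on the server, and the password should be rotated together with the client configuration. Second, because the server side only accepts aggregation from another FortiAnalyzer, a syslog or CEF destination must still be configured in the default forwarding mode; pointing an aggregation-mode entry at a syslog server will not work.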