Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Modes

FortiAnalyzer supports two log forwarding modes: forwarding (default), and aggregation.

Forwarding

Logs are forwarded in real-time or near real-time as they are received. Forwarded content files include: DLP files, antivirus quarantine files, and IPS packet captures.

This mode can be configured in both the GUI and CLI.

Aggregation

As FortiAnalyzer receives logs from devices, it stores them, and then forwards the collected logs at a specified time every day.

FortiAnalyzer supports log forwarding in aggregation mode only between two FortiAnalyzer units. Syslog and CEF servers are not supported.

The client must provide super user log in credentials to get authenticated by the server to aggregate logs.

Aggregation mode can only be configured with the log-forward and log-forward-service CLI commands. See the FortiAnalyzer CLI Reference for more information.

The following table lists the differences between the two modes:

 

Log Forwarding

Log Aggregation

Configuration Portal GUI or CLI

CLI

Remote Server Type FortiAnalyzer

Syslog/CEF

FortiAnalyzer

Device Filter Support Yes

Yes

Log Filter Support Yes

No

Log Archive Support Yes

Yes

Server Port customization Yes (Except for FortiAnalyzer)

No

Log Field Exclusion Yes

No

Log Delay Real-time (max 5 minutes delay)

Max 1 day

Meta-data synchronization

Yes

No

Secure channel support

Yes (SSL as reliable connection)

Yes (rsync + SSH)

Network bandwidth

Normal (as log traffic received)

Peak hour as aggregation starts to finish

Impact on remote FortiAnalyzer

Normal (as log volume received)

Potentially large table

(If there is a mix of incoming real-time and real-time logs.)

Modes

FortiAnalyzer supports two log forwarding modes: forwarding (default), and aggregation.

Forwarding

Logs are forwarded in real-time or near real-time as they are received. Forwarded content files include: DLP files, antivirus quarantine files, and IPS packet captures.

This mode can be configured in both the GUI and CLI.

Aggregation

As FortiAnalyzer receives logs from devices, it stores them, and then forwards the collected logs at a specified time every day.

FortiAnalyzer supports log forwarding in aggregation mode only between two FortiAnalyzer units. Syslog and CEF servers are not supported.

The client must provide super user log in credentials to get authenticated by the server to aggregate logs.

Aggregation mode can only be configured with the log-forward and log-forward-service CLI commands. See the FortiAnalyzer CLI Reference for more information.

The following table lists the differences between the two modes:

 

Log Forwarding

Log Aggregation

Configuration Portal GUI or CLI

CLI

Remote Server Type FortiAnalyzer

Syslog/CEF

FortiAnalyzer

Device Filter Support Yes

Yes

Log Filter Support Yes

No

Log Archive Support Yes

Yes

Server Port customization Yes (Except for FortiAnalyzer)

No

Log Field Exclusion Yes

No

Log Delay Real-time (max 5 minutes delay)

Max 1 day

Meta-data synchronization

Yes

No

Secure channel support

Yes (SSL as reliable connection)

Yes (rsync + SSH)

Network bandwidth

Normal (as log traffic received)

Peak hour as aggregation starts to finish

Impact on remote FortiAnalyzer

Normal (as log volume received)

Potentially large table

(If there is a mix of incoming real-time and real-time logs.)