FortiSIEM Reference Architecture Using ClickHouse

Agent Architecture - SMB / Enterprise

The FortiSIEM Windows and Linux agent provides advanced log collection features, including:

  • High performance log collection (compared to WMI / OMI)

  • Compression and secure upload via TLS

  • File integrity monitoring

  • Custom log file monitoring

  • Registry change detection (Windows)

  • Additional log source collection, such as DHCP and DNS server logs (Windows)

  • Removable drive detection (Windows)

  • Additional WMI class monitoring (Windows)

  • Custom Windows Event ID collection

  • Central log collection profile configuration via FortiSIEM GUI

The FortiSIEM agent is beneficial in many use cases. Scenarios where it should be deployed include the following:

  • High log rate servers, such as Domain Controllers and other core servers

  • Devices which require secure log upload

  • Devices which require the advanced features listed above

Additionally, the FortiSIEM Windows agent reduces load on the FortiSIEM Collector infrastructure, because it removes the need for resource-intensive WMI / OMI polling of the monitored hosts.

At least one Collector node must be deployed when using the FortiSIEM agent. Agent logs are uploaded directly to a Collector node; they cannot be uploaded to a Worker or Supervisor node. Agent configuration and health information are sent directly to the Supervisor, unless the Collector is configured to proxy the health and registration traffic to the Supervisor (see the Agent Install Guide for details). This architecture is shown below. Worker nodes are optional: in a small deployment or an all-in-one solution, the Collector can upload directly to the Supervisor.

The agent virtual Collector feature allows a load balancer virtual IP to be used as the agent log upload target in larger or more advanced agent deployments. Using a load balancer provides several benefits:

  • A single target IP in the agent log configuration

  • Support for very high log rate servers that generate more than 10k EPS per device

  • Additional resilience: inbound agent traffic can be redirected to the remaining Collectors if one Collector fails

  • Additional flexibility: more Collectors can be added behind the virtual IP without extensive agent reconfiguration
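Because agents upload over TLS and, with the virtual Collector feature, all of them are pointed at one load balancer name or IP, the certificate presented at that upload target is a single point of failure: a name mismatch or an expired certificate breaks log delivery from every agent at once. The following script is an added example, not FortiSIEM code, that checks an upload target (a Collector or the load balancer VIP) for exactly those two problems. It assumes the agents upload over HTTPS on TCP 443 (UPLOAD_PORT is an assumption, adjust it to the port your agents use), the hostname collector-vip.example.com is hypothetical, and the certificate dictionary used in the offline check is constructed in the shape that Python's `ssl` module returns from `getpeercert()`.

```python
"""Check a FortiSIEM agent upload target (Collector or load-balancer VIP) for a
TLS certificate that matches the name agents are configured with and is not
expired or about to expire.

Added example, not FortiSIEM code. Assumptions not taken from the page:
  - agents upload over HTTPS on TCP 443 (UPLOAD_PORT)
  - the host running this check can reach the Collector / VIP
"""
import socket
import ssl
import sys
import time

UPLOAD_PORT = 443   # assumed agent upload port; adjust to your deployment
WARN_DAYS = 30      # report certificates that expire within this window


def _san_dns_names(cert):
    """DNS entries from the subjectAltName of a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _name_matches(pattern, hostname):
    """RFC 6125-style match: exact name, or a single leftmost wildcard label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def cert_problems(cert, expected_name, now=None):
    """Return a list of findings for a certificate dict; an empty list means OK.

    cert has the shape produced by ssl.SSLSocket.getpeercert(): a subjectAltName
    tuple plus notBefore/notAfter strings such as 'Jan  1 00:00:00 2030 GMT'.
    now is a POSIX timestamp (defaults to the current time) so the check can be
    run offline against a constructed certificate.
    """
    now = time.time() if now is None else now
    problems = []
    names = _san_dns_names(cert)
    if not names:
        problems.append("certificate has no DNS subjectAltName")
    elif not any(_name_matches(n, expected_name) for n in names):
        problems.append(f"no SAN entry matches {expected_name!r} (SANs: {names})")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate is not yet valid")
    if now > not_after:
        problems.append("certificate has expired")
    elif (not_after - now) < WARN_DAYS * 86400:
        problems.append(f"certificate expires in {int((not_after - now) // 86400)} days")
    return problems


def fetch_peer_cert(host, port=UPLOAD_PORT, timeout=5.0):
    """Connect to the upload target and return its leaf certificate dict.

    The chain is validated against the system trust store (install your private
    CA on the checking host, or load it with ctx.load_verify_locations). Hostname
    checking is turned off here on purpose so that a name mismatch is reported
    by cert_problems() as a finding instead of aborting the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Hypothetical VIP name; pass the real Collector / VIP name as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "collector-vip.example.com"
    findings = cert_problems(fetch_peer_cert(target), target)
    print("OK" if not findings else "\n".join(findings))
```

Run it against the name the agents are actually configured with, not the individual Collector names behind the VIP: a certificate that is valid for each Collector but lacks the VIP name in its subjectAltName is the usual mistake when a load balancer is introduced in front of existing Collectors.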
