FortiSIEM Reference Architecture Using ClickHouse

Network Infrastructure

The Supervisor and Worker cluster should be interconnected by a data center class LAN that provides line rate, uncontended switching of at least 1 Gbps. Larger deployments should provide 10 Gbps to each node to support large scale data transfer.

Collector nodes should have a connection to the main Supervisor / Worker cluster of sufficient bandwidth to meet the anticipated log volume. The Collector nodes have two features to help with traffic bursts on lower bandwidth uplink connections:

  • Local log buffering allows the Collector to temporarily store logs on its local hard drive if it cannot upload them to the Supervisor or Worker node

  • Collector upload bandwidth limiting allows the administrator to configure the maximum upload bandwidth the Collector may use when uploading logs to the Supervisor or Worker node

Consider the following when using these features:

  • The average log ingestion rate, compared to the available or configured log upload bandwidth, must be such that the Collector can clear any buffered logs over time before its local storage becomes full. If the Collector storage becomes full, logs will be lost

  • Buffering logs affects rule behavior. Logs are only considered by the rule correlation engine once they have been uploaded to the Supervisor or Worker, not when they are received by the Collector
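The two considerations above can be checked numerically before choosing an upload limit and a buffer size. The following is an added sizing example, not Fortinet code or a FortiSIEM default: it walks a Collector's local buffer through a constructed ingestion timeline (baseline, burst, baseline) and reports whether the buffer overflows, how long the backlog delays correlation, and how long draining takes. Bandwidth, buffer size and event size are assumed values.

```python
"""Sizing check for a FortiSIEM Collector uplink with local log buffering
and an upload bandwidth limit (assumed numbers, not Fortinet defaults)."""
from dataclasses import dataclass


@dataclass
class CollectorLink:
    upload_kbps: float      # configured Collector upload limit (kbit/s)
    buffer_mb: float        # local disk reserved for buffered logs (MB)
    avg_event_bytes: int    # average on-the-wire size of one log event

    def upload_bytes_per_s(self) -> float:
        return self.upload_kbps * 1000 / 8


def simulate(link: CollectorLink, phases, step_s: int = 60) -> dict:
    """phases: list of (duration_s, ingest_eps), a constructed timeline.
    Walks the buffer in fixed steps and returns the peak buffer (MB), bytes
    lost to overflow (MB), the worst correlation delay (s) and the seconds
    needed to drain the remaining backlog at the final phase's ingest rate."""
    cap = link.buffer_mb * 1e6
    out = link.upload_bytes_per_s()
    buffered = lost = peak = worst_delay = 0.0
    for duration_s, eps in phases:
        inflow = eps * link.avg_event_bytes
        for _ in range(duration_s // step_s):
            buffered = max(0.0, buffered + (inflow - out) * step_s)
            if buffered > cap:              # disk full: newest logs are dropped
                lost += buffered - cap
                buffered = cap
            peak = max(peak, buffered)
            # a log arriving now waits behind everything already buffered
            # before the correlation engine on the Supervisor/Worker sees it
            worst_delay = max(worst_delay, buffered / out)
    last_inflow = phases[-1][1] * link.avg_event_bytes
    drain_s = buffered / (out - last_inflow) if out > last_inflow else float("inf")
    return {"peak_mb": peak / 1e6, "lost_mb": lost / 1e6,
            "worst_delay_s": worst_delay, "drain_s": drain_s}


if __name__ == "__main__":
    # 2 Mbit/s uplink, 1 GB buffer, 500-byte events -> uplink clears 500 EPS
    link = CollectorLink(upload_kbps=2000, buffer_mb=1000, avg_event_bytes=500)
    # one hour at 300 EPS, a 30-minute burst at 1500 EPS, then an hour at 300 EPS
    print(simulate(link, [(3600, 300), (1800, 1500), (3600, 300)]))
```

A burst lasting a full hour at the same rate overflows this buffer and loses data, which is exactly the case the first consideration warns about.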