Fortinet black logo

FortiSIEM Reference Architecture Using ClickHouse

Home FortiSIEM 6.7.0 FortiSIEM Reference Architecture Using ClickHouse
6.7.0
7.1.5
7.1.4
7.1.3
7.1.2
7.1.1
7.1.0
7.0.3
7.0.2
7.0.1
7.0.0
6.7.9
6.7.8
6.7.7
6.7.6
6.7.5
6.7.4
6.7.3
6.7.2
6.7.1
6.7.0

Event Database Capacity, Archive and Purge

Event Database Capacity, Archive and Purge

FortiSIEM supports the following archive database options. Refer to the user guide for more information.

Event Database

Retention Policy Options

Online

Archive

Online

Archive

FortiSIEM EventDB (local or NFS)

FortiSIEM EventDB (NFS)

Policy-based

Space-based

Policy-based

Space-based

Elasticsearch

FortiSIEM EventDB (NFS)

Space-based

Policy-based

Space-based

Elasticsearch

HDFS

Space-based

Space-based

ClickHouse

FortiSIEM EventDB

(NFS)

Policy-based Space-based

Policy-based

Space-based

Design the online event database storage solution with sufficient capacity to store all events that must be available for regular querying and reporting. FortiSIEM will automatically purge old events from the online database once it reaches the retention threshold.

If an archive location is configured, the events will be copied to the archive location before the online database is purged. FortiSIEM will also automatically purge events from the archive location when the archive retention threshold is reached.

Estimate the maximum database size by calculating the EPS the system will ingest, the average log size, and the required log retention period. Then consult the FortiSIEM sizing guides at https://docs.fortinet.com/product/fortisiem/ for sizing examples for each archive option.

Previous
Next

Event Database Capacity, Archive and Purge

FortiSIEM supports the following archive database options. Refer to the user guide for more information.

Event Database

Retention Policy Options

Online

Archive

Online

Archive

FortiSIEM EventDB (local or NFS)

FortiSIEM EventDB (NFS)

Policy-based

Space-based

Policy-based

Space-based

Elasticsearch

FortiSIEM EventDB (NFS)

Space-based

Policy-based

Space-based

Elasticsearch

HDFS

Space-based

Space-based

ClickHouse

FortiSIEM EventDB

(NFS)

Policy-based Space-based

Policy-based

Space-based

Design the online event database storage solution with sufficient capacity to store all events that must be available for regular querying and reporting. FortiSIEM will automatically purge old events from the online database once it reaches the retention threshold.

If an archive location is configured, the events will be copied to the archive location before the online database is purged. FortiSIEM will also automatically purge events from the archive location when the archive retention threshold is reached.

Estimate the maximum database size by calculating the EPS the system will ingest, the average log size, and the required log retention period. Then consult the FortiSIEM sizing guides at https://docs.fortinet.com/product/fortisiem/ for sizing examples for each archive option.

Previous
Next