Fortinet white logo
Fortinet white logo

FortiSIEM Reference Architecture Using ClickHouse

FortiSIEM Node Types

FortiSIEM Node Types

FortiSIEM solutions have three node types:

  • Supervisor

    • The Supervisor node is mandatory in all deployments. It runs the core services and manages the other nodes in the cluster.

  • Workers

    • Worker nodes are optional. They are used in larger deployments to increase log processing and query performance, and to scale the ClickHouse database. There is no hard limit on the number of Worker nodes that can be deployed.

  • Collectors

    • Collector nodes are optional. They are used in small and large deployments to offload log collection and performance monitoring from the Supervisor node, to support distributed remote site log collection, and to collect logs from FortiSIEM Agents. There is no hard limit on the number of Collector nodes that can be deployed.

Several innovative and powerful technologies underpin the solution, including:

  • Distributed event correlation

  • Distributed querying and reporting

  • An integrated, distributed, high performance ClickHouse based event storage database

Distributed event correlation delivers scalable event processing by enabling the Worker nodes to evaluate logs against the FortiSIEM rule base in a distributed manner. Each Worker evaluates the rules it processes and generates partial match reports. These are sent to the Supervisor, which aggregates the partial matches and, if relevant, triggers the rule.

Distributed querying and reporting ensure the solution scales for analyst queries and reports, as well as event ingestion. The Supervisor node automatically distributes large queries across multiple worker nodes, aggregates results and presents them to the user.

FortiSIEM Node Types

FortiSIEM Node Types

FortiSIEM solutions have three node types:

  • Supervisor

    • The Supervisor node is mandatory in all deployments. It runs the core services and manages the other nodes in the cluster.

  • Workers

    • Worker nodes are optional. They are used in larger deployments to increase log processing and query performance, and to scale the ClickHouse database. There is no hard limit on the number of Worker nodes that can be deployed.

  • Collectors

    • Collector nodes are optional. They are used in small and large deployments to offload log collection and performance monitoring from the Supervisor node, to support distributed remote site log collection, and to collect logs from FortiSIEM Agents. There is no hard limit on the number of Collector nodes that can be deployed.

Several innovative and powerful technologies underpin the solution, including:

  • Distributed event correlation

  • Distributed querying and reporting

  • An integrated, distributed, high performance ClickHouse based event storage database

Distributed event correlation delivers scalable event processing by enabling the Worker nodes to evaluate logs against the FortiSIEM rule base in a distributed manner. Each Worker evaluates the rules it processes and generates partial match reports. These are sent to the Supervisor, which aggregates the partial matches and, if relevant, triggers the rule.

Distributed querying and reporting ensure the solution scales for analyst queries and reports, as well as event ingestion. The Supervisor node automatically distributes large queries across multiple worker nodes, aggregates results and presents them to the user.