Analyzer and collector mode
The analyzer and collector modes are used together to increase the analyzer’s performance. The collector provides a buffer to the analyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.
In most cases, the volume of logs fluctuates dramatically during a day or week. You can deploy a collector to receive and store logs during the high traffic periods and transfer them to the analyzer during the low traffic periods. As a result, the performance of the analyzer is guaranteed as it will only deal with log insertion and reporting when the log transfer process is over.
As illustrated in
Figure 2: company A has two remote branch networks protected by multiple FortiGate units. The networks generate large volumes of logs which fluctuate significantly during a day. It used to have a FortiAnalyzer 4000A in standalone mode to collect logs from the FortiGate units and generate reports. To further boost the performance of the FortiAnalyzer-4000A, the company deploys a FortiAnalyzer 400B in collector mode in each branch to receive logs from the FortiGate units during the high traffic period and transfer bulk logs to the analyzer during the low traffic period.
To set up the analyzer/collector configuration
1. On the FortiAnalyzer unit, go to System > Dashboard > Status.
2. In the System Information widget, in the Operation Mode field, select Change.
The Change Operation Mode dialog box opens.
3. Select Analyzer.
4. To enable log aggregation service, select enable Log Aggregation Service, enter the desired disk quota, then enter a password for the analyzer server and confirm it.
5. Select OK.
6. On the first collector unit, go to System > Dashboard > Status.
7. In the System Information widget, in the Operation Mode field, select Change.
The Change Operation Mode dialog box opens.
8. Select Collector.
9. Enter the following information:
Remote Server IP | Enter the IP address of the analyzer unit to which this log collector uploads logs. |
Enable Log Aggregation | Select to enable log aggregation. |
| Password | Enter the password of the analyzer unit. |
| Confirm Password | Reenter the password if the analyzer unit. |
| Upload Daily at | Select a time from the drop-down list to upload logs on a daily basis. The collector archives all logs that are uploaded. During the uploading, if the connection with the analyzer fails, the collector will keep trying to reconnect until the connection restores. |
Enable Real-time Forwarding | Select to upload logs in real-time. This action will upload log if the selected level and logs of the levels more serious than the select level. |
| Minimum Log Level | Select the minimum log level to be uploaded in real-time. |
10. Select OK.
11. On the second collector unit, repeat step
6 to
10.
