FortiSIEM stores events in an event database.
- For a single node deployment, the event database resides locally on the FortiSIEM node.
- For multi-node deployments, the event database resides either on an NFS server or on an Elasticsearch cluster.
This section describes the steps to configure these storage options. This needs to be done when the system is set up for the first time.
- Go to ADMIN > Setup > Storage tab.
- In the Event Database Storage dialog box, select the type of storage:
| Storage type | Settings | Guidelines |
|---|---|---|
| Local Disk | Disk Name | Local disk name. During FortiSIEM installation, you can add a 'Local' data disk of appropriate size as the 4th disk. Use the command `fdisk -l` to find the disk name. |
| NFS | Mount Point [Required] | NFS mount point |
| NFS | Server IP [Required] | IP address of the NFS server |
| Elasticsearch | Cluster Name [Required] | Name of the Elasticsearch cluster |
| Elasticsearch | Cluster IP/Host [Required] | IP address or DNS name of the Elasticsearch cluster coordinating node |
| Elasticsearch | HTTP Port [Required] | HTTP port number |
| Elasticsearch | Java Port [Required] | Java port number |
| Elasticsearch | Shards [Required] | Number of shards |
| Elasticsearch | Replicas [Required] | Number of replicas |
| Elasticsearch | User Name [Optional] | User name |
| Elasticsearch | Password [Optional] | Password |
- Click Test to test whether the parameters in Step 2 are correct.
While the test runs, the button label changes to Testing... Click to Stop. If required, you can click this button to stop the test at any time.
- Click Save to save the changes.
At this point the event database is properly set up.
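Before clicking Save, it is worth checking the entered values against what the storage backend actually reports, so that a typo in the cluster name or an unrealistic replica count does not surface only after events start flowing. The following pre-flight check is an added example, not FortiSIEM's own Test logic; it assumes the Elasticsearch coordinating node answers `GET /_cluster/health` on the configured HTTP port, and all sample values in it are constructed.

```python
"""Pre-flight check for FortiSIEM event storage settings (added example)."""
import json
import os
from urllib.request import urlopen

# Required fields per storage type, as listed in the Storage tab table above.
# User Name and Password for Elasticsearch are optional and so are not listed.
REQUIRED = {
    "Local Disk": ["Disk Name"],
    "NFS": ["Mount Point", "Server IP"],
    "Elasticsearch": ["Cluster Name", "Cluster IP/Host", "HTTP Port",
                      "Java Port", "Shards", "Replicas"],
}

def missing_settings(storage_type, settings):
    """Return the required fields that are absent or blank for this storage type."""
    required = REQUIRED.get(storage_type)
    if required is None:
        return [f"unknown storage type: {storage_type}"]
    return [k for k in required if not str(settings.get(k, "")).strip()]

def local_disk_exists(disk_name):
    """True if the device named as shown by `fdisk -l` (e.g. /dev/sdd) is present."""
    return os.path.exists(disk_name)

def fetch_health(host, http_port, timeout=5):
    """Query the coordinating node's HTTP port for cluster health (network call)."""
    with urlopen(f"http://{host}:{http_port}/_cluster/health", timeout=timeout) as r:
        return json.load(r)

def check_elasticsearch_health(health, expected_cluster, replicas):
    """Compare a parsed _cluster/health response with the configured settings.
    Returns a list of problems; an empty list means the settings look consistent."""
    problems = []
    if health.get("cluster_name") != expected_cluster:
        problems.append(f"cluster name mismatch: node reports {health.get('cluster_name')!r}")
    if health.get("status") == "red":
        problems.append("cluster status is red")
    # Each replica must land on a data node other than the primary's, so
    # more replicas than spare data nodes leaves shards unassigned.
    data_nodes = int(health.get("number_of_data_nodes", 0))
    if int(replicas) > max(data_nodes - 1, 0):
        problems.append(f"{replicas} replicas need {int(replicas) + 1} data nodes, "
                        f"cluster has {data_nodes}")
    return problems

# Constructed sample response, shaped like a real _cluster/health reply.
SAMPLE_HEALTH = {"cluster_name": "fsiem-es", "status": "green", "number_of_data_nodes": 3}
```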
For more information about sizing, see the FortiSIEM Sizing Guide.