Configuring Event Collector

A FortiSIEM Collector allows efficient data collection from geographically disparate networks. Data collection protocols such as SNMP and WMI are often chatty, and the monitored devices may be reachable from the Supervisor node only over the Internet and behind a firewall. A FortiSIEM Collector can be deployed to solve these issues. The Collector is deployed close to the devices, behind the firewall. The Collector registers with the FortiSIEM Supervisor node and then receives commands from the Supervisor regarding discovery and data collection. The Collector parses the logs and forwards the compressed logs to the Supervisor/Worker nodes over an encrypted HTTPS channel. The Collector also buffers the logs locally for a period of time if the network connection to the Supervisor/Worker is not available.

This section provides the procedures to configure an Event Collector.

Adding an Event Collector

Follow the procedure below to add an Event Collector:

  1. On the top-right corner of the UI, click the settings icon and select Change scope.
  2. Select Admin View > Local and click Change View.
  3. Go to ADMIN > Setup > Collector.
  4. Click New.
  5. In the Event Collector Definition dialog box, enter the information below.

    Setting          Guidelines
    Name             [Required] Name of the Collector.
    Guaranteed EPS   [Required] Events from this Collector are always accepted while its event rate is below this Guaranteed EPS. FortiSIEM re-allocates the excess EPS (the licensed EPS minus the sum of Guaranteed EPS over all Collectors) based on need, but a Collector's allocation never drops below its Guaranteed EPS.
    Start Time       Select a specific start date or check Unlimited. If specific dates are chosen, the Collector does not work outside its start and end dates.
    End Time         Select a specific end date or check Unlimited. If specific dates are chosen, the Collector does not work outside its start and end dates.
  6. Click Save. The Collector details appear in the table.
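The Guaranteed EPS and Start/End Time rules above are easier to reason about with a small model. The following Python is an added illustration, not FortiSIEM code: it models "Unlimited" as the absence of a bound, and it models "re-allocate excess EPS based on need" as sharing the excess among Collectors in proportion to how far their observed rate exceeds their guarantee (that proportional rule is an assumption; the page states only "based on need"). The Collector names, license size and observed rates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Collector:
    name: str
    guaranteed_eps: int
    start: Optional[datetime] = None  # None models the "Unlimited" checkbox
    end: Optional[datetime] = None    # None models the "Unlimited" checkbox


def is_active(c: Collector, now: datetime) -> bool:
    """A Collector works only inside its start/end window; an unset bound is Unlimited."""
    if c.start is not None and now < c.start:
        return False
    if c.end is not None and now > c.end:
        return False
    return True


def allocate_eps(license_eps: int, collectors: list, observed: dict) -> dict:
    """Return an EPS allowance per Collector name.

    Every Collector always receives at least its Guaranteed EPS. The excess
    (license minus the sum of all guarantees) is shared among Collectors whose
    observed rate exceeds their guarantee, proportionally to that demand
    (assumed model of "based on need"), and never more than they actually need.
    """
    total_guaranteed = sum(c.guaranteed_eps for c in collectors)
    if total_guaranteed > license_eps:
        raise ValueError("sum of Guaranteed EPS exceeds the licensed EPS")
    excess = license_eps - total_guaranteed

    # Demand = how much each Collector is sending above its guarantee.
    demand = {c.name: max(0, observed.get(c.name, 0) - c.guaranteed_eps) for c in collectors}
    total_demand = sum(demand.values())

    allocation = {}
    for c in collectors:
        extra = 0
        if total_demand > 0:
            share = excess * demand[c.name] // total_demand
            extra = min(share, demand[c.name])  # do not hand out more than is needed
        allocation[c.name] = c.guaranteed_eps + extra  # never below the guarantee
    return allocation


def accepts(c: Collector, rate: int, allocation: dict) -> bool:
    """Events are accepted while the rate is within the Collector's current allowance."""
    return rate <= allocation[c.name]


# Constructed sample: a 10,000 EPS license shared by three Collectors.
SAMPLE_COLLECTORS = [
    Collector("branch-a", 2000),
    Collector("branch-b", 3000, end=datetime(2024, 12, 31)),
    Collector("branch-c", 1000),
]
SAMPLE_OBSERVED = {"branch-a": 8000, "branch-b": 3000, "branch-c": 2000}


def sample_allocation() -> dict:
    return allocate_eps(10000, SAMPLE_COLLECTORS, SAMPLE_OBSERVED)


if __name__ == "__main__":
    alloc = sample_allocation()
    for c in SAMPLE_COLLECTORS:
        print(c.name, "allowance:", alloc[c.name], "active:", is_active(c, datetime(2025, 1, 15)))
```

In the sample, branch-a and branch-c both exceed their guarantees and split the 4000 EPS of excess 6:1, while branch-b, sending exactly at its guarantee, keeps its 3000 EPS; branch-b also stops working after its end date, whereas the Unlimited Collectors do not.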

Modifying an Event Collector

Follow the procedure below to modify an Event Collector:

  1. Select one or more Event Collectors from the list.
  2. Select the required action from the list below.
    • Edit - to edit Event Collector settings.
    • Delete - to delete an Event Collector.
  3. Click Save.