Configuring Storage
FortiSIEM stores events in an event database. For a single-node deployment, the event database resides locally on the FortiSIEM node. For multi-node deployments, the event database is either on an external NFS server or on an Elasticsearch cluster.
Setting Event Storage
The event storage settings must be defined when the system is set up for the first time.
Complete these steps to set up event storage:
- Go to ADMIN > Setup > Storage tab.
- Select the type of storage, Local Disk, NFS, or Elasticsearch (Java Transport client or REST API client):
Local Disk Options
- Disk Name [Required]: Local disk name. During FortiSIEM installation, you can add a 'Local' data disk of appropriate size as the 4th disk. Use the command fdisk -l to find the disk name. If you want to configure Local Disk for the physical 2000F or 3500F appliances, enter "hardware" in this field. This prompts a script to run that will configure local storage.
NFS Options
- Mount Point [Required]: NFS mount point.
- Server IP/Host [Required]: IP address/host name of the NFS server.
Elasticsearch Options - Java Transport Client
- Cluster Name [Required]: Name of the Elasticsearch cluster.
- Cluster IP/Host [Required]: IP address or DNS name of the Elasticsearch cluster coordinating node. The IP/Host must contain http.
- HTTP Port [Required]: HTTP port number.
- Java Port [Required]: Java port number.
- User Name [Optional]: User name.
- Password [Optional]: Password associated with the user.
- Shard Allocation: Fixed - enter the number of Shards and Replicas. Dynamic - dynamically shards data using the Elasticsearch rollover API.
- Per Organization Index: Select to create an index for each organization.
Elasticsearch Options - REST API Client
- URL [Required]: IP address or DNS name of the Elasticsearch cluster coordinating node. The IP/Host must contain https.
- Port [Required]: The port number.
- User Name [Optional]: User name.
- Password [Optional]: Password associated with the user.
- Shard Allocation: Fixed - enter the number of Shards and Replicas. Dynamic - dynamically shards data using the Elasticsearch rollover API.
- Per Organization Index: Select to create an index for each organization.
- Click Test to test whether the parameters in Step 2 are correct. While the test runs, the Test button label changes to "Testing..Click to Stop"; if required, click it to stop testing at any time.
- Click Save to save the changes.
At this point the event database is properly set up.
For more information about Sizing, see the FortiSIEM Sizing Guide here.
Changing Event Storage options
It is highly recommended to choose a specific event storage option and retain it. However, it is possible to switch to a different storage type.
Note: In all cases of storage type change, the old event data is not migrated to the new storage. Contact FortiSIEM Support if this is needed - some special cases may be supported.
For the following three cases, simply choose the new storage type from ADMIN > Setup > Storage.
- Local to Elasticsearch
- NFS to Elasticsearch
- Elasticsearch to Local
The following four storage change cases need special considerations:
Elasticsearch to NFS
- Log in to FortiSIEM GUI.
- Select and delete the existing Workers from ADMIN > License > Nodes > Delete.
- Go to ADMIN > Setup > Storage and update the Storage type as NFS server.
- Go to ADMIN > License > Nodes and Add the recently deleted Workers in step #2.
Local to NFS
- SSH to the Supervisor and stop FortiSIEM processes by running: phtools --stop all
- Unmount /data by running: umount /data
- Validate that /data is unmounted by running: df -h
- Edit /etc/fstab and remove the /data mount location.
- Log in to FortiSIEM GUI, go to ADMIN > Setup > Storage and update the Storage type as NFS server.
NFS to Local
- SSH to the Supervisor and stop FortiSIEM processes by running: phtools --stop all
- Unmount /data by running: umount /data
- Validate that /data is unmounted by running: df -h
- Edit /etc/fstab and remove the /data mount location.
- Connect the new disk to Supervisor VM.
- Log in to FortiSIEM GUI, go to ADMIN > Setup > Storage and update the Storage type as Local Disk.
NFS to Elasticsearch to NFS
- SSH to the Supervisor and stop FortiSIEM processes by running: phtools --stop all
- Unmount /data by running: umount /data
- Validate that /data is unmounted by running: df -h
- Edit /etc/fstab and remove the /data mount location.
- Repeat steps #1 to #4 on all Workers.
- Log in to FortiSIEM GUI, select and delete all the existing Workers from ADMIN > License > Nodes > Delete.
- Go to ADMIN > Setup > Storage and update the Storage type as appropriate.
- Go to ADMIN > License > Nodes and add all recently deleted Workers in step #6.
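The stop, unmount, verify and /etc/fstab steps shared by the Local to NFS, NFS to Local and NFS to Elasticsearch to NFS procedures above, as an added shell example that is not from the FortiSIEM documentation. It assumes the page's phtools command, the /data mount point and the /etc/fstab path, a POSIX shell on the Supervisor or Worker, and root privileges for the real run; the fstab path is a parameter so the editing step can be tried on a copy first.

```shell
#!/bin/sh
# Added example (not FortiSIEM's own code): the "stop, unmount, verify,
# edit /etc/fstab" preparation from the storage-change procedures, run as one
# guarded sequence. Assumes phtools, /data and /etc/fstab as given on the page.

# Return 0 when the given mount point is absent from df output (the check the
# page performs by eye with "df -h"); non-zero if it is still mounted.
mount_point_is_unmounted() {
    mp="$1"
    ! df -P 2>/dev/null | awk 'NR > 1 { print $NF }' | grep -qx "$mp"
}

# Drop every fstab entry whose mount point (field 2) is exactly the given
# path, after saving a timestamped backup of the file. Comments, blank lines
# and other mounts (for example /data2) are preserved.
# Usage: remove_mount_from_fstab /data [/etc/fstab]
remove_mount_from_fstab() {
    mp="$1"
    fstab="${2:-/etc/fstab}"
    cp -p "$fstab" "$fstab.bak.$(date +%Y%m%d%H%M%S)" || return 1
    awk -v mp="$mp" '($1 ~ /^#/) || ($2 != mp) { print }' "$fstab" > "$fstab.tmp" \
        && mv "$fstab.tmp" "$fstab"
}

# The page's steps in order. It stops at the first failure so that /etc/fstab
# is only edited once /data is genuinely unmounted; removing the entry while
# /data is still busy would leave the old storage silently in use until the
# next reboot, with the FortiSIEM processes already stopped.
prepare_node_for_storage_change() {
    phtools --stop all || { echo "phtools --stop all failed" >&2; return 1; }
    umount /data || { echo "umount /data failed; /etc/fstab left untouched" >&2; return 1; }
    mount_point_is_unmounted /data || { echo "/data is still mounted" >&2; return 1; }
    remove_mount_from_fstab /data /etc/fstab
}
```

Run prepare_node_for_storage_change as root on each node the procedure names, then continue with the GUI steps.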