Configuring Storage

FortiSIEM stores events in an event database. For a single-node deployment, the event database resides locally on the FortiSIEM node. For multi-node deployments, the event database resides either on an external NFS server or on an Elasticsearch cluster. You can deploy your own Elasticsearch or choose AWS-managed Elasticsearch.

Setting Event Storage

The event storage settings must be defined when the system is set up for the first time.

Complete these steps to set up event storage:

  1. Go to ADMIN > Setup > Storage tab.
  2. Select the type of storage.
  3. Enter the settings for the selected storage type:

    Local Disk Options

    You must use this option when you have one Supervisor node and no Workers deployed.

    Settings Guidelines
    Disk Name [Required] Local disk name.
    During FortiSIEM installation, you can add a 'Local' data disk of appropriate size as the fourth disk. Run fdisk -l on the Supervisor to find the device name of that disk.

    If you want to configure Local Disk for the physical 2000F or 3500F appliances, enter "hardware" in this field. This runs a script that configures the appliance's local storage.

    NFS Options

    You must choose this option when you have multiple Workers deployed and you plan to use FortiSIEM EventDB.

    Settings Guidelines
    Mount Point [Required] NFS Mount Point
    Server IP/Host [Required] IP address/Host name of the NFS server

    Elasticsearch Options-Java Transport Client

    You must choose this option when:

    • you have multiple Workers deployed and
    • you plan to deploy your own Elasticsearch and
    • you want FortiSIEM to use the Java Transport Client to communicate with Elasticsearch

    Settings Guidelines
    Cluster Name [Required] Name of the Elasticsearch Cluster
    Cluster IP/Host [Required] IP address or DNS name of the Elasticsearch cluster Coordinating node. The IP/Host must contain http.
    HTTP Port [Required] HTTP port number
    Java Port [Required] Java port number
    User Name [Optional] User name
    Password [Optional] Password associated with the user
    Shard Allocation
    • Fixed - Enter the number of Shards and Replicas
    • Dynamic - Dynamically shards data using the Elasticsearch rollover API
    Per Organization Index Select to create an index for each organization

    Elasticsearch Options-REST API Client

    You must choose this option when:

    • you have multiple Workers deployed and
    • you plan to deploy your own Elasticsearch and
    • you want FortiSIEM to use the REST API Client to communicate with Elasticsearch

    Settings Guidelines
    URL [Required] IP address or DNS name of the Elasticsearch cluster Coordinating node. The IP/Host must contain https.
    Port [Required] The port number
    User Name [Optional] User name
    Password [Optional] Password associated with the user
    Shard Allocation
    • Fixed - Enter the number of Shards and Replicas
    • Dynamic - Dynamically shards data using the Elasticsearch rollover API
    Per Organization Index Select to create an index for each organization


    Elasticsearch Options-REST API Client, AWS=Yes

    You must choose this option when:

    • you have multiple Workers deployed and
    • you plan to use AWS-managed Elasticsearch

    Settings Description
    URL [Required] AWS Elasticsearch domain endpoint URL. It must contain https.
    Port [Required] The port number
    AWS Yes - Enables AWS as a managed service. The AWS service will be used to manage and scale the cluster.
    Access Key ID The AWS Access Key associated with your AWS account. Use a key pair belonging to a dedicated IAM principal whose permissions are limited to this Elasticsearch domain, not the account's root credentials; FortiSIEM stores this key pair, so scope it accordingly.
    Secret Key The AWS Secret Key associated with the Access Key ID above.
    Shard Allocation
    • Fixed - Enter the number of Shards and Replicas.
    • Dynamic - Dynamically shards data using the Elasticsearch rollover API.
    Per Organization Index Select to create an index for each organization.

  4. Click Test to check whether the parameters you entered are correct.
    While the test runs, the button label changes to Testing...Click to Stop; click it to stop the test at any time.
  5. Click Save to save the changes.
    At this point the event database is properly setup.

For more information about sizing, see the FortiSIEM Sizing Guide.
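Before clicking Test for the Elasticsearch REST API Client or AWS options, the same conditions can be checked from the Supervisor shell. The script below is an added example and not FortiSIEM's own tooling: it verifies that the URL uses https as those options require, builds the cluster-health URL from the URL and Port fields, and refuses a cluster whose health is red (unassigned primary shards) before FortiSIEM is pointed at it. The hostname, port, user name and password defaults are placeholder assumptions, and the ES_CHECK_LIVE variable is invented here as a gate so that the file can be sourced without making a network call.

```shell
#!/bin/sh
# Added example (not FortiSIEM code): pre-flight checks for an Elasticsearch
# REST API endpoint before entering it under ADMIN > Setup > Storage.
# Placeholders: ES_URL, ES_PORT, ES_USER, ES_PASS defaults below are assumptions.
set -u

# The REST API Client and AWS=Yes options require an https URL; reject anything else.
es_url_is_https() {
  case "$1" in
    https://*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Compose the _cluster/health URL from the URL and Port fields of the GUI form.
es_health_url() {
  printf '%s:%s/_cluster/health' "$1" "$2"
}

# Pull the "status" value (green/yellow/red) out of a _cluster/health JSON body.
es_health_status() {
  printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p'
}

# Gate: green and yellow are usable; red means some primary shards are unassigned,
# so event writes would fail. Returns 0 only when the gate passes.
es_cluster_ok() {
  case "$(es_health_status "$1")" in
    green|yellow) return 0 ;;
    *)            return 1 ;;
  esac
}

# Live check: validates the scheme, then queries the cluster with the credentials the
# GUI will use. The password is handed to curl through a config file on stdin (-K -)
# rather than on the command line, so it does not show up in the process list.
# curl verifies the server certificate against the system CA store; add --cacert <file>
# if the cluster uses a private CA. Never add -k: that would silently accept any certificate.
es_check_live() {
  base="$1"; port="$2"; user="$3"; pass="$4"
  es_url_is_https "$base" || { echo "URL must contain https: $base" >&2; return 2; }
  body=$(printf 'user = "%s:%s"\n' "$user" "$pass" \
         | curl -sS --fail -K - "$(es_health_url "$base" "$port")") || return 3
  es_cluster_ok "$body" || { echo "cluster health is $(es_health_status "$body")" >&2; return 4; }
  echo "ok: cluster health $(es_health_status "$body") at $(es_health_url "$base" "$port")"
}

# Only contact the cluster when explicitly asked (ES_CHECK_LIVE is a gate invented here).
if [ "${ES_CHECK_LIVE:-0}" = "1" ]; then
  es_check_live "${ES_URL:-https://es-coord.example.internal}" "${ES_PORT:-9200}" \
                "${ES_USER:-fortisiem}" "${ES_PASS:-changeme}"
fi
```

Run it as ES_CHECK_LIVE=1 ES_URL=https://your-coordinating-node ES_PORT=9200 ES_USER=... ES_PASS=... sh es-preflight.sh; a non-zero exit code tells you which of the GUI fields (scheme, reachability/credentials, or cluster health) would make the Test button fail.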

Changing Event Storage options

It is highly recommended to choose a specific event storage option and retain it. However, it is possible to switch to a different storage type.

Note: Whenever the storage type is changed, the existing event data is not migrated to the new storage. Contact FortiSIEM Support if migration is needed; some special cases may be supported.

For the following three cases, simply choose the new storage type from ADMIN > Setup > Storage.

  • Local to Elasticsearch
  • NFS to Elasticsearch
  • Elasticsearch to Local

The following four storage change cases need special consideration:

Elasticsearch to NFS

  1. Log in to FortiSIEM GUI.
  2. Select and delete the existing Workers from ADMIN > License > Nodes > Delete.
  3. Go to ADMIN > Setup > Storage and update the Storage type as NFS server
  4. Go to ADMIN > License > Nodes and Add the recently deleted Workers in step #2.

Local to NFS

  1. SSH to the Supervisor and stop FortiSIEM processes by running:
    phtools --stop all
  2. Unmount /data by running:
    umount /data
  3. Validate that /data is unmounted by running:
    df -h
  4. Edit /etc/fstab and remove /data mount location.
  5. Log in to FortiSIEM GUI, go to ADMIN > Setup > Storage and update the Storage type as NFS server.

NFS to Local

  1. SSH to the Supervisor and stop FortiSIEM processes by running:
    phtools --stop all
  2. Unmount /data by running:
    umount /data
  3. Validate that /data is unmounted by running:
    df -h
  4. Edit /etc/fstab and remove /data mount location.
  5. Connect the new disk to Supervisor VM.
  6. Log in to FortiSIEM GUI, go to ADMIN > Setup > Storage and update the Storage type as Local Disk.

NFS to Elasticsearch to NFS

  1. SSH to the Supervisor and stop FortiSIEM processes by running:
    phtools --stop all
  2. Unmount /data by running:
    umount /data
  3. Validate that /data is unmounted by running:
    df -h
  4. Edit /etc/fstab and remove /data mount location.
  5. Repeat steps #1 to #4 on all Workers.
  6. Log in to FortiSIEM GUI, select and delete all the existing Workers from ADMIN > License > Nodes > Delete.
  7. Go to ADMIN > Setup > Storage and update the Storage type as appropriate.
  8. Go to ADMIN > License > Nodes and add all recently deleted Workers in step #6.
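The Local to NFS, NFS to Local and NFS to Elasticsearch to NFS procedures share the same four shell steps on each node: stop the FortiSIEM processes, unmount /data, confirm with df that it is gone, and remove the /data entry from /etc/fstab. The script below is an added example and not part of FortiSIEM; it performs those steps, keeps a timestamped backup of /etc/fstab, removes only the lines whose mount-point field is /data (leaving comments and other mounts alone), and refuses to continue if /data is still mounted, since a stale fstab entry or a still-mounted disk is what makes the later GUI storage change fail. The mount point and fstab path default to /data and /etc/fstab; FSIEM_DETACH_DATA is an environment variable invented here as a safety gate so that sourcing the file runs nothing destructive. The GUI steps that follow the unmount are done as the page describes.

```shell
#!/bin/sh
# Added example (not FortiSIEM tooling): scripted form of the "stop processes, unmount
# /data, verify with df, clean /etc/fstab" steps. Run as root on the Supervisor (and on
# each Worker where the procedure says so). FSIEM_DETACH_DATA=1 is an invented gate.
set -u

# Return 0 if $1 currently appears as a mount target in df output (same check as df -h).
is_mounted() {
  df -P 2>/dev/null | awk -v mp="$1" '$NF == mp { found = 1 } END { exit found ? 0 : 1 }'
}

# Remove every fstab line whose mount-point field (2nd column) equals $2 from file $1,
# keeping a timestamped backup beside it. Comments and blank lines are preserved.
# Prints the number of lines removed on stdout.
remove_fstab_entry() {
  fstab="$1"; mp="$2"
  backup="$fstab.bak.$(date +%Y%m%d%H%M%S)"
  cp -p "$fstab" "$backup" || return 1
  : > "$fstab"                      # truncate, then rewrite from the backup
  awk -v mp="$mp" -v out="$fstab" '
    /^[[:space:]]*#/ || NF < 2 { print > out; next }   # keep comments / blank lines
    $2 == mp                   { removed++; next }     # drop the /data mount line(s)
                               { print > out }
    END                        { print removed + 0 }
  ' "$backup"
}

# Full procedure for one node. Destructive: stops FortiSIEM and unmounts the event store.
# $1 = mount point (default /data), $2 = fstab path (default /etc/fstab).
detach_data_mount() {
  mp="${1:-/data}"; fstab="${2:-/etc/fstab}"
  phtools --stop all || { echo "phtools --stop all failed" >&2; return 1; }
  if is_mounted "$mp"; then
    # If umount reports "target is busy", something still holds files under $mp;
    # find it with fuser -vm "$mp" before retrying.
    umount "$mp" || { echo "umount $mp failed; check for processes still using it" >&2; return 1; }
  fi
  if is_mounted "$mp"; then
    echo "$mp is still mounted; not touching $fstab" >&2
    return 1
  fi
  n=$(remove_fstab_entry "$fstab" "$mp") || return 1
  echo "$mp unmounted; removed $n fstab line(s); backup kept beside $fstab"
}

# Gate so that sourcing this file (or running it by accident) changes nothing.
if [ "${FSIEM_DETACH_DATA:-0}" = "1" ]; then
  detach_data_mount "${FSIEM_MOUNTPOINT:-/data}" "${FSIEM_FSTAB:-/etc/fstab}"
fi
```

Run it as FSIEM_DETACH_DATA=1 sh detach-data.sh on the Supervisor (and on every Worker for the NFS to Elasticsearch to NFS case), then continue with the ADMIN > Setup > Storage change in the GUI. For NFS to Local, attach the new disk after the script reports success and before changing the storage type.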