Configuring Storage
FortiSIEM stores events in an event database. For a single node deployment, the event database resides locally on the FortiSIEM node. For multi-node deployments, the event database is either on an external NFS server or on an Elasticsearch cluster. You can deploy your own Elasticsearch or choose AWS managed Elasticsearch.
Setting Event Storage
The event storage settings must be defined when the system is set up for the first time.
Complete these steps to set up event storage:
- Go to ADMIN > Setup > Storage tab.
- Select the type of storage:
  - Local Disk - when you have one Supervisor node and no Workers deployed.
  - NFS - when you have multiple Workers deployed and you plan to use FortiSIEM EventDB.
  - Elasticsearch (Java Transport Client) - when you have multiple Workers deployed, you plan to deploy your own Elasticsearch, and you want FortiSIEM to use the Java Transport Client to communicate with Elasticsearch.
  - Elasticsearch (REST API Client) - when you have multiple Workers deployed, you plan to deploy your own Elasticsearch, and you want FortiSIEM to use the REST API Client to communicate with Elasticsearch.
  - Elasticsearch (REST API Client, AWS=Yes) - when you have multiple Workers deployed and you plan to use AWS-managed Elasticsearch.
  For every Elasticsearch option, also choose the Shard Allocation:
  - Fixed - Enter the number of Shards and Replicas.
  - Dynamic - Dynamically shards data using the Elasticsearch rollover API.
- Click Test to test whether the parameters in Step 2 are correct. While the test runs, the button label changes to Testing... Click to Stop; if required, click it to stop the test at any time.
- Click Save to save the changes.
At this point the event database is properly set up.
Local Disk Options
You must use this option when you have one Supervisor node and no Workers deployed.
Settings | Guidelines |
---|---|
Disk Name | [Required] Local disk name. During FortiSIEM installation, you can add a 'Local' data disk of appropriate size as the 4th disk. Use the command `fdisk -l` to find the disk name. If you want to configure Local Disk for the physical 2000F or 3500F appliances, enter "hardware" in this field. This prompts a script to run that will configure local storage. |
NFS Options
You must choose this option when you have multiple Workers deployed and you plan to use FortiSIEM EventDB.
Settings | Guidelines |
---|---|
Mount Point | [Required] NFS Mount Point |
Server IP/Host | [Required] IP address/Host name of the NFS server |
Elasticsearch Options-Java Transport Client
You must choose this option when:
- you have multiple Workers deployed and
- you plan to deploy your own Elasticsearch and
- you want FortiSIEM to use the Java Transport Client to communicate with Elasticsearch
Settings | Guidelines |
---|---|
Cluster Name | [Required] Name of the Elasticsearch Cluster |
Cluster IP/Host | [Required] IP address or DNS name of the Elasticsearch cluster Coordinating node. The IP/Host must contain http. |
HTTP Port | [Required] HTTP port number |
Java Port | [Required] Java port number |
User Name | [Optional] User name |
Password | [Optional] Password associated with the user |
Shard Allocation | Fixed - Enter the number of Shards and Replicas. Dynamic - Dynamically shards data using the Elasticsearch rollover API. |
Per Organization Index | Select to create an index for each organization |
Elasticsearch Options-REST API Client
You must choose this option when:
- you have multiple Workers deployed and
- you plan to deploy your own Elasticsearch and
- you want FortiSIEM to use the REST API Client to communicate with Elasticsearch
Settings | Guidelines |
---|---|
URL | [Required] IP address or DNS name of the Elasticsearch cluster Coordinating node. The IP/Host must contain https. |
Port | [Required] The port number |
User Name | [Optional] User name |
Password | [Optional] Password associated with the user |
Shard Allocation | Fixed - Enter the number of Shards and Replicas. Dynamic - Dynamically shards data using the Elasticsearch rollover API. |
Per Organization Index | Select to create an index for each organization |
Elasticsearch Options-REST API Client, AWS=Yes
You must choose this option when:
- you have multiple Workers deployed and
- you plan to use AWS-managed Elasticsearch
Settings | Description |
---|---|
URL | [Required] AWS Elasticsearch domain endpoint URL. It must contain https. |
Port | [Required] The port number |
AWS | Yes - Enables AWS as a managed service. The AWS service will be used to manage and scale the cluster. |
Access Key ID | The AWS Access Key associated with your AWS account. |
Secret Key | The AWS Secret Key associated with your AWS account. |
Shard Allocation | Fixed - Enter the number of Shards and Replicas. Dynamic - Dynamically shards data using the Elasticsearch rollover API. |
Per Organization Index | Select to create an index for each organization. |
For more information about sizing, see the FortiSIEM Sizing Guide.
Changing Event Storage options
It is highly recommended to choose a specific event storage option and retain it. However, it is possible to switch to a different storage type.
Note: In all cases of storage type change, the old event data is not migrated to the new storage. Contact FortiSIEM Support if this is needed - some special cases may be supported.
For the following three cases, simply choose the new storage type from ADMIN > Setup > Storage.
- Local to Elasticsearch
- NFS to Elasticsearch
- Elasticsearch to Local
The following four storage change cases need special considerations:
Elasticsearch to NFS
- Log in to FortiSIEM GUI.
- Select and delete the existing Workers from ADMIN > License > Nodes > Delete.
- Go to ADMIN > Setup > Storage and update the Storage type as NFS server
- Go to ADMIN > License > Nodes and Add the recently deleted Workers in step #2.
Local to NFS
- SSH to the Supervisor and stop FortiSIEM processes by running `phtools --stop all`.
- Unmount /data by running `umount /data`.
- Validate that /data is unmounted by running `df -h`.
- Edit /etc/fstab and remove the /data mount location.
- Log in to FortiSIEM GUI, go to ADMIN > Setup > Storage and update the Storage type as NFS server.
NFS to Local
- SSH to the Supervisor and stop FortiSIEM processes by running `phtools --stop all`.
- Unmount /data by running `umount /data`.
- Validate that /data is unmounted by running `df -h`.
- Edit /etc/fstab and remove the /data mount location.
- Connect the new disk to Supervisor VM.
- Log in to FortiSIEM GUI, go to ADMIN > Setup > Storage and update the Storage type as Local Disk.
NFS to Elasticsearch to NFS
- SSH to the Supervisor and stop FortiSIEM processes by running `phtools --stop all`.
- Unmount /data by running `umount /data`.
- Validate that /data is unmounted by running `df -h`.
- Edit /etc/fstab and remove the /data mount location.
- Repeat steps #1 to #4 on all Workers.
- Log in to FortiSIEM GUI, select and delete all the existing Workers from ADMIN > License > Nodes > Delete.
- Go to ADMIN > Setup > Storage and update the Storage type as appropriate.
- Go to ADMIN > License > Nodes and add all recently deleted Workers in step #6.
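The preparation steps shared by the Local to NFS, NFS to Local and NFS to Elasticsearch to NFS procedures above (stop processes, unmount /data, verify, edit /etc/fstab), as an added shell script that is not part of the FortiSIEM documentation. It assumes a POSIX shell with awk and df, runs as root on the Supervisor (or each Worker), and removes the fstab entry by its mount-point field so that an unrelated entry such as /data2 or /var/data is not deleted by a loose substring match.

```shell
#!/bin/sh
# Added example, not from the FortiSIEM documentation: the shared preparation
# steps (stop processes, unmount /data, verify, edit /etc/fstab) as a script.
# Assumes a POSIX shell with awk and df, run as root on the Supervisor.
set -eu

# Print the fstab file FILE with every entry whose mount point (field 2)
# is exactly /data removed. Comments and blank lines pass through, and
# unrelated entries such as /data2 or /var/data are kept.
fstab_without_data() {
    awk '$0 ~ /^[[:space:]]*#/ || NF < 2 || $2 != "/data"' "$1"
}

# Return 0 if MOUNTPOINT is listed as a mount point by df, 1 otherwise.
# Matching the whole last field avoids mistaking /data1 for /data.
is_mounted() {
    df -P 2>/dev/null | awk -v mp="$1" 'NR > 1 && $NF == mp { found = 1 } END { exit !found }'
}

# Steps 1-4 of the Local to NFS / NFS to Local / NFS to Elasticsearch to NFS
# procedures. phtools is FortiSIEM's own process-control tool; the fstab is
# backed up before the /data entry is removed so the change can be reverted.
prepare_storage_change() {
    phtools --stop all
    umount /data
    if is_mounted /data; then
        echo "/data is still mounted, aborting before touching /etc/fstab" >&2
        return 1
    fi
    backup="/etc/fstab.bak.$(date +%Y%m%d%H%M%S)"
    cp /etc/fstab "$backup"
    fstab_without_data "$backup" > /etc/fstab
    echo "FortiSIEM stopped, /data unmounted, fstab entry removed (backup: $backup)"
}

# Only act when explicitly asked, so sourcing this file for its functions is safe.
if [ "${1:-}" = "--run" ]; then
    prepare_storage_change
fi
```

After it finishes, continue with the GUI step of the procedure (ADMIN > Setup > Storage) exactly as listed above.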