Setting Collectors (Enterprise)

A Collector enables FortiSIEM to collect logs and performance metrics from geographically disparate networks. Data collection protocols such as SNMP and WMI are often chatty, and the devices may be reachable from the Supervisor node only over the Internet and through a firewall. Syslog, especially over UDP, is unreliable and insecure. Deploying a Collector behind the firewall solves these issues. The Collector registers with the FortiSIEM Supervisor node and then receives commands from the Supervisor regarding discovery and data collection. The Collector parses the logs and forwards them, compressed, to Supervisor/Worker nodes over an encrypted HTTPS channel. The Collector also buffers the logs locally for a period of time if the network connection to the Supervisor/Worker is not available.

This section provides the procedures to configure a Collector in Enterprise deployment.

Make sure the Worker Upload has been configured prior to defining the Collectors.

Adding a Collector

Complete these steps to add a Collector:

  1. Go to ADMIN > Setup > Collector tab.
  2. Click New.
  3. In the Event Collector Definition dialog box, enter the information below.

    Setting                                  Guidelines
    Name                                     [Required] Collector name.
    Guaranteed EPS                           [Required] Events from this Collector are always accepted while its event rate is below this Guaranteed EPS. FortiSIEM re-allocates the excess EPS (the license EPS minus the sum of Guaranteed EPS over all Collectors) based on need, but a Collector's allocation never drops below its Guaranteed EPS.
    Upload Rate Limit (Kbps)                 Maximum rate (in Kbps) at which the Collector can send events to all Workers. The limit is enforced at 3 minute intervals. When either the upload rate limit or the EPS limit is hit, events are buffered at the Collector and sent later.
    Upload EPS Limit                         Maximum events per second at which the Collector can send events to all Workers. The limit is enforced at 3 minute intervals. When either the upload rate limit or the EPS limit is hit, events are buffered at the Collector and sent later.
    Start Time                               [Required] Select a specific start date or check 'Unlimited'. If specific dates are chosen, the Collector does not work outside the start and end dates.
    End Time                                 [Required] Select a specific end date or check 'Unlimited'. If specific dates are chosen, the Collector does not work outside the start and end dates.
    Agent User                               User name that FortiSIEM Windows and Linux Agents use to register with the FortiSIEM Supervisor.
    Agent Password / Confirm Agent Password  Password for the Agent User.
  4. Click Save.
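The Guaranteed EPS guideline above describes a two-tier allocation: each Collector's guaranteed rate is always honoured, and only the excess (license EPS minus the sum of all guarantees) is shared on demand, with anything above a Collector's allocation buffered locally. The following model is an added illustration, not FortiSIEM code; it works through that rule on a constructed three-Collector sample. The proportional split of the excess pool and the `Collector` / `allocate_eps` / `buffered_eps` names are assumptions, since the page says only that excess is allocated "based on need".

```python
from dataclasses import dataclass

@dataclass
class Collector:
    name: str
    guaranteed_eps: int  # the "Guaranteed EPS" setting from the Collector definition
    offered_eps: int     # events/sec the Collector currently tries to send (constructed sample)

def excess_eps(license_eps: int, collectors: list) -> int:
    """Excess pool = license EPS minus the sum of Guaranteed EPS over all Collectors.
    Guaranteeing more EPS than the license allows is a configuration error."""
    total_guaranteed = sum(c.guaranteed_eps for c in collectors)
    if total_guaranteed > license_eps:
        raise ValueError(f"sum of Guaranteed EPS ({total_guaranteed}) exceeds license ({license_eps})")
    return license_eps - total_guaranteed

def allocate_eps(license_eps: int, collectors: list) -> dict:
    """Return {collector name: EPS accepted from it} for the current offered rates.
    Each Collector always gets min(offered, guaranteed); the excess pool is then
    shared among Collectors whose offered rate exceeds their guarantee.
    Assumption (the page only says 'based on need'): the pool is split in
    proportion to each Collector's unmet need, never exceeding what it offers."""
    pool = excess_eps(license_eps, collectors)
    accepted = {c.name: min(c.offered_eps, c.guaranteed_eps) for c in collectors}
    need = {c.name: max(0, c.offered_eps - c.guaranteed_eps) for c in collectors}
    total_need = sum(need.values())
    if total_need == 0 or pool == 0:
        return accepted
    share = min(pool, total_need)  # never hand out more than the pool or than is wanted
    for c in collectors:
        # integer division: any remainder simply stays unallocated this interval
        accepted[c.name] += share * need[c.name] // total_need
    return accepted

def buffered_eps(collectors: list, accepted: dict) -> dict:
    """Events/sec each Collector must buffer locally because its allocation was hit."""
    return {c.name: c.offered_eps - accepted[c.name] for c in collectors}

# Constructed sample: a 10,000 EPS license shared by three Collectors, two of them bursting.
SAMPLE = [
    Collector("hq", guaranteed_eps=4000, offered_eps=3000),
    Collector("branch", guaranteed_eps=2000, offered_eps=5000),
    Collector("dmz", guaranteed_eps=1000, offered_eps=4000),
]

if __name__ == "__main__":
    alloc = allocate_eps(10000, SAMPLE)
    print("accepted:", alloc)                        # hq 3000, branch 3500, dmz 2500
    print("buffered:", buffered_eps(SAMPLE, alloc))  # hq 0, branch 1500, dmz 1500
```

With the license reduced to exactly the sum of the guarantees (7,000 EPS), the pool is empty and the bursting Collectors are held to their guaranteed rate, which is the property that keeps one noisy site from starving the others' log delivery.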

Installing a Collector

For installing Collectors, see the "Install Collector" sections in the specific Installation Guides. See also the Upgrade and Sizing Guides here.

Registering a Collector

Once a Collector has been created in the GUI, the Collector needs to be installed and registered.

For registering a Collector, follow these steps:

  1. SSH to the Collector.
  2. Run the following command:

    phProvisionCollector --add <user> '<password>' <super IP or host> <organization> <collectorName>

    Enclose the password in single quotes so that the shell does not interpret any non-alphanumeric characters it contains. In Enterprise mode, use super as the organization.

    Refer to the tables in steps 3 and 4 here for more information about these settings: <user>, <password>, <organization> and <collectorName>.