Setting Organizations and Collectors (Service Provider)
FortiSIEM supports multi-tenancy via Organizations in a Service Provider deployment. The devices and logs belonging to different Organizations are kept separate, and Incidents trigger separately for each Organization.
A Collector enables FortiSIEM to collect logs and performance metrics from geographically disparate networks. Data collection protocols such as SNMP and WMI are often chatty, and the devices may only be reachable from the Supervisor node over the Internet and behind a firewall. Syslog, especially over UDP, is unreliable and insecure. A Collector can be deployed behind the firewall to solve these issues. The Collector registers with the FortiSIEM Supervisor node and then receives commands from the Supervisor regarding discovery and data collection. The Collector parses the logs and forwards the compressed logs to Supervisor/Worker nodes over an encrypted HTTPS channel. The Collector also buffers the logs locally for a period of time if the network connection to the Supervisor/Worker is not available.
Organizations can be defined in one of two ways:
- Associating one or more Collectors to an Organization – the devices monitored by the Collector or the events sent to the Collector automatically belong to the associated Organization.
- Defining an IP range for an Organization – if the sending IP of a device belongs to the IP range, then the device and logs belong to that Organization.
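The IP-range way of defining an Organization is only as safe as the ranges themselves: if two tenants' Include ranges overlap, a device's logs can be attributed to the wrong tenant. The following is an added example, not FortiSIEM code, that parses the Include/Exclude format the Organization Definition table describes (comma-separated individual IPs or ranges such as 10.10.10.1-10.10.10.8), resolves a sending IP to an Organization, and flags overlapping Organizations before they are saved. It assumes that an Exclude range takes precedence over an Include range within the same Organization; the Organization names and addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Organization:
    """One tenant defined by IP ranges. Ranges are stored as (start, end) integer pairs."""
    name: str
    include: list = field(default_factory=list)
    exclude: list = field(default_factory=list)

    @classmethod
    def from_spec(cls, name, include_spec, exclude_spec=""):
        return cls(name, parse_ip_spec(include_spec), parse_ip_spec(exclude_spec))


def parse_ip_spec(spec):
    """Parse the GUI format: comma-separated single IPs or 'start-end' ranges."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if hi < lo:
                raise ValueError(f"range end precedes start: {item}")
        else:
            lo = hi = ipaddress.ip_address(item)
        ranges.append((int(lo), int(hi)))
    return ranges


def in_ranges(ip, ranges):
    n = int(ipaddress.ip_address(ip))
    return any(lo <= n <= hi for lo, hi in ranges)


def subtract(ranges, holes):
    """Remove every interval in `holes` from `ranges` (interval arithmetic on ints)."""
    out = []
    for lo, hi in ranges:
        pieces = [(lo, hi)]
        for hlo, hhi in holes:
            nxt = []
            for plo, phi in pieces:
                if hhi < plo or hlo > phi:      # no intersection, keep as is
                    nxt.append((plo, phi))
                    continue
                if plo < hlo:                   # keep the part left of the hole
                    nxt.append((plo, hlo - 1))
                if phi > hhi:                   # keep the part right of the hole
                    nxt.append((hhi + 1, phi))
            pieces = nxt
        out.extend(pieces)
    return out


def effective_ranges(org):
    """Include minus Exclude (assumption: Exclude wins inside one Organization)."""
    return subtract(org.include, org.exclude)


def organization_for(ip, orgs):
    """Name of the single Organization whose effective range contains the sender IP, else None.
    Raises if the IP matches more than one tenant, which would mean misattributed logs."""
    matches = [o.name for o in orgs if in_ranges(ip, effective_ranges(o))]
    if len(matches) > 1:
        raise ValueError(f"{ip} matches multiple Organizations: {matches}")
    return matches[0] if matches else None


def overlapping_orgs(orgs):
    """Pairs of Organization names whose effective ranges intersect (a tenancy misconfiguration)."""
    pairs = []
    for a, b in combinations(orgs, 2):
        ra, rb = effective_ranges(a), effective_ranges(b)
        if any(alo <= bhi and blo <= ahi for alo, ahi in ra for blo, bhi in rb):
            pairs.append((a.name, b.name))
    return pairs


# Constructed sample tenants (not real configuration).
SAMPLE_ORGS = [
    Organization.from_spec("Acme", "10.10.10.1-10.10.10.8, 192.0.2.50", "10.10.10.5"),
    Organization.from_spec("Globex", "10.10.20.0-10.10.20.255"),
]
# A third tenant whose Include range collides with Acme's.
COLLIDING_ORG = Organization.from_spec("Initech", "10.10.10.6-10.10.10.10")

if __name__ == "__main__":
    for ip in ("10.10.10.3", "10.10.10.5", "192.0.2.50", "10.10.20.7", "203.0.113.1"):
        print(ip, "->", organization_for(ip, SAMPLE_ORGS))
    print("overlaps:", overlapping_orgs(SAMPLE_ORGS + [COLLIDING_ORG]))
```

Run the overlap check against the full set of Organizations every time a tenant's Include/Exclude ranges are edited; the excluded address (10.10.10.5 above) resolves to no tenant, which is the expected result for an address that was deliberately carved out.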
This section provides the procedures to configure an Organization for a multi-tenant FortiSIEM deployment.
Make sure the Worker Upload has been configured prior to defining the Collectors.
Complete these steps to add an Organization:
1. Go to ADMIN > Setup > Organizations tab.
2. Click New.
3. In the Organization Definition dialog box, enter the information below.

| Setting | Guidelines |
|---|---|
| Organization [Required] | Name of the Organization |
| Full Name | Full name of the Organization |
| Admin User [Required] | User name used for two purposes: (a) users logging in to the FortiSIEM Supervisor GUI for that Organization and (b) Collector registration to the Supervisor. This user has the 'Full Admin' role. |
| Admin Password/Confirm Admin Password [Required] | Password of the Admin user. |
| Admin Email [Required] | Email address of the Admin user for the Organization. |
| Phone | Contact number for the Organization |
| Include IP/IP Range | IP range for the Organization, used when the Organization is defined by IP addresses. Allowed format is comma-separated individual IPs or an IP range such as 10.10.10.1-10.10.10.8 |
| Exclude IP/IP Range | IP range to be excluded from the Organization. Allowed format is comma-separated individual IPs or an IP range such as 10.10.10.1-10.10.10.8 |
| Agent User | User name used by FortiSIEM Windows and Linux Agents to register to the FortiSIEM Supervisor. Note: An Agent User cannot be used to log into the UI. |
| Agent Password/Confirm Agent Password | Password of the Agent User. |
| Max Devices | Maximum number of monitored CMDB devices for the Organization |
| Address | Contact address for the Organization |

4. If your Organization uses Collectors, click New under Collectors and enter the information below.

| Setting | Guidelines |
|---|---|
| Name [Required] | Name of the Collector |
| Guaranteed EPS [Required] | Events from this Collector are always accepted when its event rate is below this Guaranteed EPS. FortiSIEM re-allocates the excess EPS (license EPS minus the sum of Guaranteed EPS over all Collectors) based on need, but a Collector's allocation never goes below its Guaranteed EPS. |
| Upload Rate Limit (Kbps) | Maximum rate (in Kbps) at which a Collector can send events to all Workers. |
| Start Time [Required] | Select a specific start date or check 'Unlimited'. Collectors will not work outside of the start and end dates if specific dates are chosen. |
| End Time [Required] | Select a specific end date or check 'Unlimited'. Collectors will not work outside of the start and end dates if specific dates are chosen. |

5. Enter the Description of the Organization.
6. Click Save.
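When sizing Guaranteed EPS per Collector, the quantity to watch is the excess EPS from the table above: license EPS minus the sum of all Guaranteed EPS values. The following is an added example, not FortiSIEM's allocator, that computes that excess, refuses an over-subscribed set of Collectors, and distributes the excess to Collectors whose observed rate exceeds their guarantee. The page says only that excess is re-allocated "based on need"; splitting it in proportion to each Collector's demand above its guarantee is this example's assumption, and the license value and Collector rates are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Collector:
    name: str
    guaranteed_eps: int   # the Guaranteed EPS setting from the Collector table
    observed_eps: int     # constructed sample: the rate this Collector is currently sending


def excess_eps(license_eps, collectors):
    """License EPS minus the sum of Guaranteed EPS over all Collectors.
    A negative result means the guarantees cannot all be honoured, so reject it."""
    total_guaranteed = sum(c.guaranteed_eps for c in collectors)
    if total_guaranteed > license_eps:
        raise ValueError(
            f"sum of Guaranteed EPS ({total_guaranteed}) exceeds license EPS ({license_eps})"
        )
    return license_eps - total_guaranteed


def allocate_eps(license_eps, collectors):
    """Per-Collector EPS allocation.

    Every Collector receives at least its Guaranteed EPS. The excess is then split in
    proportion to each Collector's need (observed rate above its guarantee); this
    proportional rule is an assumption, not FortiSIEM's documented behaviour. A Collector
    never receives more than it needs, so any remainder stays unallocated.
    """
    excess = excess_eps(license_eps, collectors)
    need = {c.name: max(0, c.observed_eps - c.guaranteed_eps) for c in collectors}
    total_need = sum(need.values())
    allocation = {}
    for c in collectors:
        share = 0 if total_need == 0 else excess * need[c.name] // total_need
        allocation[c.name] = c.guaranteed_eps + min(share, need[c.name])
    return allocation


def accepts_rate(collector, allocation):
    """True when the Collector's current rate fits inside its allocation.
    A rate below Guaranteed EPS is always accepted, per the table."""
    if collector.observed_eps <= collector.guaranteed_eps:
        return True
    return collector.observed_eps <= allocation[collector.name]


# Constructed sample: three Collectors against a 10,000 EPS license.
SAMPLE_COLLECTORS = [
    Collector("branch-east", guaranteed_eps=2000, observed_eps=5000),
    Collector("branch-west", guaranteed_eps=3000, observed_eps=3000),
    Collector("dc-core", guaranteed_eps=1000, observed_eps=2000),
]

if __name__ == "__main__":
    for license_eps in (10000, 8000):
        alloc = allocate_eps(license_eps, SAMPLE_COLLECTORS)
        print(license_eps, "EPS license ->", alloc)
        for c in SAMPLE_COLLECTORS:
            print(f"  {c.name}: accepted={accepts_rate(c, alloc)}")
```

With a 10,000 EPS license the excess of 4,000 covers every Collector's demand; at 8,000 EPS the two Collectors that run above their guarantee are scaled back proportionally, and the one sending exactly its Guaranteed EPS is unaffected.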
Once a Collector has been created in the GUI, the Collector needs to be installed and registered.
To register a Collector, follow these steps:
- SSH to the Collector.
- Run the following command:
  phProvisionCollector --add <user> '<password>' <super IP or host> <organization> <collectorName>
The password should be enclosed in single quotes so that any non-alphanumeric characters are escaped. In Enterprise mode, use super as the organization.
Refer to the tables in steps 3 and 4 for more information about these settings: