Technical Tip: Forwarding logs between FortiAnalyzers
Description
This article explains how to forward logs from one FortiAnalyzer to another FortiAnalyzer.
Scope
FortiAnalyzer 5.4 and earlier
Solution
The source FortiAnalyzer must be able to reach the destination FortiAnalyzer on TCP port 3000, so any firewall or router between the two must permit that traffic from the source to the destination.
If spare interfaces are available on both devices, it is preferable to connect them directly and dedicate that link to log forwarding. This keeps the aggregation traffic off the production network, saving bandwidth and shortening the aggregation time.
The following is a basic example of how to enable this option:
- Configuring the client (source) FortiAnalyzer:
config system aggregation-client
    edit 1
        set mode aggregation
        set agg-password <pre-shared-key>    <----- Pre-shared key. It must match the password configured on the destination.
        set agg-time 1                       <----- Daily log aggregation start time, given as the hour of the day (0-23).
        set server-ip <destination-IP>       <----- IP address of the destination FortiAnalyzer that receives the logs.
        set server-name ""                   <----- Optional. Device name of the destination FortiAnalyzer.
    next
end
- Configuring the server (destination) FortiAnalyzer:
config system aggregation-service
    set accept-aggregation enable
    set password <pre-shared-key>    <----- Pre-shared key. It must match the agg-password set on the source in step 1.
end
Note: In later versions, the command syntax changes slightly. Refer to Technical Tip: FortiAnalyzer log aggregation.