FortiSIEM -Information Request on agent/syslog Log Continuity in network outage

Forum|Forum|11 months ago
June 18, 2025
1 reply
566 views

We want to understand how FortiSIEM handles log collection from agents and syslog sources during network outages. In particular, we are looking for technical guidance on the following points:

How agents and syslog sources manage logs during network outages in FortiSIEM

For example; we request a guiding evaluation with technical explanations especially on the following issues:

How long the agents can keep the logs in the buffer when the network connection is lost, the maximum size definition that the local disk can be used at this point,

What kind of log losses can be experienced in case of buffer overflow,

Can you help with issues such as the process of forwarding delayed logs in case of reconnection?

Fortisiem

marakji

Staff

For the collector, check this article that explains how you can increase the maximum size of the buffer. Obviously, the longer the outage, the larger the buffer, if you want to run some estimations, you can check your EPS on the collector, then consider each event size as 1000KB and do the math.

https://docs.fortinet.com/document/fortisiem/7.4.0/user-guide/289207/increasing-collector-event-buffer-size

For the windows agent, you can change the regestry settings under "HKEY_LOCAL_MACHINE\Software\Fortinet\FortiSIEM", I think it's called "MaxDBSizeInMB"

https://docs.fortinet.com/document/fortisiem/7.4.0/user-guide/68278/configuring-windows-agent#Configur2

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded