Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

New Contributor

Related to SIEM Implementation Concerns

Dear Friends,

I need your support to find answers/recommendations from FortiSIEM.

Description Implementation Concerns
 Log Archival Process When restoration is required, is this happened in a bulk or can we add parameters i.e: like firewall, device, etc.
When in restoration, is this restored into the storage of live box?
What will be the impact of the processing of Live SIEM afterward / Performance impact?  
When archiving is this comply with PCI-DSS. Is this RAW log or Normalized log?
The customer has requested to retain application logs  for 31 days and the rest for 12 months. If the auditors request to generate a report for 4,5 devices for 12Months, how this can be achieved / estimated time for such request?  
Endpoint Agent Is this only for endpoints like desktops, laptops or can we use this for servers?
If we can install this in an application server like IIS, is it enough to forward the logs for main  SIEM ?
What are the log types collected by, these agents?
Are there any limitations on a collection of logs with this agent?
Is an agent forwarding logs to a collector or all in one node or both? 
All in one feature concept SIEM(Ex. As SIEM like Supervisor, Worker, Collector ) Please explain the All in one concept
Collector device count limits Limitation number of device per collector, or based on EPS count
If the collector has a maximum EPS rate exceeds what is the method to continue the BAU The queue is being cleared after 3 days, what will happen to the logs for the in-between 2 days? Is SIEM being capable enough to flag the timelines and look up for a log in the sending device?
Need a better explanation about this procedure(Are there any queuing methods applied)
Any disaster situation loss of collector connectivity and after back to normal status. Need know  how this can be achieved.
 Lost of a device connectivity to SIEM and  reconnection procedure If a devicelost its conection for 2,3 days and connected back, what is the mechanism of thisreconnection
 Saving location for logs What are the Log storing locations for Raw logs and normalised logs



Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.