Description
This article describes FortiAnalyzer's two modes of operation: analyzer and collector.
The ideal mode of operation depends on the network topology and individual requirements.
Scope
Any version of FortiAnalyzer.
Solution
When operating in analyzer mode, the unit acts as a central log aggregator for one or more log collectors, such as a FortiAnalyzer operating in collector mode, or any supported unit sending logs.
Analyzer is the default operating mode.
When operating in collector mode, the unit collects logs from multiple units and then forwards those logs in the original binary format to another unit, such as a FortiAnalyzer operating in analyzer mode.
It can also send them to a syslog server or a common event format (CEF) server, depending on the forwarding mode.
A collector does not have the same feature-rich options as an analyzer, because its only purpose is to collect and forward logs.
It does not allow event management or reporting. So it contains only Archive logs and does not have Analytic logs.
It is possible to change the operating mode in the System Information widget on the dashboard.
Using both analyzer and collector modes increases FortiAnalyzer performance: Collectors off-load the task of receiving logs from multiple units from the analyzer so it can expend its resources collating and storing those logs in a fashion that makes it easy to search and run reports.
Furthermore, because a collector is strictly dedicated to log collection, its log receiving rate and speed are maximized.
If bandwidth is an issue, it is possible to use the store and upload option to send logs only during low-bandwidth periods.
Related articles:
Operation modes -> Analyzer mode & Collector mode
