Hello @KarlH,

I think there is some knowledge missing concerning the database types.

As you can see in the screenshot, FSM supports different kinds of databases. EventDB (local, or on NFS), ClickHouse and Elasticsearch.

This database will be used for all the events (think of it like a SQL database, although SQL would not be the right one to serve here). Logs are sent or received through collectors and sent upstream to the workers (or, if no workers exist, to the supervisor). They then get parsed and stored in a database via the workers.

In a simple setup, this must be a single database to where every cluster member has access to. Obviously, an EventDB on local disk cannot be available for other members. So, for scaling reasons you'd prefer NFS, or (better!) ClickHouse.

The cluster members that have read or write access to the database need to have their daemons running to access the specific type of database. So, if you deployed ClickHouse, the workers and supervisor will usually run the ClickHouse-services.

In your case, as you do not use ClickHouse at all, there should not run any ClickHouse-related process, or, at least, not consume resources.

Have a look at the reference design: https://docs.fortinet.com/document/fortisiem/7.2.3/fortisiem-reference-architecture-using-clickhouse...

And I strongly recommend the Fortinet Training for that one, to learn more about how the cluster works: https://training.fortinet.com/local/staticpage/view.php?page=library_fortisiem

Best,

Christian

HI Christian we  send our customers instructions for the All in One installation portion of the pdf. Its only for them to install a single collector possibly more in a hypervisor environment.  I have not yet done a dry run of that installation to see what the customer sees. I have been told the collectors are not using clickhouse, whatever the workers and and  supervisor use is another matter,  A small portion of our customers collectors are getting filled with the log files of clickhouse, it is causing problems.  1) Some customers are not savvy Linux users and they don't know to run df -h or rm -rf commands, nor do they even check, they consider it a set it and forget scenario 2) the other problem is that they loose the credentials to the collector both of these require us as engineers to repeatedly contact them to log on, assuming they have the creds and clean up the disk.  I'm concerned that 1) clickhouse should even be running on the collector and 2 if the instructions should be forgoing that option for this simple scenario, because they wont know what to select  3) if the credential are lost we have to redeploy another collector, again giving them the installation instruction written by Fortinet.  I am trying to mitigate these maintenance issues.

Hi Karl

1) Collectors do not store data, other than caching if connectivity to the Super or Worker is lost. You cannot install an event database (eventDB or ClickHouse) on the collector.

There was an issue on some versions of FortiSIEM that was fixed in 7.1.5 where ClickHouse server was installed on Collectors. Upgrade to 7.1.5 or later to fix this if you are having this issue.

2) If the Collector registration to the Super is lost or becomes unregistered there may be something specific to the hypervisor. You should open a support case to investigate and provide the logs.

https://docs.fortinet.com/document/fortisiem/7.1.5/release-notes/46171/whats-new-in-7-1-5

See bug ID 1009809 for the ClickHouse installed on the Collector

Where are the notes to disable the service by the way?