FortiSIEM Discussions
Nwx46412
New Contributor

FortiSIEM -Information Request on agent/syslog Log Continuity in network outage

We want to understand how FortiSIEM handles log collection from agents and syslog sources during network outages. In particular, we are looking for technical guidance on the following points:

How agents and syslog sources manage logs during network outages in FortiSIEM


For example, we request a guiding evaluation with technical explanations, especially on the following issues:


How long can the agents keep the logs in the buffer when the network connection is lost, and what is the maximum size of local disk that can be used at this point?

What kind of log losses can be experienced in case of buffer overflow?

Can you help with issues such as the process of forwarding delayed logs after reconnection?

1 REPLY
marakji
Staff

For the collector, check this article that explains how you can increase the maximum size of the buffer. Obviously, the longer the outage, the larger the buffer. If you want to run some estimations, you can check your EPS on the collector, then consider each event size as 1000KB and do the math.

https://docs.fortinet.com/document/fortisiem/7.4.0/user-guide/289207/increasing-collector-event-buff...


For the Windows agent, you can change the registry settings under "HKEY_LOCAL_MACHINE\Software\Fortinet\FortiSIEM", I think it's called "MaxDBSizeInMB"

https://docs.fortinet.com/document/fortisiem/7.4.0/user-guide/68278/configuring-windows-agent#Config...


HTH
Mustapha
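The "do the math" sizing described in the reply, written out as a small helper. This is an added example, not FortiSIEM code or anything from the thread's authors: it takes the collector's observed EPS, a per-event size and an expected outage length, returns the buffer needed to hold every event, and also answers the inverse question of how long a configured buffer lasts and how many events would not fit once it is full. The per-event size is a parameter; the 1000 KB figure used in the usage call below is the reply's own working assumption, and the "events beyond the buffer are lost" accounting is an assumption of this example, since the thread does not state the collector's overflow behaviour.

```python
# Added example (not FortiSIEM code): outage buffer sizing from EPS,
# per-event size and outage duration, plus the inverse estimate.

KB_PER_MB = 1024


def required_buffer_mb(eps: float, event_size_kb: float, outage_seconds: float) -> float:
    """MB of buffer needed to hold every event generated during the outage."""
    if eps < 0 or event_size_kb <= 0 or outage_seconds < 0:
        raise ValueError("eps and outage_seconds must be >= 0, event_size_kb > 0")
    return eps * event_size_kb * outage_seconds / KB_PER_MB


def buffer_lasts_seconds(buffer_mb: float, eps: float, event_size_kb: float) -> float:
    """Seconds until a buffer of buffer_mb fills at the given event rate.

    Returns float('inf') when nothing is being produced (eps == 0)."""
    if buffer_mb < 0 or eps < 0 or event_size_kb <= 0:
        raise ValueError("buffer_mb and eps must be >= 0, event_size_kb > 0")
    if eps == 0:
        return float("inf")
    return buffer_mb * KB_PER_MB / (eps * event_size_kb)


def outage_report(eps: float, event_size_kb: float, buffer_mb: float, outage_seconds: float) -> dict:
    """Compare a configured buffer against an expected outage.

    Assumption (this example, not documented behaviour): once the buffer is
    full, events produced for the rest of the outage cannot be stored, so
    dropped_events counts events generated after the overflow point."""
    needed_mb = required_buffer_mb(eps, event_size_kb, outage_seconds)
    lasts_s = buffer_lasts_seconds(buffer_mb, eps, event_size_kb)
    overflow = lasts_s < outage_seconds
    dropped = round((outage_seconds - lasts_s) * eps) if overflow else 0
    return {
        "needed_mb": needed_mb,
        "configured_mb": buffer_mb,
        "overflow": overflow,
        "overflow_after_s": lasts_s if overflow else None,
        "dropped_events": dropped,
    }


if __name__ == "__main__":
    # Constructed sample figures: 500 EPS observed on the collector, the
    # reply's 1000 KB per event, a 4-hour outage, and a 2 TB buffer.
    print(outage_report(eps=500, event_size_kb=1000, buffer_mb=2 * 1024 * 1024,
                        outage_seconds=4 * 3600))
```

Run it against your own collector's EPS and the buffer size you set per the linked article; if `overflow` is true, either the buffer or the acceptable outage window needs to change.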