FortiSIEM Discussions
Secusaurus
Contributor

FortiSIEM: Moving database to another instance

Hello all,

We are in discussion with a customer who would like to host FortiSIEM on-prem but is considering moving to our multi-tenant cloud environment some day in the future.

As we are just setting up the SIEM, I would like to build the environment in a way that makes this migration possible. The most interesting part for me here is the eventdb (as the parsers, reports, etc. could simply be exported and imported).

Has anyone done a similar thing before? Moving the eventdb to another (already running) FortiSIEM?

The target system is on ClickHouse. The on-prem system can be anything, as we have not set it up yet: Local, NFS, ClickHouse; we can also set it up in enterprise or service provider mode.

It would also be enough to just have the eventdb in archive format for the transfer, since it's all just about "keeping logs for 365 days".

Thanks already for any kind of input :)

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
1 Solution
sioannou

Hi Christian,

So, if I understood your question correctly, in the future you will be looking for a way to migrate the online events to your multi-tenant environment.

How I would do it:

The Archive can be copied across; you need to modify the CUSTOMER folder. For the online data, I would install the new collector that connects to your MSSP infra and use log forwarding from the on-prem SIEM. Please refer to event forwarding here: https://help.fortinet.com/fsiem/7-1-0/Online-Help/HTML5_Help/Event_Handling_Settings.htm

The issue with the above is that the agents will have to be re-installed on all servers. There is no formal way for the online data to be forced to the Archive. And given that the Archive retention has to be equal to or greater than the online retention, this adds a limitation.

The online retention period is your migration window.

If the retention periods are not set, I would set the online retention to something like 60 - 90 days and then keep the archive for the rest of the 365 days.

A second option would be FortiSIEM Manager. You maintain the infra at the customer, but you take ownership of and run the platform. Not sure if the Enterprise deployment supports FortiSIEM Manager.

Regards,

Sotiris

Secusaurus
Contributor

I found this documentation:

https://help.fortinet.com/fsiem/7-1-0/Online-Help/HTML5_Help/config-storage-changing-event-database....

which uses the import tool: https://help.fortinet.com/fsiem/7-1-0/Online-Help/HTML5_Help/appendix-import-tools.htm#phClickH2

This import tool allows importing events from a flat event db to ClickHouse. The only thing I need to make sure of when integrating this into another instance is that the customer ID does not overwrite one of my existing customer IDs. Probably, simply renaming the directory could already do the trick.

So, my first impression would be: use an All-in-one deployment for the customer.

That's very theoretical. Has anyone done this kind of transfer yet?

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
Secusaurus

Hi Sotiris,

Thanks for your thoughts, especially about the migration window connected to the retention time, which I did not have in mind before!

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
FSM_FTNT
Staff

Hi Christian, Sotiris,

Interesting topic.

Just note there is an update to the import instructions in 7.1.1: https://help.fortinet.com/fsiem/7-1-1/Online-Help/HTML5_Help/appendix-import-tools.htm

This is what the tool was designed for.

I'll check if there are any other options available.

Thanks