Help
FortiSIEM Discussions
yans
New Contributor II

Created on ‎11-20-2025 05:30 AM

Seeing EPS on Supervisor despite it not being configured in Event Upload Workers

Dear FortiSIEM community, 

 

I am planning a deployment with two workers, two collectors in HA and supervisor. 

I don't want the supervisor to store any logs, I just want it to control and manage the cluster.

Initially I did not use any disk for ClickHouse, but I learnt in this post that it is a requirement even though supervisor will not store any logs. I provisioned a 60 GB ClickHouse disk and formed the cluster - see in the screenshots.  When I checked the EPS distributed to the cluster nodes, I noticed that supervisor is receiving logs even though in is not defined in the Event Upload Workers and there is no shard assigned to it (no data node). I also configured the collectors to send logs only to the worker nodes. 

 

Could you please explain whether this is expected behavior? 

Does supervisor distribute the logs it collects to worker nodes to store in this case? 

 

Many thanks,

Jan

 

cluster_config.pngcollector_config.pngeps.pngsystem_cluster_config.png

 

25
0 Kudos
0 REPLIES 0
Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.