Created on 03-26-2021 07:19 AM Edited on 04-05-2022 07:28 AM By Anonymous
Description
This article describes how the Linux and Windows agents cache events when the collector is not reachable.
Solution
1) Both the Windows and Linux agents have a caching mechanism for the case where the collector is down or not reachable from the agent.
2) The Linux agent stores its cache in the following directory:
/opt/fortinet/fortisiem/linux-agent/upload
3) The Windows agent stores its cache in the following file:
C:\ProgramData\AccelOps\Agent\Database\AoWinAgt.db
4) The maximum cache size is 1GB for both the Windows and Linux agents.
5) The cache size can be increased or reduced on both the Windows and Linux agents.
6) For the Windows agent, it is set in the following registry value:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\AccelOps\Agent\MaxLogSizeInMB
7) For the Linux agent, the cache size is set by changing EVENT_CACHE_DIR_SIZE_LIMIT in the following configuration file:
/opt/fortinet/fortisiem/linux-agent/config/linux-agent-config.txt/EVENT_CACHE_DIR_SIZE_LIMIT
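While the collector is unreachable the agent can only buffer up to the configured limit, so it is worth knowing how full the Linux cache directory is before the limit is hit. The following POSIX shell check is an added example, not part of this article or of the agent itself; it assumes linux-agent-config.txt uses KEY=VALUE lines, that EVENT_CACHE_DIR_SIZE_LIMIT is expressed in MB, and that 1024 MB (the 1GB default above) applies when the key is absent. The 80%/95% warning thresholds are chosen for the example.

```shell
#!/bin/sh
# Paths from the article; override via environment (e.g. for testing).
CONFIG_FILE="${CONFIG_FILE:-/opt/fortinet/fortisiem/linux-agent/config/linux-agent-config.txt}"
CACHE_DIR="${CACHE_DIR:-/opt/fortinet/fortisiem/linux-agent/upload}"

# Read EVENT_CACHE_DIR_SIZE_LIMIT from the config file (first match only).
# Assumption: KEY=VALUE syntax, numeric value in MB. Prints nothing if unset.
cache_limit_mb() {
  sed -n 's/^[[:space:]]*EVENT_CACHE_DIR_SIZE_LIMIT[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Disk usage of the cache directory in whole MB (du -sk reports KB).
cache_used_mb() {
  kb=$(du -sk "$1" | cut -f1)
  echo $((kb / 1024))
}

# Percentage of the limit in use: cache_pct USED_MB LIMIT_MB
cache_pct() {
  [ "$2" -gt 0 ] || { echo 0; return; }
  echo $(( $1 * 100 / $2 ))
}

# Map a percentage to a status; thresholds are the example's own choice.
cache_status() {
  if [ "$1" -ge 95 ]; then echo CRIT
  elif [ "$1" -ge 80 ]; then echo WARN
  else echo OK
  fi
}

# One-line report suitable for a cron job or a local monitoring check.
check_cache() {
  limit=$(cache_limit_mb "$CONFIG_FILE")
  [ -n "$limit" ] || limit=1024   # 1GB default from the article when key is absent
  used=$(cache_used_mb "$CACHE_DIR")
  pct=$(cache_pct "$used" "$limit")
  printf '%s cache=%s used=%dMB limit=%dMB pct=%d%%\n' \
    "$(cache_status "$pct")" "$CACHE_DIR" "$used" "$limit" "$pct"
}

# Only run when the agent directory actually exists on this host.
if [ -d "$CACHE_DIR" ]; then
  check_cache
fi
```

A WARN or CRIT line while the collector is down means buffered events are close to being dropped, which is the point at which raising EVENT_CACHE_DIR_SIZE_LIMIT or restoring collector reachability becomes urgent.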