rajamanickam
Contributor

FortiAnalyzer Log Forwarding

Hello,

 

I have this query. From FortiAnalyzer, if I forward logs to two syslog servers (SIEM and network syslog server, separately), will it cause any impact to FortiAnalyzer resources? We are using a FortiAnalyzer VM environment; expected logs per second is around 8000 logs/sec. All these 8000 logs will be forwarded to a couple of servers; will it cause any impact to resources (RAM/CPU)? I understand, since this is just log forwarding, it shouldn't stress much like doing index locally. Your suggestion/feedback on this? Currently for 8000 logs/sec we have considered 16 GB RAM/8 CPU cores as per Fortinet's suggestion on their website:

https://docs.fortinet.com/document/fortianalyzer-private-cloud/7.0.0/vmware-esxi-administration-guid...

 

 

Regards

Raja

Anthony_E
Community Manager

Hello Raja,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello Raja,

 

We are still looking for an answer to your question.

Once we get it, we will provide it to you.

 

Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hi Raja,

 

Could you please tell us which version you are using?

 

Regards,

Anthony-Fortinet Community Team.
rajamanickam

Hi, It is 7.0.4 version.

 

Regards

Raja

Anthony_E
Community Manager

Hello Raja,

 

Thanks a lot! 

 

We will come back to you as soon as we find a solution.

 

Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Raja,

 

I have found the document for your version:

 

https://docs2.fortinet.com/document/fortianalyzer/7.0.4/administration-guide/621804/log-forwarding

 

Could you please tell me if this document is helping?

 

Regards,

Anthony-Fortinet Community Team.
rajamanickam

Hi, Thanks for your reply. This URL is not helping much with the information I am looking for.

Cajuntank
Contributor II

Can't really provide you an answer to your specific question; however, I can offer some insight into my environment and maybe that will help. I also run mine on a VM as well, but using Hyper-V; however, minimum system requirements look to be the same. At 8000 logs/sec, it shows me 16GB of RAM and 8 CPU cores. I doubled this to be on the safe side of things, so I'm running mine at 32GB RAM and 16 CPU cores. Originally, I had mine set to those minimum requirements and my storage infrastructure was spindle-based SATA (a few years back). I had nothing but issues with this setup, mostly due to the added processor tax on the slower storage subsystem. Once I doubled the RAM and CPU cores (how I have it now) and replaced my spindle SATA-based storage (RAID10) with SSD storage (RAID10), life has been fine outside of minor code bugs encountered. My typical average CPU during the workday runs about 28% and memory is at 30% usage.

I would imagine in your situation, incorporating an additional NIC to use as your outgoing interface might be beneficial, thus one NIC for ingress logs and one NIC for egress logs. Give that a shot and after a few days, you can make tweaks if need be... The great thing about using a VM is that you can adjust RAM and CPU easily enough (assuming you have the resources to pull from). Again, make sure your storage sub-system is on point as well.

rajamanickam

Hi @Cajuntank, that's very useful insight. In my case CPU/RAM looks to be normal. But I can try having two NICs: one for receiving and another interface for forwarding. This is a good suggestion, will try and update.
