Dear community, We are implementing new NVMe disks in our cluster and
currently discussing the best redundancy methods. As these disks
are not meant to be managed by a hardware controller, we have multiple
disks (in fact 4), that can only be mo...
Hi everyone, I'd just like to exchange thoughts or practices about
baseline-focused rules on the FortiSIEM: At the moment, about 80% of our
Incidents are "Sudden increase in ...", as we narrowed down all the
other rules to not trigger on False Positiv...
Hello everyone, We are continuously experiencing the incident "High
performance monitoring delay from Collector or Worker SIEM Supervisor"
on our FortiSIEM platform. That one is triggered as soon as the Event
Type "PH_DEV_MON_PERFMON_ALL_DEVICE_DELAY...
Dear Community support, I've had a custom avatar image a while (think,
I've set this two-three years ago) and tried to update it recently. But
my finger was too fast, so I got one of the "community avatars" now. Now,
my question is: How can I set a cust...
Hello all, We are in discussion with a customer that likes to host the
FortiSIEM on prem but considers moving to our
multi-tenant-cloud-environment some day in future. As we are just setting
up the SIEM, I would like to build the environment in a way ...
Yes, this applies to most of the Fortinet products. Although, from our
experience, for complex products, it is usually a good idea to do the
setup again after learning from the PoC/evaluation. You usually find a
lot of ways to improve the initial des...
Hello @adityacs95, You should be able to change the license from
evaluation to final without needing to set up the cluster again. If you
cannot apply the license to the same serial number (in the registering
process, you should be asked on which seri...
Hi @AEH, We usually size the system depending on what the customer likes
to invest into (fast!) storage. So, I can only rely on the documentation
as well and would assume 1:10 is a good average. And yes, using
ClickHouse, the formula should include t...
Hi @AEH, If you have three Keepers, a majority decision (one is down,
two remaining) will enable writing to the tables and therefore, yes, the
logs will be received and stored in this scenario. I was talking about
the case if you only use the Supervis...
Hi @AEH, Yes, having redundancy for Keepers can make sense. However,
best practice is to have separate machines (see also:
https://clickhouse.com/docs/architecture/replication). So, if you go for
redundancy, you should also go the full way of keeping...