Re: FortiSIEM: Reducing Worker Node Disk Size – Fe...

Rob_SIEM · 10-14-2025

Cleanest solution would be to spin up a new worker VM, add the smaller many vdisks. 4x6TB. Then add this new worker to the same shard as the other workers. Give it time to sync a copy of the data in the shard. Then retire one of the older worker node...

Rob_SIEM · 06-22-2025

Hi Adem, Any custom logs we can build parsers for in FortiSIEM, you just need a distinct header format of the log to make it distinguishable from other logs. If the data first hits logstash then you have full control to modify how the data appears. T...

Rob_SIEM · 01-28-2025

Hi Karl and Team, Just as a heads up, we already have a nice field name to map for this called "requestType (display name: Request Type)". In the corrected system parser we will use this attribute if you would like to update yours to match. Thanks,

Rob_SIEM · 10-29-2024

When you see this error, it means that the test log given, we "expected" it to use the parser we are testing, but in fact it did not match this parser, or any other parser. This indicates that the regex does not match the header of this log. I can c...

Rob_SIEM · 10-15-2024

Hi Karl, The attached example parser worked for the full sample log you provided. The important part of this parser is this section: replaceStringByRegex($msg, ":\s*\"\[\\", ":") replaceStringByRegex($msg, "\\\"\]\",", "\",") Remember that each of t...

User Statistics

User Activity