FortiAdam
Contributor II

FortiAnalyzer Collector Mode Pros and Cons

Hi Everyone.  I'm considering my options for log collecting and analysis using the FortiAnalyzer product.  I had been using a 1000c in analyzer mode but am finding that my device is overwhelmed and overworked.  I'm averaging around 1200 logs per second with bursts going into 3000+.  In my infrastructure I have two 1000c's and one Analyzer VM at my disposal to achieve success.

 

What exactly are the benefits to running collector mode instead of analyzer mode?  

 

I was under the impression that collector mode wasn't necessarily building a database as it collects logs but when I review my disk usage I'm noticing my devices are still using a significant amount of disk space for database.  Should I expect to still have to use disk space for database even if in collector mode?

L_FTNT
Staff

Which firmware version are you running on the collector? After 5.0.6, Log Viewer is enabled on the Collector by default, so it will need disk storage for the SQL database. If you don't need to view the logs from the Collectors, a possible workaround could be manually disabling the SQL on them.

 

What does your deployment configuration look like? Are the logs from the collectors forwarded to the Analyzer in real time or via scheduled batch upload?

 

 
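The workaround suggested above, disabling the SQL database on a collector that will never be used for log viewing, as an added configuration example that is not part of the reply. It assumes the `config system sql` / `set status disable` syntax of the FortiAnalyzer 5.x CLI; check the CLI reference for your exact firmware before applying it, and note that once SQL is disabled on that unit the Log Viewer and reports on it stop working, so it only fits a pure collector whose logs are forwarded to an Analyzer.

```text
# Added example (assumed FortiAnalyzer 5.x CLI syntax): run on the collector only,
# never on the Analyzer that administrators use for log viewing and reports.
config system sql
    set status disable
end
```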

FortiAdam
Contributor II

My deployment includes about 50 FortiGates uploading logs in real time back to the FortiAnalyzer. Live troubleshooting of logs is required, so it sounds like I will need that database storage after all (I was testing collector mode with 5.2.2). The primary FAZ runs 5.0.6 Analyzer for now but will most likely be getting upgraded to 5.2.2 for the additional features it brings. I am comfortable using aggregation-client and aggregation-service to forward logs to other FortiAnalyzers for testing.

 

On a monthly basis we run a very extensive report for each customer which can take up to 2 days.

 

The analyzer could have as many as 5 administrators accessing it at once doing log analysis.  