Fortinet white logo
Fortinet white logo

Administration Guide

Log synchronization

Log synchronization

To ensure logs are synchronized among all HA units, FortiAnalyzer HA synchronizes logs in two states: initial logs synchronization and real-time log synchronization.

Initial Logs Sync

When you add a unit to an HA cluster, the primary unit synchronizes its logs with the new unit. After initial sync is complete, the backup unit automatically reboots. After the reboot, the backup unit rebuilds its log database with the synchronized logs.

You can see the status in the Cluster Status pane Initial Logs Sync column.

Log Data Sync

After the initial log synchronization, the HA cluster goes into real-time log synchronization state.

Log Data Sync is turned on by default for all units in the HA cluster.

When Log Data Sync is turned on in the primary unit, the primary unit forwards logs in real-time to all backup units. This ensures that the logs in the primary and backup units are synchronized.

Log Data Sync is turned on by default in backup units so that if the primary unit fails, the backup unit selected to be the new primary unit will continue to synchronize logs with backup units.

If you want to use a FortiAnalyzer unit as a standby unit (not as a backup unit), then you don't need real-time log synchronization so you can turn off Log Data Sync.

Log synchronization

Log synchronization

To ensure logs are synchronized among all HA units, FortiAnalyzer HA synchronizes logs in two states: initial logs synchronization and real-time log synchronization.

Initial Logs Sync

When you add a unit to an HA cluster, the primary unit synchronizes its logs with the new unit. After initial sync is complete, the backup unit automatically reboots. After the reboot, the backup unit rebuilds its log database with the synchronized logs.

You can see the status in the Cluster Status pane Initial Logs Sync column.

Log Data Sync

After the initial log synchronization, the HA cluster goes into real-time log synchronization state.

Log Data Sync is turned on by default for all units in the HA cluster.

When Log Data Sync is turned on in the primary unit, the primary unit forwards logs in real-time to all backup units. This ensures that the logs in the primary and backup units are synchronized.

Log Data Sync is turned on by default in backup units so that if the primary unit fails, the backup unit selected to be the new primary unit will continue to synchronize logs with backup units.

If you want to use a FortiAnalyzer unit as a standby unit (not as a backup unit), then you don't need real-time log synchronization so you can turn off Log Data Sync.