Administration Guide

Log synchronization

To ensure that logs are synchronized among all HA units, FortiAnalyzer HA synchronizes logs in two stages: initial log synchronization and real-time log synchronization.

Initial Logs Sync

When you add a unit to an HA cluster, the primary unit synchronizes its logs with the new unit. After initial sync is complete, the secondary unit automatically reboots. After the reboot, the secondary unit rebuilds its log database with the synchronized logs.

You can see the status in the Initial Logs Sync column of the Cluster Status pane.

Log Data Sync

After the initial log synchronization, the HA cluster goes into the real-time log synchronization state.

Log Data Sync is turned on by default for all units in the HA cluster.

When Log Data Sync is turned on in the primary unit, the primary unit forwards logs in real time to all secondary units. This ensures that the logs in the primary and secondary units are synchronized.

Log Data Sync is turned on by default in secondary units so that if the primary unit fails, the secondary unit selected to be the new primary unit will continue to synchronize logs with secondary units.

If you want to use a FortiAnalyzer unit as a standby unit (not as a secondary unit), you don't need real-time log synchronization, so you can turn off Log Data Sync.