Modes
FortiAnalyzer supports two log forwarding modes: forwarding (default), and aggregation.
Forwarding
Logs are forwarded in real-time or near real-time as they are received. Forwarded content files include: DLP files, antivirus quarantine files, and IPS packet captures.
This mode can be configured in both the GUI and CLI.
Aggregation
As FortiAnalyzer receives logs from devices, it stores them, and then forwards the collected logs at a specified time every day. To avoid duplication, the client only sends logs that are not already on the server.
FortiAnalyzer supports log forwarding in aggregation mode only between two FortiAnalyzer units. Syslog and CEF servers are not supported.
The client must provide super user log in credentials to get authenticated by the server to aggregate logs. |
Aggregation mode can only be configured with the log-forward
and log-forward-service
CLI commands. See the FortiAnalyzer CLI Reference for more information.
The following table lists the differences between the two modes:
|
Log Forwarding |
Log Aggregation |
---|---|---|
Configuration Portal | GUI or CLI |
CLI |
Remote Server Type | FortiAnalyzer Syslog/CEF |
FortiAnalyzer |
Device Filter Support | Yes |
Yes |
Log Filter Support | Yes |
No |
Log Archive Support | Yes |
Yes |
Server Port customization | Yes (Except for FortiAnalyzer) |
No |
Compression |
Yes (FortiAnalyzer only) |
No |
Log Field Exclusion | Yes |
No |
Log Delay | Real-time (max 5 minutes delay) |
Max 1 day |
Log Data Masking |
Yes |
No |
Meta-data synchronization |
Yes |
No |
Secure channel support |
Yes (SSL as reliable connection) |
Yes (rsync + SSH) |
Network bandwidth |
Normal (as log traffic received) |
Peak hour as aggregation starts to finish |
Impact on remote FortiAnalyzer |
Normal (as log volume received) |
Potentially large table (If there is a mix of incoming real-time and real-time logs.) |