02. Defining FortiSOAR, Collectors And Agents Flashcards
Function of collector
Collect logs and performance metrics from geographically disparate networks.
Data collection protocols (SNMP, WMI) are chatty.
Syslog uses UDP and is thus unreliable.
The collector solves these problems.
Who serves as the syslog and SNMP trap destination for local devices?
Collector
FortiSIEM collector formats
- Appliance
- VM
- ISO image
Advantage of using collector VM image
Can increase vCPU and memory to handle higher loads
FortiSIEM collector minimum requirement for appliance
4 CPU
16 GB RAM
3 TB DISK
FortiSIEM collector minimum requirement for ISO image
4 vCPU
8 GB RAM
40 GB disk
FortiSIEM collector minimum requirement for VM
4 vCPU
4 GB RAM
OS - 25 GB disk
OPT - 100 GB disk
Collector processes
Collectors run a reduced set of system processes
The processes that run on a collector are for specific functions, such as discovery, performance monitoring, event parsing, and log data collection.
Admin > Health > Collector Health
phMonitorAgent
phParser
phCheckpoint
phEventPackager
phAgentManager
phPerfMonitor
phEventForwarder
phDiscover
Collector Operations
The collector
1. parses the logs
2. forwards the compressed logs to the supervisor or worker nodes over an encrypted HTTPS channel.
3. buffers the logs locally for a period of time if the network connection to the supervisor or worker is not available.
How frequently does the collector upload data?
every five seconds or 10 MB, whichever is reached first
five seconds for low EPS environments, and 10 MB for high EPS environments.
compression ratio
8:1 ratio
Uses standard zlib
Data enrichment
The collector enriches each event with a collector ID, organization ID, and org name. The collector name is not added during the event enrichment process.
There is a built-in mechanism to buffer events in case of a WAN link failure.
By default, there are a maximum of 10,000 event files that are buffered on the collector. Each event file contains five seconds’ worth of events and is limited to 10 MB in size before compression. The average event size is estimated to be 200 Bytes, which depends on the device type and event.
Buffer size is dependent upon the EPS being received
The collector drops events when the buffer is full
Buffer calculation examples
Revisit later and fill card with examples
What state is the collector in when deployed?
Unconfigured state
Collector registration process includes
which customer it belongs to
where it will upload data
how long it is valid
Single virtual appliance (va) setup
The supervisor is the only node collectors can upload data to.
Not recommended for large deployments due to performance strain
FortiSIEM cluster setup
Specify one or more worker nodes using the worker IP addresses.
The collectors load balance across the specified worker nodes.
streaming analytics, like inline reports and rules, are distributed over the worker nodes.
FortiSIEM cluster best practice
The best practice is to upload all the data to the worker nodes and leave the supervisor node for performing other important tasks.
Worker upload setting
You cannot define collectors before you set the worker upload address.
Admin > Settings > System > Worker upload
Collectors receive this data during registration.
Installing worker
Deploy image
At the command prompt go to /usr/local/bin
Run configFSM.sh script
Configure time zone
Select worker for config target
Select FIPS options
Configure network
Workers on hardware-based appliances
Can’t add workers to hardware appliances
What port does the worker listen on?
TCP/443
Communication between collector and worker
It is one way, collector to worker. Define a VIP on the firewall in front of the worker and add a rule to allow outbound traffic from collectors to the VIP on port 443.
Best practice is to use FQDN for upload address