Log Forwarding
You can forward logs from a FortiAnalyzer unit to another FortiAnalyzer unit, a syslog server, or a Common Event Format (CEF) server when you use the default forwarding mode in log forwarding.
The client is the FortiAnalyzer unit that forwards logs to another device. The server is the FortiAnalyzer unit, syslog server, or CEF server that receives the logs.
In addition to forwarding logs to another unit or server, the client retains a local copy of the logs. The local copy of the logs is subject to the data policy settings for archived logs. See Log storage on page 21 for more information.
To see a graphical view of the log forwarding configuration, and to see details of the devices involved, go to System Settings > Logging Topology. For more information, see Logging Topology on page 166.
Modes
FortiAnalyzer supports two log forwarding modes: forwarding (default), and aggregation.
Forwarding
Logs are forwarded in real-time or near real-time as they are received. Forwarded content files include: DLP files, antivirus quarantine files, and IPS packet captures.
This mode can be configured in both the GUI and CLI.
Aggregation
As FortiAnalyzer receives logs from devices, it stores them, and then forwards the collected logs at a specified time every day.
FortiAnalyzer supports log forwarding in aggregation mode only between two FortiAnalyzer units. Syslog and CEF servers are not supported.
Aggregation mode can only be configured with the log-forward and log-forward-service CLI commands. See the FortiAnalyzerCLI Reference for more information.