FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
jstan
Staff
Article Id 198174

Description
This article describes how the Linux and Windows agents cache events when the collector is not reachable.

Solution
1) Both the Windows and Linux agents have a caching mechanism for the case where the collector is down or not reachable from the agent.

2) The Linux agent stores its cache in the following directory:

/opt/fortinet/fortisiem/linux-agent/upload

3) The Windows agent stores its cache in the following file:

C:\ProgramData\AccelOps\Agent\Database\AoWinAgt.db

4) The maximum cache size is 1 GB for both the Windows and Linux agents.

5) The cache size can be increased or reduced for both the Windows and Linux agents.

6) For the Windows agent, modify the following registry value:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\AccelOps\Agent\MaxLogSizeInMB

7) For the Linux agent, change the EVENT_CACHE_DIR_SIZE_LIMIT setting in the following configuration file:

/opt/fortinet/fortisiem/linux-agent/config/linux-agent-config.txt/EVENT_CACHE_DIR_SIZE_LIMIT
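As an added example (not from the Fortinet article), the POSIX shell script below reports how full the Linux agent's event cache is relative to EVENT_CACHE_DIR_SIZE_LIMIT, so that a long collector outage is noticed before the cache limit is reached. It assumes the config file uses KEY=VALUE lines and that the limit is expressed in MB, like the Windows MaxLogSizeInMB value; the function names, thresholds and sample data are constructed.

```shell
#!/bin/sh
# Added example, not part of the article: estimate Linux agent cache usage
# against EVENT_CACHE_DIR_SIZE_LIMIT. Assumptions (not stated in the article):
# the config file holds KEY=VALUE lines and the limit value is in MB.
AGENT_CONFIG=/opt/fortinet/fortisiem/linux-agent/config/linux-agent-config.txt
AGENT_CACHE=/opt/fortinet/fortisiem/linux-agent/upload

# cache_limit_mb FILE: print the configured EVENT_CACHE_DIR_SIZE_LIMIT value.
cache_limit_mb() {
  sed -n 's/^[[:space:]]*EVENT_CACHE_DIR_SIZE_LIMIT[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# cache_used_mb DIR: sum the apparent size of every cached file, in whole MB.
cache_used_mb() {
  find "$1" -type f -exec wc -c {} \; 2>/dev/null | awk '{ s += $1 } END { print int(s / 1048576) }'
}

# cache_status LIMIT_MB USED_MB: OK below 80 %, WARN from 80 %, FULL at 100 %+.
cache_status() {
  [ -n "$1" ] && [ "$1" -gt 0 ] 2>/dev/null || { echo "UNKNOWN 0"; return 1; }
  pct=$(( $2 * 100 / $1 ))
  if   [ "$pct" -ge 100 ]; then echo "FULL $pct"
  elif [ "$pct" -ge 80 ];  then echo "WARN $pct"
  else                          echo "OK $pct"
  fi
}

# check_cache CONFIG DIR: one-line report such as "WARN 85 (850/1000 MB)".
check_cache() {
  limit=$(cache_limit_mb "$1"); used=$(cache_used_mb "$2")
  st=$(cache_status "$limit" "$used") || true
  echo "$st (${used}/${limit:-?} MB)"
}

# Constructed sample: a config with a 4 MB limit and a cache holding 3 MB.
make_sample_cache() {
  tmp=$(mktemp -d); mkdir "$tmp/upload"
  printf 'AGENT_NAME=host1\nEVENT_CACHE_DIR_SIZE_LIMIT = 4\n' > "$tmp/linux-agent-config.txt"
  dd if=/dev/zero of="$tmp/upload/events.1" bs=1048576 count=3 2>/dev/null
  echo "$tmp"
}

# Use the real agent paths when present, otherwise the constructed sample.
if [ -f "$AGENT_CONFIG" ]; then check_cache "$AGENT_CONFIG" "$AGENT_CACHE"
else s=$(make_sample_cache); check_cache "$s/linux-agent-config.txt" "$s/upload"; rm -rf "$s"; fi
```

Run it from cron on the agent host and alert on WARN or FULL; confirm the unit of EVENT_CACHE_DIR_SIZE_LIMIT against your agent's own config before relying on the percentage.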
