Created on 03-26-2021 07:19 AM Edited on 04-05-2022 07:28 AM By Anonymous
Description
This article describes how the Linux and Windows agents cache events when the collector is not reachable.
Solution
1) Both the Windows and Linux agents have a caching mechanism for the case where the collector is down or not reachable from the agent.
2) The Linux agent stores its cache in the following directory:
/opt/fortinet/fortisiem/linux-agent/upload
3) The Windows agent stores its cache in the following file:
C:\ProgramData\AccelOps\Agent\Database\AoWinAgt.db
4) The maximum cache size is 1GB for both the Windows and Linux agents.
5) The cache size can be increased or reduced on both the Windows and Linux agents.
6) On the Windows agent, it is set in the following registry entry:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\AccelOps\Agent\MaxLogSizeInMB
7) On the Linux agent, the cache size is changed by editing the EVENT_CACHE_DIR_SIZE_LIMIT parameter in the following configuration file:
/opt/fortinet/fortisiem/linux-agent/config/linux-agent-config.txt/EVENT_CACHE_DIR_SIZE_LIMIT
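During a collector outage the cache fills silently, so an operator needs to know how close the Linux agent is to its limit before events start to be lost. The following script is an added example (not Fortinet code) that reads EVENT_CACHE_DIR_SIZE_LIMIT from the agent config and compares it with the size of the upload directory. It assumes the config uses KEY=VALUE lines and that the limit is expressed in MB (mirroring the Windows MaxLogSizeInMB key); it runs against a constructed temporary config and cache rather than the real paths above.

```shell
#!/bin/sh
# Added example (not Fortinet code): report how full the Linux agent's event
# cache is relative to EVENT_CACHE_DIR_SIZE_LIMIT in linux-agent-config.txt.
# Assumptions: KEY=VALUE config lines, limit in MB. Verify against your agent.
set -u

# Read EVENT_CACHE_DIR_SIZE_LIMIT (MB) from a config file; last match wins.
cache_limit_mb() {
    grep -E '^[[:space:]]*EVENT_CACHE_DIR_SIZE_LIMIT[[:space:]]*=' "$1" \
        | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# Apparent size in bytes of all files under the cache directory.
cache_used_bytes() {
    find "$1" -type f -exec cat {} + 2>/dev/null | wc -c | tr -d ' '
}

# Integer percentage of the configured cache already consumed.
cache_usage_pct() {  # cache_usage_pct CONFIG_FILE CACHE_DIR
    limit_mb=$(cache_limit_mb "$1")
    [ -n "$limit_mb" ] || { echo "EVENT_CACHE_DIR_SIZE_LIMIT not set" >&2; return 2; }
    used=$(cache_used_bytes "$2")
    echo $(( used * 100 / (limit_mb * 1024 * 1024) ))
}

# Return 0 while usage is below THRESHOLD percent, 1 once the outage has
# filled the cache far enough that events are about to be dropped.
cache_check() {  # cache_check CONFIG_FILE CACHE_DIR THRESHOLD_PCT
    pct=$(cache_usage_pct "$1" "$2") || return 2
    if [ "$pct" -ge "$3" ]; then
        echo "WARN: agent cache at ${pct}% of limit" >&2; return 1
    fi
    echo "OK: agent cache at ${pct}% of limit"
}

# Constructed sample: a 10 MB limit and a 2 MB cache (not real agent data).
DEMO=$(mktemp -d)
printf 'EVENT_CACHE_DIR_SIZE_LIMIT=10\n' > "$DEMO/linux-agent-config.txt"
mkdir -p "$DEMO/upload"
head -c 2097152 /dev/zero > "$DEMO/upload/cached-events.bin"
cache_check "$DEMO/linux-agent-config.txt" "$DEMO/upload" 80
```

On a real agent, point the two arguments at the config file and upload directory listed above and run it from cron or your monitoring agent.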
Copyright 2024 Fortinet, Inc. All Rights Reserved.