What's the difference between Analyzer and Collector mode in FortiAnalyzer?
Differentiating the operating modes for FAZ.
Today's topic is short and sweet. FortiAnalyzer (FAZ) can operate in a couple different modes. Each mode has a defined purpose and use case.
- Analyzer mode - In this mode the FortiAnalyzer is the primary destination for log data. It receives logs from Fortinet devices (FortiGate, FortiMail, FortiWeb, and so on) and from upstream log forwarders, including other FortiAnalyzer units running in Collector mode. Its job is to index those logs into its SQL database and analyze them: log search, FortiView, reports and event handling all live here.
- Collector mode - In this mode the FortiAnalyzer receives and archives logs but does not index or analyze them. The logs are retained in their original binary format and forwarded on to a FortiAnalyzer running in Analyzer mode. Because nothing is written to the SQL database, FortiView and reports are not available on a collector; you look at the data on the analyzer it feeds.
When I was first learning about it, a thought crossed my mind: if a FortiAnalyzer running in Analyzer mode can technically do everything a collector can, what's the point of Collector mode? Doesn't that make it useless? Well, as with everything, "it depends" 😄. It all comes down to scale and demand.
Sure, in a simple environment with relatively few Fortinet assets, a collector might not be necessary... but what if we had hundreds (or thousands) of FortiGates that needed to forward logs to a FortiAnalyzer? All of those direct connections, plus the SQL indexing of every log that arrives, would compete for the same CPU, memory and disk on a single box. A distributed flow (Fortinet asset --> FortiAnalyzer in Collector mode --> FortiAnalyzer in Analyzer mode) lets log data move more cleanly, reliably and at scale: the collectors absorb the high-I/O work of receiving and archiving logs from many devices (and keep holding them if the analyzer is temporarily unreachable), so the analyzer can spend its resources on indexing, queries and reports instead of on thousands of inbound connections.
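To make the distributed flow concrete, here is what the three tiers look like in CLI. This is an added example, not configuration from the original post: the FortiGate side uses the `config log fortianalyzer setting` tree, and the FortiAnalyzer side uses `config system global` (for `log-mode`) and `config system log-forward` (for aggregation). The IP addresses, the `agg_svc` account and the password are placeholders I made up, and the `log-forward` field names are as I recall them from the FortiAnalyzer CLI reference, so verify them against your firmware version before pasting.

```fortios
# --- FortiGate (repeat on each of the hundreds of edge devices) ---
# Point logging at the nearby collector, not at the central analyzer.
# 198.51.100.10 is a placeholder collector address (example only).
config log fortianalyzer setting
    set status enable
    set server "198.51.100.10"
    # reliable = TCP-based transport, so dropped logs are detectable
    set reliable enable
    # TLS to the collector with strong ciphers only
    set enc-algorithm high
    set upload-option realtime
end

# --- FortiAnalyzer #1: Collector mode ---
# Receives and archives logs in raw binary form.
# No SQL indexing here, so no FortiView or reports on this box.
config system global
    set log-mode collector
end
# Aggregate the archived logs up to the analyzer once a day.
# 203.0.113.20 is a placeholder analyzer address; "agg_svc" and the
# password are placeholder credentials for an admin account that
# exists on the analyzer (assumption: aggregation authenticates with
# an analyzer-side administrator account).
config system log-forward
    edit 1
        set mode aggregation
        set server-name "faz-analyzer"
        set server-addr "203.0.113.20"
        set agg-user "agg_svc"
        set agg-password "<replace-me>"
        # hour of day (0-23) at which the daily upload starts
        set agg-time 2
    next
end

# --- FortiAnalyzer #2: Analyzer mode (the default) ---
# Indexes whatever the collectors send and serves log views,
# reports and event handlers for the whole estate.
config system global
    set log-mode analyzer
end
```

Two things worth checking after applying this: on the collector, confirm the FortiGates show up as registered devices and that raw logs are accumulating, and on the analyzer, confirm logs from those devices appear after the first scheduled upload. If they do not, the aggregation account or the analyzer's reachability from the collector is the usual culprit.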
For more information on this topic, check out the following resources:
