Reports – FortiAnalyzer – FortiOS 6.2.3

Reports

You can generate data reports from logs by using the Reports feature. You can do the following:

  • Use predefined reports. Predefined report templates, charts, and macros are available to help you create new reports.
  • Create custom reports.

Report files are stored in the reserved space for the FortiAnalyzer device. See Automatic deletion on page 56.

For more information on FortiAnalyzer report technology and troubleshooting report performance issues, see the FortiAnalyzerReport Performance Troubleshooting Guide.

How ADOMs affect reports

When ADOMs are enabled, each ADOM has its own reports, libraries, and advanced settings. Make sure you are in the correct ADOM before selecting a report. See Switching between ADOMs on page 15.

Some reports are available only when ADOMs are enabled. For example, ADOMs must be enabled to access FortiCarrier, FortiCache, FortiClient, FortiDDoS, FortiMail, FortiSandbox, and FortiWeb reports. In a Security Fabric ADOM, all reports are displayed.

You can configure and generate reports for these devices within their respective default ADOM or a Security Fabric ADOM. These devices also have device-specific charts and datasets.

Predefined reports, templates, charts, and macros

FortiAnalyzer includes a number of predefined elements you can use to create and/or build reports.

Reports
  GUI Location: Reports > Report Definitions > All Reports
  Purpose: You can generate reports directly or with minimal setting configuration. Predefined reports are actually report templates with basic default setting configurations.

Templates
  GUI Location: Reports > Report Definitions > Templates
  Purpose: You can use templates directly or build upon them. Report templates include charts and/or macros and specify the layout of the report. A template populates the Layout tab of a report that is to be created. See List of report templates on page 128.

Charts
  GUI Location: Reports > Report Definitions > Chart Library
  Purpose: You can use charts directly or build upon them in a report template that you are creating, or in the Layout tab of a report that you are creating. Charts specify what data to extract from logs.

Macros
  GUI Location: Reports > Report Definitions > Macro Library
  Purpose: You can use macros directly or build upon them in a report template that you are creating, or in the Layout tab of a report that you are creating. Macros specify what data to extract from logs.

Logs used for reports

The Reports feature uses Analytics logs to generate reports. Archive logs are not used to generate reports. For more information, see Data policy and automatic deletion on page 22.

For reports about users, the FortiGate needs to populate the user field in the logs sent to FortiAnalyzer.

How charts and macros extract data from logs

Reports include charts and/or macros. Each chart and macro is associated with a dataset. When you generate a report, the dataset associated with each chart and macro extracts data from the logs and populates the charts and macros. Each chart requires a specific log type.

FortiAnalyzer includes a number of predefined charts and macros. You can also create custom charts and macros.

How auto-cache works

When you generate a report, it can take days to assemble the required dataset and produce the report, depending on the required datasets. Instead of assembling datasets at the time of report generation, you can enable the auto-cache feature for the report.

Auto-cache is a setting that tells the system to automatically generate hcache. The hcache (hard cache) is a cache that stays on disk in the form of database tables instead of in memory. Hcache is applied to “matured” database tables. When a database table rolls, it becomes “mature”, meaning the table will not grow anymore. It is therefore unnecessary to query that database table again each time the same SQL query is run, so hcache is used instead. Hcache runs queries on matured database tables in advance and caches the interim results of each query. When it is time to generate the report, much of each dataset is already assembled, and the system only needs to merge the results from the hcaches. This reduces report generation time significantly.

The auto-cache process uses system resources to assemble and cache the datasets and it takes extra space to save the query results. You should only enable auto-cache for reports that require a long time to assemble datasets.

Generating reports

You can generate reports by using one of the predefined reports or by using a custom report that you created. You can find all the predefined reports and custom reports listed in Reports > Report Definitions > All Reports.

To generate a report:

  1. Go to Reports > Report Definitions > All Reports.
  2. In the content pane, select a report from the list.
  3. (Optional) Click Edit in the toolbar and edit settings on the Settings and Layout tabs. For a description of the fields in the Settings and Layout tabs, see Reports Settings tab on page 117, Creating charts on page 130, and Macro library on page 134.
  4. In the toolbar, click Run Report.

Viewing completed reports

After you generate reports, you can view completed reports in Reports > Generated Reports or Reports > Report Definitions > All Reports. You can view reports in the following formats: HTML, PDF, XML, and CSV.

To view completed reports in Generated Reports:

  1. Go to Reports > Generated Reports.

This view shows all generated reports for the specified time period.

  2. To sort the report list by date, click Order by Time. To sort the report list by report name, click Order by Name.
  3. Locate the report and click the format in which you want to view the report to open the report in that format. For example, if you want to review the report in HTML format, click the HTML link.

To view completed reports in All Reports:

  1. Go to Reports > Report Definitions > All Reports.
  2. On the report list, double-click a report to open it.
  3. In the View Report tab, locate the report and click the format in which you want to view the report to open the report in that format.

For example, if you want to review the report in HTML format, click the HTML link.

Enabling auto-cache

You can enable auto-cache to reduce report generation time for reports that require a long time to assemble datasets. For information about auto-cache and hcache, see How auto-cache works on page 112.

You can see the status of building the cache in Reports > Report Definitions > All Reports in the Cache Status column.

To enable auto-cache:

  1. Go to Reports > Report Definitions > All Reports.
  2. Select the report from the list, and click Edit in the toolbar.
  3. In the Settings tab, select the Enable Auto-cache checkbox.
  4. Click Apply.

Grouping reports

If you are running a large number of reports which are very similar, you can significantly improve report generation time by grouping the reports. Grouping reports has these advantages:

  • Reduce the number of hcache tables.
  • Improve auto-hcache completion time.
  • Improve report completion time.

Step 1: Configure report grouping

For example, to group reports with titles containing the string Security_Report by device ID and VDOM, enter the following CLI commands:

    config system report group
        edit 0
            set adom root
            config group-by
                edit devid
                next
                edit vd
                next
            end
            set report-like Security_Report
        next
    end

Notes:

  • The report-like field specifies the string in report titles that is used for report grouping. This string is case-sensitive.
  • The group-by value controls how cache tables are grouped.
  • To view report grouping information, enter the following CLI command, then check the Report Group column of the table that is displayed:

    execute sql-report list-schedule <ADOM>

Step 2: Initiate a rebuild of hcache tables

To initiate a rebuild of hcache tables, enter the following CLI command:

    diagnose sql hcache rebuild-report <start-time> <end-time>

Where <start-time> and <end-time> are in the format <yyyy-mm-dd hh:mm:ss>.
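The following is an added illustration, not FortiAnalyzer code and not part of the original guide: a small Python model of the two ideas described above, hcache on matured tables (the How auto-cache works section) and shared cache tables for grouped reports. Log tables roll after a fixed number of rows (the roll size, the log lines, the device IDs and the dataset query are all constructed for the example); a rolled table never changes, so its per-table query result is cached and reused, while the open table is always scanned live. The cache key is the group-by field list plus the dataset, so every report with the same grouping reuses the same cache entries, which is the reduction in hcache tables that grouping is meant to achieve.

```python
"""Toy model of hcache behaviour (illustrative only, not FortiAnalyzer internals).

Log tables roll once they reach a size limit; a rolled table is mature and never
changes, so its per-table query result can be cached and reused by later
reports that run the same query. The open table is always queried live.
"""
from collections import Counter

TABLE_ROLL_SIZE = 4  # constructed: a table rolls after this many rows

# Constructed sample logs in a FortiGate-like key=value form (not real logs).
SAMPLE_LOGS = [
    "date=2020-01-01 devid=FG100 vd=root action=deny user=alice",
    "date=2020-01-01 devid=FG100 vd=root action=accept user=bob",
    "date=2020-01-01 devid=FG200 vd=dmz action=deny user=",
    "date=2020-01-01 devid=FG100 vd=root action=deny user=alice",
    "date=2020-01-02 devid=FG200 vd=dmz action=deny user=carol",
    "date=2020-01-02 devid=FG100 vd=root action=accept user=bob",
]


def parse_log(line):
    """Split a key=value log line into a dict; an empty value (user=) is kept as ''."""
    return dict(field.split("=", 1) for field in line.split())


class LogStore:
    """Analytics log tables: rolled (mature) tables plus one open table."""

    def __init__(self, roll_size=TABLE_ROLL_SIZE):
        self.roll_size = roll_size
        self.tables = [[]]          # tables[-1] is the open table
        self.hcache = {}            # (table_index, cache_key) -> Counter
        self.compute_count = 0      # number of per-table scans actually run

    def insert(self, line):
        """Append a row; when the open table is full it rolls and a new one opens."""
        if len(self.tables[-1]) >= self.roll_size:
            self.tables.append([])   # the previous table is now mature
        self.tables[-1].append(parse_log(line))

    def _scan(self, rows, group_by, action):
        """Dataset query: count rows with the given action per group-by key."""
        self.compute_count += 1
        return Counter(tuple(r[k] for k in group_by)
                       for r in rows if r["action"] == action)

    def run_dataset(self, group_by, action, auto_cache=True):
        """Merge per-table results; mature tables come from hcache when enabled."""
        cache_key = (tuple(group_by), action)   # shared by every report with this grouping
        total = Counter()
        for i in range(len(self.tables) - 1):   # mature tables only
            if auto_cache and (i, cache_key) in self.hcache:
                total.update(self.hcache[(i, cache_key)])
                continue
            part = self._scan(self.tables[i], group_by, action)
            if auto_cache:
                self.hcache[(i, cache_key)] = part
            total.update(part)
        # The open table can still grow, so its result is never cached.
        total.update(self._scan(self.tables[-1], group_by, action))
        return dict(total)


def demo():
    """Run the same grouped dataset twice and report how many scans each run cost."""
    store = LogStore()
    for line in SAMPLE_LOGS:
        store.insert(line)
    first = store.run_dataset(["devid", "vd"], "deny")    # builds hcache for table 0
    scans_after_first = store.compute_count               # 2: table 0 plus open table
    second = store.run_dataset(["devid", "vd"], "deny")   # only the open table is scanned
    scans_after_second = store.compute_count              # 3
    return first, second, scans_after_first, scans_after_second, len(store.hcache)


if __name__ == "__main__":
    print(demo())
```

The second run returns the same per-device/VDOM counts as the first but performs a single scan, because the mature table's result is served from the cache; a second report in the same group would hit the same cache entry rather than building its own, which is why grouping lowers both the number of hcache tables and completion time.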

Retrieving report diagnostic logs

Once you start to run a report, FortiAnalyzer creates a log about the report generation status and system performance. Use this diagnostic log to troubleshoot report performance issues. For example, if your report is very slow to generate, you can use this log to check system performance and see which charts take the longest time to generate.

For information on how to interpret the report diagnostic log and troubleshoot report performance issues, see the FortiAnalyzerReport Performance Troubleshooting Guide.

To retrieve report generation logs:

  1. In Reports > Generated Report, right-click the report and select Retrieve Diagnostic to download the log to your computer.
  2. Use a text editor to open the log.

Auto-Generated Reports

The CyberThreat Assessment report is automatically generated. By default, the report runs at 3:00 AM every Monday. For more information on report scheduling, see Scheduling reports on page 115.

Schedules can be viewed in the Report Calendar. See Report calendar on page 141.

Scheduling reports

You can configure a report to generate on a regular schedule. Schedules can be viewed in the Report Calendar. See Report calendar on page 141.

To schedule a report:

  1. Go to Reports > Report Definitions > All Reports.
  2. Select a report and click Edit in the toolbar.
  3. Click Settings in the toolbar.
  4. Select the Enable Schedule checkbox and configure the schedule.
  5. Click Apply.
This entry was posted in Administration Guides, FortiAnalyzer.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
