Skip to main content
markcoupe
markcoupe
Explorer
April 2, 2025
Question

Forticlient Logging in FortiAnalyzer

  • April 2, 2025
  • 5 replies
  • 1315 views

I'm running some automated reporting against FortiClient logging in FortiAnalzyer and I have a few questions.

 

First, around the 'Username' field.  Our organization uses alias for the client's domain username, meaning Joe.Sixpack@company.com or JoeS@co.com are equally viable for logging in.  FortiClient users are unverified and authenticate using SAML against Azure EntraID.  For some users I see the username 'joe.sixpack' and others I see 'JoeS@co.com'.  The question is, how is that information being logged?  What is being used in the System Event logs for example.  Ideally, I'd have the username not the alias.

 

Secondly, there is other information being gleaned from the SAML authentication i.e. employee number and email address that I do not see in the logs. When I attempted to add the field to my custom report because when I hover over the 'source' variable $log, I see a field like euid which appears invalid when I try to test the query.

 

Any insight would be very helpful.  Thanks in advance, -Mark 

5 replies

Anthony_E
Staff
Anthony_E
Staff
April 7, 2025

Hello Mark,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
Anthony_E
Staff
Anthony_E
Staff
April 9, 2025

Hello,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Thanks,

Best Regards
    Anthony_E
    Staff
    Anthony_E
    Staff
    April 10, 2025

    Hi Mark,

     

    Did you already check this Document?: https://docs.fortinet.com/document/forticlient/7.4.1/ems-quickstart-guide/751889/communication-with-fortianalyzer-for-logging

     

    Regards,

    Best Regards
      markcoupe
      markcoupeAuthor
      Explorer
      April 10, 2025

      Thanks Anthony, getting logs, even Web Filter logs isn't the issue.  It's more what *is* logged and "filterable" in the log view versus what is logged in the underlying FortiAnalyzer database.  When I'm writing a custom sql query there is indication of more data being logged than can be filtered.

       

      I'm not a sql guy and some of the sql functions are Forti-specific and not well documented.  So it's difficult to muddle my way through to try to find what I need to fill the request I've been given.

      Anthony_E
      Staff
      Anthony_E
      Staff
      April 10, 2025

      Hi Mark,

       

      Oh ok. I will try then to look for an expert for this specific question.

      Thank you.

       

      Regards,

      Best Regards
      Terms & ConditionsAccessibility statement