Help
Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

kcanalichio
New Contributor III

Created on ‎06-07-2021 02:18 PM

Total Interface Down time

You can pull events showing when an interface goes down and when it come backup, However there does not appear to be a way to total the time between the two events.  Is there a way to do this.   One way I have though about, is to setup a rule that create an event that will store the difference between the Down and Up events., rather than an incident, but I haven't found a way to do that
Labels:
957
0 Kudos
1 REPLY 1
KenMick
Staff
Staff

Created on ‎07-14-2021 09:24 AM

Hi Kevin,

You are correct, technically this operation could be completed in the parser by way of the collectAndSetAttrFromAnotherEvent function.

Example from IronportMailParser
<collectAndSetAttrFromAnotherEvent AnotherEventType="Cisco-IronPort-Mail-From">
   <when test="$ironportMailMID = $AnotherEvent.ironportMailMID">
      <setEventAttribute attr="receiverMailAddr">$AnotherEvent.receiverMailAddr</setEventAttribute>
   </when>
</collectAndSetAttrFromAnotherEvent>​


In your case, you would want to retrieve the last time the interface went up or down and calculate the time between the two events.  So you would want to use a function like calculateMSec once you assign the event receive time from the other event to a temp variable.

Example

<when test='$eventType IN "PH_DEV_MON_INTF_OPER_DOWN_TO_UP,PH_DEV_MON_INTF_OPER_DOWN_TO_UP"'>
   <collectAndSetAttrFromAnotherEvent AnotherEventType="PH_DEV_MON_INTF_OPER_DOWN_TO_UP OR PH_DEV_MON_INTF_OPER_DOWN_TO_UP">
      <when test="$intfName = $AnotherEvent.intfName">
         <setEventAttribute attr="_lastChanged">$AnotherEvent.phRecvTime</setEventAttribute>
         <setEventAttribute attr="durationMSec">calculateMSec($_lastChanged)</setEventAttribute>
      </when>
   </collectAndSetAttrFromAnotherEvent>
</when>

This example code is untested.  It is only provided as an example.  Please use at your own risk.

Word of advice

Be careful using this technique.  It will force the parser to keep an index of all matching event types in memory.  That said, the collectAndSetAttrFromAnotherEvent function is widely used in the default Windows parsers.  I would just monitor the memory utilization of phParser on any collectors (or your Supervisor) that are parsing events.

------------------------------
Ken
------------------------------
[FirstName]
[JobTitle]
950
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.