FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
Article Id 191372


There may be occurrences when a SQL dataset query unexpectedly returns "No Data". This may be due to the use of hcache.

The hcache is a feature on the FortiAnalyzer that helps to speed up report creation by storing queried data in a cache. When more than one similar report requests the same information, it is pulled from the cache rather than queried again directly from the database.


FortiAnalyzer v4.x, v5.x


The current workaround is to disable the hcache.

Problem Verification

FortiAnalyzer v5.x

In v5.x it is possible to re-create the hcache but it cannot be disabled.

# diagnose sql remove hcache
All hcache tables will be erased!
Do you want to continue? (y/n) y

FortiAnalyzer v4.x

# conf sql-report dataset
(dataset)# edit <dataset name>
(dataset name)# get
(dataset name)# hcache enable <default setting>
(dataset name)# end

To disable the hcache setting:

# conf sql-report dataset
(dataset)# edit <dataset name>
(dataset name)# set hcache disable
(dataset name)# end