FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
Article Id 193570
This article explains how to create a user report in 4.0 that covers a specific user's web browsing habits. (This is similar to the forensic-style report in 3.0.)

This article is applicable only until v4.0 MR3 patch 8.  It does not apply to later versions of firmware.

1. Go to Log > Browse, then open the log file for the web filter of the desired FortiGate device.


2. Click the User filter and locate the LDAP string for the user by searching for the user name, as shown.


3. In the log display, highlight and copy the full LDAP user name string.


4. Open the report schedule for User_Forensic_Report.


5. In the USER field, paste the user name string copied earlier. Enclose the user name string in double quotes (that is: "CN=JMEIXNER,OU=IMC,OU=GH,O=GSD").

Change the schedule, time period, and output options as required.


6. Finally, run the scheduled report.