FortiAnalyzer
rsingla
Staff

Description
FortiAnalyzer can have an issue where generated reports are not visible in the GUI, even though the same reports are delivered to the configured email recipients without any problem.

Scope
Generated Reports on FortiAnalyzer GUI

Solution

Check the points below to fix the issue where reports generated on FortiAnalyzer are not visible in the GUI, while the same reports are sent to the email recipients without any problem.

1) If the FortiAnalyzer received by the customer (either as an RMA replacement or as a new device) shipped with a newer firmware version, for example 6.2.x, and was downgraded to a lower version, for example 6.0.x, without formatting the flash, the report database created by the newer version is left in place. In that case this issue can occur and the generated reports are not visible in the GUI.

2) To verify this problem, do the following:

- Take the FortiAnalyzer that has the report visibility issue (say on 6.0.x) and another FortiAnalyzer on the same version branch (6.0.x) on which reports display correctly. Run the commands below on each FortiAnalyzer.

- Enable shell access:

# config system admin setting
    set shell-access enable
    Enter new password: <enter a password>
    Confirm new password: <enter same password>
end

Once the whole procedure below is complete, you can disable shell access again with:

# config system admin setting
    set shell-access disable
end
 

- Log in to the shell and execute these commands:

# execute shell
sqlite3 /drive0/private/faz_idb/report.db
select count(*) from report;
PRAGMA table_info(report);

 

The output of PRAGMA table_info will look like the following. Note that on this build it lists columns 0 to 16, i.e. 17 columns in total:

sqlite> PRAGMA table_info(report);
0|name|varchar(256)|0||3
1|mtime|integer|0||0
2|start|integer|0||0
3|end|integer|0||0
4|period_start|integer|0||0
5|period_end|integer|0||0
6|formats|integer|0||0
7|status|integer|0||0
8|schedule_color|varchar(16)|0||0
9|dev_type|integer|0||0
10|title|varchar(256)|0||0
11|adom_oid|integer|0||1
12|date|varchar(12)|0||2
13|layout_id|integer|0||0
14|uuid|varchar(40)|0||0
15|adminuser|varchar(36)|0||0
16|profileid|varchar(36)|0||0

sqlite> .exit    (use .exit to leave sqlite3)

sh-4.3# exit     (use exit to leave the shell)

Run the same commands on the other FortiAnalyzer, the one on which reports are visible in the GUI, and compare the output: the number of columns (and their names) may differ. If you do not have a spare FortiAnalyzer to compare against, a Fortinet Support engineer can check the output on a lab device for you. A difference in the number of columns confirms that the report DB file was created by a different OS version and carried over from it.

3) To fix this issue, delete the DB file with the commands below. Deleting this file is non-impacting: it does not remove any logs or log data from FortiAnalyzer.

- To delete the file, enter the shell again:

# execute shell
rm /drive0/private/faz_idb/report.db
exit

- After the file is deleted, generate some reports. The DB is recreated automatically after some time (roughly an hour), and the reports will then be visible in the GUI.

- If the DB file has still not been created after that time, reboot the FortiAnalyzer; the file deleted above is created immediately after the reboot.

- For any further questions, contact Fortinet Technical Support for assistance with this procedure.
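The verification in step 2 comes down to one question: does the `report` table in report.db have the column set the running firmware expects? The script below is an added example written for this article; it is not Fortinet code and does not run on the FortiAnalyzer itself (the appliance only provides the sqlite3 CLI). It builds two constructed SQLite files that mimic report.db, one with the 17 columns shown in the PRAGMA output above and one with two made-up extra columns standing in for a file left behind by a newer build, and shows how to turn PRAGMA table_info into a schema comparison you can run offline against a copy of the file or against the output you pasted from both devices. The file names, the extra column names and the row contents are all assumptions for illustration.

```python
"""Compare the schema of a FortiAnalyzer-style report.db against a known-good reference.

Added example for this article, not Fortinet code. Everything here is constructed:
the sample databases are created by this script and are not real FortiAnalyzer files.
"""
import os
import sqlite3
import tempfile

# The 17 (name, declared type) pairs listed by PRAGMA table_info(report) in the article.
REFERENCE_COLUMNS = [
    ("name", "varchar(256)"), ("mtime", "integer"), ("start", "integer"),
    ("end", "integer"), ("period_start", "integer"), ("period_end", "integer"),
    ("formats", "integer"), ("status", "integer"), ("schedule_color", "varchar(16)"),
    ("dev_type", "integer"), ("title", "varchar(256)"), ("adom_oid", "integer"),
    ("date", "varchar(12)"), ("layout_id", "integer"), ("uuid", "varchar(40)"),
    ("adminuser", "varchar(36)"), ("profileid", "varchar(36)"),
]


def table_columns(db_path):
    """Return [(name, declared_type), ...] for the report table.

    This is the same PRAGMA the article runs in the sqlite3 CLI; fields 1 and 2 of
    each row are the column name and declared type, field 0 is the column index.
    """
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute("PRAGMA table_info(report)").fetchall()
    finally:
        con.close()
    return [(row[1], row[2]) for row in rows]


def report_count(db_path):
    """Number of rows in the report table (the article's select count(*) query)."""
    con = sqlite3.connect(db_path)
    try:
        return con.execute("SELECT count(*) FROM report").fetchone()[0]
    finally:
        con.close()


def schema_diff(db_path, reference=REFERENCE_COLUMNS):
    """Return (extra, missing): columns in the file but not in the reference, and vice versa.

    Both lists empty means the schema matches the reference build. Anything else is
    the signature the article describes: a report.db created by a different firmware
    version and carried over without formatting the flash.
    """
    actual = table_columns(db_path)
    extra = [col for col in actual if col not in reference]
    missing = [col for col in reference if col not in actual]
    return extra, missing


def make_sample_db(path, columns, rows=0):
    """Create a constructed report.db with the given columns (test fixture, not a real file)."""
    if os.path.exists(path):
        os.remove(path)
    con = sqlite3.connect(path)
    # Identifiers are quoted so reserved-looking names such as "end" are accepted.
    cols = ", ".join(f'"{name}" {ctype}' for name, ctype in columns)
    con.execute(f"CREATE TABLE report ({cols})")
    for i in range(rows):
        con.execute('INSERT INTO report ("name", "title") VALUES (?, ?)',
                    (f"report-{i}", f"Sample report {i}"))
    con.commit()
    con.close()


def demo():
    """Build a matching and a mismatching sample DB and return what the checks report."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "report_good.db")
    bad = os.path.join(tmp, "report_downgraded.db")
    make_sample_db(good, REFERENCE_COLUMNS, rows=3)
    # Stand-in for a file left by a newer build: two extra columns (names are made up).
    make_sample_db(bad, REFERENCE_COLUMNS + [("extra_col_a", "integer"),
                                             ("extra_col_b", "varchar(64)")], rows=3)
    return {
        "good": (len(table_columns(good)), report_count(good), schema_diff(good)),
        "bad": (len(table_columns(bad)), report_count(bad), schema_diff(bad)),
    }


if __name__ == "__main__":
    for label, (ncols, nrows, (extra, missing)) in demo().items():
        verdict = ("matches reference" if not extra and not missing
                   else f"MISMATCH extra={extra} missing={missing}")
        print(f"{label}: {ncols} columns, {nrows} reports, {verdict}")
```

A practical note on step 3: the article removes the file with rm. If you want a way back, moving the file aside on the appliance (for example to report.db.bak in the same directory) instead of deleting it keeps a copy for Support to inspect while still letting FortiAnalyzer recreate report.db; that FortiAnalyzer ignores the renamed copy is the editor's assumption, not something the article states.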
