MartiskaM
Staff
Article Id 206939

Description

 

This article describes how to resolve empty reports.
 
Scope
 
FortiAnalyzer.


Solution

 

  1. Verify that the FortiAnalyzer is not running a lower version than the FortiGates (refer to the latest Compatibility Tool).
  2. Check the time frame set for the report and verify that logs are visible in 'Log View' for that period. If there are none, generate some test logs by running 'diag log test' from the FortiGate CLI.
 

 

 
 
  3. For User reports, type the username exactly as it appears in Log View, because the match is case-sensitive.
  4. Test the dataset that is related to the report. To find the dataset that underlies the report, navigate to Layout, select the table, and choose Chart properties.
     Save or remember the name of the chart, navigate to Chart Library and search for the chart, then open the chart and find the dataset. Search for the dataset under the Datasets section, confirm that the correct time frame is applied, and use the TEST button to generate output.
     Note that the dataset values may differ from the real numbers, because this option is for testing purposes only.
 
 

 

 
 
  5. If a report that uses a filter returns no output, ensure that the correct filter and value are used. These values can be found by displaying the raw logs.
 
 
 
Raw view.
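
The username and filter checks above can also be run against raw log lines copied from Log View. This is an added example, not code from the original article or from Fortinet: it parses lines in the key=value raw log format and reports whether a filter value matches exactly, differs only in letter case, or is absent. The function names and the sample log lines are assumptions constructed for illustration.

```python
import re

# key=value pairs; a value is either double-quoted (may contain spaces) or bare
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_raw_log(line):
    """Turn one raw log line (key=value format) into a dict of fields."""
    return {key: (bare or quoted) for key, quoted, bare in _PAIR.findall(line)}

def diagnose_filter(raw_lines, field, value):
    """Explain why a report filter `field = value` does or does not match.

    Returns (verdict, values): the values are those seen for the field,
    narrowed to the near-misses when only the letter case differs.
    """
    logs = [parse_raw_log(line) for line in raw_lines if line.strip()]
    seen = {log[field] for log in logs if field in log}
    if not seen:
        return "field-not-in-logs", seen      # wrong filter field name
    if value in seen:
        return "exact-match", seen            # filter is fine, look elsewhere
    near = {v for v in seen if v.casefold() == value.casefold()}
    if near:
        return "case-mismatch", near          # e.g. jsmith vs JSmith
    return "value-not-in-logs", seen          # wrong value or wrong time frame

# Constructed sample lines (not real logs), shaped like the raw view output.
SAMPLE = [
    'date=2022-03-16 time=09:02:50 devname="FGT-LAB" type="utm" '
    'subtype="webfilter" user="JSmith" srcip=10.0.0.5 '
    'hostname="example.com" action="passthrough"',
    'date=2022-03-16 time=09:03:11 devname="FGT-LAB" type="utm" '
    'subtype="webfilter" user="adoe" srcip=10.0.0.9 '
    'hostname="example.org" action="blocked"',
]

if __name__ == "__main__":
    checks = [("user", "jsmith"), ("user", "JSmith"),
              ("action", "block"), ("group", "IT")]
    for field, value in checks:
        verdict, values = diagnose_filter(SAMPLE, field, value)
        print(f"{field}={value!r}: {verdict} (log values: {sorted(values)})")
```

A "case-mismatch" verdict points at the username issue described for User reports, while "field-not-in-logs" or "value-not-in-logs" means the filter itself needs to be corrected from the raw log values.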
 

 

 
 
Debug Section
  1. When a report starts running, FortiAnalyzer creates a log of the report generation status and system performance. Use this diagnostic log to troubleshoot and report performance issues. For example, if the report is very slow to generate, this log can be used to check system performance and see which charts take the longest to generate. For information on how to interpret the report diagnostic log and troubleshoot report performance issues, see the FortiAnalyzer Report Performance Troubleshooting Guide.

     To retrieve report generation logs:

  • In Reports -> Generated Report, 'right-click' the report and select Retrieve Diagnostic to download the log to the computer.
  • Use a text editor to open the log.
 
  2. Debug the reporting process using the commands below:

    diagnose debug application sqlreportd 255
    diagnose debug enable

    While the debug is running, execute the report via GUI or CLI as described in step 3. After the debug output has been generated, stop debugging from the CLI with the following commands:

    diagnose debug disable
    diagnose debug reset

  3. Execute the report manually via CLI. In this example, 'User Detailed Browsing Log' is run from the root ADOM.

    exe sql-report run root ?
    <schedule-name>    <----- Select one of the available SQL report schedule names.
    ADOM: root
    NAME    TITLE
    10012  - User Detailed Browsing Log
    10017  - User Top 500 Websites by Bandwidth
    10018  - User Top 500 Websites by Session
    10019  - Application Risk and Control
    10025  - Cyber Threat Assessment
    10037  - Secure SD-WAN Report
    10039  - SOC Incident Report
    10041  - Throughput Utilization Billing Report
    22001  - FortiClient Default Report
    30001  - FortiDDos Default Report
     
    uranium-esx50 # exe sql-report run root 10012
     
  4. Run the following command to check and repair the file system. The system reboots afterwards:

    diagnose system fsck harddisk
    This operation will check and repair the file system, then reboot the system.
    Do you want to continue? (y/n)y

  5. Manually rebuild hcache tables for the reports: See related articles.

  6. Rebuild the database. See related articles.

  7. If the issue remains, contact Fortinet TAC Support and provide additional details to the ticket, such as the output of the following commands:

    diag test application sqlreportd 99
    exe tac report

Also include the output of the commands run in step 2 of the debug section.
If Chrome is used, the Fortinet Chrome extension can also be downloaded to capture more details: FortiManager/FortiAnalyzer Debugger.

 

Related documents:

Reporting: When is a manual rebuild of hcache tables advisable?

Technical Tip: FortiAnalyzer SQL database delete and rebuild

Technical Tip: How to Validate Event Handler in FortiManager and FortiAnalyzer