Help
FortiSIEM Discussions
AliHaider
New Contributor

Created on ‎11-05-2020 03:49 AM

Analytics using two different log sources

Hello,

I am trying to create a report which would require data from two different log sources or events.

One event is the initial login of the VPN user, which has their username, login success/failure and their Source IP (which is their actual public IP allocated by the ISP).
The other logs contain their general traffic logs, and the important info in these logs is the tunnel IP they have been allocated once they have connected to the corporate VPN.

I can do the reports and dashboards for both these events individually.

Is there anyone to combine these two logs or events and extract the important info from both and present it as one output/report. 

Regards,
Ali.
243
0 Kudos
2 REPLIES 2
KarnGriffen
New Contributor III

Created on ‎11-09-2020 09:28 AM

Ali,

It's not perfect, but you can take your two existing report criteria and put them into one query using OR.  (1st Report Parameters) OR (2nd Report Parameters).  Then use the displayed columns to display the fields you would like.-------------------------------------------
Original Message:
Sent: Nov 05, 2020 03:49 AM
From: Ali Haider
Subject: Analytics using two different log sources

Hello,

I am trying to create a report which would require data from two different log sources or events.

One event is the initial login of the VPN user, which has their username, login success/failure and their Source IP (which is their actual public IP allocated by the ISP).
The other logs contain their general traffic logs, and the important info in these logs is the tunnel IP they have been allocated once they have connected to the corporate VPN.

I can do the reports and dashboards for both these events individually.

Is there anyone to combine these two logs or events and extract the important info from both and present it as one output/report. 

Regards,
Ali.
243
0 Kudos
DanielHanman
Staff
Staff
In response to KarnGriffen

Created on ‎11-09-2020 10:41 AM

Hi Ali,

To build on Karn suggestion, you can also use a Nested search. Check here https://help.fortinet.com/fsiem/6-1-0/Online-Help/HTML5_Help/Nested_queries.htm

If you are able to share the events from both your searches, I can have a go at building the nested search for you.

Cheers

Dan

------------------------------
Daniel
FortiSIEM Product Manager
------------------------------
-------------------------------------------
Original Message:
Sent: Nov 09, 2020 09:28 AM
From: Karn Griffen
Subject: Analytics using two different log sources

Ali,

It's not perfect, but you can take your two existing report criteria and put them into one query using OR.  (1st Report Parameters) OR (2nd Report Parameters).  Then use the displayed columns to display the fields you would like.
Original Message:
Sent: Nov 05, 2020 03:49 AM
From: Ali Haider
Subject: Analytics using two different log sources

Hello,

I am trying to create a report which would require data from two different log sources or events.

One event is the initial login of the VPN user, which has their username, login success/failure and their Source IP (which is their actual public IP allocated by the ISP).
The other logs contain their general traffic logs, and the important info in these logs is the tunnel IP they have been allocated once they have connected to the corporate VPN.

I can do the reports and dashboards for both these events individually.

Is there anyone to combine these two logs or events and extract the important info from both and present it as one output/report. 

Regards,
Ali.
243
0 Kudos
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.