Help
FortiSIEM Discussions
bhinangt
New Contributor III

Created on ‎05-07-2024 07:27 AM

How do i get devices not sending logs in last 24 hours in report?

I can use nested query to search the devices not sending logs, but when I save this query as report results are coming wrong.

 

How everyone else here gets devices not sending logs in last 24 hours?

Bhinang Tejani
Bhinang Tejani
Labels:
2407
0 Kudos
1 Solution
cdurkin_FTNT
Staff
Staff
In response to bhinangt

Created on ‎07-01-2024 03:02 PM

I have quickly tested as follows, let me know if it meets your criteria or not.

 

To get your result you can use a Nested Query, which as you said uses an Event Query to return devices reporting events during a time period, ie: last 24 hours and a CMDB Query to report on Assets in the CMDB.

 

1) Create Event Report .. (Inner Query) .. and save as "Reporting Devices Last Day"

Query .. Empty

Display Fields : Reporting IP, Reporting Device, COUNT(Matched Events)

 

2) CMDB Devices (Main/Outer Query)

 

Choose Query Type of "CMDB Attribute" 

Device IP NOT_IN Report: Reporting Devices Last Day. (and choose Attribute to map to be Reporting IP)

 

nested_query.png

 

For Display Fields use: Device IP, Device Name

 

Save your new report and remember it will be a CMDB Report, which can be scheduled as required.

 

cmdb_scheduled_report.png

 

I tested scheduling the CMDB report, and the results were as expected .. (on 7.2)

 

Is this what you did also?

View solution in original post

2024
8 REPLIES 8
Anthony_E
Community Manager
Community Manager

Created on ‎05-09-2024 09:07 PM

Hello bhinangt,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
2351
0 Kudos
Anthony_E
Community Manager
Community Manager

Created on ‎05-14-2024 12:36 AM

Hello bhinangt,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
2321
bhinangt
New Contributor III

Created on ‎05-14-2024 02:15 AM

So far what I have done is:

Step 1: Created report for reporting device using event count

But this report will only fetch devices who are sending logs and not all devices

 

Step 2: I used CMDB search for nested report to search reporting IP not in Step 1 report.

 

Results are perfect if i use search, but same query when saved as report is giving in correct data.

 

Why i need report?

Because I need to generate alert by running one report every 24 hours in automated manner and sending it to my ticketing tool, I cannot rely on staff to do this search query manually every day.

Bhinang Tejani
Bhinang Tejani
2315
0 Kudos
adem_netsys
Contributor II
In response to bhinangt

Created on ‎05-14-2024 03:08 AM

Hi @bhinangt 

 

So far I have used FortiSIEM's default "no logs from a device" rule, but I haven't tested it much, have you tried turning it into a report and using it?

2299
0 Kudos
nisse
New Contributor II
In response to bhinangt

Created on ‎07-01-2024 07:25 AM

I'm dealing with the same issue. Care to share your queries?

Nisse
Nisse
2048
0 Kudos
cdurkin_FTNT
Staff
Staff
In response to bhinangt

Created on ‎07-01-2024 03:02 PM

I have quickly tested as follows, let me know if it meets your criteria or not.

 

To get your result you can use a Nested Query, which as you said uses an Event Query to return devices reporting events during a time period, ie: last 24 hours and a CMDB Query to report on Assets in the CMDB.

 

1) Create Event Report .. (Inner Query) .. and save as "Reporting Devices Last Day"

Query .. Empty

Display Fields : Reporting IP, Reporting Device, COUNT(Matched Events)

 

2) CMDB Devices (Main/Outer Query)

 

Choose Query Type of "CMDB Attribute" 

Device IP NOT_IN Report: Reporting Devices Last Day. (and choose Attribute to map to be Reporting IP)

 

nested_query.png

 

For Display Fields use: Device IP, Device Name

 

Save your new report and remember it will be a CMDB Report, which can be scheduled as required.

 

cmdb_scheduled_report.png

 

I tested scheduling the CMDB report, and the results were as expected .. (on 7.2)

 

Is this what you did also?

2025
adem_netsys
Contributor II
In response to cdurkin_FTNT

Created on ‎06-19-2025 10:00 AM

Hi @cdurkin_FTNT 

I am still looking for an answer to this thread, I tried the nested query you wrote but it was not successful, did you find a new development or are you still using it?

506
0 Kudos
bhinangt
New Contributor III
In response to adem_netsys

Created on ‎06-19-2025 10:58 AM

Suggested query by @cdurkin_FTNT surely worked for me!
While my next concern was how to get last reporting time for devices not reporting in given period of time.

So i did different work around.

Bhinang Tejani
Bhinang Tejani
489
0 Kudos
Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.