Hi there,
I need help with a dataset/report on FortiAnalyzer.
What I need:
Detailled Report about Application Category "Video/Audio"
- See which Applications (In appcat=Video/Audio) consumed which bandwith
- Which users connected to which application (in appcat=Audio/Video)
- Top 30 users for every Application with Bandwith usage (in appcat=Video/Audio)
Is there anybody who can help me?
Thanks and best regards
Mattias
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
try the datasets below. All data is generated from the traffic log.
- See which Applications (In appcat=Video/Audio) consumed which bandwith
SELECT `appid`, COALESCE(NULLIFNA(`app`),'Unknown Application') AS app_name, `appcat`, SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0)) AS bandwidth FROM $log WHERE $filter AND LOGID_TO_INT(`logid`) NOT IN (4, 7, 14) AND `appcat`='Video/Audio' AND `action` IN ('accept','close') AND `utmaction`='allow' AND NULLIFNA(`app`) IS NOT NULL GROUP BY `appid`, app_name, `appcat` HAVING SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0))>0 ORDER BY bandwidth DESC
- Which users connected to which application (in appcat=Audio/Video)
SELECT COALESCE(NULLIFNA(UPPER(`user`)), IPSTR(`srcip`)) AS user_src, `appid`, COALESCE(NULLIFNA(`app`),'Unknown Application') AS app_name, `appcat`, SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0)) AS bandwidth FROM $log WHERE $filter AND LOGID_TO_INT(`logid`) NOT IN (4, 7, 14) AND `appcat`='Video/Audio' AND `action` IN ('accept','close') AND `utmaction`='allow' AND NULLIFNA(`app`) IS NOT NULL GROUP BY user_src, `appid`, app_name, `appcat` HAVING SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0))>0 ORDER BY user_src ASC, bandwidth DESC
- Top 30 users for every Application with Bandwith usage (in appcat=Video/Audio)
SELECT * FROM ( SELECT RANK() OVER (PARTITION BY app_name ORDER BY bandwidth DESC) AS ranked, app_name, `appcat`, user_src, bandwidth FROM ( SELECT `appid`, COALESCE(NULLIFNA(`app`),'Unknown Application') AS app_name, `appcat`, COALESCE(NULLIFNA(UPPER(`user`)), IPSTR(`srcip`)) AS user_src, SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0)) AS bandwidth FROM $log WHERE $filter AND LOGID_TO_INT(`logid`) NOT IN (4, 7, 14) AND `appcat`='Video/Audio' AND `action` IN ('accept','close') AND `utmaction`='allow' AND NULLIFNA(`app`) IS NOT NULL GROUP BY `appid`, app_name, `appcat`, user_src HAVING SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0))>0 ORDER BY app_name ASC, bandwidth DESC ) t ) t WHERE ranked<=30
The datasets were tested on FAZ VM 5.0.10 and the FGT is running on 5.2.
If you have FGT on 5.0 probably you will need to set the utmaction`='allow' to 'passthrough' and maybe some other value.
AtiT
Sorry it is my fault. I just run the dataset I did not created a report.
The problem is wiht the "*" in the first select. I also forgot the "appid" to choose a Icon-Application in the chart.
So the correct dataset should be:
SELECT `appid`, app_name, `appcat`, user_src, bandwidth FROM ( SELECT RANK() OVER (PARTITION BY app_name ORDER BY bandwidth DESC) AS ranked, `appid`, app_name, `appcat`, user_src, bandwidth FROM ( SELECT `appid`, COALESCE(NULLIFNA(`app`),'Unknown Application') AS app_name, `appcat`, COALESCE(NULLIFNA(UPPER(`user`)), IPSTR(`srcip`)) AS user_src, SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0)) AS bandwidth FROM $log WHERE $filter AND LOGID_TO_INT(`logid`) NOT IN (4, 7, 14) AND `appcat`='Video/Audio' AND `action` IN ('accept','close') AND `utmaction`='allow' AND NULLIFNA(`app`) IS NOT NULL GROUP BY `appid`, app_name, `appcat`, user_src HAVING SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0))>0 ORDER BY app_name ASC, bandwidth DESC ) t ) t WHERE ranked<=30
I also attach the chart settings I tested.
AtiT
Hi,
I have a new dataset. Only the first 5 application is shown. The "others" is not added - I need to find out how to do it.
DROP TABLE IF EXISTS users_tmp; DROP TABLE IF EXISTS usrappbw_tmp; DROP SEQUENCE IF EXISTS temp_seq; CREATE TEMP SEQUENCE temp_seq; CREATE TEMPORARY TABLE users_tmp AS ( SELECT uid, user_src, bandwidth FROM ( SELECT NEXTVAL('temp_seq') AS uid, user_src, bandwidth FROM ( SELECT COALESCE(NULLIFNA(UPPER(`user`)), IPSTR(`srcip`)) AS user_src, SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0)) AS bandwidth FROM $log WHERE $filter AND LOGID_TO_INT(`logid`) NOT IN (4, 7, 14) AND `appcat`='Video/Audio' AND `action` IN ('accept','close') AND `utmaction`='allow' AND NULLIFNA(`app`) IS NOT NULL GROUP BY user_src HAVING SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0))>0 ORDER BY bandwidth DESC LIMIT 30 ) t ) s ); CREATE TEMPORARY TABLE usrappbw_tmp AS ( SELECT COALESCE(NULLIFNA(UPPER(`user`)), IPSTR(`srcip`)) AS user_src, `appid`, COALESCE(NULLIFNA(`app`),'Unknown Application') AS app_name, `appcat`, SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0)) AS bandwidth FROM $log WHERE $filter AND LOGID_TO_INT(`logid`) NOT IN (4, 7, 14) AND `appcat`='Video/Audio' AND `action` IN ('accept','close') AND `utmaction`='allow' AND NULLIFNA(`app`) IS NOT NULL GROUP BY `appid`, app_name, `appcat`, user_src HAVING SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0))>0 ORDER BY user_src ASC, bandwidth DESC ); SELECT ranked, uid, CASE WHEN ranked>1 THEN '' ELSE usr END AS usr, aid, aname, bw FROM ( SELECT RANK() OVER (PARTITION BY uid ORDER BY bw DESC) AS ranked, uid, usr, aid, aname, bw FROM ( SELECT users_tmp.uid AS uid, usrappbw_tmp.user_src AS usr, usrappbw_tmp.appid AS aid, usrappbw_tmp.app_name AS aname, usrappbw_tmp.bandwidth AS bw FROM usrappbw_tmp, users_tmp WHERE usrappbw_tmp.user_src=users_tmp.user_src GROUP BY uid, usr, aid, aname, bw ORDER BY uid ASC, bw DESC ) t ) s WHERE ranked<=5
It sould look like in the attached picture.
AtiT
Hi guys,
For this kind of chart, I do suggest to write a simple query like:
SELECT COALESCE(NULLIFNA(UPPER(`user`)), IPSTR(`srcip`)) AS user_src, app AS app_name, SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0)) AS bandwidth FROM $log WHERE $filter AND LOGID_TO_INT(`logid`) NOT IN (4, 7, 14) AND `appcat`='Video/Audio' AND `action` IN ('accept','close') AND `utmaction`='allow' AND NULLIFNA(`app`) IS NOT NULL GROUP BY user_src, app_name HAVING SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0))>0 ORDER BY bandwidth DESC
Then create a drilldown table chart base on this query, please check attached screen shot for chart setting (base on 5.2.2/5.2.3)
Regards,
hz
Hi,
I added the Others to the dataset. If someone could test it it will be great.
DROP TABLE IF EXISTS users_tmp; DROP TABLE IF EXISTS usrappbw_tmp; DROP SEQUENCE IF EXISTS temp_seq; CREATE TEMP SEQUENCE temp_seq; CREATE TEMPORARY TABLE users_tmp AS ( SELECT uid, user_src, bandwidth FROM ( SELECT NEXTVAL('temp_seq') AS uid, user_src, bandwidth FROM ( SELECT COALESCE(NULLIFNA(UPPER(`user`)), IPSTR(`srcip`)) AS user_src, SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0)) AS bandwidth FROM $log WHERE $filter AND LOGID_TO_INT(`logid`) NOT IN (4, 7, 14) AND `appcat`='Video/Audio' AND `action` IN ('accept','close') AND `utmaction`='allow' AND NULLIFNA(`app`) IS NOT NULL GROUP BY user_src HAVING SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0))>0 ORDER BY bandwidth DESC LIMIT 30 ) t ) s ); CREATE TEMPORARY TABLE usrappbw_tmp AS ( SELECT COALESCE(NULLIFNA(UPPER(`user`)), IPSTR(`srcip`)) AS user_src, `appid`, COALESCE(NULLIFNA(`app`),'Unknown Application') AS app_name, `appcat`, SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0)) AS bandwidth FROM $log WHERE $filter AND LOGID_TO_INT(`logid`) NOT IN (4, 7, 14) AND `appcat`='Video/Audio' AND `action` IN ('accept','close') AND `utmaction`='allow' AND NULLIFNA(`app`) IS NOT NULL GROUP BY `appid`, app_name, `appcat`, user_src HAVING SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0))>0 ORDER BY user_src ASC, bandwidth DESC ); SELECT ranked, uid, usr, aid, aname, SUM(bw) AS bw FROM ( SELECT CASE WHEN ranked>5 THEN 6 ELSE ranked END AS ranked, uid, CASE WHEN ranked>1 THEN '' ELSE usr END AS usr, CASE WHEN ranked>5 THEN 0 ELSE aid END AS aid, CASE WHEN ranked>5 THEN 'Others' ELSE aname END AS aname, bw FROM ( SELECT RANK() OVER (PARTITION BY uid ORDER BY bw DESC) AS ranked, uid, usr, aid, aname, bw FROM ( SELECT users_tmp.uid AS uid, usrappbw_tmp.user_src AS usr, usrappbw_tmp.appid AS aid, usrappbw_tmp.app_name AS aname, usrappbw_tmp.bandwidth AS bw FROM usrappbw_tmp, users_tmp WHERE usrappbw_tmp.user_src=users_tmp.user_src GROUP BY uid, usr, aid, aname, bw ORDER BY uid ASC, bw DESC ) t ) s GROUP BY ranked, uid, usr, aid, aname, bw ORDER BY uid ASC, ranked ASC ) u GROUP BY ranked, uid, usr, aid, aname ORDER BY uid ASC, ranked ASC
AtiT
I did exactly what hzhao_FTNT described and it works like a charm!
Lots of thanks to both of you guys.
Cheers,
Mattias
When i run this query....
ERROR: column "utmaction" does not exist
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1721 | |
1098 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.