Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi there,
`status` field was changed to `action` after FAZ 5.0.7.
For FOS 5.0 log, please query traffic log use utmaction!='blocked' for allowed traffic
For FOS 5.2&4.3 log, please query webfilter log and use action!='blocked' for allowed traffic
To generate a report based on the blocked URL's and source user, please try:
select hostname, user_src, sum(requests) as requests from (###(select hostname, coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, count(*) as requests from $log-traffic where $filter and logid_to_int(logid) not in (4, 7, 14) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is not null and utmaction='blocked' group by hostname, user_src order by requests desc)### union all ###(select hostname, coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, count(*) as requests from $log-webfilter where $filter and (eventtype is null or logver = 52) and action='blocked' group by hostname, user_src order by requests desc)###) t group by hostname, user_src order by requests desc
This dataset should work for 4.3,5.0&5.2 log
Regards,
hz
AtiT
ORIGINAL: AtiT SELECT TO_TIMESTAMP(`itime`)::timestamp AS time, TO_CHAR((`duration` || ' second' )::interval, ' HH24:MI:SS' ) AS dur, COALESCE(NULLIFNA(`user`), `srcip`) AS user_src, COALESCE(`app`,' Unknown Application' ) AS apl, COALESCE(`appcat`,' Unknown Category' ) AS apc, SUM(COALESCE(`sentbyte`, 0)+COALESCE(`rcvdbyte`, 0)) AS bandwidth FROM $log WHERE $filter AND `status` IN (' accept' ,' close' ) AND `utmaction`=' passthrough' GROUP BY time, dur, user_src, apl, apc HAVING SUM(COALESCE(`sentbyte`, 0)+COALESCE(`rcvdbyte`, 0))>0 ORDER BY bandwidth DESCI copied your syntax line per line but when I tried to test it I got this result.See attached file
Fortigate Newbie
AtiT
-- Mathieu Nantel Systems Engineer / Conseiller Technique - Fortinet Montreal, QC
Fortigate Newbie
####################################################################################### # Timestamp # User # App # Hostname # Bandwidth # ####################################################################################### | 2014/02/20 11:55:00 | MAT | Youtube.HD | youtube.com | 56 MB | ——————————————————————————————————————————————————————————————————————————————————————— | 2014/02/20 09:55:00 | MAT | BitTorrent | N/A | 45 MB | ——————————————————————————————————————————————————————————————————————————————————————— | 2014/02/20 10:55:00 | MAT | Youtube.HD | youtube.com | 35 MB | ——————————————————————————————————————————————————————————————————————————————————————— | 2014/02/20 08:55:00 | MAT | BitTorrent | N/A | 24 MB | ———————————————————————————————————————————————————————————————————————————————————————This is sorted reversed by the bandwidth transferred. Is that what you want? If so, how many records do you need?
-- Mathieu Nantel Systems Engineer / Conseiller Technique - Fortinet Montreal, QC
Fortigate Newbie
-- Mathieu Nantel Systems Engineer / Conseiller Technique - Fortinet Montreal, QC
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1669 | |
1081 | |
752 | |
446 | |
224 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.