theG
New Contributor III

Help with custom report

Hi guys... So I've gone through the standard charts/datasets and I can't seem to find one that will give me browsing history. I'm running FortiAnalyzer 100C with v5.0.5. I need to be able to check on browsing history for specific users. What websites and when... can anybody help me with this please? Thanks
1 Solution
hzhao_FTNT

Hi there,

 

The `status` field was changed to `action` after FAZ 5.0.7.

For FOS 5.0 logs, please query the traffic log and use `utmaction!='blocked'` for allowed traffic.

For FOS 5.2 & 4.3 logs, please query the webfilter log and use `action!='blocked'` for allowed traffic.

To generate a report based on the blocked URLs and source user, please try:

 

```sql
select hostname, user_src, sum(requests) as requests
from (
  ###(select hostname,
             coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src,
             count(*) as requests
      from $log-traffic
      where $filter
        and logid_to_int(logid) not in (4, 7, 14)
        and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')
        and hostname is not null
        and utmaction='blocked'
      group by hostname, user_src
      order by requests desc)###
  union all
  ###(select hostname,
             coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src,
             count(*) as requests
      from $log-webfilter
      where $filter
        and (eventtype is null or logver = 52)
        and action='blocked'
      group by hostname, user_src
      order by requests desc)###
) t
group by hostname, user_src
order by requests desc
```

 

This dataset should work for 4.3, 5.0 & 5.2 logs.

 

Regards,

hz
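
The dataset in the answer above, re-run on SQLite over constructed rows as an added example (not part of the original post and not Fortinet's code): it shows why the outer `sum(requests)` is needed after `union all`, and how switching `=` to `!=` gives the allowed-traffic view the question asks for. The `nullifna` stand-in (mapping 'N/A' to NULL), the `passthrough` action value, the table layout and the `web_report` name are assumptions; the `logid`, `eventtype` and `logver` filters are left out.

```python
import sqlite3

# Constructed sample rows, not real logs; column names follow the dataset above.
TRAFFIC = [  # hostname, user, srcip, utmevent, utmaction
    ("ads.example", "alice", "10.0.0.5", "webfilter", "blocked"),
    ("ads.example", "alice", "10.0.0.5", "webfilter", "blocked"),
    ("ads.example", "N/A", "10.0.0.9", "webfilter", "blocked"),
    ("news.example", "alice", "10.0.0.5", "webfilter", "passthrough"),
    (None, "bob", "10.0.0.7", "webfilter", "blocked"),  # no hostname: dropped
]
WEBFILTER = [  # hostname, user, srcip, action
    ("ads.example", "alice", "10.0.0.5", "blocked"),
    ("games.example", "N/A", "10.0.0.7", "blocked"),
    ("news.example", "bob", "10.0.0.7", "passthrough"),
]

QUERY = """
select hostname, user_src, sum(requests) as requests from (
  select hostname, coalesce(nullifna(user), srcip) as user_src, count(*) as requests
  from traffic
  where utmevent in ('webfilter', 'banned-word', 'web-content',
                     'command-block', 'script-filter')
    and hostname is not null and utmaction {op} 'blocked'
  group by hostname, user_src
  union all
  select hostname, coalesce(nullifna(user), srcip) as user_src, count(*) as requests
  from webfilter where action {op} 'blocked'
  group by hostname, user_src
) t group by hostname, user_src
order by requests desc, hostname, user_src
"""

def web_report(traffic, webfilter, blocked=True):
    """Return (hostname, user_or_ip, requests) rows, blocked or allowed."""
    db = sqlite3.connect(":memory:")
    # Assumed behaviour of FortiAnalyzer's nullifna(): 'N/A' becomes NULL,
    # so coalesce() falls back to the source IP for unauthenticated users.
    db.create_function("nullifna", 1, lambda v: None if v in ("N/A", "n/a") else v)
    db.execute("create table traffic (hostname, user, srcip, utmevent, utmaction)")
    db.execute("create table webfilter (hostname, user, srcip, action)")
    db.executemany("insert into traffic values (?, ?, ?, ?, ?)", traffic)
    db.executemany("insert into webfilter values (?, ?, ?, ?)", webfilter)
    # The operator comes from two fixed literals, never from user input.
    return db.execute(QUERY.format(op="=" if blocked else "!=")).fetchall()

if __name__ == "__main__":
    for row in web_report(TRAFFIC, WEBFILTER):
        print(row)
```

The `ads.example`/`alice` pair appears in both log types (2 + 1 hits), and only the outer `group by` merges it into a single row of 3.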

Fullmoon

Hi ede, thanks for your attention. I guess it was rectified already. I should use Traffic Logs under Log Type rather than selecting App Control.

Fortigate Newbie

mnantel_FTNT

Fullmoon, do let me know if you still require assistance producing those reports. I will check with the forum admins if we can have a sticky capability in here for those posts that may contain good reports.

-- Mathieu Nantel Systems Engineer / Conseiller Technique - Fortinet Montreal, QC

Fullmoon

Hi mnantel, as a favor, please provide 2 sets of datasets: 1.) Top Allowed Applications including users/ip, including timestamps 2.) Top Block Applications including users/ip. Thank you very much!

Fortigate Newbie

mnantel_FTNT

I cannot provide a Top at the same time as providing you with a timestamp, unless you intend to view the top *individual* sessions. Is that your objective? Let me give you an example of why this isn't effective: BitTorrent. Bundled together, all BitTorrent individual transfers will result in large amounts of bandwidth and yet individually, not so much.

-- Mathieu Nantel Systems Engineer / Conseiller Technique - Fortinet Montreal, QC

Fullmoon

Hi mnantel, is this feasible on your part? 1.) Top Allowed Applications including users/ip 2.) Top Block Applications including users/ip

Fortigate Newbie

mnantel_FTNT

Yes, this is rather simplistic, and already on some of our default reports. Did you see my previous question?

-- Mathieu Nantel Systems Engineer / Conseiller Technique - Fortinet Montreal, QC

Fullmoon

If you can provide these including top *individuals* with their sessions then much appreciated on my part. 1.) Top Allowed Applications including users/ip 2.) Top Block Applications including users/ip

Fortigate Newbie

mnantel_FTNT

Fullmoon, for individual sessions, there cannot be a Top as I am going to list you each session independently - by Top, do you mean me to sort them by bandwidth? Top Blocked however, what do you want exactly? Each single instance of a blocked app, with timestamp, is going to require a very very long list as there is no sorting possibility, as opposed to Top Allowed in which I have bandwidth. When we block applications, there is by definition not going to be any bandwidth amount allowed, right?

-- Mathieu Nantel Systems Engineer / Conseiller Technique - Fortinet Montreal, QC

Fullmoon

Are we clear for 1.) Top Allowed Applications including users/ip? Top Block Applications means user/s tried to use or access blocked applications (torrent, Facebook, games, proxies) even though they knew these applications are blocked already. Is this possible to generate? Hope you get my point. Apologies if my request is not clear on your part.

Fortigate Newbie

mnantel_FTNT

1) is indeed clear! We can do a graph for blocked apps, but I won't include the timestamp or you will have an excruciatingly long list. What I propose for the blocked is to sort it by largest count of attempts blocked, and then to list you the sourceip/user, app, app category. This way you have your top offenders in a relatively concise manner. I can give you a listing of 10, 100 or 500 records for this - it's really up to you. Does this make sense?

-- Mathieu Nantel Systems Engineer / Conseiller Technique - Fortinet Montreal, QC
