Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
theG
New Contributor III

Created on ‎01-25-2014 04:20 AM

Help with custom report

Hi Guys... SoI' ve gone through the standard charts / datasets and I can' t seem to find one that will give me browsing history. I' m running Fortianalyzer 100c with v5.0.5 I need to be able to check on browsing history for specific users. What websites and when...can anybody help me with this please?? thanks
23054
0 Kudos
1 Solution
hzhao_FTNT
Staff
Staff
In response to fsheriff

Created on ‎12-29-2014 08:20 AM

Hi there,

 

`status` field was changed to `action` after FAZ 5.0.7.

For FOS 5.0 log, please query traffic log use utmaction!='blocked' for allowed traffic

For FOS 5.2&4.3 log, please query webfilter log and use action!='blocked' for allowed traffic

To generate a report based on the blocked URL's and source user, please try:

 

select hostname, user_src, sum(requests) as requests from (###(select hostname, coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, count(*) as requests from $log-traffic where $filter and logid_to_int(logid) not in (4, 7, 14) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is not null and utmaction='blocked' group by hostname, user_src order by requests desc)### union all ###(select hostname, coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, count(*) as requests from $log-webfilter where $filter and (eventtype is null or logver = 52) and action='blocked' group by hostname, user_src order by requests desc)###) t group by hostname, user_src order by requests desc

 

This dataset should work for 4.3,5.0&5.2 log

 

Regards,

hz

View solution in original post

12508
0 Kudos
44 REPLIES 44
AtiT
Valued Contributor
In response to Fullmoon

Created on ‎02-21-2014 07:19 AM

Hi, I' m actually testing a dataset for application usage, it looks like this: SELECT TO_TIMESTAMP(`itime`)::timestamp AS time, TO_CHAR((`duration` || ' second' )::interval, ' HH24:MI:SS' ) AS dur, COALESCE(NULLIFNA(`user`), `srcip`) AS user_src, COALESCE(`app`,' Unknown Application' ) AS apl, COALESCE(`appcat`,' Unknown Category' ) AS apc, SUM(COALESCE(`sentbyte`, 0)+COALESCE(`rcvdbyte`, 0)) AS bandwidth FROM $log WHERE $filter AND `status` IN (' accept' ,' close' ) AND `utmaction`=' passthrough' GROUP BY time, dur, user_src, apl, apc HAVING SUM(COALESCE(`sentbyte`, 0)+COALESCE(`rcvdbyte`, 0))>0 ORDER BY bandwidth DESC

AtiT

AtiT
1096
0 Kudos
Fullmoon
Contributor III
In response to AtiT

Created on ‎02-21-2014 05:02 PM

ORIGINAL: AtiT SELECT TO_TIMESTAMP(`itime`)::timestamp AS time, TO_CHAR((`duration` || ' second' )::interval, ' HH24:MI:SS' ) AS dur, COALESCE(NULLIFNA(`user`), `srcip`) AS user_src, COALESCE(`app`,' Unknown Application' ) AS apl, COALESCE(`appcat`,' Unknown Category' ) AS apc, SUM(COALESCE(`sentbyte`, 0)+COALESCE(`rcvdbyte`, 0)) AS bandwidth FROM $log WHERE $filter AND `status` IN (' accept' ,' close' ) AND `utmaction`=' passthrough' GROUP BY time, dur, user_src, apl, apc HAVING SUM(COALESCE(`sentbyte`, 0)+COALESCE(`rcvdbyte`, 0))>0 ORDER BY bandwidth DESC
I copied your syntax line per line but when I tried to test it I got this result.See attached file

Fortigate Newbie

Fortigate Newbie
Preview file
95 KB
1096
0 Kudos
AtiT
Valued Contributor
In response to Fullmoon

Created on ‎02-21-2014 11:55 PM

Hi, The dataset is for the Traffic log.

AtiT

AtiT
1096
0 Kudos
Fullmoon
Contributor III
In response to AtiT

Created on ‎02-22-2014 04:11 AM

hi, Is this normal unknown application and unknown category? How to fix this? I enbaled Log in my App Control profile including my web profile as well as my egress policy

Fortigate Newbie

Fortigate Newbie
Preview file
128 KB
1096
0 Kudos
mnantel_FTNT
Staff
Staff

Created on ‎02-20-2014 05:46 AM

I' ve created something quick for you. Do note that I am limiting the number of records to 500. This reports isn' t an actual audit trail with timestamps - it is aggregating data common to each combination of user+ip+website and presenting the bandwidth consumed in decrementing order. Let me know what tweaks you need! (And please, run 5.0.6 with this report - there are sometimes incompatibility in between versions) Go to the report section, and simply import the file and run it. https://www.dropbox.com/s/1j8sym6nooy1wmh/Websites%20-%20Top%20500%20by%20Bandwidth.dat I believe the OP wanted a report that has the timestamp, so I will wait for him to respond back...

-- Mathieu Nantel Systems Engineer / Conseiller Technique - Fortinet Montreal, QC

1096
0 Kudos
Fullmoon
Contributor III
In response to mnantel_FTNT

Created on ‎02-20-2014 07:22 AM

Hi mnantel, thanks for that file appreciate it and its working. Pls can you add more template like top allowed applications including the user/ip and timestamps and top blocked applications including the user/ip and timestamps. your help is highly appreciated

Fortigate Newbie

Fortigate Newbie
1096
0 Kudos
mnantel_FTNT
Staff
Staff
In response to Fullmoon

Created on ‎02-20-2014 10:19 AM

I can definitely provide that however if I provide you with a timestamp, aggregation is no longer possible because each row with a different timestamp is a new entry. What I can produce is a report which will basically end up listing the largest flows over the specific time interval - is that what you want? For instance: 
 
 #######################################################################################
 # Timestamp                 #  User     # App            # Hostname     #  Bandwidth  #
 #######################################################################################
 | 2014/02/20 11:55:00       |  MAT      | Youtube.HD     | youtube.com  | 56 MB       |
 ———————————————————————————————————————————————————————————————————————————————————————
 | 2014/02/20 09:55:00       |  MAT      | BitTorrent     | N/A          | 45 MB       |
 ———————————————————————————————————————————————————————————————————————————————————————
 | 2014/02/20 10:55:00       |  MAT      | Youtube.HD     | youtube.com  | 35 MB       |
 ———————————————————————————————————————————————————————————————————————————————————————
 | 2014/02/20 08:55:00       |  MAT      | BitTorrent     | N/A          | 24 MB       |
 ———————————————————————————————————————————————————————————————————————————————————————
This is sorted reversed by the bandwidth transferred. Is that what you want? If so, how many records do you need?

-- Mathieu Nantel Systems Engineer / Conseiller Technique - Fortinet Montreal, QC

1096
0 Kudos
Fullmoon
Contributor III
In response to mnantel_FTNT

Created on ‎02-20-2014 08:09 PM

Give me atleast 100 records/entries if possible. Thanks

Fortigate Newbie

Fortigate Newbie
1096
0 Kudos
mnantel_FTNT
Staff
Staff

Created on ‎02-21-2014 04:13 AM

Great dataset AtiT - i' m afraid your Postgres-fu is much more advanced than mine! To your question, there are not that many behind the scene macros - I' ve revealed one of them, root_domain(hostname), the other one you can find in some dataset is the $browse_time macro which calculates a browsing time column for the aggregated row' s criteria. You can find examples in the existing datasets.

-- Mathieu Nantel Systems Engineer / Conseiller Technique - Fortinet Montreal, QC

1096
0 Kudos
ede_pfau
SuperUser
SuperUser

Created on ‎02-22-2014 04:14 AM

@fullmoon: Simple syntax error: you' ve used ' double quotes' instead of the correct ' back ticks' when you quoted the ' duration' keyword.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
1096
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.