Christopher
New Contributor

Reports showing no results after upgrading to 5.2

Hello,

I recently upgraded from 5.0.6 to 5.2 on our FortiAnalyzer.

My upgrade path was:

5.0.6 > 5.0.7 > 5.0.8 > 5.2

I did not upgrade directly from 5.0.6 to 5.2.

I have manually rebuilt the sql-db and I have restored the system configuration from backup.

Since the upgrade, every report I run, whether stock or custom, gives me no information.

----------------

According to the release notes it says:

Bug ID 0250679: After upgrade, FortiAnalyzer may not be able to generate reports due to missing default datasets.

-----------------

It does not, however, say how to correct this issue or restore missing default datasets.

How can I replace the default datasets and is that the fix to get reports working again?

Without reporting capabilities, the FortiAnalyzer is practically useless for our purposes. Any help would be appreciated in resolving this issue.

Thank you

Christopher
New Contributor

I'm attempting to build a new SQL database.

I'll let you all know if that does anything to resolve this issue.

Christopher
New Contributor

It looks like doing a rebuild of the SQL DB did not work but doing a completely new SQL DB build got most of my reports back.

hzhao_FTNT

Hi Christopher, how did you do "a completely new SQL DB build"? Could you check if you had any crash logs under CLI?

dia debug crashlog read

christopher.duffield wrote:

It looks like doing a rebuild of the SQL DB did not work but doing a completely new SQL DB build got most of my reports back.

Christopher
New Contributor

Opened an SSL connection in PuTTY

# dia debug crashlog read

#

--- It just went to another prompt and didn't do anything

Logged into the FortiAnalyzer > System Settings tab > CLI

# dia debug crashlog read

#

--- Same results, it didn't give any returns.

The odd thing is, now the button I saw that said "Build SQL DB" is no longer visible.

The other thing I've noticed is there are no events in the Event logs still.

Event Management > All Events = No Data to Display.

Seems 5.2 on the FortiAnalyzer is missing a lot of information.

hzhao_FTNT

RebuildDB can only be done under CLI by: "exe sql-local rebuildDB", and the status icon in the GUI will disappear after rebuildDB has finished.

Christopher

Thank you, I did the "exe sql-local rebuild DB" command but it didn't seem to do anything. When I clicked on the icon it gave me a status so I thought it was the icon I needed to click on in order to do the rebuild.

Things still aren't working correctly, but at least I have "some" of the data now instead of nothing. There are several stock datasets that don't work and successful SSL VPN user logs don't seem to be pulling over from the FortiGate, though SSL VPN user "failed login" attempts do come across as well as IPSEC information. It is really very strange.

hzhao_FTNT

RebuildDB status can also be checked under CLI by:

dia sql status rebuild-db

or

dia test application sqllogd 70

 

For VPN report, please also check your FGT and see if FGT will send tunnel-stats VPN log:

config system settings
    set vpn-stats-log ipsec ssl
    set vpn-stats-period 300
end
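
One way to run the FortiGate-side check from the reply above against a saved `show` output or configuration backup, as an added example (not part of the original thread and not Fortinet code). The function names and the VDOM sample are constructed for illustration; because `show` omits default values, a key reported here as missing means "not explicitly set" in the text that was checked.

```python
import shlex

def parse_fortios_config(text):
    """Map each config section path to its {key: [values]} from 'set' lines."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blanks, CLI prompts, header comments
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:                      # unbalanced quote in a multi-line value
            tokens = line.split()
        verb = tokens[0]
        if verb in ("config", "edit"):
            stack.append(" ".join(tokens[1:]))
            sections.setdefault(" / ".join(stack), {})
        elif verb in ("end", "next") and stack:
            stack.pop()
        elif verb == "set" and len(tokens) >= 2:
            sections.setdefault(" / ".join(stack), {})[tokens[1]] = tokens[2:]
    return sections

def check_vpn_stats(text, required=("ipsec", "ssl")):
    """For every 'system settings' block, list tunnel types absent from vpn-stats-log."""
    report = {}
    for path, keys in parse_fortios_config(text).items():
        if path.split(" / ")[-1] != "system settings":
            continue
        enabled = keys.get("vpn-stats-log", [])
        period = keys.get("vpn-stats-period")
        report[path] = {
            "missing": [t for t in required if t not in enabled],
            "period": int(period[0]) if period else None,
        }
    return report

# Settings block as recommended in the thread.
THREAD_SAMPLE = """config system settings
    set vpn-stats-log ipsec ssl
    set vpn-stats-period 300
end"""

# Constructed sample: multi-VDOM layout where SSL tunnel stats are not set.
VDOM_SAMPLE = """config vdom
edit root
config system settings
    set vpn-stats-log ipsec
end
next
end"""

if __name__ == "__main__":
    for name, sample in (("thread", THREAD_SAMPLE), ("vdom", VDOM_SAMPLE)):
        print(name, check_vpn_stats(sample))
```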

 

Christopher
New Contributor

# show system settings
config system settings
    set vpn-stats-log ipsec ssl
    set vpn-stats-period 300
    set sip-tcp-port 5060
    set sip-udp-port 5060
end

I also ran a config log, get, but can't find any reference to VPN even though IPSEC goes to the FortiAnalyzer just fine and so do failed SSLVPN login attempts or event management data. It really is odd. Are there any other diagnostics I can run that you know of that might help me track down the issue? I'm thinking I may need to rebuild the db on the FortiGate but since it is in production I won't be able to do that until I can get it scheduled.

#config log fortianalyzer filter

# get
app-ctrl : enable
attack : enable
dlp : enable
dlp-archive : enable
email : enable
forward-traffic : enable
local-traffic : enable
netscan : enable
severity : notification
traffic : enable
virus : enable
voip : enable
web : enable
analytics : enable
anomaly : enable
app-ctrl-all : enable
blocked : enable
discovery : enable
dlp-all : enable
dlp-docsource : enable
email-log-google : enable
email-log-imap : enable
--More--
email-log-msn : enable
email-log-pop3 : enable
email-log-smtp : enable
email-log-yahoo : enable
ftgd-wf-block : enable
ftgd-wf-errors : enable
infected : enable
multicast-traffic : enable
oversized : enable
scanerror : enable
signature : enable
suspicious : enable
switching-protocols : enable
url-filter : enable
vulnerability : enable
web-content : enable
web-filter-activex : enable
web-filter-applet : enable
web-filter-command-block: enable
web-filter-cookie : enable
web-filter-ftgd-quota: enable

hzhao_FTNT

Hi Christopher,

Let's first make sure your FAZ gets correct logs from the FGT.

1. Can you browse VPN logs in FortiView -> Log View -> Event -> VPN? If yes, pls try filter: action=tunnel-stats

2. If no logs there, can you see event log in Log View -> Log Browse?

If still not, pls run "diag test app fortilogd 2", "diag test app fortilogd 3" to see if fortilogd is working properly.

hz
