Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
markwen
New Contributor

Created on ‎05-22-2013 05:31 PM

Single user usage report query

Oh hai! I' ve been tasked with a mighty quest to retrieve a report of destinations, ranked by bandwidth usage for a specific user. So far I' ve created a report with a user filter for the user in question. However, I' m unsure if there' s a relevant dataset which will give me this information (FAz 5.0.2). Does such a thing exist? Or is it custom query time? Thanks in advance, Mark.
8702
0 Kudos
7 REPLIES 7
alexandru_serghie1
New Contributor

Created on ‎05-23-2013 12:15 AM

I' m having the same problem. I' m also struggling with the 5.0 P1 that has lots of bugs and I don' t have a support account so I can download the newest firmware by myself.
2160
0 Kudos
billp
Contributor

Created on ‎05-23-2013 10:06 AM

From what I understand, the FAZ 5.03 update will be a significant improvement with better user reporting. I think it' s due in June.

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
2160
0 Kudos
AtiT
Valued Contributor

Created on ‎05-29-2013 04:25 AM

Hi, I' m not sure if there is any relevant dataset for you - I didn' t find one, but you can create some. It depends whether you want data directly from traffic log (destionation IP) or from the webfilter log (hostname). For hostname you can use something like this: SELECT COALESCE(NULLIFNA(`user`),`srcip`) AS user_src,`hostname`, SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0)) AS bandwidth FROM $log WHERE $filter AND `type`=' webfilter' AND `status`=' passthrough' AND NULLIFNA(`hostname`) IS NOT NULL GROUP BY user_src, `hostname` HAVING SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0))>0 ORDER BY bandwidth DESC For destination IP: SELECT COALESCE(NULLIFNA(`user`),`srcip`) AS user_src,`dstip`, SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0)) AS bandwidth FROM $log WHERE $filter AND `type`=' traffic' AND NULLIFNA(`dstip`) IS NOT NULL GROUP BY user_src, `dstip` HAVING SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0))>0 ORDER BY bandwidth DESC After that just set a user filter in the report settings. In chart you can enable the user_src filed to check if the report is working correctly for the defined user and for the final report just delete it from the chart (not dataset). Some results are attached - see the image.

AtiT

AtiT
Preview file
88 KB
2160
0 Kudos
Ebenezer
New Contributor

Created on ‎06-24-2013 03:24 AM

Thanks for that post AtiT. Is there a way to display the bandwidth in MB or GB rather than in bytes when using the ranked format? If I use raw, I get the bandwidth in MB/GB but I only get one entry per user whereas in ranked I can get 5 hostnames per user.
2160
0 Kudos
AtiT
Valued Contributor
In response to Ebenezer

Created on ‎06-30-2013 01:13 PM

Hi Ebenezer, I' m a little bit confused or not understand what do you mean with: " I only get one entry per user whereas in ranked I can get 5 hostnames per user." Can you send some dataset/chart what you are using? I like the raw format because I can get more columns, in ranked format only 3. But I also use ranked format see the attached image below. In the dataset I set for the bandwidh bandwith/1024 for kB and bandwidh/1048576 for MB (1024*1024) etc. And in the chart I write the column title: Bandwidth [MB]. I know that it is not the best solution but I didn' t figure out how to do it automaticaly in ranked format - is it possible? My dataset: SELECT `dstcountry`, SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0))/1048576 AS bandwidth FROM $log WHERE `status`=' accept' GROUP BY `dstcountry` HAVING SUM(COALESCE(`sentbyte`,0)+COALESCE(`rcvdbyte`,0))>0 ORDER BY bandwidth DESC

AtiT

AtiT
Preview file
57 KB
2160
0 Kudos
Ebenezer
New Contributor
In response to AtiT

Created on ‎07-03-2013 01:06 AM

Thanks AtiT. I don' t get the bandwidth as MB/GB in raw format as well. In RAW format is it supposed to automatically show in MB/GB. Is it possible to get reports similar to the ones on Fortigate 100D where you get per user reports for top 5 users with top websites and applications?
2160
0 Kudos
AtiT
Valued Contributor
In response to Ebenezer

Created on ‎07-08-2013 02:44 AM

Hi Ebenezer, I have never tried to generate report directly on FTG. I didn' t find any dataset and chart configuration on FTG100D but I think it is possible via CLI: # config report dataset (dataset) # ? edit add/edit a table value delete delete a table value purge clear all table value rename rename a table entry get get dynamic and system information show show configuration end end and save last config (dataset) # edit test1 new entry ' test1' added (test1) # ? config config object set modify value unset set to default value get get dynamic and system information show show configuration next config next table entry abort end and discard last config end end and save last config (test1) # set ? query SQL query statement (test1) # set query ? <string> please input string value ...etc.. It seems that it is possible via CLI. (this is for FortiOS 4 MR3 Patch 12)

AtiT

AtiT
2160
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.