I was asked to run user detailed browsing log and web usage report for the last 45 days.
when I run the reports, it only goes back 10 days.
I checked the device log settings on the analyzer, and it was set to roll log file at 200 MB, and I changed that to the maximum of 500.
under file management nothing is checked to automatically delete.
how can I view how far back my logs go?
is there someplace else I need to check settings?
Verify the Disk Log Quota
On Device Manager Right Click and select EDIT
very the Disk Log Quota (min. 100MB)
Hello!
You can check the logs @ Log View->Log Browse
okay, so I have found that I can run the report for any 10 day period, going back more than 45 days, and I can see the report for those 10 days.
but it appears that if I try to run the report for more than 12 days, it only gives me the last 12 days.
I have ran reports for 15 days, 20 days, 30 days, and each only returns the last 12 days.
BUT- I can specify the date, make it over 30 days ago, and I have that information in the report, as long as the time period is less than 12 days.
I have tried running reports for N days, N weeks, custom days, it all works the same.
is there a setting I am missing?
or, is it that the report runs just over 400 pages?
maybe the limit is in the page count?
The limit is the record count. as soon as you hit 10000 records, it terminates the query.
I have the same problem with fortianalyzer vm v.6.0.3. When I create a report, it only shows me the last x days.
I am not sure if this is a problem with "disk quota" since I can filter all the expected logs in FortiView/Log View to what extent I want.
I also ran the query manually but the same problem still persisted:
select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&1>0) and ( ( lower(`app`) = lower('YouTube')) AND (`srcip` <<= inet('X.Y.Z.0/24'))) group by user_src having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc
Do "Datasets" queries default to some value and once it hits x# of records, they terminate the queries?
@jamestiberius did you find a resolution or workaround?
Every issue I have ever run into where logs were only showing for the past x number of days was related to log quota size.
Either that, or someone only kicked on UTM / logging that long ago and before it was running without it.
Mike Pruett
I´ve seen issues where Fortianalyzers with low performance will not give you good reports even if the data is present.
For example, you have data for periods 1-30 but the report gives you output for say day 3-6, 15, 28-30.
Really strange and inconsistent results.
If I restored the logs in a VM, the report generated OK.
You could try and setup a free VM and try a restore there.
The same issue as Mikael.A described above.
We are using approx. 80 ADOMS. We sometimes had a problem mainly with the webfilter log that no result was generated or only for some days but only under some ADOM. When I backed up the logs for the specific ADOM to FTP and uploaded them back the report was OK.
Probably corrupted database? (version was 5.0.10)
Now we are on 5.2.7 (1 month) and it is OK. We will see.
AtiT
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1739 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.