How do i get devices not sending logs in last 24 hours in report?

bhinangt · ‎05-07-2024

I can use nested query to search the devices not sending logs, but when I save this query as report results are coming wrong.

How everyone else here gets devices not sending logs in last 24 hours?

Anthony_E · ‎05-09-2024

Hello bhinangt,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Anthony-Fortinet Community Team.

Anthony_E · ‎05-14-2024

Hello bhinangt,

We are still looking for someone to help you.

We will come back to you ASAP.

Regards,

Anthony-Fortinet Community Team.

bhinangt · ‎05-14-2024

So far what I have done is:

Step 1: Created report for reporting device using event count

But this report will only fetch devices who are sending logs and not all devices

Step 2: I used CMDB search for nested report to search reporting IP not in Step 1 report.

Results are perfect if i use search, but same query when saved as report is giving in correct data.

Why i need report?

Because I need to generate alert by running one report every 24 hours in automated manner and sending it to my ticketing tool, I cannot rely on staff to do this search query manually every day.

adem_netsys · ‎05-14-2024

Hi @bhinangt

So far I have used FortiSIEM's default "no logs from a device" rule, but I haven't tested it much, have you tried turning it into a report and using it?