4. FortiAnalyzer Getting Started v6.4. Working with reports
Greetings friends! In the last lesson we learned the basics of working with logs on FortiAnalyzer. Today we go further and look at the main aspects of working with reports: what reports are, what they consist of, how to edit existing reports and how to create new ones. As usual, a little theory first, then hands-on work with reports. Below is the theoretical part of the lesson, followed by a video tutorial that covers both theory and practice.
The main purpose of reports is to consolidate the large amount of data contained in the logs and, according to the configured settings, present it in a readable form: graphs, tables and diagrams. The figure below shows the list of predefined reports for FortiGate devices (not all of them fit, but the list already shows that even out of the box you can build many interesting and useful reports).
Keep in mind that reports only present the requested information in a readable form; they contain no recommendations on what to do about the problems they reveal. Interpreting the output and acting on it remains the administrator's job.
The building blocks of a report are charts. Each report consists of one or more charts. A chart defines what information is extracted from the logs and how it is displayed. Extraction is the job of the dataset: a SQL SELECT query against FortiAnalyzer's log database. It is the dataset that specifies exactly which logs are queried and which fields are returned. Once the query has produced its result, the chart's format (display) settings are applied to it, and the data is rendered as a table, graph or diagram of the chosen type.
The SELECT query uses several clauses to constrain the data it returns. The important point is that these clauses must appear in a fixed order, the order in which they are listed here:
- FROM is the only one of these clauses that is mandatory. It specifies the type of logs (the log table) from which the information is extracted;
- WHERE sets conditions on the logs (for example, a specific application, attack or virus name);
- GROUP BY groups the rows by one or more columns of interest;
- ORDER BY sorts the result rows by one or more columns, ascending or descending;
- LIMIT restricts the number of rows the query returns.
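As an added illustration (this dataset is not part of the original lesson or of Fortinet's own report definitions), the query below puts all five clauses together in the order FortiAnalyzer's dataset editor expects. `$log` and `$filter` are FortiAnalyzer dataset macros: `$log` stands for the table of the log type selected in the editor (here Attack, i.e. IPS logs) and `$filter` for the device, time-period and log filters of the report that runs the dataset. The field names (attack, severity, srcip, action) are standard FortiGate IPS log fields; the `hits` and `sources` aliases and the choice to keep only blocked critical/high events are this example's own.

```sql
-- Added example dataset: top 10 blocked high-severity IPS signatures.
-- Log Type in the dataset editor: Attack. FortiAnalyzer replaces $log with
-- that log table and $filter with the report's device / period / log filters.
select
    attack,                           -- IPS signature name
    severity,                         -- critical / high / medium / low / info
    count(*)              as hits,    -- how many times the signature fired
    count(distinct srcip) as sources  -- how many distinct source addresses
from $log                             -- FROM: the selected log type
where $filter                         -- WHERE: always keep $filter ...
  and action = 'dropped'              -- ... and AND your own conditions to it
  and severity in ('critical', 'high')
group by attack, severity             -- GROUP BY: one row per signature
order by hits desc                    -- ORDER BY: most frequent first
limit 10                              -- LIMIT: top 10 only
```

Create it under the Datasets page with Log Type set to Attack and use the editor's Test function to run it against a device and time period before attaching it to a chart. Keep `$filter` in every dataset you write: without it the report's device and period selection has no effect on the query, so it runs over the whole table, which is slow and returns data from devices the report was not meant to cover.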
FortiAnalyzer ships with predefined report templates. A template is the report layout: it contains the report text, its charts and macros. Templates let you create new reports when a predefined one needs only minor changes. Note that the predefined templates and reports cannot be edited or deleted; you clone them and make the changes on the copy. You can also create your own templates from scratch.
Sometimes a predefined report fits the task, but not completely: you need to add some information to it or, conversely, remove some. There are two options: clone and modify the template, or clone and modify the report itself. Which one to choose depends on several factors:
Templates are only the layout of a report: they contain charts and report text, nothing more. A report, in addition to the layout, carries its own parameters: language, font, text colour, generation period, log filtering and so on. So if you only need to change the layout, work with the template; if the report needs additional configuration, edit the report itself (or rather a copy of it).
Based on the templates, you can create several reports of the same type, so if you have to make many reports similar to each other, then it is preferable to use templates.
In the event that the predefined templates and reports do not suit you, you can create both a new template and a new report.
FortiAnalyzer can also deliver generated reports to individual administrators by email or upload them to external servers. This is done with the Output Profile mechanism; Output Profiles are configured separately for each administrative domain (ADOM). An Output Profile defines:
- the format of the sent reports: PDF, HTML, XML or CSV;
- where the reports are sent: an administrator's email (this requires a mail server to be configured on FortiAnalyzer, which we covered in the last lesson) or an external file server over FTP, SFTP or SCP. Prefer SFTP or SCP: FTP sends both the credentials and the report contents (internal addresses, user names, detected threats) in cleartext;
- what to do with the local copy left on the device after delivery: keep it or delete it.
If necessary, it is possible to speed up the generation of reports. Let’s consider two ways:
When generating a report, FortiAnalyzer builds the charts from precompiled SQL cache data known as hcache. If the hcache for the report has not been built when the report runs, the system must first build the hcache and only then the report, which lengthens generation time. If no new logs covered by the report have arrived since, rerunning the report is much faster because the hcache already exists.
To improve report generation performance, you can enable automatic hcache generation in the report settings. The hcache is then updated as new logs arrive, so the report does not have to wait for it. An example setting is shown in the figure below.
This process consumes a lot of system resources (especially for reports that cover long periods or large amounts of data), so after enabling it monitor the state of FortiAnalyzer: has the load risen significantly, is there critical consumption of CPU, memory or disk I/O? If FortiAnalyzer cannot cope with the load, disable automatic hcache generation for that report.
It should also be noted that automatic hcache data refresh is enabled by default for scheduled reports.
The second way to speed up report generation is grouping:
If the same (or similar) reports are generated for many FortiGate devices (or other Fortinet devices), you can significantly speed up the process by grouping them. Grouping reduces the number of hcache tables that have to be built and maintained and shortens automatic caching time, and therefore report generation time.
In the example shown in the figure below, reports with the Security_Report string in the title are grouped by Device ID.
The video tutorial presents the theoretical material discussed above, and also discusses the practical aspects of working with reports – from creating your own datasets and charts, templates and reports to setting up the forwarding of reports to administrators. Happy viewing!