FortiAnalyzer- the problem with logs.

fuks87i
2014/08/18 03:15:53 (permalink)

Hi,
Our FA1000C has been upgraded to the 5.06 version. The device is collecting log files from FortiGates. When I go to the Log View, Traffic Log, I see the columns: Date/Time, Source/View, Destination IP, Service, Sent/Received, User and VPN for VPN IPsec traffic. There is a problem with the column "User", because it is empty and does not display any information, in contrast to the others (full information).

How do I know which user (AD login) was logged in in the past, since I can only see the IP address (column Source/Device)?

The Event Log-> VPN
contains information about the AD user (xauthUser) but does not display other information (source, destination IP, service).
These are empty records.

I tried to create a new dataset which contains logs from Traffic and Event, but it does not give the expected result. The situation is like the one described above.
Should I focus on creating an appropriate DATASET joined from two LOG files (Traffic and Event VPN)? Is it possible to create a new query with two different log files?

Regards,
Fuks
#1
L_FTNT
RE: FortiAnalyzer- the problem with logs. 2014/08/19 10:41:13 (permalink)
Have you tried the factory default VPN usage report? This report supports FGT 5.0 or later and it has a number of improvements in FAZ 5.0.7.
#2
fuks87i
RE: FortiAnalyzer- the problem with logs. 2014/08/20 03:19:12 (permalink)
Hi,
I have tried to use the default VPN usage report, but the dataset "Top Dial-up VPN Users By Duration" does not give information about Destination IP, Service and Source IP.

For now I created two new queries, one from the Traffic log and one from the Event log.
It's hard to find a common element which can be used to locate a user in the Event log and localize him in the Traffic log. Even Date/Time is different between the two logs for a logged-in user (many services used while the user was logged in). I can't find a 100% match for a single user.

5.07? Can anyone confirm that reports in 5.07 are much better and give more information than firmware 5.06?
#3
fuks87i
RE: FortiAnalyzer- the problem with logs. 2014/08/21 03:07:49 (permalink)
Additional question: Can I generate a report in CSV format?
#4
L_FTNT
RE: FortiAnalyzer- the problem with logs. 2014/08/21 09:25:12 (permalink)
Hi there,

> For now I created two new queries, one from the Traffic log and one from the Event log.
> It's hard to find a common element which can be used to locate a user in the Event log and localize him in the Traffic log. Even Date/Time is different between the two logs for a logged-in user (many services used while the user was logged in). I can't find a 100% match for a single user.

This is a known limitation with FGT 5.0 (or earlier) IPsec VPN.

With 5.2 FOS, if you follow the new way to configure IPsec VPN (do not configure the user group in the IPsec Phase 1, but configure the authentication in the policy), you will get the correct IPsec VPN user info in the traffic log.

> Additional question: Can I generate a report in CSV format?

For 5.0.7, it supports PDF and HTML formats - CSV is not supported.
#5
fuks87i
RE: FortiAnalyzer- the problem with logs. 2014/08/22 00:20:24 (permalink)
L.Clarke, thanks a lot! Now I have a clear vision of FG reports.

Can I use an external tool, like SQLite Database Browser or another postgres tool, to connect to the internal FA log database (I would need to know the login and password)?

#6
Istvan Takacs_FTNT
RE: FortiAnalyzer- the problem with logs. 2014/08/22 03:47:45 (permalink)
You can't log in to the FAZ DB, but you can configure it to use an external DB server.
That way you could do whatever you want with the data in that MySQL DB.

You can also create your custom reports by using SQL queries on FAZ, but for that you need to use the built-in CLI instead of a 3rd-party tool. E.g.:

config report dataset
    edit <dataset_name>
        set query <sql_statement>
    next
end
#7
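The join the thread is after (VPN user from the Event log attached to flows in the Traffic log) can also be done offline once both logs are exported. This is an added example, not code from the thread or from Fortinet; it assumes FortiGate-style key=value records in which the tunnel-up/tunnel-down event carries the user (xauthuser) and the assigned tunnel IP (tunnelip), and that this IP is what the Traffic log records as srcip, and it runs on constructed sample lines. The common element is not a timestamp but the tunnel window: a flow is attributed to the user whose tunnel owned its source IP at that moment, and a flow outside every window stays unattributed rather than being guessed.

```python
import re
from datetime import datetime
# Constructed sample records in FortiGate key=value syslog style (not from the thread); field
# names xauthuser, tunnelip, srcip, dstip, service and action are assumed to match FortiGate's.
EVENT_LOG = """\
date=2014-08-18 time=08:00:05 type=event subtype=vpn action=tunnel-up xauthuser="jdoe" tunnelip=10.212.134.200
date=2014-08-18 time=08:45:10 type=event subtype=vpn action=tunnel-down xauthuser="jdoe" tunnelip=10.212.134.200
date=2014-08-18 time=09:00:00 type=event subtype=vpn action=tunnel-up xauthuser="asmith" tunnelip=10.212.134.200
"""
TRAFFIC_LOG = """\
date=2014-08-18 time=08:10:12 type=traffic srcip=10.212.134.200 dstip=192.0.2.10 service=SMB action=accept
date=2014-08-18 time=08:50:00 type=traffic srcip=10.212.134.200 dstip=192.0.2.11 service=HTTPS action=accept
date=2014-08-18 time=09:05:30 type=traffic srcip=10.212.134.200 dstip=192.0.2.12 service=RDP action=accept
"""
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(text):
    """Turn key=value log lines into dicts with a datetime under 'ts'."""
    records = []
    for line in text.splitlines():
        rec = {k: v.strip('"') for k, v in KV.findall(line)}
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records

def build_sessions(events):
    """Per tunnel IP, derive the [start, end] windows owned by a user from tunnel-up/down events."""
    open_by_ip, sessions = {}, []
    for ev in sorted(events, key=lambda r: r["ts"]):
        ip, action = ev.get("tunnelip"), ev.get("action")
        if action == "tunnel-up":
            if ip in open_by_ip:  # IP reused without a tunnel-down seen: close the stale window
                open_by_ip[ip]["end"] = ev["ts"]
            open_by_ip[ip] = sess = {"ip": ip, "start": ev["ts"], "end": None, "user": ev["xauthuser"]}
            sessions.append(sess)
        elif action == "tunnel-down" and ip in open_by_ip:
            open_by_ip.pop(ip)["end"] = ev["ts"]
    return sessions

def attribute(traffic, sessions):
    """Attach the VPN user whose tunnel owned srcip when the flow was logged, else None."""
    rows = []
    for t in traffic:
        owner = next((s["user"] for s in sessions if s["ip"] == t["srcip"]
                      and s["start"] <= t["ts"] and (s["end"] is None or t["ts"] <= s["end"])), None)
        rows.append((t["ts"].strftime("%H:%M:%S"), t["srcip"], t["dstip"], t["service"], owner))
    return rows

def correlate():
    return attribute(parse(TRAFFIC_LOG), build_sessions(parse(EVENT_LOG)))
```

The 08:50:00 flow comes back with no user because it falls between jdoe's tunnel-down and asmith's tunnel-up on the same address; that gap is exactly the case where a plain IP-to-user lookup would misattribute traffic.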
Warren_Olson_FTNT
RE: FortiAnalyzer- the problem with logs. 2014/08/22 05:57:43 (permalink)
If CLI isn't your preference, you can go to datasets within the report options and create a custom one, then put in postgres to query the db directly and click 'test' to see the output.
#8
fuks87i
RE: FortiAnalyzer- the problem with logs. 2014/08/26 04:08:12 (permalink)
In the near future I'll decide which solution will be used.

Warren Olson, I tried this all the time but did not get the correct result.

#9