fortianalyzer reports only go back 10 days - log setting?

Author
jamestiberius
Bronze Member
  • Total Posts : 36
  • Scores: 0
  • Reward points: 0
  • Joined: 2012/06/08 05:32:32
  • Status: offline
2016/06/24 06:58:20 (permalink)
0

fortianalyzer reports only go back 10 days - log setting?

I was asked to run a user detailed browsing log and web usage report for the last 45 days.
When I run the reports, it only goes back 10 days.
 
I checked the device log settings on the analyzer, and it was set to roll the log file at 200 MB, and I changed that to the maximum of 500.
Under File Management, nothing is checked to automatically delete.
 
How can I view how far back my logs go?
Is there someplace else I need to check settings?
 
#1
Marilia
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/06/23 13:00:14
  • Location: San Juan Puerto Rico
  • Status: offline
Re: fortianalyzer reports only go back 10 days - log setting? 2016/06/24 13:45:06 (permalink)
0
Verify the Disk Log Quota.
In Device Manager, right-click and select EDIT.
Verify the Disk Log Quota (min. 100 MB).
#2
Mikael.A
Bronze Member
  • Total Posts : 51
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/06/23 06:39:23
  • Status: offline
Re: fortianalyzer reports only go back 10 days - log setting? 2016/06/27 01:16:14 (permalink)
0
Hello!
You can check the logs at Log View -> Log Browse.
#3
jamestiberius
Bronze Member
  • Total Posts : 36
  • Scores: 0
  • Reward points: 0
  • Joined: 2012/06/08 05:32:32
  • Status: offline
Re: fortianalyzer reports only go back 10 days - log setting? 2016/06/28 12:24:16 (permalink)
0
Okay, so I have found that I can run the report for any 10-day period, going back more than 45 days, and I can see the report for those 10 days.
 
But it appears that if I try to run the report for more than 12 days, it only gives me the last 12 days.
I have run reports for 15 days, 20 days, 30 days, and each only returns the last 12 days.
 
BUT, I can specify the date, make it over 30 days ago, and I have that information in the report, as long as the time period is less than 12 days.
I have tried running reports for N days, N weeks, custom days; it all works the same.
 
Is there a setting I am missing?
#4
jamestiberius
Bronze Member
  • Total Posts : 36
  • Scores: 0
  • Reward points: 0
  • Joined: 2012/06/08 05:32:32
  • Status: offline
Re: fortianalyzer reports only go back 10 days - log setting? 2016/06/28 13:49:29 (permalink)
0
Or, is it that the report runs to just over 400 pages?
Maybe the limit is in the page count?
#5
MikePruett
Platinum Member
  • Total Posts : 677
  • Scores: 17
  • Reward points: 0
  • Joined: 2014/01/08 19:39:40
  • Location: Montgomery, Al
  • Status: offline
Re: fortianalyzer reports only go back 10 days - log setting? 2016/06/28 14:08:06 (permalink)
0
Every issue I have ever run into where logs were only showing for the past x number of days was related to log quota size.
 
Either that, or someone only kicked on UTM / logging that long ago and before it was running without it.

Mike Pruett
Fortinet GURU
#6
Mikael.A
Bronze Member
  • Total Posts : 51
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/06/23 06:39:23
  • Status: offline
Re: fortianalyzer reports only go back 10 days - log setting? 2016/06/28 23:42:38 (permalink)
0
I've seen issues where FortiAnalyzers with low performance will not give you good reports even if the data is present.
For example, you have data for periods 1-30 but the report gives you output for say day 3-6, 15, 28-30.
Really strange and inconsistent results.
If I restored the logs in a VM, the report generated OK.
 
You could try to set up a free VM and try a restore there.
#7
AtiT
Platinum Member
  • Total Posts : 463
  • Scores: 40
  • Reward points: 0
  • Joined: 2012/04/18 12:13:27
  • Location: Prague / Czech Republic
  • Status: offline
Re: fortianalyzer reports only go back 10 days - log setting? 2016/06/28 23:52:35 (permalink)
0
The same issue as Mikael.A described above.
We are using approx. 80 ADOMs. We sometimes had a problem, mainly with the webfilter log, where no result was generated, or only for some days, but only under some ADOMs. When I backed up the logs for the specific ADOM to FTP and uploaded them back, the report was OK.
Probably a corrupted database? (version was 5.0.10)
Now we are on 5.2.7 (1 month) and it is OK. We will see.
 

AtiT
--------------------
NSE 8, CCNP R+S
#8
Mikael.A
Bronze Member
  • Total Posts : 51
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/06/23 06:39:23
  • Status: offline
Re: fortianalyzer reports only go back 10 days - log setting? 2016/06/29 00:23:32 (permalink)
0
Thanks for giving the feedback, AtiT.
I'm currently investigating an issue with the TAC with one of our ADOMs on a brand new machine where the logs are collected but not inserted into the database (Analytics) until I do a database rebuild. This results in very strange issues, as FortiView, for example, is showing no results.
Other ADOMs are fine. This is 5.4.0. If I delete a device, the same issue occurs.
#9
FatalXCepti0n
New Member
  • Total Posts : 5
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/06/06 13:12:12
  • Status: offline
Re: fortianalyzer reports only go back 10 days - log setting? 2016/07/12 11:51:15 (permalink)
0
The limit is the record count. As soon as you hit 10000 records, it terminates the query.
#10
Hossein Oliabak
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/04/03 18:07:26
  • Status: offline
Re: fortianalyzer reports only go back 10 days - log setting? 2019/08/20 10:51:26 (permalink)
0
I have the same problem with FortiAnalyzer VM v.6.0.3. When I create a report, it only shows me the last x days.
I am not sure if this is a problem with "disk quota", since I can filter all the expected logs in FortiView/Log View to whatever extent I want.
I also ran the query manually, but the same problem still persisted:
 
select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src,
       sum(coalesce(sentbyte, 0) + coalesce(rcvdbyte, 0)) as bandwidth,
       sum(coalesce(rcvdbyte, 0)) as traffic_in,
       sum(coalesce(sentbyte, 0)) as traffic_out,
       count(*) as sessions
from $log
where $filter
  and (logflag&1>0)
  and ((lower(`app`) = lower('YouTube')) AND (`srcip` <<= inet('X.Y.Z.0/24')))
group by user_src
having sum(coalesce(sentbyte, 0) + coalesce(rcvdbyte, 0)) > 0
order by bandwidth desc
 
Do "Datasets" queries default to some value and, once they hit x number of records, terminate the queries?
 
@jamestiberius did you find a resolution or workaround?
#11
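To see why a fixed record cap would produce exactly the symptom in posts #4 and #10 (every range longer than about 12 days collapses to the same 12 days, while any shorter window reports fine), here is an added Python/SQLite model; it is not from the thread or from Fortinet, it assumes the cap truncates a newest-first scan before aggregation, and its log rows, daily volume and dates are constructed.

```python
import sqlite3
from datetime import date, timedelta

# Constructed sample data (not real FortiAnalyzer logs): one row per session.
ROW_CAP = 10000      # record-count cap described in post #10 (assumed behaviour)
ROWS_PER_DAY = 850   # constructed volume: 30 days = 25,500 rows, well above the cap
TODAY = date(2019, 8, 20)   # constructed anchor date

def build_db(days=30):
    """In-memory stand-in for the traffic log table the dataset query reads."""
    db = sqlite3.connect(":memory:")
    db.execute("create table log(day text, user_src text, sentbyte int, rcvdbyte int)")
    rows = []
    for d in range(days):
        day = (TODAY - timedelta(days=d)).isoformat()
        rows += [(day, "user%d" % (i % 5), 100, 200) for i in range(ROWS_PER_DAY)]
    db.executemany("insert into log values (?,?,?,?)", rows)
    return db

# Same shape as the thread's dataset query (sent+received bytes per user), except
# that the scan is cut off after ROW_CAP newest rows before the GROUP BY runs.
CAPPED_SQL = (
    "select day, user_src, sum(sentbyte + rcvdbyte) as bandwidth "
    "from (select * from log where day between ? and ? order by day desc limit ?) "
    "group by day, user_src")

def days_in_report(db, n_days):
    """Distinct days that survive the cap in one run over the last n_days."""
    start = (TODAY - timedelta(days=n_days - 1)).isoformat()
    rows = db.execute(CAPPED_SQL, (start, TODAY.isoformat(), ROW_CAP))
    return sorted({r[0] for r in rows})

def windowed_bandwidth(db, n_days, window_days=10):
    """Workaround from post #4: run the query per short window and merge totals."""
    totals = {}
    lo = TODAY - timedelta(days=n_days - 1)
    while lo <= TODAY:
        hi = min(lo + timedelta(days=window_days - 1), TODAY)
        args = (lo.isoformat(), hi.isoformat(), ROW_CAP)
        for _day, user, bw in db.execute(CAPPED_SQL, args):
            totals[user] = totals.get(user, 0) + bw
        lo = hi + timedelta(days=1)
    return totals

if __name__ == "__main__":
    db = build_db()
    print("days present in one 30-day run:", len(days_in_report(db, 30)))  # 12
    print("per-user bytes via 10-day windows:", windowed_bandwidth(db, 30))
```

Comparing a single long run against the merged short windows is also a quick diagnostic: if the two disagree, a row cap rather than the disk log quota is what is cutting the report short.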