So you have your firewall in place and everything is working well. You are collecting logs on everything you need to keep an eye on. Then the problems start: you know something unexpected is happening on the network, but what is it? You can dig through all that data looking for the cause, but that quickly becomes tedious, the proverbial search for a needle in a haystack.
This is where a picture, a chart to be specific, helps greatly. A chart supports continuous monitoring and alerts you to abnormal data patterns at a glance, and the ability to generate a specific chart while investigating a problem can significantly reduce the time spent hunting through a log.
Beyond troubleshooting, charts in reports make historical trends and patterns visible that would be hard to pick out of the raw data alone.
FortiOS 4.0 MR2 introduces new reporting capabilities similar to those of the FortiAnalyzer product family. Users can create charts from the FortiGate's local logs, both for specific reports and for dashboard monitoring. The reporting system is highly customizable, allowing users to design their own chart layouts with custom logos. The following is a list of some of the features available in the new reporting system.
Customizable page layout.
Reports can contain multiple columns.
Individual fonts, colours and sizes for titles, subtitles, headings and more.
Ability to embed graphics throughout the report.
Large selection of pre-configured charts; add one to a report with a few mouse clicks.
Fully customized charts can be created using SQL queries against the log data.
Frequently used charts can be added to a favourites list for quick access.
Report output in multiple formats, such as PDF and HTML.
Scheduled generation of any report, useful for running reports in off-peak hours and for periodic daily, weekly or monthly reports.
Several chart types are available for graphing log data, including pie, bar, line and area charts. Users can create their own custom reports and choose from many built-in default charts.
To create a new report, follow these steps.
Enabling Report Configuration
Log in to your FortiGate and go to the Log & Report menu item. If you are using VDOMs, choose the appropriate VDOM at the bottom of the menu first.
Navigate to Log Config->Log Setting.
Enable "Local Logging & Archiving" and enable logging to "Disk".
Enable any or all of the SQL Logging options, for example AntiVirus Log. Only the log types enabled here are written to the local SQL log database, so only these will be available to the report charts.
Click Apply, then refresh your browser.
Create the Report
Navigate again to the Log & Report menu; you will now see a new section called "Report Config".
Expand "Report Config" and choose "Layout"
Click the "Create New" button in the title bar.
Give your report a name and description, and optionally choose a theme (new themes can be created in the "Theme" section).
Choose an output format and schedule.
Set a report title and subtitle as necessary.
Enable any other options you like, such as "Table of Contents", "HTML Navigation Bar", etc.
Adding Charts and Other Items
Click the Add button in the "Report Components" section
In the dialog that appears, choose one of the component types (e.g. text, chart, image, misc).
Then choose an item from the available components.
When adding charts, you can filter by chart category and favourites to quickly pick from the default and/or custom-made charts.
Choose the OK button to add the component.
Repeat these steps to add more Report components.
You may edit or delete any of the components.
When satisfied with the layout choose the OK button to save the new report.
If the report is scheduled, it will run at the scheduled time.
To run the report immediately, go to Report Config->Layout and enable one or more reports to run.
Click the Run button on the title bar.
It may take some time to run.
Navigate to Report Access->Disk and view the report by clicking the "Report File" name or one of the links in the "Other Formats" column.
In the next section I'll discuss an advanced method for getting exactly the type of chart you want to see in your reports.
Custom charts can be built from direct SQL queries of the log data. For example, the following steps create a custom chart showing the latest virus events over the past 48 hours instead of the default 24 hours.
Create the Dataset
Log in to the CLI, either directly with a third-party terminal application or via the GUI console widget.
If you are using VDOMs, enter the appropriate VDOM first, for example the root VDOM:
config vdom
    edit root
Create the custom dataset with the following CLI commands. Note that single quotes inside the double-quoted query string must be escaped as \', and that the window is written as -47 hours because the current hour is included, giving 48 hours in total:
config report dataset
    edit "latest-virus-last48h"
        set query "select virus, timestamp, src, sport, dst, dport, service, filetype, filefilter, status, msg from antivirus_log where timestamp >= F_TIMESTAMP(\'now\',\'hour\',\'-47\') order by timestamp desc limit 100"
    end
end
The first end saves the dataset and leaves the dataset configuration; the second end leaves the VDOM.
Navigate to Log & Report->Report Config->Chart in the web-based GUI.
Click the "Create New" button in the title bar
Enter a name for the chart.
Select the new dataset "latest-virus-last48h" from the dataset drop-down list.
Add any comments and choose a graph type.
Choose the appropriate X and Y data bindings (e.g. timestamp and virus respectively).
Set up the scale information.
Click the OK button.
Your chart is now ready for use in a report, as described in the report creation steps above.
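The dataset above returns a raw list of events, which is best rendered as a table. If you want a pie or bar chart, the dataset has to aggregate. The following queries are an added example, not part of the original article or of Fortinet's built-in datasets. They reuse only the table and columns the article's own query names (antivirus_log, virus, timestamp, src, dst) and the F_TIMESTAMP function it uses for the time window; the dataset names and the alias "totalnum" are my own choices, and the grouping and counting are standard SQL that the log database is assumed to accept. Each query goes into the set query line of its own config report dataset entry, exactly as in the article, with the single quotes escaped as \' once they are inside the double-quoted CLI string.

```sql
-- Added example queries for custom report datasets (not from the article).
-- Table/columns come from the article's query; F_TIMESTAMP is the FortiOS
-- report function the article uses; dataset names and "totalnum" are assumed.
-- Each query becomes the set query value of one "config report dataset" entry.

-- Dataset "virus-count-last48h": hits per virus signature in the last 48 hours.
-- Suited to a pie or bar chart with X = virus and Y = totalnum.
-- '-47' plus the current hour covers 48 hours, as in the article's dataset.
select virus, count(*) as totalnum
from antivirus_log
where timestamp >= F_TIMESTAMP('now','hour','-47')
group by virus
order by totalnum desc
limit 10;

-- Dataset "virus-src-last48h": internal hosts generating the most AV events.
-- Answers "which machine is infected" rather than "which malware was seen".
-- Suited to a bar chart with X = src and Y = totalnum.
select src, count(*) as totalnum
from antivirus_log
where timestamp >= F_TIMESTAMP('now','hour','-47')
group by src
order by totalnum desc
limit 10;

-- Dataset "virus-src-dst-last48h": which host pulled which virus from where.
-- Three columns, so render this one as a table rather than a graph.
select src, dst, virus, count(*) as totalnum
from antivirus_log
where timestamp >= F_TIMESTAMP('now','hour','-47')
group by src, dst, virus
order by totalnum desc
limit 50;
```

When you create the chart in Report Config->Chart, bind the grouped column (virus or src) to X and totalnum to Y; a grouped dataset with a timestamp column would otherwise produce one bar per event and tell you nothing at a glance.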
The new log reporting feature in FortiOS 4.0 MR2 is a powerful tool for visualizing what is happening in your network. I hope you enjoyed this article and that this feature becomes a well-used tool in your security toolbox.