4. FortiAnalyzer Getting Started v6.4. Working with reports


Hello friends! In the last lesson we learned the basics of working with logs on FortiAnalyzer. Today we will go further and look at the main aspects of working with reports: what reports are, what they consist of, how you can edit existing reports and create new ones. As usual, first a little theory, and then we will work with reports in practice. Under the cut, the theoretical part of the lesson is presented, as well as a video lesson that includes both theory and practice.

The main purpose of the reports is to combine large amounts of data contained in the logs and, based on the available settings, present all the information received in a readable form: in the form of graphs, tables, charts. The figure below shows a list of pre-installed reports for FortiGate devices (not all reports fit in it, but I think this list already shows that even out of the box you can build a lot of interesting and useful reports).


But the reports only present the requested information in a readable way - they do not contain any recommendations for further action with the problems found.

The main components of reports are charts. Each report consists of one or more charts. Charts determine what information should be extracted from the logs and in what format it should be presented. Datasets, which are SELECT queries against the log database, are responsible for extracting that information: it is in the dataset that you define exactly where the data comes from and which fields are retrieved. Once the query has returned the required data, the format (or display) settings are applied to it. As a result, the data obtained is drawn up in tables, graphs or charts of various types.

The SELECT query uses various clauses that set conditions for the information to be retrieved. The most important thing to consider is that these clauses must be applied in a specific order, namely the order in which they are listed below:

  • FROM is the only clause that is required in a SELECT query. It indicates the type of logs from which information must be extracted;
  • WHERE - sets the conditions the logs must satisfy (for example, a specific name of the application / attack / virus);
  • GROUP BY - groups the information by one or more columns of interest;
  • ORDER BY - orders the output rows by the chosen column;
  • LIMIT - limits the number of records returned by the query.
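As an added example (not code from the original lesson), the query below is written the way a FortiAnalyzer dataset is, with the clauses in the order just listed, and is run over a few constructed traffic-log rows in SQLite. The `$log` and `$filter` macros follow FortiAnalyzer's dataset convention (the log table and the report's device/time filter are substituted at run time); the table and column names and the sample rows are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample traffic-log rows (not real FortiAnalyzer data):
# (devid, app, action, sentbyte, rcvdbyte)
SAMPLE_TRAFFIC_LOGS = [
    ("FGT-A", "HTTPS.BROWSER", "accept", 12000, 340000),
    ("FGT-A", "DNS", "accept", 600, 1200),
    ("FGT-A", "HTTPS.BROWSER", "accept", 8000, 210000),
    ("FGT-B", "YouTube", "accept", 5000, 900000),
    ("FGT-B", "SSH", "accept", 40000, 30000),
    ("FGT-B", "Tor", "deny", 3000, 0),
    ("FGT-A", "Tor", "deny", 2500, 0),
]

# A "top applications by bandwidth" dataset. Clause order: FROM, WHERE, GROUP BY, ORDER BY, LIMIT.
# $log is replaced by the log table being reported on and $filter by the report's own filter.
DATASET_QUERY = """
select app, sum(coalesce(sentbyte, 0) + coalesce(rcvdbyte, 0)) as bandwidth
from $log
where $filter and action = 'accept'
group by app
order by bandwidth desc
limit 3
"""


def render_dataset(query, log_table, filter_expr):
    """Substitute the two macros, as FortiAnalyzer does before running a dataset."""
    return query.replace("$log", log_table).replace("$filter", filter_expr)


def run_dataset(rows, query, log_table="traffic_log", filter_expr="1=1"):
    """Load the constructed rows into an in-memory table and run the dataset query on it.

    Returns the rows a chart would be drawn from: [(app, bandwidth), ...].
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"create table {log_table} "
        "(devid text, app text, action text, sentbyte integer, rcvdbyte integer)"
    )
    conn.executemany(f"insert into {log_table} values (?, ?, ?, ?, ?)", rows)
    result = conn.execute(render_dataset(query, log_table, filter_expr)).fetchall()
    conn.close()
    return result
```

Passing a device filter such as `devid = 'FGT-A'` as `filter_expr` narrows the same dataset to one FortiGate, which is what the report's device selection does in practice.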

FortiAnalyzer contains predefined report templates. Templates are the so-called report layout: they contain the text of the report, its charts and macros. Using templates, you can create new reports if minimal changes are required to the predefined ones. However, pre-installed reports cannot be edited or deleted - you can clone them and make the necessary changes on the copy. It is also possible to create your own report templates.


Sometimes you may encounter the following situation: a predefined report fits the task, but not completely. Perhaps you need to add some information to it, or, conversely, remove it. In this case, there are two options: clone and change the template, or the report itself. Here you need to rely on several factors.

Templates are a layout for a report, they contain charts and report text, nothing more. The reports themselves, in turn, in addition to the so-called "layout", contain various report parameters: language, font, text color, generation period, information filtering, and so on. Therefore, if you only need to make changes to the report layout, you can use templates. If additional report configuration is needed, you can edit the report itself (more precisely, a copy of it).

Based on templates, you can create several reports of the same type, so if you have to make a lot of reports similar to each other, then it is preferable to use templates.
In the event that the pre-installed templates and reports do not suit you, you can create both a new template and a new report.


Also on FortiAnalyzer, it is possible to configure sending reports to individual administrators by e-mail or uploading them to external servers. This is done using the Output Profile mechanism. Separate Output Profiles are configured in each administrative domain. When configuring an Output Profile, the following parameters are defined:

  • Formats of sent reports - PDF, HTML, XML or CSV;
  • The location where the reports will be sent. This can be an administrator's email (for this, you need to bind FortiAnalyzer to a mail server; we covered this in the last lesson). It can also be an external file server - FTP, SFTP, SCP;
  • You can choose whether to keep or delete local reports that are left on the device after the transfer.

If necessary, it is possible to speed up the generation of reports. Let's consider two ways:
When generating a report, FortiAnalyzer builds charts from precompiled SQL cache data known as hcache. If the hcache data is not created when the report is run, the system must first create the hcache and then build the report. This increases the report generation time. However, if new logs for a report are not received, when the report is regenerated, the time to generate it will be significantly reduced, since the hcache data has already been compiled.

To improve the performance of report generation, you can enable automatic hcache generation in the report settings. In this case, hcache is automatically updated when new logs arrive. An example of this setting is shown in the figure below.

This process uses a large amount of system resources (especially for reports that require a long time to collect data), so after turning it on, you need to monitor the status of FortiAnalyzer: whether the load has increased significantly, whether there is a critical consumption of system resources. In case FortiAnalyzer cannot cope with the load, it is better to disable this process.

It should also be noted that automatic updating of hcache data is enabled by default for scheduled reports.

The second way to speed up report generation is grouping:
If the same (or similar) reports are being generated for different FortiGate (or other Fortinet) devices, you can greatly speed up the generation process by grouping them. Grouping reports can reduce the number of hcache tables and speed up auto caching times, resulting in faster report generation.
In the example shown in the figure below, reports that contain the string Security_Report in their names are grouped by the Device ID parameter.


The video tutorial presents the theoretical material discussed above, as well as the practical aspects of working with reports - from creating your own datasets and charts, templates and reports to setting up sending reports to administrators. Enjoy watching!

In the next lesson, we will look at various aspects of FortiAnalyzer administration, as well as its licensing scheme. In order not to miss it, subscribe to our Youtube channel.


Source: habr.com
