FortiAnalyzer datasets are collections of data from logs for monitored devices. Charts and macros reference datasets. When you generate a report, the datasets populate the charts and macros to provide data for the report.
FortiAnalyzer has many predefined datasets that you can use right away. You can also create your own custom datasets.
To create a new dataset:
- If using ADOMs, ensure that you are in the correct ADOM.
- Go to Reports > Report Definitions > Datasets, and click Create New.
- Provide the required information for the new dataset.
Enter a name for the dataset.
Select a log type from the dropdown list. Below is a list of the available log types based on device.
- FortiGate: Appevent, Intrusion Prevention, Content Log, Data Leak Prevention, DNS, Email Filter, Event, FortiClient Event, FortiClient Vulnerability Scan, FortiClient Traffic, File Filter, GTP, Vulnerability Scan, Protocol, SSH, SSL, Traffic, Virus, VoIP, Web Application Firewall, Web Filter, and Local Event.
- FortiMail: Email Filter, Event, History, and Virus.
- FortiWeb: Intrusion Prevention, Event, and Traffic.
- FortiAnalyer: Appevent, Event, and Local Event.
- FortiCache: Intrusion Prevention, Content Log, Data Leak Prevention, DNS, Email Filter, Event, File Filter, Vulnerability Scan, Protocol, SSH, SSL, Traffic, Virus, VoIP, and Web Filter.
- FortiClient: FortiClient Event, FortiClient Vulnerability Scan, FortiClient Traffic.
- Syslog: Generic.
- FortiManager: Appevent and Event.
- FortiSandbox: Event, Vulnerability Scan, and Virus.
- FortiDDoS: Intrusion Prevention and Event.
- FortiAuthenticator: Event.
- FortiProxy: Appevent, Intrusion Prevention, Content Log, Data Leak Prevention, DNS, Email Filter, Event, File Filter, Vulnerability Scan, Protocol, SSH, SSL, Traffic, Virus, VoIP, and Web Filter.
- FortiNAC: Asset and Event.
- FortiDeceptor: Event.
- SIEM: Normalized.
Enter the SQL query used for the dataset. An easy way to build a custom query is to copy and modify a predefined dataset's query.
Click the Add button to add variable, expression, and description information.
If added, the expression for the variable will be used when configuring filters for reports that use this dataset. For example, if Variable = User (user) and Expression = coalesce(nullifna(`user`), ipstr(`srcip`)), then the expression will be used when User (user) is selected as the Log Field in a report's filter. See Filtering report output.
Test query with specified devices and time period
Use the dropdown list to select a time period. When selecting Custom, enter the start date and time, and the end date and time.
Select All Devices or Specify to select specific devices to run the SQL query against. Click the Select Device button to add multiple devices to the query.
Click to test the SQL query before saving the dataset configuration.
- Click Test.
The query results are displayed. If the query is not successful, an error message appears in the Test Result pane.
- Click OK.