log reports
Use this command to configure report profiles.
When generating a report, FortiWeb appliances collate information collected from their log files and present the information in tabular and graphical format.
In addition to log files, your FortiWeb appliance requires a report profile to generate a report. A report profile is a group of settings that contains the report name, file format, subject matter, and other aspects that the FortiWeb appliance considers when generating the report.
FortiWeb appliances can generate reports automatically, according to the schedule that you configure in the report profile, or manually in the web UI when you click the Run now icon in the report profile list. You may want to create one report profile for each type of report that you will generate on demand or periodically, by schedule.
Generating reports can be resource intensive. To avoid email processing performance impacts, you may want to generate reports during times with low traffic volume, such as at night.
The number of results in a section’s table or graph varies by the report type.
Ranked reports (top x, or top y of top x) can include a different number of results per cross-section, then combine remaining results under “Others.” For example, in “Top Attack Severity by Hour of Day,” the report includes the top x hours, and their top y attacks, then groups the remaining results.
- scope_top1 <topX_int> is x.
- scope_top2 <topY_int> is y.
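The ranking described above, as an added illustration in Python (not FortiWeb code), so that it is clear how many log entries end up visible only inside "Others". The sample events are constructed, and folding the hours beyond the top x into a single "Others" row is an assumption about how the remainder is grouped.

```python
from collections import Counter, defaultdict

# Constructed sample: (hour_of_day, attack_type) pairs as they might be
# extracted from attack log entries. Not real FortiWeb log output.
SAMPLE_EVENTS = (
    [(2, "SQL Injection")] * 5 + [(2, "Cross Site Scripting")] * 3
    + [(2, "Bad Robot")] * 1
    + [(14, "SQL Injection")] * 4 + [(14, "Bad Robot")] * 2
    + [(9, "Cross Site Scripting")] * 2 + [(9, "SQL Injection")] * 1
    + [(23, "Bad Robot")] * 1
)

def ranked_report(events, top_x=6, top_y=3):
    """Rank events as 'top y of top x' and fold the remainder into 'Others'.

    top_x and top_y play the role of scope_top1 and scope_top2 (defaults 6, 3).
    Returns a list of (outer_key, [(inner_key, count), ...]) rows.
    """
    per_outer = defaultdict(Counter)
    for outer, inner in events:
        per_outer[outer][inner] += 1

    # Rank outer keys by total count; ties are broken by key for stable output.
    ranked = sorted(per_outer, key=lambda k: (-sum(per_outer[k].values()), k))
    rows = []
    for outer in ranked[:top_x]:
        inner_ranked = sorted(per_outer[outer].items(), key=lambda kv: (-kv[1], kv[0]))
        shown = inner_ranked[:top_y]
        rest = sum(n for _, n in inner_ranked[top_y:])
        if rest:
            shown.append(("Others", rest))
        rows.append((outer, shown))
    # Assumption: outer keys beyond the top x appear only as one combined count.
    leftover = sum(sum(per_outer[k].values()) for k in ranked[top_x:])
    if leftover:
        rows.append(("Others", [("Others", leftover)]))
    return rows

def hidden_count(rows):
    """Number of events that are only visible as part of an 'Others' bucket."""
    return sum(n for _, inner in rows for name, n in inner if name == "Others")
```

With the defaults, the sample fits entirely within the ranked rows; lowering both values to 2 moves 5 of the 19 events into "Others".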
Before you generate a report, collect log data that will be the basis of the report. For information on enabling logging to the local hard disk, see log attack-log and log disk.
To use this command, your administrator account’s access control profile must have either w or rw permission to the loggrp area. For details, see Permissions.
Creating a report profile is considerably easier in the web UI. Go to Log&Report > Report Config.
Syntax
config log reports
edit "<report_name>"
set custom_company "<org_str>"
set custom_footer_options {custom | report-title}
set custom_header "<header_str>"
set custom_header_logo "<filename_hex_str>"
set custom_title_logo "<filename_hex_str>"
set email_attachment_compress {enable | disable}
set email_attachment_name "<filename_str>"
set email_body "<message_str>"
set email_subject "<subject_str>"
set filter_string "<log-filter_str>"
set on_demand {enable | disable}
set output_email {html mht pdf rtf txt}
set output_email_policy "<policy_name>"
set output_file {html mht pdf rtf txt}
set output_ftp {html pdf rtf txt mht}
set output_ftp_policy "<ftp-policy_name>"
set period_end "<time_str>" "<date_str>"
set period_start "<time_str>" "<date_str>"
set report_desc "<comment_str>"
set report_title "<title_str>"
set schedule_type {daily | dates | days | none}
set schedule_days {sun | mon | tue | wed | thu | fri | sat}
set schedule_dates "<dates_str>"
set schedule_time "<time_str>"
set scope_include_summary {yes | no}
set scope_include_table_of_content {yes | no}
next
end
Variable | Description | Default |
"<report_name>" | Enter the name of a new or existing report profile. The maximum length is 63 characters. The profile name will be included in the report header. To display the list of existing report names, enter: | No default. |
custom_company "<org_str>" | Enter the name of your department, company, or other organization, if any, that you want to include in the report summary. If the text is more than one word or contains special characters, enclose it in double quotes ( " ). For details about enabling the summary, see scope_include_summary {yes | no}. | No default. |
custom_footer_options {custom | report-title} | Select either: | report-title |
custom_footer | Enter the text, if any, that you want to include at the bottom of each report page. If the text is more than one word or contains special characters, enclose it in double quotes ( " ). This setting is available only if custom_footer_options {custom | report-title} is | No default. |
custom_header "<header_str>" | Enter the text, if any, that you want to include at the top of each report page. If the text is more than one word or contains special characters, enclose it in double quotes ( " ). The maximum length is 127 characters. | No default. |
custom_header_logo "<filename_hex_str>" | Enter the file name of a custom logo that you have previously uploaded to the FortiWeb appliance. The logo image will be included in the report header. The maximum length is 256 characters. | No default. |
custom_title_logo "<filename_hex_str>" | Enter the file name of a custom logo that you have previously uploaded to the FortiWeb appliance. The logo image will be included in the report title. The maximum length is 256 characters. | No default. |
email_attachment_compress {enable | disable} | Enable to enclose the generated report formats in a compressed archive attached to the email. This field is required if you have enabled email output by enabling one or more of the file formats for email output in output_email {html mht pdf rtf txt}. | disable |
email_attachment_name "<filename_str>" | Enter the file name that will be used for the reports attached to the email. The maximum length is 63 characters. This field is required if you have enabled email output by enabling one or more of the file formats for email output in output_email {html mht pdf rtf txt}. | No default. |
email_body "<message_str>" | Enter the message body of the email. The maximum length is 383 characters. This field is required if you have enabled email output by enabling one or more of the file formats for email output in output_email {html mht pdf rtf txt}. | No default. |
email_subject "<subject_str>" | Enter the subject line of the email. The maximum length is 191 characters. This field is required if you have enabled email output by enabling one or more of the file formats for email output in output_email {html mht pdf rtf txt}. | No default. |
filter_string "<log-filter_str>" | Enter a log message filter string that includes or excludes log messages based upon matching log field values. The maximum length is 1,023 characters. For example syntax, see Example. | No default. |
include_nodata {yes | no} | Select whether to include (yes) or hide (no) reports which are empty because there is no matching log data. | no |
on_demand {enable | disable} | Enable to run the report one time only. After the FortiWeb appliance completes the report, it removes the report profile from its hard disk. Enter | disable |
output_email {html mht pdf rtf txt} | Select one or more file types for the report when mailing generated reports. | No default. |
output_email_policy "<policy_name>" | If you set a value for For details about email policies, see log email-policy. | No default. |
output_file {html mht pdf rtf txt} | Select one or more file types for the report when saving to the FortiWeb hard disk. | html |
output_ftp {html pdf rtf txt mht} | Select one or more file types for the report when FortiWeb sends reports to an FTP or TFTP server. | No default. |
output_ftp_policy "<ftp-policy_name>" | Enter the policy that defines a connection to the appropriate server. For details, see log ftp-policy. | No default. |
period_end "<time_str>" "<date_str>" | Enter the time and date that define the end of the span of time whose log messages you want to use when generating the report. The time format is This setting appears only when you select a period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | thiyear | today | yesterday} of | No default. |
period_last_n | Enter the number that defines n if the period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | thiyear | today | yesterday} contains that variable. The valid range is from 1 to 2,147,483,647. This setting appears only when you select a | No default. |
period_start "<time_str>" "<date_str>" | Enter the time and date that define the beginning of the span of time whose log messages you want to use when generating the report. The time format is This setting appears only when you select a period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | thiyear | today | yesterday} of | No default. |
period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | thiyear | today | yesterday} | Select the span of time whose log messages you want to use when generating the report. If you select If you select other, you must also define the start and end of the report’s time range by entering period_start "<time_str>" "<date_str>" and period_end "<time_str>" "<date_str>". The span of time will be included in the summary, if enabled. For information on enabling the summary, see scope_include_summary {yes | no}. | last-7-days |
report_desc "<comment_str>" | Enter a description of the report, if any, that you want to include in the report summary. If the text is more than one word or contains special characters, surround it with double quotes ( " ). For information on enabling the summary, see scope_include_summary {yes | no}. | No default. |
report_title "<title_str>" | Enter a title, if any, that you want to include in the report summary. If the text is more than one word or contains special characters, enclose it in double quotes ( " ). For information on enabling the summary, see scope_include_summary {yes | no}. | No default. |
report_attack_activity {attacks-type attacks-url attacks-date-type attacks-month-type attacks-day-type attacks-hour-type attacks-type-dev attacks-dst-type attacks-dst-ip attacks-type-ip attacks-method-type attacks-cat attacks-policy attacks-day attacks-ts attacks-td attacks-proto attacks-date-severity attacks-month-severity attacks-day-severity attacks-hour-severity attacks-sessionid attacks-srccountry attacks-signature-id attacks-type-signature-id attacks-fortisandbox attacks-httphost attacks-username attacks-httprefer attacks-httpversion threat-weight-client-device attacks-client-device cat-client-device attack-summary attack-details} | Enter zero or more options to indicate which charts based upon attack logs to include in the report. For example, to include “Attacks By Policy,” enter a list of charts that includes | No default. |
report_event_activity {ev-all ev-all-cat ev-all-type ev-crit-hour ev-crit-day ev-warn-hour ev-warn-day ev-info-hour ev-info-day ev-emer-hour ev-emer-day ev-aler-hour ev-aler-day ev-err-hour ev-err-day ev-noti-hour ev-noti-day ev-hour ev-hour-cat ev-day ev-day-cat ev-stat ev-day-login ev-week-login ev-user-logint} | Enter zero or more options to indicate which charts based upon event logs to include in the report. For example, to include “Top Event Categories by Status”, enter a list of charts that includes | No default. |
report_traffic_activity {net-pol net-srv net-src net-dst net-src-dst net-dst-src net-date-dst net-hour-dst net-day-dst net-month-dst net-date-src net-hour-src net-day-src net-month-src net-srccountry net-httphost net-username net-httprefer net-httpversion net-client-device} | Enter zero or more options to indicate which charts based upon traffic logs to include in the report. For example, to include “Top Sources By Day of Week”, enter a list of charts that includes | No default. |
report_pci_activity {pci-attacks-date-type pci-attacks-month-type pci-attacks-day-type pci-attacks-hour-type} | Enter zero or more options to indicate which charts based upon PCI attack logs to include in the report. | No default. |
schedule_type {daily | dates | days | none} | Select when the FortiWeb appliance will automatically run the report. If you reboot the FortiWeb appliance while the report is being generated, report generation resumes after the boot process is complete. If If | none |
schedule_days {sun | mon | tue | wed | thu | fri | sat} | If schedule_type {daily | dates | days | none} is days, select the day of the week when the report should be generated. | No default. |
schedule_dates "<dates_str>" | If schedule_type {daily | dates | days | none} is dates, select the specific date of the month, from 1 to 31, when the report should be generated. Separate multiple dates with spaces. | No default. |
schedule_time "<time_str>" | If schedule_type {daily | dates | days | none} is not The time format is | 00:00 |
scope_include_summary {yes | no} | Enter | yes |
scope_include_table_of_content {yes | no} | Enter yes to include a table of contents at the beginning of the report. The table of contents includes links to each chart in the report. | yes |
scope_top1 <topX_int> | Enter x number of items (up to 30) to include in the first cross-section of ranked reports. For some report types, you can set the top ranked items for the report. These reports have “Top” in their name, and will always show only the top x entries. Reports that do not include “Top” in their name show all information. Changing the values for top field will not affect these reports. | 6 |
scope_top2 <topY_int> | Enter y number of items (up to 30) to include in the second cross-section of ranked reports. For some report types, you can set the number of ranked items to include in the report. These reports have “Top” in their name, and will always show only the top x entries. Some report types have two levels of ranking: the top y sub-entries for each top x entry. Reports that do not include “Top” in their name show all information. Changing the values for top field will not affect these reports. | 3 |
Example
This example configures a report to be generated every Saturday at 1 PM. The report, whose title is Report 1, includes all available charts, and covers the last 14 days’ worth of event, traffic, and attack logs. However, it only uses logs where the source IP address was 192.0.2.20. Each time it is generated, it will be saved to the hard disk in both HTML and PDF file formats and will be sent by email in PDF format to recipients defined within the “Log report analysis” email policy.
config log reports
edit "Report_1"
set report_attack_activity attacks-type attacks-url attacks-date-type attacks-month-type attacks-day-type attacks-hour-type attacks-type-dev attacks-dst-type attacks-dst-ip attacks-type-ip attacks-method-type attacks-cat attacks-policy attacks-day attacks-ts attacks-td attacks-proto attacks-date-severity attacks-month-severity attacks-day-severity attacks-hour-severity attacks-sessionid attacks-signature-id attacks-srccountry attacks-type-signature-id
set report_event_activity ev-all ev-all-cat ev-all-type ev-crit-hour ev-crit-day ev-warn-hour ev-warn-day ev-info-hour ev-info-day ev-emer-hour ev-emer-day ev-aler-hour ev-aler-day ev-err-hour ev-err-day ev-noti-hour ev-noti-day ev-hour ev-hour-cat ev-day ev-day-cat ev-stat
set report_traffic_activity net-pol net-srv net-src net-dst net-src-dst net-dst-src net-date-dst net-hour-dst net-day-dst net-month-dst net-date-src net-hour-src net-day-src net-month-src
set custom_company "Example, Inc."
set custom_footer_options custom
set custom_header "A fictitious corporation."
set custom_title_logo "titlelogo.jpg"
set filter_string (and src==\'192.0.2.20\')
set include_nodata yes
set output_file html pdf
set output_email pdf
set output_email_policy log_report_analysis
set period_type last-n-days
set report_desc "A sample report."
set report_title "Report 1"
set schedule_type days
set custom_footer "Weekly report for Example, Inc."
set period_last_n 14
set schedule_days sat
set schedule_time 13:00
next
end
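A pre-deployment check for the constraints stated in the variable descriptions above (length limits, fields required for email output, period and schedule dependencies, the limit of 30 on ranked items). This is an added example, not FortiWeb code; representing a profile as a Python dict and the names check_profile and SAMPLE are assumptions of the example.

```python
# Limits and dependencies come from the field descriptions on this page.
# Representing a profile as a dict of setting -> value is this example's assumption.
MAX_LEN = {"custom_header": 127, "custom_header_logo": 256, "custom_title_logo": 256,
           "email_attachment_name": 63, "email_body": 383, "email_subject": 191,
           "filter_string": 1023}
# email_attachment_compress is also described as required, but it has a
# default (disable), so only the fields without a default are checked.
EMAIL_FIELDS = ("email_attachment_name", "email_body", "email_subject")

def check_profile(name, s):
    """Return the list of problems in one report profile; empty means none found."""
    problems = []
    if len(name) > 63:
        problems.append("report name exceeds 63 characters")
    for key, limit in MAX_LEN.items():
        if len(s.get(key, "")) > limit:
            problems.append(f"{key} exceeds {limit} characters")
    if s.get("output_email"):
        problems += [f"{k} is required when output_email is set"
                     for k in EMAIL_FIELDS if not s.get(k)]
    period = s.get("period_type", "last-7-days")
    if period == "other":
        problems += [f"{k} is required when period_type is other"
                     for k in ("period_start", "period_end") if not s.get(k)]
    # last-n-days, last-n-hours and last-n-weeks need a value for n.
    if "-n-" in period and not 1 <= s.get("period_last_n", 0) <= 2147483647:
        problems.append("period_last_n must be between 1 and 2147483647")
    sched = s.get("schedule_type", "none")
    if sched == "days" and not s.get("schedule_days"):
        problems.append("schedule_days is required when schedule_type is days")
    if sched == "dates":
        dates = s.get("schedule_dates", "").split()
        if not dates or not all(d.isdigit() and 1 <= int(d) <= 31 for d in dates):
            problems.append("schedule_dates must list dates from 1 to 31")
    for key in ("scope_top1", "scope_top2"):
        if s.get(key, 1) > 30:
            problems.append(f"{key} exceeds 30")
    return problems

# Constructed profile for illustration; not taken from a real appliance.
SAMPLE = {"output_email": "pdf", "output_email_policy": "log_report_analysis",
          "email_subject": "FortiWeb attack report", "period_type": "last-n-days",
          "schedule_type": "dates", "schedule_dates": "1 15 32", "scope_top1": 40}
```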