Fortinet black logo

CLI Reference

log reports

log reports

Use this command to configure report profiles.

When generating a report, FortiWeb appliances collate information collected from their log files and present the information in tabular and graphical format.

In addition to log files, your FortiWeb appliance requires a report profile to generate a report. A report profile is a group of settings that contains the report name, file format, subject matter, and other aspects that the FortiWeb appliance considers when generating the report.

FortiWeb appliances can generate reports automatically, according to the schedule that you configure in the report profile, or manually in the web UI when you click the Run now icon in the report profile list. You may want to create one report profile for each type of report that you will generate on demand or periodically, by schedule.

Generating reports can be resource intensive. To avoid email processing performance impacts, you may want to generate reports during times with low traffic volume, such as at night.

The number of results in a section’s table or graph varies by the report type.

Ranked reports (top x, or top y of top x) can include a different number of results per cross-section, then combine remaining results under “Others.” For example, in “Top Attack Severity by Hour of Day,” the report includes the top x hours, and their top y attacks, then groups the remaining results.

Before you generate a report, collect log data that will be the basis of the report. For information on enabling logging to the local hard disk, see log attack-log and log disk.

To use this command, your administrator account’s access control profile must have either w or rw permission to the loggrp area. For details, see Permissions.

Creating a report profile is considerably easier in the web UI. Go to Log&Report > Report Config.

Syntax

config log reports

edit "<report_name>"

set custom_company "<org_str>"

set custom_footer_options {custom | report-title}

set custom_header "<header_str>"

set custom_header_logo "<filename_hex_str>"

set custom_title_logo "<filename_hex_str>"

set email_attachment_compress {enable | disable}

set email_attachment_name "<filename_str>"

set email_body "<message_str>"

set email_subject "<subject_str>"

set filter_string "<log-filter_str>"

set include_nodata {yes | no}

set on_demand {enable | disable}

set output_email {html mht pdf rtf txt}

set output_email_policy "<policy_name>"

set output_file {html mht pdf rtf txt}

set output_ftp {html pdf rtf txt mht}

set output_ftp_policy "<ftp-policy_name>"

set period_end "<time_str>" "<date_str>"

set period_last_n <n_int>

set period_start "<time_str>" "<date_str>"

set period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | thiyear | today | yesterday}

set report_desc "<comment_str>"

set report_title "<title_str>"

set report_attack_activity {attacks-type attacks-url attacks-date-type attacks-month-type attacks-day-type attacks-hour-type attacks-type-dev attacks-dst-type attacks-dst-ip attacks-type-ip attacks-method-type attacks-cat attacks-policy attacks-day attacks-ts attacks-td attacks-proto attacks-date-severity attacks-month-severity attacks-day-severity attacks-hour-severity attacks-sessionid attacks-srccountry attacks-signature-id attacks-type-signature-id attacks-fortisandbox attacks-HTTPhost attacks-username attacks-HTTPrefer attacks-HTTPversion attack-summary attack-details}

set report_event_activity {ev-all ev-all-cat ev-all-type ev-crit-hour ev-crit-day ev-warn-hour ev-warn-day ev-info-hour ev-info-day ev-emer-hour ev-emer-day ev-aler-hour ev-aler-day ev-err-hour ev-err-day ev-noti-hour ev-noti-day ev-hour ev-hour-cat ev-day ev-day-cat ev-stat ev-day-login ev-week-login ev-user-logint}

set report_traffic_activity {net-pol net-srv net-src net-dst net-src-dst net-dst-src net-date-dst net-hour-dst net-day-dst net-month-dst net-date-src net-hour-src net-day-src net-month-src net-srccountry net-HTTPhost net-username net-HTTPrefer net-HTTPversion}

set report_pci_activity {pci-attacks-date-type pci-attacks-month-type pci-attacks-day-type pci-attacks-hour-type}

set schedule_type {daily | dates | days | none}

set schedule_days {sun | mon | tue | wed | thu | fri | sat}

set schedule_dates "<dates_str>"

set schedule_time "<time_str>"

set scope_include_summary {yes | no}

set scope_include_table_of_content {yes | no}

set scope_top1 <topX_int>

set scope_top2 <topY_int>

next

end



Variable Description Default

"<report_name>"

Enter the name of a new or existing report profile. The maximum length is 63 characters.

The profile name will be included in the report header.

To display the list of existing report names, enter:

edit ?

No default.

custom_company "<org_str>"

Enter the name of your department, company, or other organization, if any, that you want to include in the report summary. If the text is more than one word or contains special characters, enclose it in double quotes ( " ). The maximum length is 191 characters.

For details about enabling the summary, see scope_include_summary {yes | no}.

No default.

custom_footer_options {custom | report-title}

Select either:

  • report-title—Use "<report_name>" as the footer text.
  • custom—Provide different footer text.
report-title

custom_footer "<footer_str>"

Enter the text, if any, that you want to include at the bottom of each report page. If the text is more than one word or contains special characters, enclose it in double quotes ( " ). The maximum length is 127 characters.

This setting is available only if custom_footer_options {custom | report-title} is custom.

No default.

custom_header "<header_str>"

Enter the text, if any, that you want to include at the top of each report page. If the text is more than one word or contains special characters, enclose it in double quotes ( " ). The maximum length is 127 characters. No default.

custom_header_logo "<filename_hex_str>"

Enter the file name of a custom logo that you have previously uploaded to the FortiWeb appliance. The logo image will be included in the report header. The maximum length is 256 characters. No default.

custom_title_logo "<filename_hex_str>"

Enter the file name of a custom logo that you have previously uploaded to the FortiWeb appliance. The logo image will be included in the report title. The maximum length is 256 characters. No default.

email_attachment_compress {enable | disable}

Enable to enclose the generated report formats in a compressed archive attached to the email.

This field is required if you have enabled email output by enabling one or more of the file formats for email output in output_email {html mht pdf rtf txt}.

disable

email_attachment_name "<filename_str>"

Enter the file name that will be used for the reports attached to the email. The maximum length is 63 characters.

This field is required if you have enabled email output by enabling one or more of the file formats for email output in output_email {html mht pdf rtf txt}.

No default.

email_body "<message_str>"

Enter the message body of the email. The maximum length is 383 characters.

This field is required if you have enabled email output by enabling one or more of the file formats for email output in output_email {html mht pdf rtf txt}.

No default.

email_subject "<subject_str>"

Enter the subject line of the email. The maximum length is 191 characters.

This field is required if you have enabled email output by enabling one or more of the file formats for email output in output_email {html mht pdf rtf txt}.

No default.

filter_string "<log-filter_str>"

Enter a log message filter string that includes or excludes log messages based upon matching log field values. The maximum length is 1,023 characters.

For example syntax, see Example.

No default.

include_nodata {yes | no}

Select whether to include (yes) or hide (no) reports which are empty because there is no matching log data. no

on_demand {enable | disable}

Enable to run the report one time only. After the FortiWeb appliance completes the report, it removes the report profile from its hard disk.

Enter disable to schedule a time to run the report, and to keep the report profile for subsequent use.

disable

output_email {html mht pdf rtf txt}

Select one or more file types for the report when mailing generated reports. No default.

output_email_policy "<policy_name>"

If you set a value for output_email, enter the name of the email policy that contains settings for sending the report by email. The maximum length is 63 characters.

For details about email policies, see log email-policy.

No default.

output_file {html mht pdf rtf txt}

Select one or more file types for the report when saving to the FortiWeb hard disk. html

output_ftp {html pdf rtf txt mht}

Select one or more file types for the report when FortiWeb sends reports to an FTP or TFTP server. No default.

output_ftp_policy "<ftp-policy_name>"

Enter the policy that defines a connection to the appropriate server. For details, see log ftp-policy. No default.

period_end "<time_str>" "<date_str>"

Enter the time and date that define the end of the span of time whose log messages you want to use when generating the report.

The time format is hh:mm and the date format is yyyy/mm/dd, where:

  • hh is the hour according to a 24-hour clock
  • mm is the minute
  • yyyy is the year
  • mm is the month
  • dd is the day

This setting appears only when you select a period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | thiyear | today | yesterday} of other.

No default.

period_last_n <n_int>

Enter the number that defines n if the period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | thiyear | today | yesterday} contains that variable. The valid range is from 1 to 2,147,483,647.

This setting appears only when you select a period_type of last-n-days, last-n-hours, or last-n-weeks.

No default.

period_start "<time_str>" "<date_str>"

Enter the time and date that defines the beginning of the span of time whose log messages you want to use when generating the report.

The time format is hh:mm and the date format is yyyy/mm/dd, where:

  • hh is the hour according to a 24-hour clock
  • mm is the minute
  • yyyy is the year
  • mm is the month
  • dd is the day

This setting appears only when you select a period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | thiyear | today | yesterday} of other.

No default.

period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | thiyear | today | yesterday}

Select the span of time whose log messages you want to use when generating the report.

If you select last-n-days, last-n-hours, or last-nweeks, you must also define n by entering period_last_n <n_int>.

If you select other, you must also define the start and end of the report’s time range by entering period_start "<time_str>" "<date_str>" and period_end "<time_str>" "<date_str>".

The span of time will be included in the summary, if enabled. For information on enabling the summary, see scope_include_summary {yes | no}.

last-7-days

report_desc "<comment_str>"

Enter a description of the report, if any, that you want to include in the report summary. If the text is more than one word or contains special characters, surround it with double quotes ( " ). The maximum length is 63 characters.

For information on enabling the summary, see scope_include_summary {yes | no}.

No default.

report_title "<title_str>"

Enter a title, if any, that you want to include in the report summary. If the text is more than one word or contains special characters, enclose it in double quotes ( " ). The maximum length is 127 characters.

For information on enabling the summary, see scope_include_summary {yes | no}.

No default.

report_attack_activity {attacks-type attacks-url attacks-date-type attacks-month-type attacks-day-type attacks-hour-type attacks-type-dev attacks-dst-type attacks-dst-ip attacks-type-ip attacks-method-type attacks-cat attacks-policy attacks-day attacks-ts attacks-td attacks-proto attacks-date-severity attacks-month-severity attacks-day-severity attacks-hour-severity attacks-sessionid attacks-srccountry attacks-signature-id attacks-type-signature-id attacks-fortisandbox attacks-HTTPhost attacks-username attacks-HTTPrefer attacks-HTTPversion attack-summary attack-details}

Enter zero or more options to indicate which charts based upon attack logs to include in the report.

For example, to include “Attacks By Policy,” enter a list of charts that includes attacks-policy. To include “Top Attacked HTTP Methods by Type,” enter a list of charts that includes attacks-method-type.

No default.

report_event_activity {ev-all ev-all-cat ev-all-type ev-crit-hour ev-crit-day ev-warn-hour ev-warn-day ev-info-hour ev-info-day ev-emer-hour ev-emer-day ev-aler-hour ev-aler-day ev-err-hour ev-err-day ev-noti-hour ev-noti-day ev-hour ev-hour-cat ev-day ev-day-cat ev-stat ev-day-login ev-week-login ev-user-logint}

Enter zero or more options to indicate which charts based upon event logs to include in the report.

For example, to include “Top Event Categories by Status”, enter a list of charts that includes ev-stat.

No default.

report_traffic_activity {net-pol net-srv net-src net-dst net-src-dst net-dst-src net-date-dst net-hour-dst net-day-dst net-month-dst net-date-src net-hour-src net-day-src net-month-src net-srccountry net-HTTPhost net-username net-HTTPrefer net-HTTPversion}

Enter zero or more options to indicate which charts based upon traffic logs to include in the report.

For example, to include “Top Sources By Day of Week”, enter a list of charts that includes net-day-src.

No default.

report_pci_activity {pci-attacks-date-type pci-attacks-month-type pci-attacks-day-type pci-attacks-hour-type}

Enter zero or more options to indicate which charts based upon PCI attack logs to include in the report. No default.

schedule_type {daily | dates | days | none}

Select when the FortiWeb appliance will automatically run the report. If you reboot the FortiWeb appliance while the report is being generated, report generation resumes after the boot process is complete.

If schedule_type is daily, dates or days, specify the schedule_time, schedule_days, or schedule_dates when the report will be generated.

If schedule_type is none, the report will be generated only when you manually initiate it.

none

schedule_days {sun | mon | tue | wed | thu | fri | sat}

If schedule_type {daily | dates | days | none} is days, select the day of the week when the report should be generated. No default.

schedule_dates "<dates_str>"

If schedule_type {daily | dates | days | none} is dates, select the specific date of the month, from 1 to 31, when the report should be generated. Separate multiple dates with spaces. No default.

schedule_time "<time_str>"

If schedule_type {daily | dates | days | none} is not none, select the time of day when the report should be run.

The time format is hh:mm, where:

  • hh is the hour according to a 24-hour clock
  • mm is the minute
00:00

scope_include_summary {yes | no}

Enter yes to include a summary section at the beginning of the report. The summary includes:

yes

scope_include_table_of_content {yes | no}

Enter yes to include a table of contents at the beginning of the report. The table of contents includes links to each chart in the report. yes

scope_top1 <topX_int>

Enter x number of items (up to 30) to include in the first cross-section of ranked reports.

For some report types, you can set the top ranked items for the report. These reports have “Top” in their name, and will always show only the top x entries. Reports that do not include “Top” in their name show all information. Changing the values for top field will not affect these reports.

6

scope_top2 <topY_int>

Enter y number of items (up to 30) to include in the second cross-section of ranked reports.

For some report types, you can set the number of ranked items to include in the report. These reports have “Top” in their name, and will always show only the top x entries. Some report types have two levels of ranking: the top y sub-entries for each top x entry.

Reports that do not include “Top” in their name show all information. Changing the values for top field will not affect these reports.

3

Example

This example configures a report to be generated every Saturday at 1 PM. The report, whose title is Report 1, includes all available charts, and covers the last 14 days’ worth of event, traffic, and attack logs. However, it only uses logs where the source IP address was 192.0.2.20. Each time it is generated, it will be saved to the hard disk in both HTML and PDF file formats and will be sent by email in PDF format to recipients defined within the “Log report analysis” email policy.

config log reports

edit "eport_1"

set Report_attack_activity attacks-type attacks-url attacks-date-type attacks-month-type attacks-day-type attacks-hour-type attacks-type-dev attacks-dst-type attacks-dst-ip attacks-type-ip attacks-method-type attacks-cat attacks-policy attacks-day attacks-ts attacks-td attacks-proto attacks-date-severity attacks-month-severity attacks-day-severity attacks-hour-severity attacks-sessionid attacks-signature-id attacks-srccounty attacks-type-signature-id

set Report_event_activity ev-all ev-all-cat ev-all-type ev-crit-hour ev-crit-day ev-warn-hour ev-warn-day ev-info-hour ev-info-day ev-emer-hour ev-emer-day ev-aler-hour ev-aler-day ev-err-hour ev-err-day ev-noti-hour ev-noti-day ev-hour ev-hour-cat ev-day ev-day-cat ev-stat

set Report_traffic_activity net-pol net-srv net-src net-dst net-src-dst net-dst-src net-date-dst net-hour-dst net-day-dst net-month-dst net-date-src net-hour-src net-day-src net-month-src

set custom_company "Example, Inc."

set custom_footer_options custom

set custom_header "A fictitious corporation."

set custom_title_logo "titlelogo.jpg"

set filter_string (and src==\'192.0.2.20\')

set include_nodata yes

set output_file html pdf

set output_email html

set output_email_policy log_report_analysis

set period_type last-n-days

set report_desc "A sample report."

set report_title Report 1

set schedule_type days

set custom_footer "Weekly report for Example, Inc."

set period_last_n 14

set schedule_days sat

set schedule_time 01:00

next

end

Related topics

log reports

log reports

Use this command to configure report profiles.

When generating a report, FortiWeb appliances collate information collected from their log files and present the information in tabular and graphical format.

In addition to log files, your FortiWeb appliance requires a report profile to generate a report. A report profile is a group of settings that contains the report name, file format, subject matter, and other aspects that the FortiWeb appliance considers when generating the report.

FortiWeb appliances can generate reports automatically, according to the schedule that you configure in the report profile, or manually in the web UI when you click the Run now icon in the report profile list. You may want to create one report profile for each type of report that you will generate on demand or periodically, by schedule.

Generating reports can be resource intensive. To avoid email processing performance impacts, you may want to generate reports during times with low traffic volume, such as at night.

The number of results in a section’s table or graph varies by the report type.

Ranked reports (top x, or top y of top x) can include a different number of results per cross-section, then combine remaining results under “Others.” For example, in “Top Attack Severity by Hour of Day,” the report includes the top x hours, and their top y attacks, then groups the remaining results.

Before you generate a report, collect log data that will be the basis of the report. For information on enabling logging to the local hard disk, see log attack-log and log disk.

To use this command, your administrator account’s access control profile must have either w or rw permission to the loggrp area. For details, see Permissions.

Creating a report profile is considerably easier in the web UI. Go to Log&Report > Report Config.

Syntax

config log reports

edit "<report_name>"

set custom_company "<org_str>"

set custom_footer_options {custom | report-title}

set custom_header "<header_str>"

set custom_header_logo "<filename_hex_str>"

set custom_title_logo "<filename_hex_str>"

set email_attachment_compress {enable | disable}

set email_attachment_name "<filename_str>"

set email_body "<message_str>"

set email_subject "<subject_str>"

set filter_string "<log-filter_str>"

set include_nodata {yes | no}

set on_demand {enable | disable}

set output_email {html mht pdf rtf txt}

set output_email_policy "<policy_name>"

set output_file {html mht pdf rtf txt}

set output_ftp {html pdf rtf txt mht}

set output_ftp_policy "<ftp-policy_name>"

set period_end "<time_str>" "<date_str>"

set period_last_n <n_int>

set period_start "<time_str>" "<date_str>"

set period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | thiyear | today | yesterday}

set report_desc "<comment_str>"

set report_title "<title_str>"

set report_attack_activity {attacks-type attacks-url attacks-date-type attacks-month-type attacks-day-type attacks-hour-type attacks-type-dev attacks-dst-type attacks-dst-ip attacks-type-ip attacks-method-type attacks-cat attacks-policy attacks-day attacks-ts attacks-td attacks-proto attacks-date-severity attacks-month-severity attacks-day-severity attacks-hour-severity attacks-sessionid attacks-srccountry attacks-signature-id attacks-type-signature-id attacks-fortisandbox attacks-HTTPhost attacks-username attacks-HTTPrefer attacks-HTTPversion attack-summary attack-details}

set report_event_activity {ev-all ev-all-cat ev-all-type ev-crit-hour ev-crit-day ev-warn-hour ev-warn-day ev-info-hour ev-info-day ev-emer-hour ev-emer-day ev-aler-hour ev-aler-day ev-err-hour ev-err-day ev-noti-hour ev-noti-day ev-hour ev-hour-cat ev-day ev-day-cat ev-stat ev-day-login ev-week-login ev-user-logint}

set report_traffic_activity {net-pol net-srv net-src net-dst net-src-dst net-dst-src net-date-dst net-hour-dst net-day-dst net-month-dst net-date-src net-hour-src net-day-src net-month-src net-srccountry net-HTTPhost net-username net-HTTPrefer net-HTTPversion}

set report_pci_activity {pci-attacks-date-type pci-attacks-month-type pci-attacks-day-type pci-attacks-hour-type}

set schedule_type {daily | dates | days | none}

set schedule_days {sun | mon | tue | wed | thu | fri | sat}

set schedule_dates "<dates_str>"

set schedule_time "<time_str>"

set scope_include_summary {yes | no}

set scope_include_table_of_content {yes | no}

set scope_top1 <topX_int>

set scope_top2 <topY_int>

next

end



Variable Description Default

"<report_name>"

Enter the name of a new or existing report profile. The maximum length is 63 characters.

The profile name will be included in the report header.

To display the list of existing report names, enter:

edit ?

No default.

custom_company "<org_str>"

Enter the name of your department, company, or other organization, if any, that you want to include in the report summary. If the text is more than one word or contains special characters, enclose it in double quotes ( " ). The maximum length is 191 characters.

For details about enabling the summary, see scope_include_summary {yes | no}.

No default.

custom_footer_options {custom | report-title}

Select either:

  • report-title—Use "<report_name>" as the footer text.
  • custom—Provide different footer text.
report-title

custom_footer "<footer_str>"

Enter the text, if any, that you want to include at the bottom of each report page. If the text is more than one word or contains special characters, enclose it in double quotes ( " ). The maximum length is 127 characters.

This setting is available only if custom_footer_options {custom | report-title} is custom.

No default.

custom_header "<header_str>"

Enter the text, if any, that you want to include at the top of each report page. If the text is more than one word or contains special characters, enclose it in double quotes ( " ). The maximum length is 127 characters. No default.

custom_header_logo "<filename_hex_str>"

Enter the file name of a custom logo that you have previously uploaded to the FortiWeb appliance. The logo image will be included in the report header. The maximum length is 256 characters. No default.

custom_title_logo "<filename_hex_str>"

Enter the file name of a custom logo that you have previously uploaded to the FortiWeb appliance. The logo image will be included in the report title. The maximum length is 256 characters. No default.

email_attachment_compress {enable | disable}

Enable to enclose the generated report formats in a compressed archive attached to the email.

This field is required if you have enabled email output by enabling one or more of the file formats for email output in output_email {html mht pdf rtf txt}.

disable

email_attachment_name "<filename_str>"

Enter the file name that will be used for the reports attached to the email. The maximum length is 63 characters.

This field is required if you have enabled email output by enabling one or more of the file formats for email output in output_email {html mht pdf rtf txt}.

No default.

email_body "<message_str>"

Enter the message body of the email. The maximum length is 383 characters.

This field is required if you have enabled email output by enabling one or more of the file formats for email output in output_email {html mht pdf rtf txt}.

No default.

email_subject "<subject_str>"

Enter the subject line of the email. The maximum length is 191 characters.

This field is required if you have enabled email output by enabling one or more of the file formats for email output in output_email {html mht pdf rtf txt}.

No default.

filter_string "<log-filter_str>"

Enter a log message filter string that includes or excludes log messages based upon matching log field values. The maximum length is 1,023 characters.

For example syntax, see Example.

No default.

include_nodata {yes | no}

Select whether to include (yes) or hide (no) reports which are empty because there is no matching log data. no

on_demand {enable | disable}

Enable to run the report one time only. After the FortiWeb appliance completes the report, it removes the report profile from its hard disk.

Enter disable to schedule a time to run the report, and to keep the report profile for subsequent use.

disable

output_email {html mht pdf rtf txt}

Select one or more file types for the report when mailing generated reports. No default.

output_email_policy "<policy_name>"

If you set a value for output_email, enter the name of the email policy that contains settings for sending the report by email. The maximum length is 63 characters.

For details about email policies, see log email-policy.

No default.

output_file {html mht pdf rtf txt}

Select one or more file types for the report when saving to the FortiWeb hard disk. html

output_ftp {html pdf rtf txt mht}

Select one or more file types for the report when FortiWeb sends reports to an FTP or TFTP server. No default.

output_ftp_policy "<ftp-policy_name>"

Enter the policy that defines a connection to the appropriate server. For details, see log ftp-policy. No default.

period_end "<time_str>" "<date_str>"

Enter the time and date that define the end of the span of time whose log messages you want to use when generating the report.

The time format is hh:mm and the date format is yyyy/mm/dd, where:

  • hh is the hour according to a 24-hour clock
  • mm is the minute
  • yyyy is the year
  • mm is the month
  • dd is the day

This setting appears only when you select a period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | thiyear | today | yesterday} of other.

No default.

period_last_n <n_int>

Enter the number that defines n if the period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | thiyear | today | yesterday} contains that variable. The valid range is from 1 to 2,147,483,647.

This setting appears only when you select a period_type of last-n-days, last-n-hours, or last-n-weeks.

No default.

period_start "<time_str>" "<date_str>"

Enter the time and date that defines the beginning of the span of time whose log messages you want to use when generating the report.

The time format is hh:mm and the date format is yyyy/mm/dd, where:

  • hh is the hour according to a 24-hour clock
  • mm is the minute
  • yyyy is the year
  • mm is the month
  • dd is the day

This setting appears only when you select a period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | thiyear | today | yesterday} of other.

No default.

period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | thiyear | today | yesterday}

Select the span of time whose log messages you want to use when generating the report.

If you select last-n-days, last-n-hours, or last-nweeks, you must also define n by entering period_last_n <n_int>.

If you select other, you must also define the start and end of the report’s time range by entering period_start "<time_str>" "<date_str>" and period_end "<time_str>" "<date_str>".

The span of time will be included in the summary, if enabled. For information on enabling the summary, see scope_include_summary {yes | no}.

last-7-days

report_desc "<comment_str>"

Enter a description of the report, if any, that you want to include in the report summary. If the text is more than one word or contains special characters, surround it with double quotes ( " ). The maximum length is 63 characters.

For information on enabling the summary, see scope_include_summary {yes | no}.

No default.

report_title "<title_str>"

Enter a title, if any, that you want to include in the report summary. If the text is more than one word or contains special characters, enclose it in double quotes ( " ). The maximum length is 127 characters.

For information on enabling the summary, see scope_include_summary {yes | no}.

No default.

report_attack_activity {attacks-type attacks-url attacks-date-type attacks-month-type attacks-day-type attacks-hour-type attacks-type-dev attacks-dst-type attacks-dst-ip attacks-type-ip attacks-method-type attacks-cat attacks-policy attacks-day attacks-ts attacks-td attacks-proto attacks-date-severity attacks-month-severity attacks-day-severity attacks-hour-severity attacks-sessionid attacks-srccountry attacks-signature-id attacks-type-signature-id attacks-fortisandbox attacks-HTTPhost attacks-username attacks-HTTPrefer attacks-HTTPversion attack-summary attack-details}

Enter zero or more options to indicate which charts based upon attack logs to include in the report.

For example, to include “Attacks By Policy,” enter a list of charts that includes attacks-policy. To include “Top Attacked HTTP Methods by Type,” enter a list of charts that includes attacks-method-type.

No default.

report_event_activity {ev-all ev-all-cat ev-all-type ev-crit-hour ev-crit-day ev-warn-hour ev-warn-day ev-info-hour ev-info-day ev-emer-hour ev-emer-day ev-aler-hour ev-aler-day ev-err-hour ev-err-day ev-noti-hour ev-noti-day ev-hour ev-hour-cat ev-day ev-day-cat ev-stat ev-day-login ev-week-login ev-user-logint}

Enter zero or more options to indicate which charts based upon event logs to include in the report.

For example, to include “Top Event Categories by Status”, enter a list of charts that includes ev-stat.

No default.

report_traffic_activity {net-pol net-srv net-src net-dst net-src-dst net-dst-src net-date-dst net-hour-dst net-day-dst net-month-dst net-date-src net-hour-src net-day-src net-month-src net-srccountry net-HTTPhost net-username net-HTTPrefer net-HTTPversion}

Enter zero or more options to indicate which charts based upon traffic logs to include in the report.

For example, to include “Top Sources By Day of Week”, enter a list of charts that includes net-day-src.

No default.

report_pci_activity {pci-attacks-date-type pci-attacks-month-type pci-attacks-day-type pci-attacks-hour-type}

Enter zero or more options to indicate which charts based upon PCI attack logs to include in the report. No default.

schedule_type {daily | dates | days | none}

Select when the FortiWeb appliance will automatically run the report. If you reboot the FortiWeb appliance while the report is being generated, report generation resumes after the boot process is complete.

If schedule_type is daily, dates or days, specify the schedule_time, schedule_days, or schedule_dates when the report will be generated.

If schedule_type is none, the report will be generated only when you manually initiate it.

none

schedule_days {sun | mon | tue | wed | thu | fri | sat}

If schedule_type {daily | dates | days | none} is days, select the day of the week when the report should be generated. No default.

schedule_dates "<dates_str>"

If schedule_type {daily | dates | days | none} is dates, select the specific date of the month, from 1 to 31, when the report should be generated. Separate multiple dates with spaces. No default.

schedule_time "<time_str>"

If schedule_type {daily | dates | days | none} is not none, select the time of day when the report should be run.

The time format is hh:mm, where:

  • hh is the hour according to a 24-hour clock
  • mm is the minute
00:00

scope_include_summary {yes | no}

Enter yes to include a summary section at the beginning of the report. The summary includes:

yes

scope_include_table_of_content {yes | no}

Enter yes to include a table of contents at the beginning of the report. The table of contents includes links to each chart in the report. yes

scope_top1 <topX_int>

Enter x number of items (up to 30) to include in the first cross-section of ranked reports.

For some report types, you can set the top ranked items for the report. These reports have “Top” in their name, and will always show only the top x entries. Reports that do not include “Top” in their name show all information. Changing the values for top field will not affect these reports.

6

scope_top2 <topY_int>

Enter y number of items (up to 30) to include in the second cross-section of ranked reports.

For some report types, you can set the number of ranked items to include in the report. These reports have “Top” in their name, and will always show only the top x entries. Some report types have two levels of ranking: the top y sub-entries for each top x entry.

Reports that do not include “Top” in their name show all information. Changing the values for top field will not affect these reports.

3

Example

This example configures a report to be generated every Saturday at 1 PM. The report, whose title is Report 1, includes all available charts, and covers the last 14 days’ worth of event, traffic, and attack logs. However, it only uses logs where the source IP address was 192.0.2.20. Each time it is generated, it will be saved to the hard disk in both HTML and PDF file formats and will be sent by email in PDF format to recipients defined within the “Log report analysis” email policy.

config log reports

edit "eport_1"

set Report_attack_activity attacks-type attacks-url attacks-date-type attacks-month-type attacks-day-type attacks-hour-type attacks-type-dev attacks-dst-type attacks-dst-ip attacks-type-ip attacks-method-type attacks-cat attacks-policy attacks-day attacks-ts attacks-td attacks-proto attacks-date-severity attacks-month-severity attacks-day-severity attacks-hour-severity attacks-sessionid attacks-signature-id attacks-srccounty attacks-type-signature-id

set Report_event_activity ev-all ev-all-cat ev-all-type ev-crit-hour ev-crit-day ev-warn-hour ev-warn-day ev-info-hour ev-info-day ev-emer-hour ev-emer-day ev-aler-hour ev-aler-day ev-err-hour ev-err-day ev-noti-hour ev-noti-day ev-hour ev-hour-cat ev-day ev-day-cat ev-stat

set Report_traffic_activity net-pol net-srv net-src net-dst net-src-dst net-dst-src net-date-dst net-hour-dst net-day-dst net-month-dst net-date-src net-hour-src net-day-src net-month-src

set custom_company "Example, Inc."

set custom_footer_options custom

set custom_header "A fictitious corporation."

set custom_title_logo "titlelogo.jpg"

set filter_string (and src==\'192.0.2.20\')

set include_nodata yes

set output_file html pdf

set output_email html

set output_email_policy log_report_analysis

set period_type last-n-days

set report_desc "A sample report."

set report_title Report 1

set schedule_type days

set custom_footer "Weekly report for Example, Inc."

set period_last_n 14

set schedule_days sat

set schedule_time 01:00

next

end

Related topics