Created on 06-18-2018 06:04 AM Edited on 10-17-2023 03:09 AM By Stephen_G
Description
This article describes the common causes for web and user charts with ‘No matching log data found’ in FortiAnalyzer Reporting.
Scope
FortiAnalyzer.
Solution
If FortiAnalyzer's web usage, browsing or user reports show charts with ‘No matching log data found’, the following parameters can be checked on FortiAnalyzer and FortiGate:
1. Web Usage/Browsing reports:
FortiAnalyzer's web usage and browsing reports rely on hostname information being present in traffic logs.
To verify that it is, add the column ‘Host Name’ to display under Log View. Reload the page and check if any traffic logs have an entry under ‘Host Name’.
If no traffic logs have an entry there, the most common cause is that the FortiGate does not log hostname information. The FortiGate needs to be configured as follows to log it:
If this configuration is not in place on the FortiGate, ensure that a web filtering profile is configured and applied to any policies that see significant Internet browsing.
Once the change is applied, wait a few minutes and then check if the hostname column starts populating on the FortiAnalyzer. If it does, reports on Browsing/Web Usage should now show meaningful information from the time the above changes were implemented.
2. User Reports
If reports in FortiAnalyzer do not show usernames when expected, check the following:
Note:
When working with self-written datasets, use the following syntax to get the ‘User’ column from the logs:
select `user` from $log where $filter
The query below, without the backticks, will return the SQL database user, not an entry from the column ‘user’:
select user from $log where $filter
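A diagnostic dataset that applies the backtick rule above and also checks the hostname condition from section 1, as an added example that is not from the original article. It assumes the dataset's log type is Traffic and that the ‘Host Name’ column shown in Log View is stored under the column name hostname.

```sql
-- Added example (not from the original article).
-- Assumptions: log type = Traffic; column name "hostname" backs the
-- 'Host Name' column in Log View.
select
  `user`,                                   -- backticks: log column, not the DB user
  count(*) as total_logs,
  sum(case when hostname is not null and hostname <> ''
           then 1 else 0 end) as logs_with_hostname
from $log
where $filter
  and `user` is not null                    -- only logs that carry a username
group by `user`
order by total_logs desc
```

If this returns no rows, the logs in the selected time range carry no usernames; if logs_with_hostname is 0 for every row, the web usage and browsing charts have no hostname data to draw from. Remove the comments if the dataset editor rejects them.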