FortiAnalyzer
Debbie_FTNT
Staff
Article Id 194186

Description

This article describes the common causes for web and user charts showing ‘No matching log data found’ in FortiAnalyzer Reporting.

 

Scope

FortiAnalyzer.

 

Solution

If FortiAnalyzer's web usage, browsing or user reports show charts with ‘No matching log data found’, check the following parameters on FortiAnalyzer and FortiGate:

1. Web Usage/Browsing reports:

FortiAnalyzer's web usage and browsing reports rely on hostname information being present in traffic logs.

To verify that it is, add the column ‘Host Name’ to the display under Log View. Reload the page and check whether any traffic logs have an entry under ‘Host Name’.

If they do not, the most common cause is that the FortiGate is not logging hostname information. To log it, the FortiGate needs to be configured as follows:

  • Web filtering needs to be applied in policies:

  • The ‘Monitor’ action needs to be set instead of the ‘Allow’ action. ‘Monitor’ does the same as ‘Allow’ in terms of letting the traffic pass, but it also generates a log message at the same time. The ‘Block’ action always generates a log message.
  • All sessions should be logged in the policy, not just security events:


If this configuration is not in place on the FortiGate, ensure that a web filter profile is configured and applied to every policy that sees significant Internet browsing.

Once the change is applied, wait a few minutes and then check whether the hostname column starts populating on the FortiAnalyzer. If it does, Browsing/Web Usage reports should now show meaningful information from the time the above changes were implemented.


2. User Reports

If reports in FortiAnalyzer do not show usernames when expected, check the following:

  • Display the ‘User’ column in FortiAnalyzer's Log View to see if any username information is supplied by the FortiGate.
  • Check on the FortiGate whether any policies use user groups or require authentication.
  • Check the User Monitor on the FortiGate, with FSSO logons enabled if Fortinet Single Sign-On is in use:

  • If the FortiGate does not require any user authentication and does not use user groups or similar to match policies, the FortiGate will not track user authentication. It will therefore not add usernames to log messages.
  • Verify that user obfuscation is not enabled on the report in FortiAnalyzer:
 


Note:

When working with self-written datasets, use the following syntax to get the ‘User’ column from the logs:

select `user` from $log where $filter

The command below returns the SQL database user, not an entry from the column ‘user’, because unquoted user is an SQL keyword that evaluates to the current database login; the backticks make it a column reference:

select user from $log where $filter
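As an added example (not from the article), two custom dataset queries that turn the checks above into numbers: the first measures how many traffic logs actually carry a hostname, the second builds a per-user browsing table with `user` quoted correctly. Each block is a separate dataset; it assumes the traffic-log fields hostname, user and srcip, the $log/$filter macros as in the article, and the FortiAnalyzer dataset helpers nullifna() and ipstr() as used in the built-in datasets.

```sql
-- Dataset 1 (added example): is hostname information reaching FortiAnalyzer at all?
-- If populated stays at 0 after the FortiGate changes above, the web filter
-- 'Monitor' action or 'log all sessions' setting is still missing on some policy.
select
  count(*) as total_logs,
  count(hostname) as populated,
  count(*) - count(hostname) as missing
from $log
where $filter

-- Dataset 2 (added example): browsing per user, with `user` in backticks so the
-- log column is read rather than the database login. Rows without a username
-- fall back to the source IP, so unauthenticated traffic is still visible.
select
  coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src,
  hostname,
  count(*) as sessions
from $log
where $filter
  and hostname is not null
group by user_src, hostname
order by sessions desc
```

If dataset 2 returns only IP addresses in user_src, the FortiGate is not adding usernames to its logs and the authentication checks in section 2 apply.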