FortiAnalyzer
rsingla
Staff
Article Id 194810

Description

This article describes an issue with FortiAnalyzer where generated reports are not visible in the GUI, although the same reports are sent to email recipients without any issue.

Scope

Generated reports on the FortiAnalyzer GUI.

Solution

Check the points below when FortiAnalyzer reports are not visible in the GUI after generation, but the same report is delivered to the email recipients without any issue.

  1. If the FortiAnalyzer received by the user, either as an RMA unit or as a new device, was running a newer version (for example v6.2.x) and was then downgraded to a lower version (for example v6.0.x) without formatting the flash, this issue can occur and the generated reports are not visible in the GUI.
  2. To verify this problem, do the following steps:
  • If the FortiAnalyzer with the report visibility issue is on a given version, say v6.0.x, and another FortiAnalyzer on the same series version (6.0.x) shows reports correctly, run the commands below on each FortiAnalyzer.
  • Enable shell access:

config system admin setting
    set shell-access enable
    Enter new password: <enter a password>
    Confirm new password: <enter same password>
end

Once the whole procedure below has been completed, shell access can optionally be disabled again with the command:

config system admin setting
    set shell-access disable
end

  • Log in to the shell and run these commands:

execute shell
    sqlite3 /drive0/private/faz_idb/report.db
    select count(*) from report;
    PRAGMA table_info(report);

The output of the PRAGMA command will look like the listing below. Note that on this device it shows 17 columns, numbered 0 to 16:

sqlite> PRAGMA table_info(report);

0|name|varchar(256)|0||3
1|mtime|integer|0||0
2|start|integer|0||0
3|end|integer|0||0
4|period_start|integer|0||0
5|period_end|integer|0||0
6|formats|integer|0||0
7|status|integer|0||0
8|schedule_color|varchar(16)|0||0
9|dev_type|integer|0||0
10|title|varchar(256)|0||0
11|adom_oid|integer|0||1
12|date|varchar(12)|0||2
13|layout_id|integer|0||0
14|uuid|varchar(40)|0||0
15|adminuser|varchar(36)|0||0
16|profileid|varchar(36)|0||0

sqlite> .exit   <- Use .exit to exit SQL.

sh-4.3# exit    <- Use exit to exit shell.

Run the same commands on the other FortiAnalyzer that does not have the report visibility issue; the number of columns may differ. If there is no spare FortiAnalyzer available for this comparison, a Fortinet Support engineer can verify the information on a lab device. A difference in the number of columns confirms that the report DB file was migrated from a different OS version.
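As an added illustration (not part of the original article), the following Python script performs the same column comparison offline using the standard sqlite3 module: the 17-column reference schema is copied from the PRAGMA output above, while the 18-column "stale" table is a constructed, hypothetical example of a report.db left over from a newer build. The `table_schema` function can equally be run against a copied report.db file instead of the in-memory databases built here.

```python
import sqlite3

# Reference column list (name, declared type), copied from the
# PRAGMA table_info(report) output on the healthy FortiAnalyzer above.
REFERENCE_SCHEMA = [
    ("name", "varchar(256)"), ("mtime", "integer"), ("start", "integer"),
    ("end", "integer"), ("period_start", "integer"), ("period_end", "integer"),
    ("formats", "integer"), ("status", "integer"),
    ("schedule_color", "varchar(16)"), ("dev_type", "integer"),
    ("title", "varchar(256)"), ("adom_oid", "integer"), ("date", "varchar(12)"),
    ("layout_id", "integer"), ("uuid", "varchar(40)"),
    ("adminuser", "varchar(36)"), ("profileid", "varchar(36)"),
]


def table_schema(conn, table="report"):
    """Return [(name, type), ...] in cid order, i.e. what PRAGMA table_info prints."""
    rows = conn.execute(f"PRAGMA table_info({table})").fetchall()
    return [(row[1], row[2]) for row in rows]  # row = (cid, name, type, notnull, dflt, pk)


def compare_schemas(reference, candidate):
    """Compare column counts and list columns that exist on only one side."""
    ref, cand = set(reference), set(candidate)
    return {
        "reference_columns": len(reference),
        "candidate_columns": len(candidate),
        "match": reference == candidate,
        "only_in_reference": sorted(name for name, _ in ref - cand),
        "only_in_candidate": sorted(name for name, _ in cand - ref),
    }


def make_db(columns):
    """Constructed in-memory stand-in for /drive0/private/faz_idb/report.db."""
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(f'"{name}" {ctype}' for name, ctype in columns)  # quote: "end" is a keyword
    conn.execute(f"CREATE TABLE report ({cols})")
    return conn


def demo():
    """Healthy DB matches the reference; the stale DB carries one hypothetical extra column."""
    healthy = make_db(REFERENCE_SCHEMA)
    stale = make_db(REFERENCE_SCHEMA + [("extra_col", "integer")])  # hypothetical newer-build column
    return (compare_schemas(REFERENCE_SCHEMA, table_schema(healthy)),
            compare_schemas(REFERENCE_SCHEMA, table_schema(stale)))


if __name__ == "__main__":
    for label, result in zip(("healthy", "stale"), demo()):
        print(label, result)
```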

  3. To fix this issue, simply delete the DB file with the commands below. Deleting this DB is non-impacting and does not delete any logs or data from FortiAnalyzer.
  • To delete the file, enter the shell again:

execute shell
rm /drive0/private/faz_idb/report.db
exit

Note: Current firmware versions restrict the shell permissions. If deleting report.db via the shell does not work, use the following CLI command instead:

diagnose system disk delete /drive0/private/faz_idb/report.db

  • After the file is deleted, generate some reports; the DB is recreated automatically after some time (about 1 hour) and all reports are then visible.
  • If the DB file is still not recreated after some time, reboot the FortiAnalyzer; the deleted DB file is created immediately after the reboot.
  • For any further queries, contact Fortinet Technical Support for assistance with this activity.