Description
This article describes why a report or table built on a session dataset can return empty, and how to resolve the issue.
Scope
FortiAnalyzer.
Solution
FortiAnalyzer provides multiple default datasets to generate reports for user sessions or bandwidth usage.
For example:
- app-Top-Category-and-Applications-by-Bandwidth.
- app-Top-Category-and-Applications-by-Session.
- app-Top-Blocked-Applications-by-Session.
- app-Top-User-by-Sessions.
- App-Sessions-By-Category.
Occasionally, specific tables in a report return no data. If this happens, navigate to the datasets and look at the SQL query.
In the dataset, the WHERE clause is the main reason most of these reports return empty. All reports with sessions or bandwidth tables include the filter below:
WHERE
$filter
AND (logflag & 1 > 0)
This filter returns only forward traffic logs in the report output. Therefore, check the Log ID in FortiAnalyzer Log View to verify which logs are being received from the FortiGates.
- Navigate to Log View and enable the Log ID column:
- Examine the Log ID of all the logs received from the FortiGate:
The example above shows the following Log IDs:
0000000013 --> Forward Traffic Log
0001000014 --> Local Traffic Log
A Log ID beginning with 0000xxxxxx indicates a forward traffic log, while one beginning with 0001xxxxxx indicates a local traffic log.
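The same Log ID check can be run over exported logs to find devices that send no forward traffic logs. This is an added example, not part of the original article or any Fortinet tooling; the sample log lines, the device names FGT-A and FGT-B, and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Log ID prefixes as given in the article: 0000xxxxxx forward, 0001xxxxxx local.
PREFIXES = {"0000": "forward", "0001": "local"}

# Constructed sample lines in FortiGate key=value log format (not real logs).
SAMPLE = '''\
date=2024-05-01 time=10:00:01 devname="FGT-A" logid="0000000013" type="traffic" subtype="forward" action="close"
date=2024-05-01 time=10:00:02 devname="FGT-A" logid="0001000014" type="traffic" subtype="local" action="accept"
date=2024-05-01 time=10:00:03 devname="FGT-B" logid="0001000014" type="traffic" subtype="local" action="deny"
date=2024-05-01 time=10:00:04 devname="FGT-B" logid="0001000014" type="traffic" subtype="local" action="accept"
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict; quoted values may hold spaces."""
    return {k: q if q else u for k, q, u in FIELD.findall(line)}

def classify(logid):
    """Map a 10-digit Log ID to 'forward', 'local', 'other' or 'invalid'."""
    if not re.fullmatch(r"\d{10}", logid or ""):
        return "invalid"
    return PREFIXES.get(logid[:4], "other")

def summarize(text):
    """Count log kinds per device name."""
    per_dev = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_line(line)
        if "logid" in rec:
            per_dev[rec.get("devname", "unknown")][classify(rec["logid"])] += 1
    return per_dev

def devices_without_forward(text):
    """Devices with no forward traffic logs, whose session reports stay empty."""
    return sorted(d for d, c in summarize(text).items() if c["forward"] == 0)

if __name__ == "__main__":
    for dev, counts in sorted(summarize(SAMPLE).items()):
        print(dev, dict(counts))
    print("no forward traffic logs from:", devices_without_forward(SAMPLE))
```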
For more information, refer to the document below:
To receive the forward traffic logs that the FortiAnalyzer report needs, change the firewall policy to log all sessions:
After changing the firewall policy, wait a few minutes for the FortiGate to forward the latest logs to FortiAnalyzer, then verify the Log ID in Log View again.