Using SQL to query the DDoS Attack Log
You can use SQL to query the DDoS Attack Log using a third-party tool such as the MySQL command-line tool or MySQL Workbench. Access to the log database is read-only.
This feature allows you to view attack log information in a report format other than the one provided by the web UI. For example, to generate consolidated reports when FortiDDoS is integrated with other appliances in your network.
You access the log using the user root and the password is the serial number of the appliance.
| SQL connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiDDoS appliance. |
To enable SQL access:
1. Go to System > Network > Interface.
2. Double-click either mgmt1 or mgmt2.
3. Under Administrative Access, select SQL.
To allow other types of access to FortiDDoS (for example, HTTPS or SSH), ensure other types of access are selected.
To access the DDoS attack log database with a GUI tool:
The following workflow gives steps for getting started with MySQL Workbench. You can download MYSQL Workbench for Windows from the following location:
1. Open the workbench and log into the IP address of the appropriate management network interface.
Use the user root; the password is the serial number of the appliance.
2. Open a connection to start querying.
3. In the SQL Editor, select database flg and table dlog.
The following is an example query:
select dropcount from dlog where dropcount>10000 order by dropcount desc
To access the DDoS attack log database with a CLI tool:
The following example illustrates accessing the log using MySQL on a Linux terminal:
mysql -h 172.30.153.122 -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1393
Server version: 5.5.23-MariaDB Source distribution
...
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| flg |
+--------------------+
2 rows in set (0.00 sec)
mysql> use flg
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select timestamp, inet_ntoa(ip_src4), dropcount from dlog where dropcount > 1000 order by timestamp desc limit 10;
+---------------------+--------------------+-----------+
| timestamp | inet_ntoa(ip_src4) | dropcount |
+---------------------+--------------------+-----------+
| 2014-03-13 10:03:07 | 12.0.0.2 | 7471 |
| 2014-03-13 09:47:31 | 10.0.0.2 | 3571 |
| 2014-03-13 09:40:35 | 12.0.0.2 | 3991 |
| 2014-03-13 09:07:29 | 12.0.0.2 | 5649 |
| 2014-03-13 08:38:19 | 10.0.0.2 | 7557 |
| 2014-03-13 07:38:49 | 10.0.0.2 | 2418 |
| 2014-03-13 06:57:48 | 12.0.0.2 | 3425 |
| 2014-03-13 06:57:25 | 10.0.0.2 | 3610 |
| 2014-03-13 06:46:00 | 10.0.0.2 | 1051 |
| 2014-03-13 06:39:12 | 10.0.0.2 | 4853 |
+---------------------+--------------------+-----------+
10 rows in set (0.00 sec)