Scheduling Reports

You can schedule reports/report bundles to run once or for recurring periods in the future. When you schedule a reports/report bundle, you can specify notifications that can be sent for the report. In addition, you should make sure that the default settings for notifications for all scheduled reports/report bundles have been set up.

Starting in 6.1.1, adhoc reports run from GUI and scheduled reports may time out after running for a long time. In a cluster environment with Worker nodes, the user may see partial results (indicated in the PDF), if some workers are able to finish their queries within the timeout. The default timeouts are specified (in seconds) in the phoenix_config.txt file on the Supervisor node.

[BEGIN phQueryMaster]

...

interactive_query_timeout=1800 # 30 mins

...

scheduled_query_timeout=3600 # 60mins

...

[END]

To change the default timeout values, SSH to the Supervisor node, change the values, save the file, and restart the Query Master process.

Scheduling a Report

Complete these steps to schedule a report:

  1. Go to RESOURCES tab and select the report under Reports folder from the left pane.
  2. Select the report(s) to schedule from the list on the right pane.
  3. Click More > Schedule.
    Note: You can also schedule a report from the lower pane - select the Schedule tab after selecting the report. Use the + icon to enter the Schedule settings.
  4. In Super/Global scope, under Organization section, you can choose either Run this report for or Schedule this report for with selected organizations:

    • Choose Run this report for if you would like to run the report for only Global administrators. This choice will combine event data from all selected Organizations within one PDF report and sent to the Global Administrators added in the Notification settings while scheduling reports.
    • Choose Schedule this report for if you would like to run this report for each selected Organization separately same as your login to each of these Organizations and schedule this report there. In this case, each selected organization will receive its own copy of the PDF report containing the event data for its own Organization based on the Notification settings added while scheduling reports.
  5. Click Next.
  6. Use the Schedule Time Range option if the run time has to be scheduled for a later period and a specific place.
  7. Schedule the Schedule Recurrence Pattern for the report to run once, hourly, daily, weekly, or monthly or set the range under Schedule Recurrence Range.
  8. Click Next.
  9. Select the Output Format as PDF.
    For PDF output, the default template configured under RESOURCES > Reports is used. You can customize the report templates following the steps under Designing a PDF Report Template.
  10. Specify the Notification that should be sent when the report runs from the available options:

    • Default Notifications - to send default notifications. Click the edit icon to add more Recipients.
    • Custom Notifications - to send notifications to specific email addresses. Use the edit icon to add more Recipients
    • Copy to a remote directory - to copy the report to a remote directory.

  11. Specify the time that the report should be retained after it has run using the Retention setting in hours or number of days.
  12. Click OK.
    The report will run at the time you scheduled. 

Scheduling a Report Bundle

Complete these steps to schedule a report bundle:

  1. Go to RESOURCES > Reports tab and select a report bundle under Report Bundles folder from the left pane.
  2. Select the clock icon () above the left panel folders to open the scheduler settings.
  3. In Super/Global scope, under Organization section, you can choose either Run this report for or Schedule this report for with selected organizations:

    • Choose Run this report for if you would like to run the report for only Global administrators. This choice will combine event data from all selected Organizations within one PDF report and sent to the Global Administrators added in the Notification settings while scheduling reports.
    • Choose Schedule this report for if you would like to run this report for each selected Organization separately same as your login to each of these Organizations and schedule this report there. In this case, each selected Organization will receive its own copy of PDF report containing the event data for its own Organization based on the Notification settings added while scheduling reports.
  4. Select the Report Time Range:

    • Select the Time Zone.
    • Select Relative to enter the last number of hours from which report has to be generated or Absolute to enter the range of start and end date and time.
  5. Click Next.
  6. Use the Schedule Time Range if the run time has to be scheduled for a later period and a specific place.
  7. Click Next.
  8. Select the Output Format as PDF.
    For PDF output, the default template configured under RESOURCES > Reports is used. You can customize the report templates following the steps under Designing a PDF Report Template
  9. Schedule the Schedule Recurrence Pattern for the report bundle to run once, hourly, daily, weekly, or monthly or set the range under Schedule Recurrence Range.
  10. Specify the Notification that should be sent when the report bundle runs from the available options:

    • Default Notifications - to send default notifications. Click + to add more Recipients.
    • Custom Notifications - to send notifications to specific email addresses. Use the edit icon to add more Recipients.
    • Copy to a remote directory - to copy the report bundle to a remote directory.

  11. Specify the Event/CMDB Attribute, Operator, and Value. Click + to add more, if required.
  12. Click OK.
    The report bundle will run at the time you scheduled. 

Scheduling Reports Using a Workflow

Follow these steps to schedule a report by using a workflow.

Step 1 - Create Appropriate Roles for Users

Complete these steps to create a role that will require report scheduling approval.

  1. Go to ADMIN > Settings > Role > Role Management.
  2. Click New to create a new role or edit an existing role by selecting a role from the table and clicking Edit.
  3. Make sure the Approver > Report Schedule option is not checked.
  4. Make sure the Activation > Report Schedule option is not checked.
  5. Save the role definition.

 

Complete these steps to create a role that can approve report scheduling requests.

  1. Go to ADMIN > Settings > Role > Role Management.
  2. Click New to create a new role or edit an existing role by selecting a role from the table and clicking Edit.
  3. Make sure the Approver > Report Schedule option is checked.
  4. Make sure the Activation > Report Schedule option is not checked.
  5. Save the role definition.

Step 2 - Map Users to Appropriate Roles

  1. Go to CMDB > Users.
  2. Select a user from the table and click Edit.
  3. In the Edit User dialog box, select the System Admin option, and click the Edit icon.
  4. Select the Requestor or Approver role as appropriate.

Step 3 - Request Report to be Scheduled

  1. Go to RESOURCES > Reports.
  2. Select a report, then select More > Schedule. The Create New Request dialog box opens.
  3. If the role requires approval, select an approver from the Approver drop-down list.
  4. Click Submit.
  5. The approver will receive an email with a link to log back in to FortiSIEM and approve the request.

Step 4 - Approve the Report Scheduling Request

  1. Login to FortiSIEM using a role that can approve a report being scheduled .
  2. Click Approval. The table in the TASKS page lists pending requests.
  3. To process the requests, scroll to the right-hand end of the row.
  4. From the drop-down list, select Approve or Reject.
    • If you select Approve, the Approve Request dialog box opens. You can choose whether the request is valid Until or For the date and time listed in the time stamp field. You can click the time stamp field to choose a different date and time.
    • If you choose Reject, the Reject Request dialog box opens where you can enter a reason for the rejection.
  5. If you choose Approve, the report will now be scheduled.

Step 5 - View Report Scheduling Request Status

Complete this step to see the status of your report schedule activation requests.

  1. Login to FortiSIEM using the same account as in Step 3.
  2. Click Request. The table in the TASKS page shows the status of requests.