Scheduling Reports

You can schedule reports/report bundles to run once or for recurring periods in the future. When you schedule a reports/report bundle, you can specify notifications that can be sent for the report. In addition, you should make sure that the default settings for notifications for all scheduled reports/report bundles have been set up.

• Scheduling a Report
• Scheduling a Report Bundle
• Scheduling Reports Using a Workflow

Starting in 6.1.1, adhoc reports run from GUI and scheduled reports may time out after running for a long time. In a cluster environment with Worker nodes, the user may see partial results (indicated in the PDF, in PDF or RTF starting in 6.3.0), if some workers are able to finish their queries within the timeout. The default timeouts are specified (in seconds) in the phoenix_config.txt file on the Supervisor node.

[BEGIN phQueryMaster]

...

interactive_query_timeout=1800 # 30 mins

...

scheduled_query_timeout=3600 # 60mins

...

[END]

To change the default timeout values, SSH to the Supervisor node, change the values, save the file, and restart the Query Master process.

Scheduling a Report

Complete these steps to schedule a report:

1. Go to RESOURCES tab and select the report under Reports folder from the left pane.
2. Select the report(s) to schedule from the list on the right pane.
3. Click More > Schedule.
   Note: You can also schedule a report from the lower pane - select the Schedule tab after selecting the report. Use the + icon to enter the Schedule settings.
4. In Super/Global scope, under Organization section, for Report Data, you can choose either Combine all selected Organizations into one Report or Generate separate Report for each selected Organization with selected organizations:
   • Choose Combine all selected Organizations into one Report if you would like to run the report for only Global administrators. This choice will combine event data from all selected Organizations within one PDF or RTF report and sent to the Global Administrators added in the Notification settings while scheduling reports.
   • Choose Generate separate Report for each selected Organization if you would like to run this report for each selected Organization separately same as your login to each of these Organizations and schedule this report there. In this case, each selected organization will receive its own copy of the CSV, PDF or RTF report containing the event data for its own Organization based on the Notification settings added while scheduling reports.
     
     
5. In Report Time Range, configure the range of time that the report should provide. See Specifying Search Time Window.
6. In Trend Interval, configure appropriately if your report uses trend event attributes, otherwise, leave as Auto. See Specifying Trend Interval.
7. Click Next.
8. Use the Schedule Time Range option if the run time has to be scheduled for a later period and a specific place.
9. Schedule the Schedule Recurrence Pattern for the report to run once, hourly, daily, weekly, or monthly or set the range under Schedule Recurrence Range.
10. Click Next.
11. Select the Output Format as PDF, CSV, or RTF.
    For PDF and RTF output, the default template configured under RESOURCES > Reports is used. You can customize the report templates following the steps under Designing a Report Template.
12. Specify the Notification that should be sent when the report runs from the available options:
    • Default Notifications - to send default notifications. Click the edit icon to add more Recipients.
    • Custom Notifications - to send notifications to specific email addresses. Use the edit icon to add more Recipients
    • Copy to a remote directory - to copy the report to a remote directory.

13. Specify the time that the report should be retained after it has run using the Retention setting in hours or number of days.
14. Click OK.
    The report will run at the time you scheduled. 

Scheduling a Report Bundle

Complete these steps to schedule a report bundle:

1. Go to RESOURCES > Reports tab and select a report bundle under Report Bundles folder from the left pane.
2. Select the clock icon () above the left panel folders to open the scheduler settings.
3. In the Schedule Report Bundle window, click +.
4. In Super/Global scope, under Organization section, for Report Data, you can choose either Combine all selected Organizations into one Report or Generate separate Report for each selected Organization with selected organizations:
   • Choose Combine all selected Organizations into one Report if you would like to run the report for only Global administrators. This choice will combine event data from all selected Organizations within one PDF or RTF report and sent to the Global Administrators added in the Notification settings while scheduling reports.
   • Choose Generate separate Report for each selected Organization if you would like to run this report for each selected Organization separately same as your login to each of these Organizations and schedule this report there. In this case, each selected Organization will receive its own copy of the PDF or RTF report containing the event data for its own Organization based on the Notification settings added while scheduling reports.
5. Select the Report Time Range:
   • Select the Time Zone.
   • Select Relative to enter the last number of hours from which report has to be generated or Absolute to enter the range of start and end date and time.

6. Select the Trend Interval for Trend. See Specifying Trend Interval.
7. Click Next.
8. Use the Schedule Time Range if the run time has to be scheduled for a later period and a specific place.
9. Click Next.
10. Select the Output Format as PDF or RTF.
    For PDF or RTF output, the default template configured under RESOURCES > Reports is used. You can customize the report templates following the steps under Designing a Report Template.
11. Schedule the Schedule Recurrence Pattern for the report bundle to run once, hourly, daily, weekly, or monthly or set the range under Schedule Recurrence Range.
12. Specify the Notification that should be sent when the report bundle runs from the available options:
    • Default Notifications - to send default notifications. Click + to add more Recipients.
    • Custom Notifications - to send notifications to specific email addresses. Use the edit icon to add more Recipients.
    • Copy to a remote directory - to copy the report bundle to a remote directory.

13. Specify the Event/CMDB Attribute, Operator, and Value. Click + to add more, if required.
14. Click OK.
    The report bundle will run at the time you scheduled. 

Scheduling Reports Using a Workflow

Follow these steps to schedule a report by using a workflow.

• Step 1 - Create Appropriate Roles for Users
• Step 2 - Map Users to Appropriate Roles
• Step 3 - Request the Report to be Scheduled
• Step 4 - Approve the Report Scheduling Request
• Step 5 - View the Report Scheduling Request Status

Step 1 - Create Appropriate Roles for Users

Complete these steps to create a role that will require report scheduling approval.

1. Go to ADMIN > Settings > Role > Role Management.
2. Click New to create a new role or edit an existing role by selecting a role from the table and clicking Edit.
3. Make sure the Approver > Report Schedule option is not checked.
4. Make sure the Activation > Report Schedule option is not checked.
5. Save the role definition.

 

Complete these steps to create a role that can approve report scheduling requests.

1. Go to ADMIN > Settings > Role > Role Management.
2. Click New to create a new role or edit an existing role by selecting a role from the table and clicking Edit.
3. Make sure the Approver > Report Schedule option is checked.
4. Make sure the Activation > Report Schedule option is not checked.
5. Save the role definition.

Step 2 - Map Users to Appropriate Roles

1. Go to CMDB > Users.
2. Select a user from the table and click Edit.
3. In the Edit User dialog box, select the System Admin option, and click the Edit icon.
4. Select the Requestor or Approver role as appropriate.

Step 3 - Request Report to be Scheduled

1. Go to RESOURCES > Reports.
2. Select a report, then select More > Schedule. The Create New Request dialog box opens.
3. If the role requires approval, select an approver from the Approver drop-down list.
4. Click Submit.

5. The approver will receive an email with a link to log back in to FortiSIEM and approve the request.

Step 4 - Approve the Report Scheduling Request

1. Login to FortiSIEM using a role that can approve a report being scheduled .
2. Click Approval. The table in the TASKS page lists pending requests.
3. To process the requests, scroll to the right-hand end of the row.
4. From the drop-down list, select Approve or Reject.
   • If you select Approve, the Approve Request dialog box opens. You can choose whether the request is valid Until or For the date and time listed in the time stamp field. You can click the time stamp field to choose a different date and time.
   • If you choose Reject, the Reject Request dialog box opens where you can enter a reason for the rejection.
5. If you choose Approve, the report will now be scheduled.

Step 5 - View Report Scheduling Request Status

Complete this step to see the status of your report schedule activation requests.

1. Login to FortiSIEM using the same account as in Step 3.
2. Click Request. The table in the TASKS page shows the status of requests.