log reports
Use this command to configure report profiles.
When generating a report, FortiWeb appliances collate information collected from their log files and present the information in tabular and graphical format.
In addition to log files, your FortiWeb appliance requires a report profile to generate a report. A report profile is a group of settings that contains the report name, file format, subject matter, and other aspects that the FortiWeb appliance considers when generating the report.
FortiWeb appliances can generate reports automatically, according to the schedule that you configure in the report profile, or manually in the web UI when you click the Run now icon in the report profile list. You may want to create one report profile for each type of report that you will generate on demand or periodically, by schedule.
 
Generating reports can be resource intensive. To avoid email processing performance impacts, you may want to generate reports during times with low traffic volume, such as at night.
The number of results in a section’s table or graph varies by the report type.
Ranked reports (top x, or top y of top x) can include a different number of results per cross-section, then combine remaining results under “Others.” For example, in “Top Attack Severity by Hour of Day,” the report includes the top x hours, and their top y attacks, then groups the remaining results.
scope_top1 <topX_int> is x.
scope_top2 <topY_int> is y.
Before you generate a report, collect log data that will be the basis of the report. For information on enabling logging to the local hard disk, see “config log attack-log” and “config log disk”.
To use this command, your administrator account’s access control profile must have either w or rw permission to the loggrp area. For more information, see “Permissions”.
 
Creating a report profile is considerably easier in the web UI. Go to Log&Report > Report Config.
Syntax
config log reports
edit <report_name>
set custom_company "<org_str>"
set custom_footer_options {custom | report-title}
set custom_footer "<footer_str>"
set custom_header <header_str>
set custom_header_logo <filename_hex>
set custom_title_logo <filename_hex>
set email_attachment_compress {enable | disable}
set email_attachment_name "<filename_str>"
set email_body "<message_str>"
set email_subject "<subject_str>"
set filter_string "<log-filter_str>"
set include_nodata {yes | no}
set on_demand {enable | disable}
set output_email {html mht pdf rtf txt}
set output_email_policy <policy_name>
set output_file {html mht pdf rtf txt}
set period_end <time_str> <date_str>
set period_last_n <n_int>
set period_start <time_str> <date_str>
set period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | this-year | today | yesterday}
set report_desc "<comment_str>"
set report_title <title_str>
set Report_attack_activity {attacks-type attacks-url attacks-date-type attacks-month-type attacks-day-type attacks-hour-type attacks-type-dev attacks-dst-type attacks-dst-ip attacks-type-ip attacks-method-type attacks-cat attacks-policy attacks-day attacks-ts attacks-td attacks-proto attacks-date-severity attacks-month-severity attacks-day-severity attacks-hour-severity attacks-sessionid attacks-signature-id attacks-srccounty attacks-type-signature-id}
set Report_event_activity {ev-all ev-all-cat ev-all-type ev-crit-hour ev-crit-day ev-warn-hour ev-warn-day ev-info-hour ev-info-day ev-emer-hour ev-emer-day ev-aler-hour ev-aler-day ev-err-hour ev-err-day ev-noti-hour ev-noti-day ev-hour ev-hour-cat ev-day ev-day-cat ev-stat}
set Report_traffic_activity {net-pol net-srv net-src net-dst net-src-dst net-dst-src net-date-dst net-hour-dst net-day-dst net-month-dst net-date-src net-hour-src net-day-src net-month-src net-srccountry}
set Report_pci_activity {pci-attacks-date-type pci-attacks-day-type pci-attacks-hour-type pci-attacks-month-type}
set schedule_type {daily | dates | days | none}
set schedule_days {sun | mon | tue | wed | thu | fri | sat}
set schedule_dates <dates_str>
set schedule_time <time_str>
set scope_include_summary {yes | no}
set scope_include_table_of_content {yes | no}
set scope_top1 <topX_int>
set scope_top2 <topY_int>
next
end
Variable
Description
Default
<report_name>
Type the name of a new or existing report profile. The maximum length is 63 characters.
The profile name will be included in the report header.
To display the list of existing report names, type:
edit ?
No default.
custom_company "<org_str>"
Type the name of your department, company, or other organization, if any, that you want to include in the report summary. If the text is more than one word or contains special characters, enclose it in double quotes ( " ). The maximum length is 191 characters.
For information on enabling the summary, see scope_include_summary {yes | no}.
No default.
custom_footer_options {custom | report-title}
Select either:
report-title — Use <report_name> as the footer text.
custom — Provide separate footer text in custom_footer "<footer_str>".
Default: report-title
custom_footer "<footer_str>"
Type the text, if any, that you want to include at the bottom of each report page. If the text is more than one word or contains special characters, enclose it in double quotes ( " ). The maximum length is 127 characters.
This setting is available only if custom_footer_options is custom.
No default.
custom_header <header_str>
Type the text, if any, that you want to include at the top of each report page. If the text is more than one word or contains special characters, enclose it in double quotes ( " ). The maximum length is 127 characters.
No default.
custom_header_logo <filename_hex>
Type the file name of a custom logo that you have previously uploaded to the FortiWeb appliance. The logo image will be included in the report header. The maximum length is 255 characters.
No default.
custom_title_logo <filename_hex>
Type the file name of a custom logo that you have previously uploaded to the FortiWeb appliance. The logo image will be included in the report title. The maximum length is 255 characters.
No default.
email_attachment_compress {enable | disable}
Enable to enclose the generated report formats in a compressed archive attached to the email.
This field is required if you have enabled email output by enabling one or more of the file formats for email output in output_email {html mht pdf rtf txt}.
Default: disable
email_attachment_name "<filename_str>"
Type the file name that will be used for the reports attached to the email. The maximum length is 63 characters.
This field is required if you have enabled email output by enabling one or more of the file formats for email output in output_email {html mht pdf rtf txt}.
No default.
email_body "<message_str>"
Type the message body of the email. The maximum length is 383 characters.
This field is required if you have enabled email output by enabling one or more of the file formats for email output in output_email {html mht pdf rtf txt}.
No default.
email_subject "<subject_str>"
Type the subject line of the email. The maximum length is 191 characters.
This field is required if you have enabled email output by enabling one or more of the file formats for email output in output_email {html mht pdf rtf txt}.
No default.
filter_string "<log-filter_str>"
Type a log message filter string that includes or excludes log messages based upon matching log field values. The maximum length is 1,023 characters.
For example syntax, see “Example”.
No default.
include_nodata {yes | no}
Select whether to include (yes) or hide (no) reports which are empty because there is no matching log data.
Default: no
on_demand {enable | disable}
Enable to run the report one time only. After the FortiWeb appliance completes the report, it removes the report profile from its hard disk.
Type disable to schedule a time to run the report, and to keep the report profile for subsequent use.
Default: disable
output_email {html mht pdf rtf txt}
Select one or more file types for the report when mailing generated reports.
No default.
output_email_policy <policy_name>
If you set a value for output_email, type the name of the email policy that contains settings for sending the report by email. The maximum length is 35 characters.
For more information on email policies, see “config log email-policy”.
No default.
output_file {html mht pdf rtf txt}
Select one or more file types for the report when saving to the FortiWeb hard disk.
Default: html
period_end <time_str> <date_str>
Enter the time and date that define the end of the span of time whose log messages you want to use when generating the report.
The time format is hh:mm and the date format is yyyy/mm/dd, where:
hh is the hour according to a 24-hour clock
mm is the minute
yyyy is the year
mm is the month
dd is the day
This setting appears only when you select a period_type of other.
No default.
period_last_n <n_int>
Enter the number that defines n if the period_type contains that variable. The valid range is from 1 to 2,147,483,647.
This setting appears only when you select a period_type of last-n-days, last-n-hours, or last-n-weeks.
No default.
period_start <time_str> <date_str>
Enter the time and date that defines the beginning of the span of time whose log messages you want to use when generating the report.
The time format is hh:mm and the date format is yyyy/mm/dd, where:
hh is the hour according to a 24-hour clock
mm is the minute
yyyy is the year
mm is the month
dd is the day
This setting appears only when you select a period_type of other.
No default.
period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | this-year | today | yesterday}
Select the span of time whose log messages you want to use when generating the report.
If you select last-n-days, last-n-hours, or last-n-weeks, you must also define n by entering period_last_n <n_int>.
If you select other, you must also define the start and end of the report’s time range by entering period_start and period_end.
The span of time will be included in the summary, if enabled. For information on enabling the summary, see scope_include_summary {yes | no}.
Default: last-7-days
report_desc "<comment_str>"
Type a description of the report, if any, that you want to include in the report summary. If the text is more than one word or contains special characters, surround it with double quotes ( " ). The maximum length is 63 characters.
For information on enabling the summary, see scope_include_summary {yes | no}.
No default.
report_title <title_str>
Type a title, if any, that you want to include in the report summary. If the text is more than one word or contains special characters, enclose it in double quotes ( " ). The maximum length is 127 characters.
For information on enabling the summary, see scope_include_summary {yes | no}.
No default.
Report_attack_activity {attacks-type attacks-url attacks-date-type attacks-month-type attacks-day-type attacks-hour-type attacks-type-dev attacks-dst-type attacks-dst-ip attacks-type-ip attacks-method-type attacks-cat attacks-policy attacks-day attacks-ts attacks-td attacks-proto attacks-date-severity attacks-month-severity attacks-day-severity attacks-hour-severity attacks-sessionid attacks-signature-id attacks-srccounty attacks-type-signature-id}
Type zero or more options to indicate which charts based upon attack logs to include in the report.
For example, to include “Attacks By Policy,” enter a list of charts that includes attacks-policy. To include “Top Attacked HTTP Methods by Type,” enter a list of charts that includes attacks-method-type.
No default.
Report_event_activity {ev-all ev-all-cat ev-all-type ev-crit-hour ev-crit-day ev-warn-hour ev-warn-day ev-info-hour ev-info-day ev-emer-hour ev-emer-day ev-aler-hour ev-aler-day ev-err-hour ev-err-day ev-noti-hour ev-noti-day ev-hour ev-hour-cat ev-day ev-day-cat ev-stat}
Type zero or more options to indicate which charts based upon event logs to include in the report.
For example, to include “Top Event Categories by Status”, enter a list of charts that includes ev-stat.
No default.
Report_traffic_activity {net-pol net-srv net-src net-dst net-src-dst net-dst-src net-date-dst net-hour-dst net-day-dst net-month-dst net-date-src net-hour-src net-day-src net-month-src net-srccountry}
Type zero or more options to indicate which charts based upon traffic logs to include in the report.
For example, to include “Top Sources By Day of Week”, enter a list of charts that includes net-day-src.
No default.
Report_pci_activity {pci-attacks-date-type pci-attacks-day-type pci-attacks-hour-type pci-attacks-month-type}
Type zero or more options to indicate which charts based upon PCI attack logs to include in the report.
No default.
schedule_type {daily | dates | days | none}
Select when the FortiWeb appliance will automatically run the report. If you reboot the FortiWeb appliance while the report is being generated, report generation resumes after the boot process is complete.
If schedule_type is daily, dates or days, specify the schedule_time, schedule_days, or schedule_dates when the report will be generated.
If schedule_type is none, the report will be generated only when you manually initiate it.
Default: none
schedule_days {sun | mon | tue | wed | thu | fri | sat}
If schedule_type is days, select the day of the week when the report should be generated.
No default.
schedule_dates <dates_str>
If schedule_type is dates, select the specific date of the month, from 1 to 31, when the report should be generated. Separate multiple dates with spaces.
No default.
schedule_time <time_str>
If schedule_type is not none, select the time of day when the report should be run.
The time format is hh:mm, where:
hh is the hour according to a 24-hour clock
mm is the minute
Default: 00:00
scope_include_summary {yes | no}
Enter yes to include a summary section at the beginning of the report. The summary includes:
the date and time when the report was generated using this profile
the span of time whose log messages were used to generate the report, according to period_type
Default: yes
scope_include_table_of_content {yes | no}
Enter yes to include a table of contents at the beginning of the report. The table of contents includes links to each chart in the report.
Default: yes
scope_top1 <topX_int>
Enter x number of items (up to 30) to include in the first cross-section of ranked reports.
For some report types, you can set the top ranked items for the report. These reports have “Top” in their name, and will always show only the top x entries. Reports that do not include “Top” in their name show all information. Changing the values of the top fields does not affect these reports.
Default: 6
scope_top2 <topY_int>
Enter y number of items (up to 30) to include in the second cross-section of ranked reports.
For some report types, you can set the number of ranked items to include in the report. These reports have “Top” in their name, and will always show only the top x entries. Some report types have two levels of ranking: the top y sub-entries for each top x entry.
Reports that do not include “Top” in their name show all information. Changing the values of the top fields does not affect these reports.
Default: 3
Example
This example configures a report to be generated every Saturday at 1 PM. The report, whose title is “Report 1”, includes all available charts, and covers the last 14 days’ worth of event, traffic, and attack logs. However, it only uses logs where the source IP address was 172.16.1.20. Each time it is generated, it will be saved to the hard disk in both HTML and PDF file formats and will be sent by email in PDF format to recipients defined within the “Log report analysis” email policy.
config log reports
edit "Report_1"
set Report_attack_activity attacks-type attacks-url attacks-date-type attacks-month-type attacks-day-type attacks-hour-type attacks-type-dev attacks-dst-type attacks-dst-ip attacks-type-ip attacks-method-type attacks-cat attacks-policy attacks-day attacks-ts attacks-td attacks-proto attacks-date-severity attacks-month-severity attacks-day-severity attacks-hour-severity attacks-sessionid attacks-signature-id attacks-srccounty attacks-type-signature-id
set Report_event_activity ev-all ev-all-cat ev-all-type ev-crit-hour ev-crit-day ev-warn-hour ev-warn-day ev-info-hour ev-info-day ev-emer-hour ev-emer-day ev-aler-hour ev-aler-day ev-err-hour ev-err-day ev-noti-hour ev-noti-day ev-hour ev-hour-cat ev-day ev-day-cat ev-stat
set Report_traffic_activity net-pol net-srv net-src net-dst net-src-dst net-dst-src net-date-dst net-hour-dst net-day-dst net-month-dst net-date-src net-hour-src net-day-src net-month-src
set custom_company "Example, Inc."
set custom_footer_options custom
set custom_header "A fictitious corporation."
set custom_title_logo "titlelogo.jpg"
set filter_string "(and src==\'172.16.1.20\')"
set include_nodata yes
set output_file html pdf
set output_email pdf
set output_email_policy log_report_analysis
set period_type last-n-days
set report_desc "A sample report."
set report_title "Report 1"
set schedule_type days
set custom_footer "Weekly report for Example, Inc."
set period_last_n 14
set schedule_days sat
set schedule_time 13:00
next
end
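The dependencies and length limits stated in the variable table can be checked before a profile is pasted into the CLI. The following Python linter is an added example, not part of the FortiWeb documentation or tooling; the function names, the sample profile and the policy name report_mail are hypothetical, and only the rules stated on this page are checked.

```python
import shlex

# Limits and dependencies below come from the variable table on this page.
MAX_LEN = {"custom_company": 191, "custom_footer": 127, "custom_header": 127,
           "email_attachment_name": 63, "email_body": 383, "email_subject": 191,
           "filter_string": 1023, "output_email_policy": 35, "report_desc": 63,
           "report_title": 127}
EMAIL_REQUIRED = ("output_email_policy", "email_attachment_name",
                  "email_body", "email_subject")
# Constructed sample profile (hypothetical names), not a configuration from the page.
SAMPLE = """config log reports
  edit "weekly-attacks"
    set period_type last-n-days
    set output_email pdf
    set output_email_policy report_mail
    set schedule_type days
    set scope_top1 40
  next
end"""

def parse_profiles(text):
    """Return {profile_name: {setting: [values]}} for a 'config log reports' block."""
    profiles, current = {}, None
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) >= 2 and tokens[0] == "edit":
            current = profiles.setdefault(tokens[1], {})
        elif len(tokens) >= 2 and tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
    return profiles

def lint_profile(name, cfg):
    """Return findings for one profile; an empty list means no rule was violated."""
    value = lambda key, default: " ".join(cfg.get(key, [])) or default
    issues = ["profile name exceeds 63 characters"] if len(name) > 63 else []
    issues += [f"{k} exceeds {n} characters" for k, n in MAX_LEN.items()
               if len(value(k, "")) > n]
    period = value("period_type", "last-7-days")  # documented default
    if period.startswith("last-n-") and "period_last_n" not in cfg:
        issues.append(f"period_type {period} requires period_last_n")
    if period == "other":
        issues += [f"period_type other requires {k}"
                   for k in ("period_start", "period_end") if k not in cfg]
    if cfg.get("output_email"):
        issues += [f"output_email is set but {k} is missing"
                   for k in EMAIL_REQUIRED if k not in cfg]
    schedule = value("schedule_type", "none")  # documented default
    if schedule in ("days", "dates") and f"schedule_{schedule}" not in cfg:
        issues.append(f"schedule_type {schedule} requires schedule_{schedule}")
    if "custom_footer" in cfg and value("custom_footer_options", "report-title") != "custom":
        issues.append("custom_footer is available only with custom_footer_options custom")
    issues += [f"{k} is above the maximum of 30" for k in ("scope_top1", "scope_top2")
               if cfg.get(k) and int(cfg[k][0]) > 30]
    return issues
```

Run against the Report_1 example above, the linter reports the three email_* settings that the table marks as required whenever output_email is set.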
Related topics
config log attack-log
config log disk
config log email-policy