topic Fortigate internet access reports in Reporting

Fortigate internet access reports

spgsitsupport — Thu, 16 Dec 2010 05:26:29 GMT

I have Fortinet Fortigate sending syslog to Splunk But how do I get any meaningful reports out of Splunk?

Very simple: user, all accessed websites in the last 7 days with time per each site visited

Seb

Re: Fortigate internet access reports

tgow — Thu, 16 Dec 2010 06:35:00 GMT

Seb,

Is Splunk creating fields out of the data that look interesting? Can you send a snippet of the log and I can show you how to build reports.

Here is a link in Docs to more information:

http://www.splunk.com/base/Documentation/4.1.6/User/Buildreportstutorial

Regards,

Todd

Re: Fortigate internet access reports

treinke — Sat, 09 Apr 2011 20:52:51 GMT

I use this for a report that generates every morning to show me what happened yesterday.

cat_desc!="" | chart count by cat_desc | sort -count | rename cat_desc as Categories

This will show the categories and how many hits per category. To get a good view of what is going on in a specific category I use the follow example.

cat_desc="Adult Materials" | fields src,hostname,url | collect

That will show from which computer it came from, the server, and the url.

If you have your DHCP logs in to Splunk, you can combine the results. The following will shoud you the Source IP, Source Computer, Website, and URL.

cat_desc="Pornography" | join src,date_mday [search sourcetype="DhcpSrvLog" NOT desc="Expired"] | fields src,src_host,hostname,url | collect | rename src as IpAddress | rename src_host as Computer | rename hostname as WebSite | rename url as URL

Hope these examples help.