Fortigate internet access reports

spgsitsupport
Engager

I have Fortinet Fortigate sending syslog to Splunk, but how do I get any meaningful reports out of Splunk?

Very simple: per user, all websites accessed in the last 7 days, with the time spent on each site visited.

Seb


treinke
Builder

I use this for a report that generates every morning to show me what happened yesterday.

cat_desc!="" | chart count by cat_desc | sort -count | rename cat_desc as Categories

This will show the categories and how many hits per category. To get a good view of what is going on in a specific category, I use the following example.

cat_desc="Adult Materials" | fields src,hostname,url | collect

That will show which computer it came from, the server, and the URL.

(Screenshot: Splunk Fortinet Example)

If you have your DHCP logs into Splunk, you can combine the results. The following will show you the Source IP, Source Computer, Website, and URL.

cat_desc="Pornography" | join src,date_mday [search sourcetype="DhcpSrvLog" NOT desc="Expired"] | fields src,src_host,hostname,url | collect | rename src as IpAddress | rename src_host as Computer | rename hostname as WebSite | rename url as URL

Hope these examples help.

There are no answers without questions
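A search that answers the original question (per user, every site visited in the last 7 days, with the time spent on each site), added here as an example; it is not code from any post in this thread. It reuses the field names the posts above rely on (`src`, `hostname`, `url`, the `DhcpSrvLog` sourcetype with `src_host`) plus `user` and `subtype=webfilter` from the FortiGate log itself. The index and sourcetype names (`fortigate`, `fortigate_utm`) and the 300-second idle cap are assumptions to adjust for your environment.

```spl
index=fortigate sourcetype=fortigate_utm subtype=webfilter earliest=-7d@d latest=now
| eval user=coalesce(user, src)
| join type=left src
    [ search sourcetype="DhcpSrvLog" NOT desc="Expired" earliest=-7d@d
      | stats latest(src_host) as computer by src ]
| sort 0 user -_time
| streamstats current=f last(_time) as next_time by user
| eval gap=next_time-_time
| eval dwell=if(isnull(gap), 0, min(gap, 300))
| stats values(computer) as computer sum(dwell) as seconds count as requests min(_time) as first_seen max(_time) as last_seen by user hostname
| eval minutes=round(seconds/60, 1)
| convert ctime(first_seen) ctime(last_seen)
| table user computer hostname requests minutes first_seen last_seen
| sort 0 user -minutes
```

How it works: FortiGate webfilter events carry no duration, so the time on a site is taken as the gap until that user's next request. After `sort 0 user -_time` the events run newest-first per user, so `streamstats current=f last(_time)` hands each event the timestamp of the following request; the gap is capped at 300 seconds so idle periods and the user's last request of the week do not inflate the totals. `user` falls back to `src` for unauthenticated clients, the DHCP lease is pulled in with `values(computer)` rather than as a `by` field so users without a lease are not dropped from the result, and `sort 0` lifts the default 10,000-row limit. Save it as a scheduled report and the 7-day window rolls forward on its own.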

tgow
Splunk Employee

Seb,

Is Splunk creating fields out of the data that look interesting? Can you send a snippet of the log and I can show you how to build reports.

Here is a link in Docs to more information:

http://www.splunk.com/base/Documentation/4.1.6/User/Buildreportstutorial

Regards,

Todd
