FortiAnalyzer

Datasets
RELEASE 5.0.8

Reference Manual
Datasets
v5.0.8
September 19, 2014
05-508-255078-20140919
Copyright © 2014 Fortinet, Inc. All rights reserved. Fortinet®, FortiOS®, FortiGuard®, FortiManager®,
FortiAnalyzer® are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be
trademarks of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance metrics contained herein were attained in internal lab tests under ideal conditions, and
performance may vary. Network variables, different network environments and other conditions may affect
performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims
all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product
will perform according to the performance metrics herein. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in
full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation http://help.fortinet.com

Forums https://support.fortinet.com/forum

Customer Service & Support https://support.fortinet.com

Training http://training.fortinet.com

FortiGuard Threat Research & Response http://www.fortiguard.com

License http://www.fortinet.com/doc/legal/EULA.pdf

Document Feedback Email: [email protected]

 FortiAnalyzer v5.0.8 Datasets

Contents

Introduction 5

Overview 6
Understanding Datasets and Macros 7
Creating Custom Datasets 8
To create a custom dataset in the web-based manager 8
Testing SQL Query 8
Examples of SQL Query Errors 9
Syntax Errors 9
Connection Errors 9
Examples of Custom Datasets 10
Example 1: Distribution of applications by type in the last 24 hours 10
GUI Procedure 10
Example 2: Top 100 applications by bandwidth in the last 24 hours 11
GUI Procedure 11
Log Database Tables 13

Dataset Reference List 16

Macro Reference List 125

Copyright © 2014 Fortinet, Inc.

3
All Rights Reserved
 Introduction
FortiAnalyzer v5.0.8 Datasets

Introduction
This document provides information about the various types of FortiAnalyzer datasets which are created based on
the FortiGate log SQL tables and messages. These datasets are used to create charts and reports.
It describes the procedure for creating custom datasets, and also lists the types of log tables used to assist in
writing SQL queries to create the datasets.

Copyright © 2014 Fortinet, Inc.

5
All Rights Reserved
Overview
FortiAnalyzer v5.0.8 Datasets

Overview
FortiAnalyzer uses the PostgreSQL and remote MySQL databases to store the log data generated by the FortiGate.
To create a chart based on the FortiGate logs in a local or remote database, you can use either the predefined datasets, or
create your own custom datasets by querying the logs in the SQL database in FortiAnalyzer.

This chapter includes the following topics:

Understanding Datasets and Macros 7
Creating Custom Datasets 8
To create a custom dataset in the web-based manager 8
Testing SQL Query 8
Examples of SQL Query Errors 9
Examples of Custom Datasets 10
Example 1: Distribution of applications by type in the last 24 hours 10
Example 2: Top 100 applications by bandwidth in the last 24 hours 11
Log Database Tables 13

Copyright © 2014 Fortinet, Inc.

6
 Overview
FortiAnalyzer v5.0.8 Datasets

Understanding Datasets and Macros

FortiAnalyzer datasets are collections of log messages from monitored devices.
If the FortiAnalyzer unit is not receiving data from a device, or logging is not enabled under System > Config > SQL
Database, it does not create log tables for that device.

Charts in FortiAnalyzer are generated based on the datasets. To create a chart, you can use either the predefined
datasets, or create your own custom datasets by querying the log messages in the SQL database on the FortiAna-
lyzer unit. Both predefined and custom datasets can be cloned, but only custom datasets can be deleted. You can
also view the SQL query for a dataset, and test the query against specific devices or log arrays.

You can create custom reports that contain macros created based on predefined and custom datasets. Macros are
used to dynamically display the device log data as text in a report. They can be embedded within a text field of a
paragraph in a report layout in XML format. Macros display a single value, such as a user name, highest session
count, or highest bandwidth etc.

To view and configure datasets, go to Reports > Advanced > Dataset in the left navigation pane of the web-
based manager. For more information, refer to the Dataset section in the FortiAnalyzer Administration Guide.

To view and configure macros, go to Reports> Macro Library in the left navigation pane of the web-based man-
ager. For more information, refer to the Macro Library section in the FortiAnalyzer Administration Guide.

N o te : Fo rti An a l yze r v5 .0 Pa tch R e l e a se 5 i n tro d u ce d n e w d a ta se ts fo r SIP a n d SC C P. Fo rti An a l yze r

v5 .0 Pa tch R e l e a se 6 i n tro d u ce s n e w d a ta se ts fo r Bo tn e t (Bo tn e t-Acti vi ty-By-So u rce s, Bo tn e t-In fe c-
te d -H o sts, Bo tn e t-So u rce s, Bo tn e t-Ti me l i n e , a n d D e te cte d -Bo tn e t).

Copyright © 2014 Fortinet, Inc.

7
All Rights Reserved
Overview
FortiAnalyzer v5.0.8 Datasets

Creating Custom Datasets

This section describes the procedure to create datasets in the FortiAnalyzer web-based manager.

To create a custom dataset in the web-based manager

1. Go to Reports> Advanced > Dataset.

2. Click Create New.

3. Configure the following, then click OK.

The following table describes the GUI fields of the New Dataset dialog box.
Field Description
Name Name of the data set.
Log Type to be used for the data set.
Log Type
$log is used in the SQL query to represent the log type you select, and it is run against all tables of this type.
Select All Devices to create datasets on all of FortiAnalyzer managed devices.
Devices
or select Specify to choose a device on which you want to create the dataset.
Query Enter the SQL query syntax to retrieve the log data you want from the SQL database.
Select to use logs from a time frame.
Time
Select Other to define a custom time frame by selecting the Start Time and End Time. $filter is used in the SQL
Period
query "where" clause to limit the results to the period you select.
Test Click to test whether or not the SQL query is successful.

Testing SQL Query

You can verify the SQL query that you used to create the custom dataset before saving the dataset configuration by testing
and viewing the query results.

Copyright © 2014 Fortinet, Inc.

8
 Overview
FortiAnalyzer v5.0.8 Datasets

To test a SQL query:

1. Click Test after entering the SQL query in the New Dataset dialog box.

The query results are displayed. If the query is not successful, an error message appears in the results pane.

Examples of SQL Query Errors

Here are some example error messages and possible causes:

Syntax Errors
You have an error in your SQL syntax (remote/MySQL) or ERROR: syntax
error at or near... (local/PostgreSQL)

• Check that SQL keywords are spelled correctly, and that the query is well-formed.
• Table and column names are demarked by grave accent (`) characters. Single (') and
double (") quotation marks will cause an error.

No data is covered.

• The query is correctly formed, but no data has been logged for the log type. Check that
you have configured the FortiAnalyzer unit to save that log type. Under System >
Config > SQL Database, ensure that the log type is checked.

Connection Errors
If well formed queries do not produce results, and logging is turned on for the log type,
there may be a database configuration problem with the remote database.

Ensure that:
• MySQL is running and using the default port3306.
• You have created an empty database and a user with create permissions for the
database.

Here is an example of creating a new MySQL database named fazlogs, and adding a
user for the database:

#Mysql –u root –p
mysql> Create database fazlogs;
mysql> Grant all privileges on fazlogs.* to ‘fazlogger’@’*’
identified by ‘fazpassword’;
mysql> Grant all privileges on fazlogs.* to
‘fazlogger’@’localhost’ identified by ‘fazpassword’;

For more information about using SQL queries for creating datasets, refer to the
FortiAnalyzer™ and FortiGate™ Version 4.0 MR2 SQL Log Database Query Technical Note on the Fortinet Docu-
mentation Library at docs.fortinet.com.

Copyright © 2014 Fortinet, Inc.

9
All Rights Reserved
Overview
FortiAnalyzer v5.0.8 Datasets

Examples of Custom Datasets

The following examples illustrate how to create custom datasets using the web-based manager GUI. Once created, you
can use the datasets to configure chart templates under Reports > Chart Library.

Example 1: Distribution of applications by type in the last 24 hours

GUI Procedure
1. Go to Reports> Advanced > Dataset.

2. Click Create New.

3. Select Application Control under Log Type.

4. Enter a name, such as "apps_type_24hrs".

5. Select Last N Hours under Time Period.

6. Enter the query:

SELECT app_type, COUNT( * ) AS totalnum

FROM $log
WHERE $filter

Copyright © 2014 Fortinet, Inc.

10
 Overview
FortiAnalyzer v5.0.8 Datasets

AND app_type IS NOT NULL

GROUP BY app_type
ORDER BY totalnum DESC

Notes:
• $filter restricts the query result to the time period specified; in this case, it’s the past 24 hours.
• $log queries all application control logs
• The application control module classifies each firewall session in app_type. One firewall session may be
classified to multiple app_types. For example, an HTTPsession can be classified to: HTTP, Facebook, etc.
• Some app/app_types may not be able to detected, then the ‘app_type’ field may be null or ‘N/A’. These will
be ignored by this query.
• The result is ordered by the total session number of the same app_type. The most frequent app_types will
appear first.

Example 2: Top 100 applications by bandwidth in the last 24 hours

GUI Procedure
1. Go to Reports> Advanced > Dataset.

2. Click Create New.

3. Select Application Control under Log Type.

4. Enter a name, such as "top_100_aps_24hrs".

5. Select Last N Hours under Time Period.

6. Enter the query:

SELECT (
TIMESTAMP - TIMESTAMP %3600
) AS hourstamp, app, service, SUM( sent + rcvd ) AS volume
FROM $log
WHERE $filter and app IS NOT NULL
GROUP BY app
ORDER BY volume DESC
LIMIT 100

Notes:
• (timestamp-timestamp%3600) as hourstamp - this calculates an "hourstamp" to indicate bandwidth per
hour.
• SUM( sent + rcvd ) AS volume - this calculates the total sent and received bytes.
• ORDER BY volume DESC - this orders the results by descending volume (largest volume first).
• LIMIT 100 - this lists only the top 100 applications.

Copyright © 2014 Fortinet, Inc.

11
All Rights Reserved
Overview
FortiAnalyzer v5.0.8 Datasets

Copyright © 2014 Fortinet, Inc.

12
 Overview
FortiAnalyzer v5.0.8 Datasets

Log Database Tables

The FortiAnalyzer and FortiGate units create SQL database tables to record log data. These tables are generated
for high log rate and low log rate devices.

The naming convention for the log SQL tables is:

High log rate:

<devtype>]-ADOM[<admon_oid><log-type>-timestamp]

and

Low log rate:

<devtype>ADOM<adom_oid>-ALLELSE-<log-type>-<timestamp>-<delta-timestamp>

where the device type can be any one of the following:

Example:
FGTADOM141-tlog-0, FGTADOM141-ALLELSE-tlog-0-0

<devtype> : "FGT/FMG/FML/FCT/FWB/FCH/FAZ/SYS/..."

{"FGT", "FortiGate"},
{"FMG", "FortiManager"},
{"SYS", "Syslog"},
{"FCT", "FortiClient"},
{"FML", "FortiMail"},
{"FWB", "FortiWeb"},
{"FCH", "FortiCache"},
{"FAZ", "FortiAnalyzer"},
{"FSA", "FortiSandbox"},
Log Types and SQL Tables
SQL
Log Type Table Description
Type
Traffic tlog The traffic log records all traffic to and through the FortiGate interface.
The event log records management and activity events. For example, when an administrator
Event elog
logs in or logs out of the web-based manager.
Antivirus vlog The antivirus log records virus incidents in Web, FTP, and email traffic.
The web filter log records HTTP FortiGate log rating errors including web content blocking
Webfilter wlog
actions that the FortiGate unit performs.
Attack attack_log The attack log records attacks that are detected and prevented by the FortiGate unit.
The Data Leak Prevention log records log data that is considered sensitive and that should
Data Leak
dlog not be made public. This log also records data that a company does not want entering their
Prevention
network.
The application control log records data detected by the FortiGate unit and the action taken
Application
rlog against the network traffic depending on the application that is generating the traffic, for
Control
example, instant messaging software, such as MSN Messenger.

Copyright © 2014 Fortinet, Inc.

13
All Rights Reserved
Overview
FortiAnalyzer v5.0.8 Datasets

SQL
Log Type Table Description
Type
spamfilter_ The spam filter log records blocking of email address patterns and content in SMTP, IMAP,
Spamfilter
log and POP3 traffic.
Content clog The content log records all network content that is transmitted through the network.
Netscan nlog The netscan log records data related to network security and scan.
Sniffer xlog The sniffer log records each packet raw data for traffic bottlenecks.
VOIP plog The VOIP log records detailed protocol specific logs for VOIP traffic.

To view all the tables created in a database, use the following commands:

• local (PostgreSQL) database: SELECT * FROM pg_tables

• remote (MySQL): SHOW TABLES
FortiAnalyzer and FortiGate logs also include log sub-types, which are types of log messages that are within the main log
type. For example, in the event log type there are the subtype admin log messages.
For more information on FortiGate Log Types and Messages, refer to the FortiOS/FortiGate Log Message Reference Guide
on the Fortinet Documentation Library at: docs.fortinet.com.
Log Type Sub Type
• allowed – Policy allowed traffic
traffic (Traffic Log) • violation - Policy violation traffic
• other
For FortiGate devices:
• system – System activity event
• ipsec – IPSec negotiation event
• dhcp – DHCP service event
• ppp – L2TP/PPTP/PPPoE service event
• admin – admin event
• ha – HA activity event
• auth – Firewall authentication event
event (Event Log) • pattern – Pattern update event
• alertemail – Alert email notifications
• chassis – FortiGate-4000 and FortiGate-5000 series chassis event
• sslvpn-user – SSL VPN user event
• sslvpn-admin – SSL VPN administration event
• sslvpn-session – SSL VPN session event
• his-performance – performance statistics
• vipssl – VIP SSL events
• ldb-monitor – LDB monitor events
dlp (Data Leak Prevention) • dlp – Data Leak Prevention
app-crtl (Application Control Log) • app-crtl-all – All application control
• infected – Virus infected
virus (Antivirus Log) • filename – Filename blocked
• oversize – File oversized
• content – content block
• urlfilter – URL filter
• FortiGuard block
• FortiGuard allowed
webfilter (Web Filter Log)
• FortiGuard error
• ActiveX script filter
• Cookie script filter
• Applet script filter

Copyright © 2014 Fortinet, Inc.

14
 Overview
FortiAnalyzer v5.0.8 Datasets

Log Type Sub Type

• signature – Attack signature
ips (Attack Log)
• anomaly – Attack anomaly
• SMTP
email filter (Spam Filter Log) • POP3
• IMAP

Copyright © 2014 Fortinet, Inc.

15
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset Reference List

The following table lists the available predefined data sets applicable to a FortiGate device reported by FortiAnalyzer.

For documentation and technical support reference purposes, this table contains the dataset names, SQL query syntax for
each dataset, and the log category of the dataset.

Dataset
Description Log Category Query Syntax
Name
SELECT appcat,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
FROM $log
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND nullifna(appcat) IS NOT NULL
GROUP BY appcat
Application ORDER BY bandwidth DESC
App-Risk- SELECT app_group_name(app) AS app_group,
risk applic-
App-Usage- Traffic appcat,
ation usage
By-Category sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth,
by category count(*) AS num_session
FROM $log
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND nullifna(app) IS NOT NULL
GROUP BY app_group,
appcat
ORDER BY bandwidth DESC
SELECT app_group_name(app) AS app_group,
appcat,
sum(coalesce(sentbyte, 0)+COALESCE (rcvdbyte, 0)) AS band-
width,
count(*) AS num_session
App-Risk- Application FROM $log
WHERE $filter
Application- risk applic- Traffic
AND logid_to_int(logid) NOT IN (4,
Activity-APP ation activity
7,
14)
AND nullifna(app) IS NOT NULL
GROUP BY app_group,
appcat
ORDER BY bandwidth DESC
SELECT app_group_name(app) AS app_group,
service,
Application count(*) AS sessions,
App-Risk-
risk applic- sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
Applications-
ations run- Traffic FROM $log
Running-
ning over WHERE $filter
Over-HTTP AND logid_to_int(logid) NOT IN (4,
HTTP
7,
14)

Copyright © 2014 Fortinet, Inc.

16
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
AND nullifna(app) IS NOT NULL
AND service IN ('80/tcp',
'443/tcp',
'HTTP',
'HTTPS',
'http',
'https')
GROUP BY app_group,
service HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte,
0))>0
ORDER BY bandwidth DESC
SELECT d_behavior,
count(*) AS number
FROM $log t1
App-Risk- Application INNER JOIN app_mdata t2 ON t1.appid=t2.id
WHERE $filter
Breakdown- risk break-
Traffic AND logid_to_int(logid) NOT IN (4,
Of-Risk-Applic- down of risk
7,
ations applications 14)
AND d_risk>0
GROUP BY d_behavior
ORDER BY number DESC
SELECT utmsubtype,
sum(number) AS number
FROM (###
(SELECT utmsubtype,
count(*) AS number
FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
App-Risk- Application AND utmevent='dlp'
AND utmsubtype IS NOT NULL
DLP-UTM- risk DLP Traffic
GROUP BY utmsubtype
Event UTM event ORDER BY number DESC)###
UNION ALL ###
(SELECT subtype AS utmsubtype,
count(*) AS number
FROM $log-dlp
WHERE $filter
AND subtype IS NOT NULL
GROUP BY subtype
ORDER BY number DESC)###) t
GROUP BY utmsubtype
ORDER BY number DESC
SELECT d_risk,
d_behavior,
t2.id,
t2.name,
App-Risk- Application t2.app_cat,
t2.technology,
High-Risk- risk high risk Traffic
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth,
Application application count(*) AS sessions
FROM $log t1
INNER JOIN app_mdata t2 ON t1.appid=t2.id
WHERE $filter
AND logid_to_int(logid) NOT IN (4,

Copyright © 2014 Fortinet, Inc.

17
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
7,
14)
AND d_behavior IS NOT NULL
GROUP BY t2.id
ORDER BY d_risk DESC,
sessions DESC
SELECT d_risk,
coalesce(d_behavior, 'Other Applications') AS f_behavior,
count(*) AS number
App-Risk- Application FROM $log t1
Number-Of- risk number INNER JOIN app_mdata t2 ON t1.appid=t2.id
WHERE $filter
Applications- of applic- Traffic
AND logid_to_int(logid) NOT IN (4,
By-Risk-Beha- ations by risk 7,
vior behavior 14)
GROUP BY d_risk,
d_behavior
ORDER BY d_risk DESC, number DESC
SELECT devtype,
coalesce(nullifna(`srcname`),nullifna(`srcmac`), ipstr(`srcip`)) AS
dev_src,
sum(crscore%65536) AS scores
Application FROM $log
App-Risk-
risk repu- WHERE $filter
Reputation-
tation top Traffic AND logid_to_int(logid) NOT IN (4,
Top-Devices-
devices by 7,
By-Scores 14)
scores
AND crscore IS NOT NULL
GROUP BY devtype,
dev_src HAVING sum(crscore%65536)>0
ORDER BY scores DESC
SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
AS user_src,
sum(crscore%65536) AS scores
Application FROM $log
App-Risk-
risk repu- WHERE $filter
Reputation-
tation top Traffic AND logid_to_int(logid) NOT IN (4,
Top-Users-By-
users by 7,
Scores 14)
scores
AND crscore IS NOT NULL
GROUP BY user_src HAVING sum(crscore%65536)>0
ORDER BY scores DESC
SELECT attack,
severity,
REF,
count(*) AS totalnum
App-Risk-Top- Application FROM $log
Critical- risk top crit- WHERE $filter
attack
Threat-Vect- ical threat AND severity='critical'
ors vectors AND nullifna(attack) IS NOT NULL
GROUP BY attack,
severity,
REF
ORDER BY totalnum DESC
App-Risk-Top- Application SELECT attack,
High-Threat- risk top high attack severity,
Vectors threat vectors REF,

Copyright © 2014 Fortinet, Inc.

18
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
count(*) AS totalnum
FROM $log
WHERE $filter
AND severity='high'
AND nullifna(attack) IS NOT NULL
GROUP BY attack,
severity,
REF
ORDER BY totalnum DESC
SELECT attack,
severity,
REF,
count(*) AS totalnum
App-Risk-Top- Application FROM $log
WHERE $filter
Info-Threat- risk top info attack
AND severity='info'
Vectors threat vectors AND nullifna(attack) IS NOT NULL
GROUP BY attack,
severity,
REF
ORDER BY totalnum DESC
SELECT attack,
severity,
REF,
count(*) AS totalnum
App-Risk-Top- Application FROM $log
WHERE $filter
Low-Threat- risk top low attack
AND severity='low'
Vectors threat vectors AND nullifna(attack) IS NOT NULL
GROUP BY attack,
severity,
REF
ORDER BY totalnum DESC
SELECT attack,
severity,
REF,
count(*) AS totalnum
App-Risk-Top- Application FROM $log
Medium- risk top WHERE $filter
attack
Threat-Vect- medium AND severity='medium'
ors threat vectors AND nullifna(attack) IS NOT NULL
GROUP BY attack,
severity,
REF
ORDER BY totalnum DESC
SELECT severity,
App-Risk-Top- Application count(*) AS totalnum
FROM $log
Threat-Vect- risk top threat attack
WHERE $filter
ors vectors GROUP BY severity
ORDER BY totalnum DESC

Application SELECT srcip,

coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) AS
App-Risk-Top- risk top user
user_src,
User-Source- source by Traffic
count(*) AS sessions
By-Sessions session
FROM $log
count WHERE $filter

Copyright © 2014 Fortinet, Inc.

19
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND srcip IS NOT NULL
GROUP BY srcip,
user_src
ORDER BY sessions DESC
SELECT dom,
sum(totalnum) AS totalnum
FROM (###
(SELECT $DAY_OF_MONTH AS dom,
count(*) AS totalnum
FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IS NOT NULL
App-Risk- Application AND virus IS NOT NULL
GROUP BY dom
Virus-Dis- risk virus dis- Traffic
ORDER BY totalnum DESC)###
covered covered UNION ALL ###
(SELECT $DAY_OF_MONTH AS dom,
count(*) AS totalnum
FROM $log-virus
WHERE $filter
AND nullifna(virus) IS NOT NULL
AND (eventtype IS NULL
OR logver = 52)
GROUP BY dom
ORDER BY totalnum DESC)###) t
GROUP BY dom
ORDER BY totalnum DESC
SELECT vuln,
vulncat,
severity,
Application count(*) AS totalnum
App-Risk-Vul- FROM $log
risk vul-
nerability-Dis- netscan WHERE $filter
nerability dis-
covered AND vuln IS NOT NULL
covered GROUP BY vuln,
vulncat,
severity
ORDER BY totalnum DESC
SELECT DOMAIN,
catdesc,
sum(visits) AS visits
FROM (###
Application (SELECT coalesce(nullifna(hostname), ipstr(`dstip`)) AS DOMAIN,
App-Risk-
risk web catdesc,
Web-Brows-
browsing count(*) AS visits
ing-Activity- Traffic
activity host- FROM $log-traffic
Hostname-Cat- WHERE $filter
name cat-
egory AND logid_to_int(logid) NOT IN (4,
egory
7,
14)
AND utmevent IN ('webfilter',
'banned-word',

Copyright © 2014 Fortinet, Inc.

20
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
'web-content',
'command-block',
'script-filter')
AND catdesc IS NOT NULL
AND catdesc !='Unrated'
GROUP BY DOMAIN,
catdesc
ORDER BY visits DESC)###
UNION ALL ###
(SELECT coalesce(nullifna(hostname), ipstr(`dstip`)) AS DOMAIN,
catdesc,
count(*) AS visits
FROM $log-webfilter
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)
AND catdesc IS NOT NULL
AND catdesc !='Unrated'
GROUP BY DOMAIN,
catdesc
ORDER BY visits DESC)###) t
GROUP BY DOMAIN,
catdesc
ORDER BY visits DESC
SELECT catdesc,
sum(num_sess) AS num_sess,
sum(bandwidth) AS bandwidth
FROM (###
(SELECT catdesc,
count(*) AS num_sess,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS
bandwidth
FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IN ('webfilter',
'banned-word',
Application 'web-content',
App-Risk-
risk web 'command-block',
Web-Brows-
browsing Traffic 'script-filter')
ing-Summary-
summary cat- AND catdesc IS NOT NULL
Category AND catdesc !='Unrated'
egory
GROUP BY catdesc
ORDER BY num_sess DESC)###
UNION ALL ###
(SELECT catdesc,
count(*) AS num_sess,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS
bandwidth
FROM $log-webfilter
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)
AND catdesc IS NOT NULL
AND catdesc !='Unrated'
GROUP BY catdesc
ORDER BY num_sess DESC)###) t

Copyright © 2014 Fortinet, Inc.

21
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
GROUP BY catdesc
ORDER BY num_sess DESC
SELECT appcat,
count(*) AS sessions
FROM $log
App-Ses- Application WHERE $filter
AND logid_to_int(logid) NOT IN (4,
sions-By-Cat- sessions by Traffic
7,
egory category 14)
AND nullifna(appcat) IS NOT NULL
GROUP BY appcat
ORDER BY sessions DESC
SELECT FROM_itime(itime) AS TIMESTAMP,
coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) AS
user_src,
appcat,
app,
coalesce(root_domain(hostname), ipstr(dstip)) AS destination,
sum(coalesce(`sentbyte`, 0)+coalesce(`rcvdbyte`, 0)) AS band-
width
FROM $log
app-Top- Top allowed WHERE $filter
Allowed- applications AND logid_to_int(logid) NOT IN (4,
Traffic
Applications- by bandwidth 7,
by-Bandwidth usage 14)
AND action IN ('accept',
'close',
'timeout')
GROUP BY TIMESTAMP,
user_src,
appcat,
app,
destination
ORDER BY bandwidth DESC
SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
AS user_src,
appcat,
app,
count(*) AS sessions
FROM $log
WHERE $filter
app-Top- AND logid_to_int(logid) NOT IN (4,
Top blocked
Blocked- 7,
applications Traffic
Applications- 14)
by session
by-Session AND action IN ('deny',
'blocked',
'reset',
'dropped')
GROUP BY user_src,
appcat,
app
ORDER BY sessions DESC
Top category SELECT appcat,
app-Top-Cat-
and applic- app,
egory-and-
ations by Traffic sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
Applications-
bandwidth FROM $log
by-Bandwidth WHERE $filter
usage

Copyright © 2014 Fortinet, Inc.

22
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
AND logid_to_int(logid) NOT IN (4,
7,
14)
GROUP BY appcat,
app HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0
ORDER BY bandwidth DESC
SELECT appcat,
app,
count(*) AS sessions
app-Top-Cat- Top category FROM $log
WHERE $filter
egory-and- and applic-
Traffic AND logid_to_int(logid) NOT IN (4,
Applications- ations by ses-
7,
by-Session sion 14)
GROUP BY appcat,
app
ORDER BY sessions DESC
SELECT srcname AS caller,
count(*) AS totalnum
FROM $log
appctrl-Top- Appctrl top WHERE $filter
AND lower(appcat)='voip'
Blocked- blocked app-ctrl
AND app='sccp'
SCCP-Callers SCCP callers AND action='block'
AND srcname IS NOT NULL
GROUP BY caller
ORDER BY totalnum DESC
SELECT srcname AS caller,
count(*) AS totalnum
FROM $log
appctrl-Top- Appctrl top WHERE $filter
AND srcname IS NOT NULL
Blocked-SIP- blocked SIP app-ctrl
AND lower(appcat)='voip'
Callers callers AND app='sip'
AND action='block'
GROUP BY caller
ORDER BY totalnum DESC
SELECT $flex_timescale AS hodex,
count(*) AS counter
FROM $log
Application- Application WHERE $filter
Session-His- session his- Traffic AND logid_to_int(logid) NOT IN (4,
tory tory 7,
14)
GROUP BY hodex
ORDER BY hodex
SELECT coalesce(nullifna(root_domain(hostname)), ipstr(`dstip`)) AS
DOMAIN,
Bandwidth sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth,
bandwidth- sum(coalesce(rcvdbyte, 0)) AS traffic_in,
application
app-Top-Dest- sum(coalesce(sentbyte, 0)) AS traffic_out,
top dest by
By-Band- Traffic count(*) AS sessions
bandwidth
width-Ses- FROM $log
usage ses- WHERE $filter
sions
sions AND logid_to_int(logid) NOT IN (4,
7,
14)

Copyright © 2014 Fortinet, Inc.

23
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
GROUP BY appid,
DOMAIN HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte,
0))>0
ORDER BY bandwidth DESC
SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
AS user_src,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth,
sum(coalesce(rcvdbyte, 0)) AS traffic_in,
Bandwidth sum(coalesce(sentbyte, 0)) AS traffic_out,
bandwidth- count(*) AS sessions
application
app-Top- FROM $log
top users by Traffic
Users-By- WHERE $filter
bandwidth AND logid_to_int(logid) NOT IN (4,
Bandwidth
usage 7,
14)
GROUP BY user_src HAVING sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0))>0
ORDER BY bandwidth DESC
SELECT hodex,
count(distinct(user_src)) AS total_user
FROM ###
(SELECT $flex_timescale AS hodex,
coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr
Bandwidth (`srcip`)) AS user_src
bandwidth- FROM $log
application
app-Traffic- WHERE $filter
traffic by act- Traffic
By-Active- AND logid_to_int(logid) NOT IN (4,
ive user num-
User-Number 7,
ber 14)
GROUP BY hodex,
user_src
ORDER BY hodex)### t
GROUP BY hodex
ORDER BY hodex
DROP TABLE IF EXISTS stats_temp;

CREATE
TEMPORARY TABLE stats_temp(total_sessions varchar(255), total_
bandwidth varchar(255), ave_session varchar(255), ave_bandwidth
varchar(255), active_date varchar(255), total_users varchar(255),
total_app varchar(255), total_dest varchar(255));

INSERT INTO stats_temp (total_sessions, total_bandwidth, ave_ses-

Bandwidth sion, ave_bandwidth)
bandwidth- SELECT format_numeric_no_decimal(sum(sessions)) AS total_ses-
application
app-Traffic- Traffic sions,
traffic stat-
Statistics bandwidth_unit(sum(bandwidth)) AS total_bandwidth,
istics
format_numeric_no_decimal(cast(sum(sessions)/$days_num AS
decimal(18, 0))) AS ave_session,
bandwidth_unit(cast(sum(bandwidth)/$days_num AS decimal(18,
0))) AS ave_bandwidth
FROM ###
(SELECT count(*) AS sessions,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS
bandwidth
FROM $log
WHERE $filter

Copyright © 2014 Fortinet, Inc.

24
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
AND ${LOCAL_EXCLUSIVE})### t;

UPDATE stats_temp
SET active_date=t1.dom
FROM
(SELECT dom,
sum(sessions) AS sessions
FROM ###
(SELECT $DAY_OF_MONTH AS dom,
count(*) AS sessions
FROM $log
WHERE $filter
AND ${LOCAL_EXCLUSIVE}
GROUP BY dom
ORDER BY sessions)### t
GROUP BY dom
ORDER BY sessions DESC LIMIT 1) AS t1;

UPDATE stats_temp
SET total_users=t2.totalnum
FROM
(SELECT format_numeric_no_decimal(count(distinct(user_src))) AS
totalnum
FROM ###
(SELECT distinct(coalesce(nullifna(`user`), nullifna(`unauthuser`),
ipstr(`srcip`))) AS user_src
FROM $log
WHERE $filter
AND ${LOCAL_EXCLUSIVE})### t) AS t2;

UPDATE stats_temp
SET total_app=t3.totalnum
FROM
(SELECT format_numeric_no_decimal(count(distinct(app_group_
name(app)))) AS totalnum
FROM ###
(SELECT distinct(app_group_name(app)) AS app
FROM $log
WHERE $filter
AND ${LOCAL_EXCLUSIVE})### t) AS t3;

UPDATE stats_temp
SET total_dest=t4.totalnum
FROM
(SELECT format_numeric_no_decimal(count(distinct(dstip))) AS total-
num
FROM ###
(SELECT distinct(dstip) AS dstip
FROM $log
WHERE $filter
AND ${LOCAL_EXCLUSIVE})### t) AS t4;

SELECT 'Total Sessions' AS summary,

total_sessions AS stats
FROM stats_temp
UNION ALL
SELECT 'Total Bytes Transferred' AS summary,
total_bandwidth AS stats
FROM stats_temp

Copyright © 2014 Fortinet, Inc.

25
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
UNION ALL
SELECT 'Most Active Date By Sessions' AS summary,
active_date AS stats
FROM stats_temp
UNION ALL
SELECT 'Total Users' AS summary,
total_users AS stats
FROM stats_temp
UNION ALL
SELECT 'Total Applications' AS summary,
total_app AS stats
FROM stats_temp
UNION ALL
SELECT 'Total Destinations' AS summary,
total_dest AS stats
FROM stats_temp
UNION ALL
SELECT 'Average Sessions Per Day' AS summary,
ave_session AS stats
FROM stats_temp
UNION ALL
SELECT 'Average Bytes Per Day' AS summary,
ave_bandwidth AS stats
FROM stats_temp
SELECT app,
coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) AS
user_src,
count(*) AS events
FROM $log
WHERE $filter
Botnet-Activ- Botnet activ- AND logid_to_int(logid) NOT IN (4,
Traffic
ity-By-Sources ity by sources 7,
14)
AND appcat='Botnet'
AND nullifna(app) IS NOT NULL
GROUP BY app,
user_src
ORDER BY events DESC
SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
AS user_src,
devtype,
coalesce(srcname, srcmac) AS host_mac,
count(*) AS events
FROM $log
Botnet-Infec- Botnet infec- WHERE $filter
Traffic AND logid_to_int(logid) NOT IN (4,
ted-Hosts ted hosts
7,
14)
AND appcat='Botnet'
GROUP BY user_src,
devtype,
host_mac
ORDER BY events DESC

SELECT dstip,
Botnet- Botnet
Traffic root_domain(hostname) AS DOMAIN,
Sources sources
count(*) AS events
FROM $log

Copyright © 2014 Fortinet, Inc.

26
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND appcat='Botnet'
AND dstip IS NOT NULL
GROUP BY dstip,
DOMAIN
ORDER BY events DESC
SELECT $flex_timescale AS hodex,
count(*) AS events
FROM $log
WHERE $filter
Botnet- Botnet AND logid_to_int(logid) NOT IN (4,
Traffic
Timeline timeline 7,
14)
AND appcat='Botnet'
GROUP BY hodex
ORDER BY hodex DESC
SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
AS user_src,
count(*) AS events
FROM $log
WHERE $filter
Botnet vic- AND logid_to_int(logid) NOT IN (4,
Botnet-Victims Traffic
tims 7,
14)
AND appcat='Botnet'
AND srcip IS NOT NULL
GROUP BY user_src
ORDER BY events DESC
SELECT $hour_of_day AS hourstamp,
content- Content count(*) AS totalnum
Count-Total- count total FROM $log
SCCP-Call- SCCP call WHERE $filter
content
Registrations- registrations AND proto='sccp'
by-Hour-of- by hour of AND kind='register'
Day day GROUP BY hourstamp
ORDER BY hourstamp
SELECT $hour_of_day AS hourstamp,
sum(duration) AS sccp_usage
content- Content FROM $log
Count-Total- count total WHERE $filter
SCCP-Calls- SCCP calls content AND proto='sccp'
Duration-by- duration by AND kind='call-info'
Hour-of-Day hour of day AND status='end'
GROUP BY hourstamp
ORDER BY hourstamp
SELECT status,
count(*) AS totalnum
content- Content FROM $log
Count-Total- count total WHERE $filter
content
SCCP-Calls- SCCP calls AND proto='sccp'
per-Status per status AND kind='call-info'
GROUP BY status
ORDER BY totalnum DESC

Copyright © 2014 Fortinet, Inc.

27
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
SELECT $hour_of_day AS hourstamp,
content- count(*) AS totalnum
Content
Count-Total- FROM $log
count total
SIP-Call- WHERE $filter
SIP call regis- content
Registrations- AND proto='sip'
trations by AND kind='register'
by-Hour-of-
hour of day GROUP BY hourstamp
Day
ORDER BY hourstamp

SELECT status,
content- Content count(*) AS totalnum
FROM $log
Count-Total- count total
content WHERE $filter
SIP-Calls-per- SIP calls per
AND proto='sip'
Status status AND kind='call'
GROUP BY status
ORDER BY totalnum DESC
SELECT (CASE
WHEN duration < 60 THEN 'LESS_ONE_MIN'
WHEN duration < 600 THEN 'LESS_TEN_MIN'
WHEN duration < 3600 THEN 'LESS_ONE_HOUR'
WHEN duration >= 3600 THEN 'MORE_ONE_HOUR'
content-Dist- ELSE 'unknown'
Content dist END) AS f_duration,
Total-SIP-
total SIP calls content count(*) AS totalnum
Calls-by-Dur-
by duration FROM $log
ation WHERE $filter
AND proto='sip'
AND kind='call'
AND status='end'
GROUP BY f_duration
ORDER BY totalnum DESC
SELECT (CASE apstatus
WHEN 1 THEN 'rogue'
WHEN 2 THEN 'accepted'
WHEN 3 THEN 'suppressed'
ELSE 'others'
END) AS ap_full_status,
count(*) AS totalnum
FROM
(SELECT apstatus,
bssid,
Default ssid
default-AP- access point FROM ###
Detection- detection (SELECT apstatus,
event
Summary-by- summary by bssid,
Status-OffWire status off- ssid,
wire count(*) AS subtotal
FROM $log
WHERE $filter
AND apstatus IS NOT NULL
AND apstatus!=0
AND bssid IS NOT NULL
AND onwire='no'
AND logid_to_int(logid) IN (43527,
43521,
43525)
GROUP BY apstatus,

Copyright © 2014 Fortinet, Inc.

28
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
bssid,
ssid
ORDER BY subtotal DESC)### t
GROUP BY apstatus,
bssid,
ssid) t
GROUP BY ap_full_status
ORDER BY totalnum DESC
SELECT (CASE apstatus
WHEN 1 THEN 'rogue'
WHEN 2 THEN 'accepted'
WHEN 3 THEN 'suppressed'
ELSE 'others'
END) AS ap_full_status,
count(*) AS totalnum
FROM
(SELECT apstatus,
bssid,
ssid
FROM ###
(SELECT apstatus,
bssid,
Default ssid,
default-AP- access point count(*) AS subtotal
Detection- detection FROM $log
event
Summary-by- summary by WHERE $filter
Status-OnWire status on- AND apstatus IS NOT NULL
wire AND apstatus!=0
AND bssid IS NOT NULL
AND onwire='yes'
AND logid_to_int(logid) IN (43527,
43521,
43525)
GROUP BY apstatus,
bssid,
ssid
ORDER BY subtotal DESC)### t
GROUP BY apstatus,
bssid,
ssid) t
GROUP BY ap_full_status
ORDER BY totalnum DESC
SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
AS user_src,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
FROM $log
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
default-Email- Default email 7,
Top-Receiv- top receivers 14)
Traffic
ers-By-Band- by bandwidth AND service IN ('pop3',
width usage 'POP3',
'110/tcp',
'imap',
'IMAP',
'143/tcp',
'imaps',
'IMAPS',

Copyright © 2014 Fortinet, Inc.

29
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
'993/tcp',
'pop3s',
'POP3S',
'995/tcp')
GROUP BY user_src HAVING sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0))>0
ORDER BY bandwidth DESC
SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
AS user_src,
count(*) AS requests
FROM $log
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND service IN ('pop3',
default-Email- Default email 'POP3',
'110/tcp',
Top-Receiv- top receivers Traffic
'imap',
ers-By-Count by count
'IMAP',
'143/tcp',
'imaps',
'IMAPS',
'993/tcp',
'pop3s',
'POP3S',
'995/tcp')
GROUP BY user_src
ORDER BY requests DESC
SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
AS user_src,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
FROM $log
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
Default email 14)
default-Email-
top senders AND service IN ('smtp',
Top-Senders- Traffic
by bandwidth 'SMTP',
By-Bandwidth '25/tcp',
usage
'587/tcp',
'smtps',
'SMTPS',
'465/tcp')
GROUP BY user_src HAVING sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0))>0
ORDER BY bandwidth DESC
SELECT (CASE
WHEN (action LIKE '%join%'
AND logid_to_int(logid)=43522) THEN 'Authorized'
Default man- ELSE 'Unauthorized'
default-Man- END) AS ap_status,
aged access
aged-AP-Sum- event count(*) AS totalnum
point sum-
mary FROM $log
mary WHERE $filter
AND logid_to_int(logid)=43522
GROUP BY ap_status
ORDER BY totalnum DESC

Copyright © 2014 Fortinet, Inc.

30
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
SELECT (CASE apstatus
WHEN 0 THEN 'unclassified'
WHEN 1 THEN 'rogue'
WHEN 2 THEN 'accepted'
WHEN 3 THEN 'suppressed'
ELSE 'others'
END) AS ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
rssi,
channel,
radioband,
FROM_dtime(min(dtime)) AS first_seen,
FROM_dtime(max(dtime)) AS last_seen,
Default detectionmethod,
default-
SELECTed itime,
SELECTed-
access point event onwire AS on_wire
AP-Details-
details off- FROM $log
OffWire WHERE $filter
wire
AND apstatus IS NOT NULL
AND bssid IS NOT NULL
AND onwire='no'
AND logid_to_int(logid)=43521
GROUP BY ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
rssi,
channel,
radioband,
detectionmethod,
itime,
onwire,
apstatus
SELECT (CASE apstatus
WHEN 0 THEN 'unclassified'
WHEN 1 THEN 'rogue'
WHEN 2 THEN 'accepted'
WHEN 3 THEN 'suppressed'
ELSE 'others'
END) AS ap_full_status,
Default devid,
default- vd,
SELECTed
SELECTed- ssid,
access point event
AP-Details- bssid,
details on- manuf,
OnWire
wire rssi,
channel,
radioband,
FROM_dtime(min(dtime)) AS first_seen,
FROM_dtime(max(dtime)) AS last_seen,
detectionmethod,
itime,
onwire AS on_wire

Copyright © 2014 Fortinet, Inc.

31
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
FROM $log
WHERE $filter
AND apstatus IS NOT NULL
AND bssid IS NOT NULL
AND onwire='yes'
AND logid_to_int(logid)=43521
GROUP BY ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
rssi,
channel,
radioband,
detectionmethod,
itime,
onwire,
apstatus
SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
AS user_src,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
FROM $log
default-Top- Default top WHERE $filter
Dial-Up-User- dial up user AND logid_to_int(logid) NOT IN (4,
Of-Vpn-Tun- of VPN tun- Traffic 7,
nel-By-Band- nel by band- 14)
width width usage AND vpntype IN ('ipsec-dynamic',
'sslvpn')
GROUP BY user_src HAVING sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0))>0
ORDER BY bandwidth DESC
SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
AS user_src,
count(*) AS requests
FROM $log
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
default-Top- Default top 7,
Email- email 14)
Traffic AND service IN ('smtp',
Senders-By- senders by
'SMTP',
Count count '25/tcp',
'587/tcp',
'smtps',
'SMTPS',
'465/tcp')
GROUP BY user_src
ORDER BY requests DESC
SELECT user_src,
Default top sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth
default-Top- FROM ###
IPsec VPN
IPSEC-Vpn- (SELECT coalesce(nullifna(`xauthuser`), nullifna(`user`), ipstr
dial up user event
Dial-Up-User- (`remip`)) AS user_src,
by bandwidth tunnelid,
By-Bandwidth
usage min(coalesce(sentbyte, 0))
AS sent_beg,

Copyright © 2014 Fortinet, Inc.

32
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
max
(coalesce(sentbyte, 0)) AS sent_end,

min(coalesce(rcvdbyte, 0)) AS rcvd_beg,

max(coalesce(rcvdbyte, 0)) AS rcvd_end

FROM $log
WHERE $filter
AND subtype='vpn'
AND tunneltype LIKE 'ipsec%'
AND action='tunnel-stats'
AND NOT (tunnelip IS NULL
OR (tunnelip='0.0.0.0'
AND coalesce(logver, 0)!=52))
AND tunnelid IS NOT NULL
GROUP BY user_src,
tunnelid
ORDER BY tunnelid)### t
GROUP BY user_src HAVING sum(sent_end-sent_beg+rcvd_end-
rcvd_beg)>0
ORDER BY bandwidth DESC
SELECT remip AS remote_ip,
sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth
FROM ###
(SELECT remip,
tunnelid,
min(coalesce(sentbyte, 0)) AS sent_beg,
max(coalesce(sentbyte, 0)) AS sent_end,
min(coalesce(rcvdbyte, 0)) AS
rcvd_beg,
default-Top- Default top max(coalesce
Sources-Of- sources of (rcvdbyte, 0)) AS rcvd_end
FROM $log
SSL-VPN-Tun- SSL VPN tun- event
WHERE $filter
nels-By-Band- nels by band-
AND tunneltype LIKE 'ssl%'
width width usage AND remip IS NOT NULL
AND subtype='vpn'
AND action='tunnel-stats'
AND tunnelid IS NOT NULL
GROUP BY tunnelid,
remip
ORDER BY tunnelid)### t
GROUP BY remote_ip HAVING sum(sent_end-sent_beg+rcvd_end-
rcvd_beg)>0
ORDER BY bandwidth DESC
SELECT (CASE onwire
WHEN 'no' THEN 'off-wire'
WHEN 'yes' THEN 'on-wire'
ELSE 'others'
Default END) AS ap_status,
default-Unclas- count(*) AS totalnum
unclassified
sified-AP-Sum- event FROM ###
access point
mary (SELECT onwire,
summary ssid,
bssid,
count(*) AS subtotal
FROM $log
WHERE $filter

Copyright © 2014 Fortinet, Inc.

33
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
AND apstatus=0
AND bssid IS NOT NULL
AND logid_to_int(logid) IN (43521,
43525,
43527)
GROUP BY onwire,
ssid,
bssid
ORDER BY subtotal DESC)### t
GROUP BY ap_status
ORDER BY totalnum DESC
SELECT appid,
app,
appcat,
(CASE utmaction
WHEN 'blocked' THEN 'Blocked'
ELSE 'Allowed'
END) AS custaction,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth,
count(*) AS num_session
Detailed- Detailed FROM $log
Application- application Traffic WHERE $filter
Usage usage AND logid_to_int(logid) NOT IN (4,
7,
14)
AND nullifna(app) IS NOT NULL
AND policyid != 0
GROUP BY appid,
app,
appcat,
custaction
ORDER BY bandwidth DESC
SELECT app,
count(*) AS events
FROM $log
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
Detected-Bot- Detected bot-
Traffic 7,
net net
14)
AND appcat='Botnet'
AND nullifna(app) IS NOT NULL
GROUP BY app
ORDER BY events DESC
SELECT appid,
app,
sum(bandwidth) AS bandwidth
FROM ###
(SELECT appid,
app,
Drilldown top
drilldown-Top- coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) AS
applications
App-By-Band- Traffic user_src,
by bandwidth
width dstip,
usage srcintf,
dstintf,
policyid,
count(*) AS sessions,
sum(coalesce(sent-
byte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth

Copyright © 2014 Fortinet, Inc.

34
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
FROM $log
WHERE $filter-exclude-var
AND logid_to_int(logid) NOT IN (4,
7,
14)
GROUP BY appid,
app,
user_src,
dstip,
srcintf,
dstintf,
policyid
ORDER BY sessions DESC)### t
WHERE $filter-var-ONLY
AND nullifna(app) IS NOT NULL
GROUP BY appid,
app HAVING sum(bandwidth)>0
ORDER BY bandwidth DESC
SELECT appid,
app,
sum(sessions) AS sessions
FROM ###
(SELECT appid,
app,
coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) AS
user_src,
dstip,
srcintf,
dstintf,
policyid,
count(*) AS sessions,
sum(coalesce(sent-
Drilldown top byte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
drilldown-Top- FROM $log
applications
App-By-Ses- Traffic WHERE $filter-exclude-var
by session
sions AND logid_to_int(logid) NOT IN (4,
count
7,
14)
GROUP BY appid,
app,
user_src,
dstip,
srcintf,
dstintf,
policyid
ORDER BY sessions DESC)### t
WHERE $filter-var-ONLY
AND nullifna(app) IS NOT NULL
GROUP BY appid,
app
ORDER BY sessions DESC
SELECT dstip,
sum(totalnum) AS totalnum
FROM ###
drilldown-Top- Drilldown top
attack (SELECT srcip,
Attack-Dest attack dest
dstip,
count(*) AS totalnum
FROM $log

Copyright © 2014 Fortinet, Inc.

35
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
WHERE $filter-exclude-var
GROUP BY srcip,
dstip
ORDER BY totalnum DESC)### t
WHERE $filter-var-ONLY
AND dstip IS NOT NULL
GROUP BY dstip
ORDER BY totalnum DESC
SELECT FROM_itime(itime) AS TIMESTAMP,
attack,
srcip,
dstip
FROM ###
(SELECT itime,
drilldown-Top- Drilldown top attack,
attack
Attack-List attack list srcip,
dstip
FROM $log
WHERE $filter-exclude-var
ORDER BY itime DESC)### t
WHERE $filter-var-ONLY
ORDER BY itime DESC
SELECT srcip,
sum(totalnum) AS totalnum
FROM ###
(SELECT srcip,
dstip,
count(*) AS totalnum
FROM $log
drilldown-Top- Drilldown top
attack WHERE $filter-exclude-var
Attack-Source attack source
GROUP BY srcip,
dstip
ORDER BY totalnum DESC)### t
WHERE $filter-var-ONLY
AND srcip IS NOT NULL
GROUP BY srcip
ORDER BY totalnum DESC
SELECT dstip,
sum(bandwidth) AS bandwidth
FROM ###
(SELECT appid,
app,
coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) AS
user_src,
dstip,
Drilldown top srcintf,
drilldown-Top- dstintf,
destination
Destination- Traffic policyid,
by bandwidth
By-Bandwidth count(*) AS sessions,
usage sum(coalesce(sent-
byte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
FROM $log
WHERE $filter-exclude-var
AND logid_to_int(logid) NOT IN (4,
7,
14)
GROUP BY appid,
app,

Copyright © 2014 Fortinet, Inc.

36
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
user_src,
dstip,
srcintf,
dstintf,
policyid
ORDER BY sessions DESC)### t
WHERE $filter-var-ONLY
AND dstip IS NOT NULL
GROUP BY dstip HAVING sum(bandwidth)>0
ORDER BY bandwidth DESC
SELECT dstip,
sum(sessions) AS sessions
FROM ###
(SELECT appid,
app,
coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) AS
user_src,
dstip,
srcintf,
dstintf,
policyid,
count(*) AS sessions,
sum(coalesce(sent-
Drilldown top byte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
drilldown-Top- FROM $log
destination
Destination- Traffic WHERE $filter-exclude-var
by session
By-Sessions AND logid_to_int(logid) NOT IN (4,
count
7,
14)
GROUP BY appid,
app,
user_src,
dstip,
srcintf,
dstintf,
policyid
ORDER BY sessions DESC)### t
WHERE $filter-var-ONLY
AND dstip IS NOT NULL
GROUP BY dstip
ORDER BY sessions DESC
SELECT recipient,
sum(requests) AS requests
FROM (###
(SELECT recipient,
sender,
count(*) AS requests,
drilldown-Top- Drilldown top sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS
Email- email bandwidth
Traffic FROM $log
Receiver-By- receiver by
WHERE $filter-exclude-var
Count count AND logid_to_int(logid) NOT IN (4,
7,
14)
AND service IN ('pop3',
'POP3',
'110/tcp',
'imap',

Copyright © 2014 Fortinet, Inc.

37
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
'IMAP',
'143/tcp',
'imaps',
'IMAPS',
'993/tcp',
'pop3s',
'POP3S',
'995/tcp')
AND utmevent IN ('general-email-log',
'spamfilter')
GROUP BY recipient,
sender
ORDER BY requests DESC)###
UNION ALL ###
(SELECT `to` AS recipient,
`FROM` AS sender,
count(*) AS requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvd-
byte, 0)) AS bandwidth
FROM $log-emailfilter
WHERE $filter-exclude-var
AND service IN ('pop3',
'POP3',
'110/tcp',
'imap',
'IMAP',
'143/tcp',
'imaps',
'IMAPS',
'993/tcp',
'pop3s',
'POP3S',
'995/tcp')
AND eventtype IS NULL
GROUP BY `to`,
`FROM`
ORDER BY requests DESC)###) t
WHERE $filter-var-ONLY
AND recipient IS NOT NULL
GROUP BY recipient
ORDER BY requests DESC
SELECT recipient,
sum(bandwidth) AS volume
FROM (###
(SELECT recipient,
sender,
count(*) AS requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS
drilldown-Top- Drilldown top bandwidth
Email- email FROM $log
Traffic
Receiver-By- receiver by WHERE $filter-exclude-var
Volume volume AND logid_to_int(logid) NOT IN (4,
7,
14)
AND service IN ('pop3',
'POP3',
'110/tcp',
'imap',
'IMAP',

Copyright © 2014 Fortinet, Inc.

38
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
'143/tcp',
'imaps',
'IMAPS',
'993/tcp',
'pop3s',
'POP3S',
'995/tcp')
AND utmevent IN ('general-email-log',
'spamfilter')
GROUP BY recipient,
sender
ORDER BY requests DESC)###
UNION ALL ###
(SELECT `to` AS recipient,
`FROM` AS sender,
count(*) AS requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvd-
byte, 0)) AS bandwidth
FROM $log-emailfilter
WHERE $filter-exclude-var
AND service IN ('pop3',
'POP3',
'110/tcp',
'imap',
'IMAP',
'143/tcp',
'imaps',
'IMAPS',
'993/tcp',
'pop3s',
'POP3S',
'995/tcp')
AND eventtype IS NULL
GROUP BY `to`,
`FROM`
ORDER BY requests DESC)###) t
WHERE $filter-var-ONLY
AND recipient IS NOT NULL
GROUP BY recipient HAVING sum(bandwidth)>0
ORDER BY volume DESC
SELECT sender,
sum(requests) AS requests
FROM (###
(SELECT recipient,
sender,
count(*) AS requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS
drilldown-Top- bandwidth
Drilldown top
Email- FROM $log
email receive
Receive- Traffic WHERE $filter-exclude-var
sender by
Sender-By- AND logid_to_int(logid) NOT IN (4,
count 7,
Count
14)
AND service IN ('pop3',
'POP3',
'110/tcp',
'imap',
'IMAP',
'143/tcp',

Copyright © 2014 Fortinet, Inc.

39
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
'imaps',
'IMAPS',
'993/tcp',
'pop3s',
'POP3S',
'995/tcp')
AND utmevent IN ('general-email-log',
'spamfilter')
GROUP BY recipient,
sender
ORDER BY requests DESC)###
UNION ALL ###
(SELECT `to` AS recipient,
`FROM` AS sender,
count(*) AS requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvd-
byte, 0)) AS bandwidth
FROM $log-emailfilter
WHERE $filter-exclude-var
AND service IN ('pop3',
'POP3',
'110/tcp',
'imap',
'IMAP',
'143/tcp',
'imaps',
'IMAPS',
'993/tcp',
'pop3s',
'POP3S',
'995/tcp')
AND eventtype IS NULL
GROUP BY `to`,
`FROM`
ORDER BY requests DESC)###) t
WHERE $filter-var-ONLY
AND sender IS NOT NULL
GROUP BY sender
ORDER BY requests DESC
SELECT sender,
sum(bandwidth) AS volume
FROM (###
(SELECT recipient,
sender,
count(*) AS requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS
drilldown-Top- bandwidth
Drilldown top FROM $log
Email-
email receive WHERE $filter-exclude-var
Receive- Traffic
sender by AND logid_to_int(logid) NOT IN (4,
Sender-By-
volume 7,
Volume 14)
AND service IN ('pop3',
'POP3',
'110/tcp',
'imap',
'IMAP',
'143/tcp',
'imaps',

Copyright © 2014 Fortinet, Inc.

40
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
'IMAPS',
'993/tcp',
'pop3s',
'POP3S',
'995/tcp')
AND utmevent IN ('general-email-log',
'spamfilter')
GROUP BY recipient,
sender
ORDER BY requests DESC)###
UNION ALL ###
(SELECT `to` AS recipient,
`FROM` AS sender,
count(*) AS requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvd-
byte, 0)) AS bandwidth
FROM $log-emailfilter
WHERE $filter-exclude-var
AND service IN ('pop3',
'POP3',
'110/tcp',
'imap',
'IMAP',
'143/tcp',
'imaps',
'IMAPS',
'993/tcp',
'pop3s',
'POP3S',
'995/tcp')
AND eventtype IS NULL
GROUP BY `to`,
`FROM`
ORDER BY requests DESC)###) t
WHERE $filter-var-ONLY
AND sender IS NOT NULL
GROUP BY sender HAVING sum(bandwidth)>0
ORDER BY volume DESC
SELECT sender,
sum(requests) AS requests
FROM (###
(SELECT sender,
recipient,
count(*) AS requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS
bandwidth
FROM $log-traffic
drilldown-Top- Drilldown top WHERE $filter-exclude-var
Email-Sender- email sender Traffic AND logid_to_int(logid) NOT IN (4,
By-Count by count 7,
14)
AND service IN ('smtp',
'SMTP',
'25/tcp',
'587/tcp',
'smtps',
'SMTPS',
'465/tcp')
AND utmevent IN ('general-email-log',

Copyright © 2014 Fortinet, Inc.

41
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
'spamfilter')
GROUP BY sender,
recipient
ORDER BY requests DESC)###
UNION ALL ###
(SELECT `FROM` AS sender,
`to` AS recipient,
count(*) AS requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvd-
byte, 0)) AS bandwidth
FROM $log-emailfilter
WHERE $filter-exclude-var
AND service IN ('smtp',
'SMTP',
'25/tcp',
'587/tcp',
'smtps',
'SMTPS',
'465/tcp')
AND eventtype IS NULL
GROUP BY `FROM`,
`to`
ORDER BY requests DESC)###) t
WHERE $filter-var-ONLY
AND sender IS NOT NULL
GROUP BY sender
ORDER BY requests DESC
SELECT sender,
sum(bandwidth) AS volume
FROM (###
(SELECT sender,
recipient,
count(*) AS requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS
bandwidth
FROM $log-traffic
WHERE $filter-exclude-var
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND service IN ('smtp',
drilldown-Top- Drilldown top 'SMTP',
Email-Sender- email sender Traffic '25/tcp',
By-Volume by volume '587/tcp',
'smtps',
'SMTPS',
'465/tcp')
AND utmevent IN ('general-email-log',
'spamfilter')
GROUP BY sender,
recipient
ORDER BY requests DESC)###
UNION ALL ###
(SELECT `FROM` AS sender,
`to` AS recipient,
count(*) AS requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvd-
byte, 0)) AS bandwidth

Copyright © 2014 Fortinet, Inc.

42
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
FROM $log-emailfilter
WHERE $filter-exclude-var
AND service IN ('smtp',
'SMTP',
'25/tcp',
'587/tcp',
'smtps',
'SMTPS',
'465/tcp')
AND eventtype IS NULL
GROUP BY `FROM`,
`to`
ORDER BY requests DESC)###) t
WHERE $filter-var-ONLY
AND sender IS NOT NULL
GROUP BY sender HAVING sum(bandwidth)>0
ORDER BY volume DESC
SELECT recipient,
sum(requests) AS requests
FROM (###
(SELECT sender,
recipient,
count(*) AS requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS
bandwidth
FROM $log-traffic
WHERE $filter-exclude-var
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND service IN ('smtp',
'SMTP',
'25/tcp',
'587/tcp',
'smtps',
'SMTPS',
drilldown-Top- Drilldown top '465/tcp')
Email-Send- email send AND utmevent IN ('general-email-log',
Traffic
Recipient-By- recipient by 'spamfilter')
Count count GROUP BY sender,
recipient
ORDER BY requests DESC)###
UNION ALL ###
(SELECT `FROM` AS sender,
`to` AS recipient,
count(*) AS requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvd-
byte, 0)) AS bandwidth
FROM $log-emailfilter
WHERE $filter-exclude-var
AND service IN ('smtp',
'SMTP',
'25/tcp',
'587/tcp',
'smtps',
'SMTPS',
'465/tcp')
AND eventtype IS NULL
GROUP BY `FROM`,

Copyright © 2014 Fortinet, Inc.

43
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
`to`
ORDER BY requests DESC)###) t
WHERE $filter-var-ONLY
AND recipient IS NOT NULL
GROUP BY recipient
ORDER BY requests DESC
SELECT recipient,
sum(bandwidth) AS volume
FROM (###
(SELECT sender,
recipient,
count(*) AS requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS
bandwidth
FROM $log-traffic
WHERE $filter-exclude-var
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND service IN ('smtp',
'SMTP',
'25/tcp',
'587/tcp',
'smtps',
'SMTPS',
'465/tcp')
AND utmevent IN ('general-email-log',
'spamfilter')
drilldown-Top- Drilldown top GROUP BY sender,
Email-Send- email send recipient
Traffic
Recipient-By- recipient by ORDER BY requests DESC)###
Volume volume UNION ALL ###
(SELECT `FROM` AS sender,
`to` AS recipient,
count(*) AS requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvd-
byte, 0)) AS bandwidth
FROM $log-emailfilter
WHERE $filter-exclude-var
AND service IN ('smtp',
'SMTP',
'25/tcp',
'587/tcp',
'smtps',
'SMTPS',
'465/tcp')
AND eventtype IS NULL
GROUP BY `FROM`,
`to`
ORDER BY requests DESC)###) t
WHERE $filter-var-ONLY
AND recipient IS NOT NULL
GROUP BY recipient HAVING sum(bandwidth)>0
ORDER BY volume DESC

drilldown-Top- Drilldown top SELECT user_src,

sum(bandwidth) AS bandwidth
User-By-Band- user by band- Traffic
FROM ###
width width usage (SELECT appid,

Copyright © 2014 Fortinet, Inc.

44
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
app,
coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) AS
user_src,
dstip,
srcintf,
dstintf,
policyid,
count(*) AS sessions,
sum(coalesce(sent-
byte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
FROM $log
WHERE $filter-exclude-var
AND logid_to_int(logid) NOT IN (4,
7,
14)
GROUP BY appid,
app,
user_src,
dstip,
srcintf,
dstintf,
policyid
ORDER BY sessions DESC)### t
WHERE $filter-var-ONLY
AND user_src IS NOT NULL
GROUP BY user_src HAVING sum(bandwidth)>0
ORDER BY bandwidth DESC
SELECT user_src,
sum(sessions) AS sessions
FROM ###
(SELECT appid,
app,
coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) AS
user_src,
dstip,
srcintf,
dstintf,
policyid,
count(*) AS sessions,
sum(coalesce(sent-
byte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
drilldown-Top- Drilldown top FROM $log
User-By-Ses- user by ses- Traffic WHERE $filter-exclude-var
sions sion count AND logid_to_int(logid) NOT IN (4,
7,
14)
GROUP BY appid,
app,
user_src,
dstip,
srcintf,
dstintf,
policyid
ORDER BY sessions DESC)### t
WHERE $filter-var-ONLY
AND user_src IS NOT NULL
GROUP BY user_src
ORDER BY sessions DESC

Copyright © 2014 Fortinet, Inc.

45
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
SELECT hostname,
sum(requests) AS visits
FROM (###
(SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
cip`)) AS user_src,
hostname,
count(*) AS requests
FROM $log-traffic
WHERE $filter-exclude-var
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IN ('webfilter',
'banned-word',
'web-content',
'command-block',
drilldown-Top- Drilldown top 'script-filter')
AND hostname IS NOT NULL
Website-By- website by Traffic
GROUP BY user_src,
Request request
hostname
ORDER BY requests DESC)###
UNION ALL ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
hostname,
count(*) AS requests
FROM $log-webfilter
WHERE $filter-exclude-var
AND eventtype IS NULL
AND hostname IS NOT NULL
GROUP BY user_src,
hostname
ORDER BY requests DESC)###) t
WHERE $filter-var-ONLY
AND hostname IS NOT NULL
GROUP BY hostname
ORDER BY visits DESC
SELECT user_src,
sum(requests) AS visits
FROM (###
(SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
cip`)) AS user_src,
hostname,
count(*) AS requests
FROM $log-traffic
WHERE $filter-exclude-var
AND logid_to_int(logid) NOT IN (4,
drilldown-Top- Drilldown top 7,
Web-User-By- web user by Traffic 14)
Visit visit AND utmevent IN ('webfilter',
'banned-word',
'web-content',
'command-block',
'script-filter')
AND hostname IS NOT NULL
GROUP BY user_src,
hostname
ORDER BY requests DESC)###
UNION ALL ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,

Copyright © 2014 Fortinet, Inc.

46
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
hostname,
count(*) AS requests
FROM $log-webfilter
WHERE $filter-exclude-var
AND eventtype IS NULL
AND hostname IS NOT NULL
GROUP BY user_src,
hostname
ORDER BY requests DESC)###) t
WHERE $filter-var-ONLY
AND user_src IS NOT NULL
GROUP BY user_src
ORDER BY visits DESC
SELECT FROM_itime(itime) AS TIMESTAMP,
virus,
user_src,
dstip,
hostname,
recipient
FROM (###
(SELECT itime,
virus,
coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
AS user_src,
dstip,
hostname,
recipient
FROM $log-traffic
WHERE $filter-exclude-var
AND logid_to_int(logid) NOT IN (4,
7,
drilldown- Drilldown 14)
Traffic
Virus-Detail virus detail AND utmevent IS NOT NULL
AND virus IS NOT NULL
ORDER BY itime DESC)###
UNION ALL ###
(SELECT itime,
virus,
coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
dstip,
cast(' ' AS char) AS hostname,
cast(' ' AS char) AS recip-
ient
FROM $log-virus
WHERE $filter-exclude-var
AND (eventtype IS NULL
OR logver = 52)
AND nullifna(virus) IS NOT NULL
ORDER BY itime DESC)###) t
WHERE $filter-var-ONLY
ORDER BY itime DESC
SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
AS user_src,
Estimated- Estimated sum($browse_time) AS browsetime
Browsing- browsing Traffic FROM $log
Time time WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,

Copyright © 2014 Fortinet, Inc.

47
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
14)
GROUP BY user_src HAVING sum($browse_time)>0
ORDER BY browsetime DESC
SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
AS user_src,
sum($browse_time2) AS browsetime
Estimated- Estimated FROM $log
Browsing- browsing WHERE $filter
Traffic
Time- time AND logid_to_int(logid) NOT IN (4,
Enhanced enhanced 7,
14)
GROUP BY user_src HAVING sum($browse_time2)>0
ORDER BY browsetime DESC
SELECT `user` AS f_user,
ui,
count(status) AS total_failed
event-Admin- Event admin FROM $log
WHERE $filter
Failed-Login- failed login event
AND nullifna(`user`) IS NOT NULL
Summary summary AND logid_to_int(logid) = 32002
GROUP BY ui,
f_user
ORDER BY total_failed DESC
SELECT `user` AS f_user,
ui,
sum(CASE WHEN logid_to_int(logid)=32001 THEN 1 ELSE 0
END) AS total_num,
sum(CASE WHEN logid_to_int(logid)=32003 THEN duration ELSE
0 END) AS total_duration,
event-Admin- Event admin count(STATE) AS total_change
FROM $log
Login-Sum- login sum- event
WHERE $filter
mary mary
AND nullifna(`user`) IS NOT NULL
AND logid_to_int(logid) IN (32001,
32003)
GROUP BY f_user ,
ui HAVING sum(CASE WHEN logid_to_int(logid)=32001 THEN 1
ELSE 0 END)>0
ORDER BY total_num DESC
SELECT $flex_timescale AS dom,
sum(CASE WHEN logid_to_int(logid)=32001 THEN 1 ELSE 0
END) AS total_num,
count(STATE) AS total_change
event-Admin- Event admin FROM $log
WHERE $filter
Login-Sum- login sum- event
AND nullifna(`user`) IS NOT NULL
mary-By-Date mary by date AND logid_to_int(logid) IN (32001,
32003)
GROUP BY dom HAVING sum(CASE WHEN logid_to_int(logid)
=32001 THEN 1 ELSE 0 END)>0
ORDER BY dom
SELECT msg_desc AS msg,
event-System- Event system severity,
Critical-Sever- critical sever- event sum(COUNT) AS counts
ity-Events ity events FROM ###
(SELECT coalesce(nullifna(logdesc), msg) AS msg_desc, (CASE

Copyright © 2014 Fortinet, Inc.

48
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
WHEN LEVEL IN ('critical',
'alert',
'emergency') THEN 'Critical'
WHEN LEVEL='error' THEN 'High' WHEN LEVEL='warning' THEN
'Medium' WHEN LEVEL='notice' THEN 'Low' ELSE 'Info' END) AS
severity,
COUNT(*) AS COUNT
FROM $log
WHERE $filter
AND subtype='system'
GROUP BY msg_desc,
severity
ORDER BY COUNT DESC)### t
WHERE severity='Critical'
GROUP BY msg,
severity
ORDER BY counts DESC
SELECT msg_desc AS msg,
severity,
sum(COUNT) AS counts
FROM ###
(SELECT coalesce(nullifna(logdesc), msg) AS msg_desc, (CASE
WHEN LEVEL IN ('critical',
'alert',
'emergency') THEN 'Critical'
WHEN LEVEL='error' THEN 'High' WHEN LEVEL='warning' THEN
event-System- Event system 'Medium' WHEN LEVEL='notice' THEN 'Low' ELSE 'Info' END) AS
High-Severity- high severity event severity,
Events events COUNT(*) AS COUNT
FROM $log
WHERE $filter
AND subtype='system'
GROUP BY msg_desc,
severity
ORDER BY COUNT DESC)### t
WHERE severity='High'
GROUP BY msg,
severity
ORDER BY counts DESC
SELECT msg_desc AS msg,
severity,
sum(COUNT) AS counts
FROM ###
(SELECT coalesce(nullifna(logdesc), msg) AS msg_desc, (CASE
WHEN LEVEL IN ('critical',
'alert',
event-System- Event system 'emergency') THEN 'Critical'
Medium- medium WHEN LEVEL='error' THEN 'High' WHEN LEVEL='warning' THEN
event
Severity- severity 'Medium' WHEN LEVEL='notice' THEN 'Low' ELSE 'Info' END) AS
Events events severity,
COUNT(*) AS COUNT
FROM $log
WHERE $filter
AND subtype='system'
GROUP BY msg_desc,
severity
ORDER BY COUNT DESC)### t

Copyright © 2014 Fortinet, Inc.

49
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
WHERE severity='Medium'
GROUP BY msg,
severity
ORDER BY counts DESC
SELECT $flex_timescale AS dom,
sum(CASE WHEN LEVEL IN ('critical', 'alert', 'emergency') THEN 1
ELSE 0 END) AS critical,
sum(CASE WHEN LEVEL = 'error' THEN 1 ELSE 0 END) AS high,
sum(CASE WHEN LEVEL = 'warning' THEN 1 ELSE 0 END) AS
event-System- Event system medium,
Summary-By- summary by event sum(CASE WHEN LEVEL = 'notice' THEN 1 ELSE 0 END) AS low,
sum(CASE WHEN LEVEL = 'information'
Date date
OR LEVEL = 'debug' THEN 1 ELSE 0 END) AS info
FROM $log
WHERE $filter
AND subtype='system'
GROUP BY dom
ORDER BY dom
SELECT (CASE
WHEN LEVEL IN ('critical',
'alert',
'emergency') THEN 'Critical'
WHEN LEVEL='error' THEN 'High'
WHEN LEVEL='warning' THEN 'Medium'
event-System- Event system WHEN LEVEL='notice' THEN 'Low'
Summary-By- summary by event ELSE 'Info'
Severity severity END) AS severity,
count(*) AS total_num
FROM $log
WHERE $filter
AND subtype='system'
GROUP BY severity
ORDER BY total_num DESC
DROP TABLE IF EXISTS pre_clt_list;

DROP TABLE IF EXISTS cur_clt_list;

DROP TABLE IF EXISTS allocated_ip;

CREATE
TEMPORARY TABLE pre_clt_list AS ###
(SELECT concat(interface, '.', devid) AS intf,
mac
FROM $log
event-Top- Event top WHERE $last3day_period $filter
DHCP-Sum- dhcp sum- event AND logid_to_int(logid) = 26001
mary mary AND dhcp_msg = 'Ack'
GROUP BY interface,
devid,
mac)###;

CREATE
TEMPORARY TABLE cur_clt_list AS ###
(SELECT concat(interface, '.', devid) AS intf,
mac
FROM $log
WHERE $filter
AND logid_to_int(logid) = 26001

Copyright © 2014 Fortinet, Inc.

50
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
AND dhcp_msg = 'Ack'
GROUP BY interface,
devid,
mac)###;

CREATE
TEMPORARY TABLE allocated_ip AS ###
(SELECT t31.intf,
percent_of_allocated_ip
FROM
(SELECT concat(interface, '.', devid) AS intf,
CAST((CAST(used AS float)/CAST(total AS
float)*100) AS decimal(10,2)) AS percent_of_allocated_ip,
itime
FROM $log
WHERE $filter
AND logid_to_int(logid) = 26003
AND total != 0
GROUP BY interface,
devid,
percent_of_allocated_ip,
itime) t31
INNER JOIN
(SELECT concat(interface,'.', devid) AS intf,
max(itime) AS max_itime
FROM $log
WHERE $filter
AND logid_to_int(logid) = 26003
GROUP BY interface,
devid) t32 ON t31.intf = t32.intf
AND t31.itime=t32.max_itime)###;

SELECT t41.intf AS interface,

percent_of_allocated_ip,
count(mac) AS new_cli_count
FROM
(SELECT intf,
percent_of_allocated_ip
FROM allocated_ip) t41
INNER JOIN
(SELECT intf,
mac
FROM cur_clt_list
WHERE (mac NOT IN
(SELECT mac
FROM pre_clt_list))
GROUP BY intf,
mac) t42 ON t41.intf = t42.intf
GROUP BY interface,
percent_of_allocated_ip
ORDER BY interface ,
percent_of_allocated_ip DESC
SELECT hourstamp,
cast(sum(cpu_usage)/sum(num) AS decimal(6,2)) AS cpu_avg_
event-Usage- Event usage usage
event FROM ###
CPU CPU
(SELECT $hour_of_day AS hourstamp,
sum(cpu) AS cpu_usage,
count(*) AS num

Copyright © 2014 Fortinet, Inc.

51
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
FROM $log
WHERE $filter
AND subtype='system'
AND action='perf-stats'
GROUP BY hourstamp)### t
GROUP BY hourstamp
ORDER BY hourstamp
SELECT hourstamp,
cast(sum(sess_usage)/sum(num) AS decimal(10,2)) AS sess_avg_
usage,
cast(sum(cpu_usage)/sum(num) AS decimal(6,2)) AS cpu_avg_
usage
FROM ###
(SELECT $hour_of_day AS hourstamp,
event-Usage- Event usage sum(cpu) AS cpu_usage,
CPU-Ses- CPU ses- event sum(totalsession) AS sess_usage,
sions sions count(*) AS num
FROM $log
WHERE $filter
AND subtype='system'
AND action='perf-stats'
GROUP BY hourstamp)### t
GROUP BY hourstamp
ORDER BY hourstamp
SELECT hourstamp,
cast(sum(mem_usage)/sum(num) AS decimal(6,2)) AS mem_avg_
usage
FROM ###
(SELECT $hour_of_day AS hourstamp,
sum(mem) AS mem_usage,
event-Usage- Event usage count(*) AS num
event
Mem memory FROM $log
WHERE $filter
AND subtype='system'
AND action='perf-stats'
GROUP BY hourstamp)### t
GROUP BY hourstamp
ORDER BY hourstamp
SELECT hourstamp,
cast(sum(sess_usage)/sum(num) AS decimal(10,2)) AS sess_avg_
usage
FROM ###
(SELECT $hour_of_day AS hourstamp,
sum(totalsession) AS sess_usage,
event-Usage- Event usage count(*) AS num
event
Sessions sessions FROM $log
WHERE $filter
AND subtype='system'
AND action='perf-stats'
GROUP BY hourstamp)### t
GROUP BY hourstamp
ORDER BY hourstamp
SELECT 'accepted' AS ap_full_status,
event-Wire- Event wire- devid,
less-Accep- less accep- event vd,
ted-Offwire ted off-wire ssid,
bssid,

Copyright © 2014 Fortinet, Inc.

52
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
manuf,
channel,
radioband,
FROM_dtime(max(last_seen)) AS last_seen,
detectionmethod,
snclosest,
'no' AS on_wire
FROM ###
(SELECT devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest,
onwire,
logid,
apstatus,
max(dtime) AS last_seen
FROM $log
WHERE $filter
AND bssid IS NOT NULL
AND logid_to_int(logid) IN (43521,
43525)
GROUP BY devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest,
onwire,
logid,
apstatus
ORDER BY last_seen DESC)### t
WHERE apstatus=2
AND onwire='no'
GROUP BY devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest
ORDER BY last_seen DESC
SELECT 'accepted' AS ap_full_status,
devid,
event-Wire- Event wire- vd,
ssid,
less-Accep- less accep- event
bssid,
ted-Onwire ted on-wire manuf,
channel,
radioband,

Copyright © 2014 Fortinet, Inc.

53
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
FROM_dtime(max(last_seen)) AS last_seen,
detectionmethod,
snclosest,
'yes' AS on_wire
FROM ###
(SELECT devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest,
onwire,
apstatus,
max(dtime) AS last_seen
FROM $log
WHERE $filter
AND bssid IS NOT NULL
AND logid_to_int(logid) IN (43521,
43525)
GROUP BY devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest,
onwire,
apstatus
ORDER BY last_seen DESC)### t
WHERE apstatus=2
AND onwire='yes'
GROUP BY devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest
ORDER BY last_seen DESC
DROP TABLE IF EXISTS ip_list;

CREATE
TEMPORARY TABLE ip_list AS
SELECT ip,
event-Wire- Event wire- lower(mac) AS lmac,
less-Client- less client event sn,
Details details ssid,
channel,
radioband,
min(dtime) AS FIRST,
max(dtime) AS LAST
FROM $log-event

Copyright © 2014 Fortinet, Inc.

54
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
WHERE $filter
AND ip IS NOT NULL
AND mac IS NOT NULL
AND sn IS NOT NULL
AND ssid IS NOT NULL
GROUP BY ip,
lmac,
sn,
ssid,
channel,
radioband
ORDER BY ip;

SELECT user_src,
ip,
lmac,
sn,
ssid,
channel,
radioband,
FROM_dtime(FIRST) AS first_seen,
FROM_dtime(LAST) AS last_seen,
cast(volume AS decimal(18,2)) AS bandwidth
FROM
(SELECT *
FROM ip_list
INNER JOIN
(SELECT user_src,
srcip,
sum(volume) AS volume
FROM ###
(SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
cip`)) AS user_src,
srcip,
sum(coalesce(sent-
byte, 0)+coalesce(rcvdbyte, 0)) AS volume
FROM $log-traffic
WHERE $filter-time
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND srcip IS NOT NULL
GROUP BY user_src,
srcip HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte,
0))>0
ORDER BY volume DESC)### t
GROUP BY user_src,
srcip
ORDER BY user_src,
srcip) t ON ip_list.ip = t.srcip) t
ORDER BY volume DESC
SELECT 'rogue' AS ap_full_status,
devid,
event-Wire- Event wire- vd,
less-Rogue- less rogue event ssid,
Offwire off-wire bssid,
manuf,
channel,

Copyright © 2014 Fortinet, Inc.

55
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
radioband,
FROM_dtime(max(last_seen)) AS last_seen,
detectionmethod,
snclosest,
'no' AS on_wire
FROM ###
(SELECT devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest,
onwire,
logid,
apstatus,
max(dtime) AS last_seen
FROM $log
WHERE $filter
AND bssid IS NOT NULL
AND logid IN ('43521',
'43525')
GROUP BY devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest,
onwire,
logid,
apstatus
ORDER BY last_seen DESC)### t
WHERE apstatus=1
AND onwire='no'
GROUP BY devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest
ORDER BY last_seen DESC
SELECT 'rogue' AS ap_full_status,
devid,
vd,
event-Wire- Event wire- ssid,
bssid,
less-Rogue- less rogue event
manuf,
Onwire on-wire channel,
radioband,
FROM_dtime(max(last_seen)) AS last_seen,
detectionmethod,

Copyright © 2014 Fortinet, Inc.

56
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
snclosest,
'yes' AS on_wire
FROM ###
(SELECT devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest,
onwire,
apstatus,
max(dtime) AS last_seen
FROM $log
WHERE $filter
AND bssid IS NOT NULL
AND logid_to_int(logid) IN (43521,
43525)
GROUP BY devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest,
onwire,
apstatus
ORDER BY last_seen DESC)### t
WHERE apstatus=1
AND onwire='yes'
GROUP BY devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest
ORDER BY last_seen DESC
SELECT 'suppressed' AS ap_full_status,
devid,
vd,
ssid,
bssid,
event-Wire- Event wire- manuf,
channel,
less-Sup- less sup-
event radioband,
pressed- pressed off-
FROM_dtime(max(last_seen)) AS last_seen,
Offwire wire detectionmethod,
snclosest,
'no' AS on_wire
FROM ###
(SELECT devid,
vd,

Copyright © 2014 Fortinet, Inc.

57
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest,
onwire,
logid,
apstatus,
max(dtime) AS last_seen
FROM $log
WHERE $filter
AND bssid IS NOT NULL
AND logid_to_int(logid) IN (43521,
43525)
GROUP BY devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest,
onwire,
logid,
apstatus
ORDER BY last_seen DESC)### t
WHERE apstatus=3
AND onwire='no'
GROUP BY devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest
ORDER BY last_seen DESC
SELECT 'suppressed' AS ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
channel,
event-Wire- Event wire- radioband,
less-Sup- less sup- FROM_dtime(max(last_seen)) AS last_seen,
event
pressed- pressed on- detectionmethod,
Onwire wire snclosest,
'yes' AS on_wire
FROM ###
(SELECT devid,
vd,
ssid,
bssid,
manuf,

Copyright © 2014 Fortinet, Inc.

58
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
channel,
radioband,
detectionmethod,
snclosest,
onwire,
apstatus,
max(dtime) AS last_seen
FROM $log
WHERE $filter
AND bssid IS NOT NULL
AND logid_to_int(logid) IN (43521,
43525)
GROUP BY devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest,
onwire,
apstatus
ORDER BY last_seen DESC)### t
WHERE apstatus=3
AND onwire='yes'
GROUP BY devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest
ORDER BY last_seen DESC
SELECT 'unclassified' AS ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
FROM_dtime(max(last_seen)) AS last_seen,
detectionmethod,
event-Wire- Event wire- snclosest,
less-Unclas- less unclas- event 'no' AS on_wire
sified-Offwire sified off-wire FROM ###
(SELECT devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest,
onwire,

Copyright © 2014 Fortinet, Inc.

59
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
logid,
apstatus,
max(dtime) AS last_seen
FROM $log
WHERE $filter
AND bssid IS NOT NULL
AND logid_to_int(logid) IN (43521,
43525)
GROUP BY devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest,
onwire,
logid,
apstatus
ORDER BY last_seen DESC)### t
WHERE apstatus=0
AND onwire='no'
GROUP BY devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest
ORDER BY last_seen DESC
SELECT 'unclassified' AS ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
FROM_dtime(max(last_seen)) AS last_seen,
detectionmethod,
snclosest,
event-Wire- Event wire- 'yes' AS on_wire
FROM ###
less-Unclas- less unclas- event
(SELECT devid,
sified-Onwire sified on-wire vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest,
onwire,
apstatus,
max(dtime) AS last_seen
FROM $log

Copyright © 2014 Fortinet, Inc.

60
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
WHERE $filter
AND bssid IS NOT NULL
AND logid_to_int(logid) IN (43521,
43525)
GROUP BY devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest,
onwire,
apstatus
ORDER BY last_seen DESC)### t
WHERE apstatus=0
AND onwire='yes'
GROUP BY devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
detectionmethod,
snclosest
ORDER BY last_seen DESC
SELECT t2.name,
d_behavior,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
FROM $log t1
High risk INNER JOIN app_mdata t2 ON t1.appid=t2.id
High-Risk- WHERE $filter
application
Application- Traffic AND logid_to_int(logid) NOT IN (4,
by bandwidth
By-Bandwidth 7,
usage 14)
AND d_behavior IS NOT NULL
GROUP BY t2.name,
d_behavior
ORDER BY bandwidth DESC
SELECT t2.name,
d_behavior,
count(*) AS sessions
FROM $log t1
High risk INNER JOIN app_mdata t2 ON t1.appid=t2.id
High-Risk- WHERE $filter
application
Application- Traffic AND logid_to_int(logid) NOT IN (4,
by session
By-Sessions 7,
count 14)
AND d_behavior IS NOT NULL
GROUP BY t2.name,
d_behavior
ORDER BY sessions DESC

Number of SELECT $flex_timescale AS hodex,

number-of-ses- count(*) AS sessions
session Traffic
sion-timeline FROM $log
timeline WHERE $filter

Copyright © 2014 Fortinet, Inc.

61
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
AND logid_to_int(logid) NOT IN (4,
7,
14)
GROUP BY hodex
ORDER BY hodex
SELECT (coalesce(osname, 'Unknown')) AS os,
count(*) AS totalnum
FROM $log
Detected WHERE $filter
os-Detect-OS-
operation sys- Traffic AND logid_to_int(logid) NOT IN (4,
Count
tem count 7,
14)
GROUP BY os
ORDER BY totalnum DESC
SELECT $flex_timescale AS hodex,
sum(crscore%65536) AS scores,
count(*) AS totalnum
reputation- Reputation FROM $log
Number-Of- number of WHERE $filter
Incidents-For- incidents for Traffic AND logid_to_int(logid) NOT IN (4,
All-Users- all users 7,
Devices devices 14)
AND crscore IS NOT NULL
GROUP BY hodex HAVING sum(crscore%65536)>0
ORDER BY hodex
SELECT $flex_timescale AS hodex,
sum(crscore%65536) AS scores
reputation- Reputation FROM $log
Score-Sum- score sum- WHERE $filter
AND logid_to_int(logid) NOT IN (4,
mary-For-All- mary for all Traffic
7,
Users- users 14)
Devices devices AND crscore IS NOT NULL
GROUP BY hodex HAVING sum(crscore%65536)>0
ORDER BY hodex
SELECT devtype,
coalesce(nullifna(`srcname`),nullifna(`srcmac`), ipstr(`srcip`)) AS
dev_src,
sum(crscore%65536) AS scores
FROM $log
reputation- Reputation WHERE $filter
Top-Devices- top devices Traffic AND logid_to_int(logid) NOT IN (4,
By-Scores by scores 7,
14)
AND crscore IS NOT NULL
GROUP BY devtype,
dev_src HAVING sum(crscore%65536)>0
ORDER BY scores DESC
DROP TABLE IF EXISTS prd1_dev_tbl;

reputation- Reputation DROP TABLE IF EXISTS prd2_dev_tbl;

Top-Devices- top devices
With- with Traffic CREATE
Increased- increased TEMPORARY TABLE prd1_dev_tbl AS ###
Scores scores (SELECT coalesce(nullifna(`srcname`),nullifna(`srcmac`), ipstr(`sr-
cip`)) AS f_device,
devtype,

Copyright © 2014 Fortinet, Inc.

62
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
sum(crscore%65536) AS
sum_rp_score
FROM $log
WHERE $pre_period $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND crscore IS NOT NULL
GROUP BY f_device,
devtype HAVING sum(crscore%65536)>0
ORDER BY sum_rp_score DESC)###;

CREATE
TEMPORARY TABLE prd2_dev_tbl AS ###
(SELECT coalesce(nullifna(`srcname`),nullifna(`srcmac`), ipstr(`sr-
cip`)) AS f_device,
devtype,
sum(crscore%65536) AS
sum_rp_score
FROM $log
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND crscore IS NOT NULL
GROUP BY f_device,
devtype HAVING sum(crscore%65536)>0
ORDER BY sum_rp_score DESC)###;

SELECT t1.f_device,
t1.devtype ,
sum(t1.sum_rp_score) AS t1_sum_score,
sum(t2.sum_rp_score) AS t2_sum_score,
(sum(t2.sum_rp_score)-sum(t1.sum_rp_score)) AS delta
FROM prd1_dev_tbl AS t1
INNER JOIN prd2_dev_tbl AS t2 ON t1.f_device=t2.f_device
AND t1.devtype=t2.devtype
WHERE t2.sum_rp_score > t1.sum_rp_score
GROUP BY t1.f_device,
t1.devtype
ORDER BY delta DESC
SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
AS user_src,
sum(crscore%65536) AS scores
FROM $log
reputation- Reputation WHERE $filter
Top-Users-By- top users by Traffic AND logid_to_int(logid) NOT IN (4,
Scores scores 7,
14)
AND crscore IS NOT NULL
GROUP BY user_src HAVING sum(crscore%65536)>0
ORDER BY scores DESC

reputation- Reputation DROP TABLE IF EXISTS prd1_usr_tbl;

Top-Users- top users
DROP TABLE IF EXISTS prd2_usr_tbl;
With- with Traffic
Increased- increased CREATE
Scores scores TEMPORARY TABLE prd1_usr_tbl AS ###

Copyright © 2014 Fortinet, Inc.

63
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
(SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
cip`)) AS f_user,
sum(crscore%65536) AS
sum_rp_score
FROM $log
WHERE $pre_period $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND crscore IS NOT NULL
GROUP BY f_user HAVING sum(crscore%65536)>0
ORDER BY sum_rp_score DESC)###;

CREATE
TEMPORARY TABLE prd2_usr_tbl AS ###
(SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
cip`)) AS f_user,
sum(crscore%65536) AS
sum_rp_score
FROM $log
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND crscore IS NOT NULL
GROUP BY f_user HAVING sum(crscore%65536)>0
ORDER BY sum_rp_score DESC)###;

SELECT t1.f_user,
sum(t1.sum_rp_score) AS t1_sum_score,
sum(t2.sum_rp_score) AS t2_sum_score,
(sum(t2.sum_rp_score)-sum(t1.sum_rp_score)) AS delta
FROM prd1_usr_tbl AS t1
INNER JOIN prd2_usr_tbl AS t2 ON t1.f_user=t2.f_user
WHERE t2.sum_rp_score > t1.sum_rp_score
GROUP BY t1.f_user
ORDER BY delta DESC
SELECT $flex_timescale AS hodex,
count(*) AS totalnum
threat- Threat FROM $log
Adware- adware virus WHERE $filter
Timeline timeline AND virus LIKE 'Adware%'
GROUP BY hodex
ORDER BY hodex DESC
SELECT (CASE
WHEN severity='critical' THEN 'Critical'
WHEN severity='high' THEN 'High'
WHEN severity='medium' THEN 'Medium'
Threat WHEN severity='low' THEN 'Low'
threat-Attacks- WHEN severity='info' THEN 'Info'
attacks by attack
By-Severity END) AS severity,
severity count(*) AS totalnum
FROM $log
WHERE $filter
GROUP BY severity
ORDER BY totalnum DESC

threat-Attacks- Threat SELECT attack,

attack
(CASE

Copyright © 2014 Fortinet, Inc.

64
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
WHEN severity='critical' THEN 'Critical'
WHEN severity='high' THEN 'High'
WHEN severity='medium' THEN 'Medium'
WHEN severity='low' THEN 'Low'
WHEN severity='info' THEN 'Info'
END) AS severity,
count(*) AS totalnum,
(CASE
WHEN severity='critical' THEN 0
WHEN severity='high' THEN 1
WHEN severity='medium' THEN 2
WHEN severity='low' THEN 3
WHEN severity='info' THEN 4
Over-HTTP- attacks over
ELSE 5
HTTPs HTTP HTTPs
END) AS severity_number
FROM $log
WHERE $filter
AND severity IN ('critical',
'high',
'medium')
AND upper(service) IN ('HTTP',
'HTTPS')
GROUP BY attack,
severity,
severity_number
ORDER BY severity_number,
totalnum DESC
SELECT attack,
vuln_type,
count(*) AS totalnum
threat-Critical- Threat critical FROM $log t1
LEFT JOIN ips_mdata t2 ON t1.attack=t2.name
Severity-Intru- severity intru- attack
WHERE $filter
sions sions AND t1.severity = 'critical'
GROUP BY attack,
vuln_type
ORDER BY totalnum DESC
SELECT attack,
vuln_type,
count(*) AS totalnum
threat-High- Threat high FROM $log t1
LEFT JOIN ips_mdata t2 ON t1.attack=t2.name
Severity-Intru- severity intru- attack
WHERE $filter
sions sions AND t1.severity='high'
GROUP BY attack,
vuln_type
ORDER BY totalnum DESC
SELECT $flex_timescale AS timescale,
(CASE
WHEN severity='critical' THEN 'Critical'
threat-Intru- Threat intru- WHEN severity='high' THEN 'High'
WHEN severity='medium' THEN 'Medium'
sions- sions
attack WHEN severity='low' THEN 'Low'
Timeline-By- timeline by
WHEN severity='info' THEN 'Info'
Severity severity END) AS severity,
count(*) AS totalnum
FROM $log
WHERE $filter

Copyright © 2014 Fortinet, Inc.

65
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
GROUP BY timescale,
severity
ORDER BY timescale
SELECT $flex_timescale AS hodex,
count(*) AS totalnum
threat-Intru- Threat intru- FROM $log
attack
sion-Timeline sion timeline WHERE $filter
GROUP BY hodex
ORDER BY hodex
SELECT attack,
vuln_type,
count(*) AS totalnum
threat-Low- Threat low FROM $log t1
LEFT JOIN ips_mdata t2 ON t1.attack=t2.name
Severity-Intru- severity intru- attack
WHERE $filter
sions sions AND t1.severity='low'
GROUP BY attack,
vuln_type
ORDER BY totalnum DESC
SELECT attack,
vuln_type,
count(*) AS totalnum
threat- Threat FROM $log t1
Medium- medium LEFT JOIN ips_mdata t2 ON t1.attack=t2.name
attack
Severity-Intru- severity intru- WHERE $filter
sions sions AND t1.severity='medium'
GROUP BY attack,
vuln_type
ORDER BY totalnum DESC
SELECT $flex_timescale AS hodex,
count(*) AS totalnum
FROM $log
threat-Spy- Threat spy-
virus WHERE $filter
ware-Timeline ware timeline
AND virus LIKE 'Riskware%'
GROUP BY hodex
ORDER BY hodex DESC
SELECT virus,
sum(totalnum) AS totalnum
FROM ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
virus,
threat-Top- Threat top count(*) AS totalnum
FROM $log
Adware-by- adware by virus
WHERE $filter
Name name GROUP BY user_src,
virus
ORDER BY totalnum DESC)### t
WHERE virus LIKE 'Adware%'
GROUP BY virus
ORDER BY totalnum DESC
SELECT srcip,
hostname,
threat-Top- Threat top count(*) AS totalnum
Adware- adware Traffic FROM $log
Source source WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,

Copyright © 2014 Fortinet, Inc.

66
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
14)
AND virus LIKE 'Adware%'
GROUP BY srcip,
hostname
ORDER BY totalnum DESC
SELECT user_src,
sum(totalnum) AS totalnum
FROM ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
virus,
threat-Top- Threat top count(*) AS totalnum
FROM $log
Adware-Vic- adware vic- virus
WHERE $filter
tims tims GROUP BY user_src,
virus
ORDER BY totalnum DESC)### t
WHERE virus LIKE 'Adware%'
GROUP BY user_src
ORDER BY totalnum DESC
SELECT attack,
count(*) AS attack_count
FROM $log
WHERE $filter
threat-Top- Threat top AND nullifna(attack) IS NOT NULL
Attacks- attacks attack AND action IN ('deny',
Blocked blocked 'blocked',
'reset',
'dropped')
GROUP BY attack
ORDER BY attack_count DESC
SELECT attack,
severity,
sum(attack_count) AS attack_count
FROM ###
(SELECT attack, severity, (CASE WHEN severity = 'critical' THEN 1
WHEN severity = 'high' THEN 2 WHEN severity = 'medium' THEN 3
WHEN severity = 'low' THEN 4 ELSE 5 END) AS severity_level,

count(*) AS attack_count
threat-Top- Threat top FROM $log
Attacks-Detec- attacks detec- attack WHERE $filter
AND nullifna(attack) IS NOT NULL
ted ted
GROUP BY attack,
severity,
severity_level
ORDER BY severity_level,
attack_count DESC)### t
GROUP BY attack,
severity,
severity_level
ORDER BY severity_level,
attack_count DESC
SELECT attack,
threat-Top- Threat top (CASE
Blocked-Intru- blocked intru- attack WHEN t1.severity='critical' THEN 'Critical'
sions sions WHEN t1.severity='high' THEN 'High'
WHEN t1.severity='medium' THEN 'Medium'

Copyright © 2014 Fortinet, Inc.

67
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
WHEN t1.severity='low' THEN 'Low'
WHEN t1.severity='info' THEN 'Info'
END) AS severity_name,
count(*) AS totalnum,
vuln_type,
(CASE
WHEN t1.severity='critical' THEN 0
WHEN t1.severity='high' THEN 1
WHEN t1.severity='medium' THEN 2
WHEN t1.severity='low' THEN 3
WHEN t1.severity='info' THEN 4
ELSE 5
END) AS severity_number
FROM $log t1
LEFT JOIN ips_mdata t2 ON t1.attack=t2.name
WHERE $filter
AND nullifna(attack) IS NOT NULL
AND action IN ('deny',
'blocked',
'reset',
'dropped')
GROUP BY attack,
t1.severity,
vuln_type
ORDER BY severity_number,
totalnum DESC
SELECT vuln_type,
count(*) AS totalnum
threat-Top- Threat top FROM $log t1
LEFT JOIN ips_mdata t2 ON t1.attack=t2.name
Intrusions-By- intrusions by attack
WHERE $filter
Types types AND vuln_type IS NOT NULL
GROUP BY vuln_type
ORDER BY totalnum DESC
SELECT SOURCE,
sum(cri_num) AS critical,
sum(high_num) AS high,
sum(med_num) AS medium,
sum(cri_num + high_num + med_num) AS totalnum
FROM ###
(SELECT srcip AS SOURCE,
sum(CASE WHEN severity='critical' THEN 1 ELSE 0 END)
AS cri_num,
sum(CASE WHEN sever-
threat-Top- Threat top
ity='high' THEN 1 ELSE 0 END) AS high_num,
Intrusion- intrusion attack
Sources sources
sum(CASE WHEN severity='medium' THEN 1 ELSE 0 END) AS med_
num
FROM $log
WHERE $filter
AND severity IN ('critical',
'high',
'medium')
GROUP BY SOURCE)### t
GROUP BY SOURCE
ORDER BY totalnum DESC

threat-Top- Threat top SELECT victim,

attack
sum(cri_num) AS critical,

Copyright © 2014 Fortinet, Inc.

68
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
sum(high_num) AS high,
sum(med_num) AS medium,
sum(cri_num + high_num + med_num) AS totalnum
FROM ###
(SELECT dstip AS victim,
sum((CASE WHEN severity='critical' THEN 1 ELSE 0 END))
AS cri_num,
sum(CASE WHEN sever-
ity='high' THEN 1 ELSE 0 END) AS high_num,
Intrusion-Vic- intrusion vic-
tims tims sum(CASE WHEN severity='medium' THEN 1 ELSE 0 END) AS med_
num
FROM $log
WHERE $filter
AND severity IN ('critical',
'high',
'medium')
GROUP BY victim)### t
GROUP BY victim
ORDER BY totalnum DESC
SELECT attack,
(CASE
WHEN t1.severity='critical' THEN 'Critical'
WHEN t1.severity='high' THEN 'High'
WHEN t1.severity='medium' THEN 'Medium'
WHEN t1.severity='low' THEN 'Low'
WHEN t1.severity='info' THEN 'Info'
END) AS severity_name,
count(*) AS totalnum,
vuln_type,
(CASE
WHEN t1.severity='critical' THEN 0
WHEN t1.severity='high' THEN 1
WHEN t1.severity='medium' THEN 2
threat-Top- Threat top WHEN t1.severity='low' THEN 3
Monitored- monitored attack WHEN t1.severity='info' THEN 4
Intrusions intrusions ELSE 5
END) AS severity_number
FROM $log t1
LEFT JOIN ips_mdata t2 ON t1.attack=t2.name
WHERE $filter
AND nullifna(attack) IS NOT NULL
AND action NOT IN ('deny',
'blocked',
'reset',
'dropped')
GROUP BY attack,
t1.severity,
vuln_type
ORDER BY severity_number,
totalnum DESC
SELECT virus,
sum(totalnum) AS totalnum
threat-Top- Threat top FROM ###
Spyware-by- spyware by virus (SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
Name name virus,
count(*) AS totalnum
FROM $log

Copyright © 2014 Fortinet, Inc.

69
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
WHERE $filter
GROUP BY user_src,
virus
ORDER BY totalnum DESC)### t
WHERE virus LIKE 'Riskware%'
GROUP BY virus
ORDER BY totalnum DESC
SELECT srcip,
hostname,
count(*) AS totalnum
FROM $log
threat-Top- Threat top WHERE $filter
AND logid_to_int(logid) NOT IN (4,
Spyware- spyware Traffic
7,
Source source 14)
AND virus LIKE 'Riskware%'
GROUP BY srcip,
hostname
ORDER BY totalnum DESC
SELECT user_src,
sum(totalnum) AS totalnum
FROM ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
virus,
threat-Top- Threat top count(*) AS totalnum
FROM $log
Spyware-Vic- spyware vic- virus
WHERE $filter
tims tims GROUP BY user_src,
virus
ORDER BY totalnum DESC)### t
WHERE virus LIKE 'Riskware%'
GROUP BY user_src
ORDER BY totalnum DESC
SELECT srcip,
hostname,
sum(totalnum) AS totalnum
FROM (###
(SELECT srcip,
hostname,
count(*) AS totalnum
FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
threat-Top- Threat top
Traffic AND utmevent IS NOT NULL
Virus-Source virus source
AND virus IS NOT NULL
GROUP BY srcip,
hostname
ORDER BY totalnum DESC)###
UNION ALL ###
(SELECT srcip ,
ipstr(`dstip`) AS hostname,
count(*) AS totalnum
FROM $log-virus
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)

Copyright © 2014 Fortinet, Inc.

70
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
AND nullifna(virus) IS NOT NULL
GROUP BY srcip,
hostname
ORDER BY totalnum DESC)###) t
GROUP BY srcip,
hostname
ORDER BY totalnum DESC
SELECT hodex,
sum(totalnum) AS totalnum
FROM (###
(SELECT $flex_timescale AS hodex,
count(*) AS totalnum
FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IS NOT NULL
AND virus IS NOT NULL
threat-Virus- Threat virus GROUP BY hodex
virus
Timeline timeline ORDER BY hodex DESC)###
UNION ALL ###
(SELECT $flex_timescale AS hodex,
count(*) AS totalnum
FROM $log-virus
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)
AND nullifna(virus) IS NOT NULL
GROUP BY hodex
ORDER BY hodex DESC)###) t
GROUP BY hodex
ORDER BY hodex DESC
SELECT app_group_name(app) AS app_group,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth,
sum(coalesce(rcvdbyte, 0)) AS traffic_in,
sum(coalesce(sentbyte, 0)) AS traffic_out,
count(*) AS sessions
Top applic- FROM $log
Top-App-By- ations by WHERE $filter
Traffic
Bandwidth bandwidth AND logid_to_int(logid) NOT IN (4,
usage 7,
14)
AND nullifna(app) IS NOT NULL
GROUP BY app_group HAVING sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0))>0
ORDER BY bandwidth DESC
SELECT app_group_name(app) AS app_group,
count(*) AS sessions
FROM $log
Top applic- WHERE $filter
Top-App-By- AND logid_to_int(logid) NOT IN (4,
ations by ses- Traffic
Sessions 7,
sion count 14)
AND nullifna(app) IS NOT NULL
GROUP BY app_group
ORDER BY sessions DESC

Copyright © 2014 Fortinet, Inc.

71
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
SELECT coalesce(nullifna(root_domain(hostname)), ipstr(dstip)) AS
DOMAIN,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth,
sum(coalesce(rcvdbyte, 0)) AS traffic_in,
sum(coalesce(sentbyte, 0)) AS traffic_out
Top des- FROM $log
Top-Destin- WHERE $filter
tinations by
ations-By- Traffic AND logid_to_int(logid) NOT IN (4,
bandwidth 7,
Bandwidth
usage 14)
AND coalesce(nullifna(root_domain(hostname)), ipstr(`dstip`)) IS NOT
NULL
GROUP BY DOMAIN HAVING sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0))>0
ORDER BY bandwidth DESC
SELECT coalesce(nullifna(root_domain(hostname)), ipstr(dstip)) AS
DOMAIN,
count(*) AS sessions
Top des- FROM $log
Top-Destin-
tinations by WHERE $filter
ations-By-Ses- Traffic
session AND logid_to_int(logid) NOT IN (4,
sions
count 7,
14)
GROUP BY DOMAIN
ORDER BY sessions DESC
SELECT app_group_name(app) AS app_group,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth,
sum(coalesce(rcvdbyte, 0)) AS traffic_in,
sum(coalesce(sentbyte, 0)) AS traffic_out,
count(*) AS sessions
FROM $log
Top P2P WHERE $filter
Top-P2P-App- applications AND logid_to_int(logid) NOT IN (4,
Traffic
By-Bandwidth by bandwidth 7,
usage 14)
AND nullifna(app) IS NOT NULL
AND lower(appcat)='p2p'
AND action='accept'
GROUP BY app_group HAVING sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0))>0
ORDER BY bandwidth DESC
SELECT app_group_name(app) AS app_group,
count(*) AS sessions
FROM $log
WHERE $filter
Top P2P AND logid_to_int(logid) NOT IN (4,
Top-P2P-App- applications 7,
Traffic
By-Sessions by session 14)
count AND nullifna(app) IS NOT NULL
AND lower(appcat)='p2p'
AND action='accept'
GROUP BY app_group
ORDER BY sessions DESC
SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
Top user by
Top-User-By- AS user_src,
session Traffic
Sessions count(*) AS sessions
count
FROM $log

Copyright © 2014 Fortinet, Inc.

72
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
GROUP BY user_src
ORDER BY sessions DESC
SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
AS user_src,
srcip,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth,
sum(coalesce(rcvdbyte, 0)) AS traffic_in,
sum(coalesce(sentbyte, 0)) AS traffic_out
Top users by FROM $log
Top-Users-By- WHERE $filter
bandwidth Traffic
Bandwidth AND logid_to_int(logid) NOT IN (4,
usage 7,
14)
AND srcip IS NOT NULL
GROUP BY user_src,
srcip HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))
>0
ORDER BY bandwidth DESC
SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
AS user_src,
count(*) AS sessions
Top user FROM $log
Top-User-
source by WHERE $filter
Source-By- Traffic
session AND logid_to_int(logid) NOT IN (4,
Sessions
count 7,
14)
GROUP BY user_src
ORDER BY sessions DESC
SELECT catdesc,
sum(bandwidth) AS bandwidth
FROM (###
(SELECT catdesc,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS band-
width
FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
Top web cat- 14)
Top-Web-Cat- AND utmevent IN ('webfilter',
egory by
egory-by- webfilter 'banned-word',
bandwidth 'web-content',
Bandwidth
usage 'command-block',
'script-filter')
GROUP BY catdesc HAVING sum(coalesce(sentbyte, 0)+co-
alesce(rcvdbyte, 0))>0
ORDER BY bandwidth DESC)###
UNION ALL ###
(SELECT catdesc,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS band-
width
FROM $log-webfilter
WHERE $filter

Copyright © 2014 Fortinet, Inc.

73
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
AND (eventtype IS NULL
OR logver = 52)
GROUP BY catdesc HAVING sum(coalesce(sentbyte, 0)+co-
alesce(rcvdbyte, 0))>0
ORDER BY bandwidth DESC)###) t
GROUP BY catdesc
ORDER BY bandwidth DESC
SELECT catdesc,
sum(sessions) AS sessions
FROM (###
(SELECT catdesc,
count(*) AS sessions
FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IN ('webfilter',
'banned-word',
Top-Web-Cat- Top web cat- 'web-content',
'command-block',
egory-by-Ses- egory by ses- webfilter
'script-filter')
sions sion count GROUP BY catdesc
ORDER BY sessions DESC)###
UNION ALL ###
(SELECT catdesc,
count(*) AS sessions
FROM $log-webfilter
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)
GROUP BY catdesc
ORDER BY sessions DESC)###) t
GROUP BY catdesc
ORDER BY sessions DESC
SELECT DOMAIN,
sum(bandwidth) AS bandwidth
FROM (###
(SELECT coalesce(nullifna(hostname), ipstr(`srcip`)) AS DOMAIN,
sum(coalesce(sentbyte, 0)+co-
alesce(rcvdbyte, 0)) AS bandwidth
FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
Top-Web- Top web 14)
Sites-by-Band- sites by band- webfilter AND utmevent IN ('webfilter',
width width usage 'banned-word',
'web-content',
'command-block',
'script-filter')
GROUP BY DOMAIN HAVING sum(coalesce(sentbyte, 0)+co-
alesce(rcvdbyte, 0))>0
ORDER BY bandwidth DESC)###
UNION ALL ###
(SELECT coalesce(nullifna(hostname), ipstr(`srcip`)) AS DOMAIN,
sum(coalesce(sentbyte, 0)+co-
alesce(rcvdbyte, 0)) AS bandwidth

Copyright © 2014 Fortinet, Inc.

74
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
FROM $log-webfilter
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)
GROUP BY DOMAIN HAVING sum(coalesce(sentbyte, 0)+co-
alesce(rcvdbyte, 0))>0
ORDER BY bandwidth DESC)###) t
GROUP BY DOMAIN
ORDER BY bandwidth DESC
SELECT DOMAIN,
sum(sessions) AS sessions
FROM (###
(SELECT coalesce(nullifna(hostname), ipstr(`srcip`)) AS DOMAIN,
count(*) AS sessions
FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IN ('webfilter',
'banned-word',
Top-Web- Top web 'web-content',
'command-block',
Sites-by-Ses- sites by ses- webfilter
'script-filter')
sions sion count GROUP BY DOMAIN
ORDER BY sessions DESC)###
UNION ALL ###
(SELECT coalesce(nullifna(hostname), ipstr(`srcip`)) AS DOMAIN,
count(*) AS sessions
FROM $log-webfilter
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)
GROUP BY DOMAIN
ORDER BY sessions DESC)###) t
GROUP BY DOMAIN
ORDER BY sessions DESC
SELECT count(*) AS totalnum
Total-Attack- Total attack
attack FROM $log
Source source
WHERE $filter
SELECT count(*) AS events
FROM $log
Total-Number- Total number WHERE $filter
AND logid_to_int(logid) NOT IN (4,
of-Botnet- of botnet Traffic
7,
Events events 14)
AND appcat='Botnet'
AND nullifna(app) IS NOT NULL

SELECT sum(totalnum) AS totalnum

FROM (###
(SELECT count(*) AS totalnum
Total-Number- Total number
Traffic FROM $log-traffic
of-Viruses of viruses
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)

Copyright © 2014 Fortinet, Inc.

75
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
AND utmevent IS NOT NULL
AND virus IS NOT NULL
ORDER BY totalnum DESC)###
UNION ALL ###
(SELECT count(*) AS totalnum
FROM $log-virus
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)
AND nullifna(virus) IS NOT NULL
ORDER BY totalnum DESC)###) t
SELECT $flex_timescale AS hodex,
sum(coalesce(sentbyte, 0)) AS traffic_out,
sum(coalesce(rcvdbyte, 0)) AS traffic_in
FROM $log
Traffic band- WHERE $filter
Traffic-band-
width Traffic AND logid_to_int(logid) NOT IN (4,
width-timeline 7,
timeline
14)
GROUP BY hodex HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvd-
byte, 0))>0
ORDER BY hodex
SELECT hodex,
cast(sum(delta)/60.0 AS decimal(18, 2)) AS browsetime
FROM ###
(SELECT $flex_timescale AS hodex,
sum($browse_time) AS delta
Traffic-Brows- Traffic brows- FROM $log
WHERE $filter
ing-Time-Sum- ing time sum- Traffic
AND logid_to_int(logid) NOT IN (4,
mary mary 7,
14)
GROUP BY hodex HAVING sum($browse_time)>0
ORDER BY delta DESC)### t
GROUP BY hodex
ORDER BY hodex
SELECT hodex,
cast(sum(delta)/60.0 AS decimal(18, 2)) AS browsetime
FROM ###
(SELECT $flex_timescale AS hodex,
sum($browse_time2) AS delta
Traffic-Brows- Traffic brows- FROM $log
ing-Time-Sum- ing time sum- WHERE $filter
Traffic
mary- mary AND logid_to_int(logid) NOT IN (4,
Enhanced enhanced 7,
14)
GROUP BY hodex HAVING sum($browse_time2)>0
ORDER BY delta DESC)### t
GROUP BY hodex
ORDER BY hodex
SELECT hodex,
count(distinct(user_src)) AS total_user
Traffic-History- Traffic history FROM ###
By-Active- by active Traffic (SELECT $flex_timescale AS hodex,
User user coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr
(`srcip`)) AS user_src
FROM $log

Copyright © 2014 Fortinet, Inc.

76
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
GROUP BY hodex,
user_src
ORDER BY hodex)### t
GROUP BY hodex
ORDER BY hodex
SELECT catdesc,
sum(delta) AS browsetime,
sum(bandwidth) AS bandwidth
FROM ###
(SELECT catdesc,
sum($browse_time) AS delta,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS
Traffic-Top- Traffic top cat- bandwidth
Category-By- egory by FROM $log
Traffic
Browsing- browsing WHERE $filter
Time time AND logid_to_int(logid) NOT IN (4,
7,
14)
AND catdesc IS NOT NULL
GROUP BY catdesc HAVING sum($browse_time)>0
ORDER BY delta DESC)### t
GROUP BY catdesc
ORDER BY browsetime DESC
SELECT catdesc,
sum(delta) AS browsetime,
sum(bandwidth) AS bandwidth
FROM ###
(SELECT catdesc,
sum($browse_time2) AS delta,
Traffic-Top- Traffic top cat- sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))
Category-By- egory by AS bandwidth
FROM $log
Browsing- browsing Traffic
WHERE $filter
Time- time
AND logid_to_int(logid) NOT IN (4,
Enhanced enhanced 7,
14)
AND catdesc IS NOT NULL
GROUP BY catdesc HAVING sum($browse_time2)>0
ORDER BY delta DESC)### t
GROUP BY catdesc
ORDER BY browsetime DESC
SELECT dstcountry,
sum(delta) AS browsetime,
sum(bandwidth) AS bandwidth,
Traffic-Top- Traffic top sum(traffic_in) AS traffic_in,
sum(traffic_out) AS traffic_out
Destination- destination
FROM ###
Countries-By- countries by Traffic (SELECT dstcountry,
Browsing- browsing sum($browse_time) AS delta,
Time time sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS
bandwidth,
sum(coalesce(rcvdbyte,
0)) AS traffic_in,

Copyright © 2014 Fortinet, Inc.

77
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
sum
(coalesce(sentbyte, 0)) AS traffic_out
FROM $log
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
GROUP BY dstcountry HAVING sum($browse_time)>0
ORDER BY delta DESC)### t
GROUP BY dstcountry
ORDER BY browsetime DESC
SELECT dstcountry,
sum(delta) AS browsetime,
sum(bandwidth) AS bandwidth,
sum(traffic_in) AS traffic_in,
sum(traffic_out) AS traffic_out
FROM ###
(SELECT dstcountry,
sum($browse_time2) AS delta,
Traffic-Top- Traffic top sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))
Destination- destination AS bandwidth,
sum(coalesce(rcvdbyte,
Countries-By- countries by
Traffic 0)) AS traffic_in,
Browsing- browsing
sum
Time- time
(coalesce(sentbyte, 0)) AS traffic_out
Enhanced enhanced FROM $log
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
GROUP BY dstcountry HAVING sum($browse_time2)>0
ORDER BY delta DESC)### t
GROUP BY dstcountry
ORDER BY browsetime DESC
SELECT hostname,
sum($browse_time) AS browsetime,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth,
sum(coalesce(rcvdbyte, 0)) AS traffic_in,
Traffic-Top- Traffic top sum(coalesce(sentbyte, 0)) AS traffic_out
FROM $log
Domains-By- domains by
Traffic WHERE $filter
Browsing- browsing
AND logid_to_int(logid) NOT IN (4,
Time time 7,
14)
AND hostname IS NOT NULL
GROUP BY hostname HAVING sum($browse_time)>0
ORDER BY browsetime DESC
SELECT hostname,
sum($browse_time2) AS browsetime,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth,
Traffic-Top- Traffic top sum(coalesce(rcvdbyte, 0)) AS traffic_in,
Domains-By- domains by sum(coalesce(sentbyte, 0)) AS traffic_out
Browsing- browsing Traffic FROM $log
Time- time WHERE $filter
Enhanced enhanced AND logid_to_int(logid) NOT IN (4,
7,
14)
AND hostname IS NOT NULL

Copyright © 2014 Fortinet, Inc.

78
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
GROUP BY hostname HAVING sum($browse_time2)>0
ORDER BY browsetime DESC
SELECT hostname,
string_agg(DISTINCT catdesc, ', ') AS agg_catdesc,
sum(delta) AS browsetime,
sum(bandwidth) AS bandwidth,
sum(traffic_in) AS traffic_in,
sum(traffic_out) AS traffic_out
FROM ###
(SELECT hostname,
catdesc,
sum($browse_time) AS delta,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS
Traffic-Top- Traffic top bandwidth,
sum(coalesce(rcvdbyte,
Sites-By- sites by
Traffic 0)) AS traffic_in,
Browsing- browsing
sum
Time time
(coalesce(sentbyte, 0)) AS traffic_out
FROM $log
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND hostname IS NOT NULL
GROUP BY hostname,
catdesc HAVING sum($browse_time)>0
ORDER BY delta DESC)### t
GROUP BY hostname
ORDER BY browsetime DESC
SELECT hostname,
string_agg(DISTINCT catdesc, ', ') AS agg_catdesc,
sum(delta) AS browsetime,
sum(bandwidth) AS bandwidth,
sum(traffic_in) AS traffic_in,
sum(traffic_out) AS traffic_out
FROM ###
(SELECT hostname,
catdesc,
sum($browse_time2) AS delta,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))
Traffic-Top- Traffic top AS bandwidth,
Sites-By- sites by sum(coalesce(rcvdbyte,
Browsing- browsing Traffic 0)) AS traffic_in,
Time- time sum
Enhanced enhanced (coalesce(sentbyte, 0)) AS traffic_out
FROM $log
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND hostname IS NOT NULL
GROUP BY hostname,
catdesc HAVING sum($browse_time2)>0
ORDER BY delta DESC)### t
GROUP BY hostname
ORDER BY browsetime DESC
Traffic-Top- Traffic top Traffic SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))

Copyright © 2014 Fortinet, Inc.

79
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
AS user_src,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
FROM $log
WHERE $filter
users by
Users-By- AND logid_to_int(logid) NOT IN (4,
bandwidth
Bandwidth 7,
usage 14)
GROUP BY user_src HAVING sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0))>0
ORDER BY bandwidth DESC
SELECT user_src,
sum(delta) AS browsetime,
sum(bandwidth) AS bandwidth,
sum(traffic_in) AS traffic_in,
sum(traffic_out) AS traffic_out
FROM ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
sum($browse_time) AS delta,
Traffic-Top- Traffic top sum(coalesce(sentbyte, 0)
Web-Users- web users by +coalesce(rcvdbyte, 0)) AS bandwidth,
Traffic
By-Browsing- browsing
Time time sum(coalesce(rcvdbyte, 0)) AS traffic_in,

sum(coalesce(sentbyte, 0)) AS traffic_out

FROM $log
WHERE $filter
GROUP BY user_src HAVING sum($browse_time)>0
ORDER BY delta DESC)### t
GROUP BY user_src
ORDER BY browsetime DESC
SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
AS user_src,
srcssid,
devtype,
coalesce(nullifna(`srcname`), `srcmac`) AS hostname_mac,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
FROM $log
Traffic top WHERE $filter
Traffic-Top- AND logid_to_int(logid) NOT IN (4,
WiFi client by
WiFi-Client- Traffic 7,
bandwidth
By-Bandwidth 14)
usage AND (srcssid IS NOT NULL
OR dstssid IS NOT NULL)
GROUP BY user_src,
srcssid,
devtype,
hostname_mac HAVING sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0))>0
ORDER BY bandwidth DESC
SELECT 'User: ' || string_agg(DISTINCT coalesce(nullifna(`user`),
'Unknown'), '/') || '
' || 'Source IP: ' || string_agg(DISTINCT coalesce(ipstr(srcip),
Traffic-User- Traffic user 'Unknown'), '/') || '
Traffic
Detail detail ' || 'Hostname (MAC): ' || string_agg(DISTINCT coalesce(host_dev,
'Unknown'), '/') || '
' || 'Source Interface: ' || string_agg(DISTINCT coalesce(nullifna(srcintf),
'Unknown'), '/') || '

Copyright © 2014 Fortinet, Inc.

80
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
|| 'Devices: ' || string_agg(distinct coalesce(devid, 'UNKNOWN'), '/') AS
user_detail
FROM ###
(SELECT `user`,
srcip,
coalesce(nullifna(`srcname`),nullifna(`srcmac`)) AS host_dev,
srcintf,
devid,
count(*) AS events
FROM $log
WHERE $filter
GROUP BY `user`,
srcip,
host_dev,
srcintf,
devid
ORDER BY events DESC)### t
SELECT hourstamp,
sum(totalnum) AS totalnum
FROM ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
$hour_of_day AS hourstamp,
count(*) AS totalnum
user-drill- User drill- FROM $log
down-Count- down count WHERE $filter-exclude-var
Spam-Activity- spam activity emailfilter AND `to` IS NOT NULL
by-Hour-of- by hour of AND action IN ('detected',
Day day 'blocked')
GROUP BY user_src,
hourstamp
ORDER BY hourstamp)### t
WHERE $filter-var-ONLY
GROUP BY hourstamp
ORDER BY hourstamp
SELECT catdesc,
sum(requests) AS requests
FROM ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
catdesc,
action,
count(*) AS requests
user-drill- User drill- FROM $log
down-Top- down top WHERE $filter-exclude-var
webfilter
Allowed-Web- allowed web AND catdesc IS NOT NULL
Categories categories GROUP BY user_src,
catdesc,
action
ORDER BY requests DESC)### t
WHERE $filter-var-ONLY
AND action!='blocked'
GROUP BY catdesc
ORDER BY requests DESC

user-drill- User drill- SELECT hostname,

down-Top- down top sum(requests) AS requests
FROM ###
Allowed-Web- allowed web webfilter
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
Sites-By- sites by hostname,
Requests requests action,

Copyright © 2014 Fortinet, Inc.

81
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
count(*) AS requests
FROM $log
WHERE $filter-exclude-var
AND hostname IS NOT NULL
GROUP BY user_src,
hostname,
action
ORDER BY requests DESC)### t
WHERE $filter-var-ONLY
AND action!='blocked'
GROUP BY hostname
ORDER BY requests DESC
SELECT attack,
sum(attack_count) AS attack_count
FROM ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src, attack,
(CASE WHEN severity IN ('critical',
'high') THEN 1
ELSE 0 END) AS high_severity,
user-drill- User drill-
down-Top- down top count(*) AS attack_count
attack FROM $log
Attacks-By- attacks by
WHERE $filter-exclude-var
Name name
AND nullifna(attack) IS NOT NULL
GROUP BY user_src,
attack,
high_severity
ORDER BY attack_count DESC)### t
WHERE $filter-var-ONLY
GROUP BY attack
ORDER BY attack_count DESC
SELECT attack,
sum(attack_count) AS attack_count
FROM ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src, attack,
(CASE WHEN severity IN ('critical',
'high') THEN 1
ELSE 0 END) AS high_severity,

user-drill- User drill- count(*) AS attack_count

down-Top- down top FROM $log
attack
Attacks-High- attacks high WHERE $filter-exclude-var
Severity severity AND nullifna(attack) IS NOT NULL
GROUP BY user_src,
attack,
high_severity
ORDER BY attack_count DESC)### t
WHERE $filter-var-ONLY
AND high_severity=1
GROUP BY attack
ORDER BY attack_count DESC
SELECT catdesc,
user-drill- User drill- sum(requests) AS requests
down-Top- down top FROM ###
webfilter
Blocked-Web- blocked web (SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
Categories categories catdesc,
action,

Copyright © 2014 Fortinet, Inc.

82
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
count(*) AS requests
FROM $log
WHERE $filter-exclude-var
AND catdesc IS NOT NULL
GROUP BY user_src,
catdesc,
action
ORDER BY requests DESC)### t
WHERE $filter-var-ONLY
AND action='blocked'
GROUP BY catdesc
ORDER BY requests DESC
SELECT hostname,
sum(requests) AS requests
FROM ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
hostname,
action,
user-drill- User drill- count(*) AS requests
down-Top- down top FROM $log
WHERE $filter-exclude-var
Blocked-Web- blocked web webfilter
AND hostname IS NOT NULL
Sites-By- sites by GROUP BY user_src,
Requests requests hostname,
action
ORDER BY requests DESC)### t
WHERE $filter-var-ONLY
AND action='blocked'
GROUP BY hostname
ORDER BY requests DESC
SELECT mf_sender,
sum(totalnum) AS totalnum
FROM ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
`FROM` AS mf_sender,
count(*) AS totalnum
user-drill- User drill- FROM $log
WHERE $filter-exclude-var
down-Top- down top
emailfilter AND `FROM` IS NOT NULL
Spam- spam
AND action IN ('detected',
Sources sources 'blocked')
GROUP BY user_src,
mf_sender
ORDER BY totalnum DESC)### t
WHERE $filter-var-ONLY
GROUP BY mf_sender
ORDER BY totalnum DESC
SELECT virus,
sum(totalnum) AS totalnum
FROM ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
user-drill- User drill- virus,
down-Top- down top virus count(*) AS totalnum
Virus virus FROM $log
WHERE $filter-exclude-var
AND nullifna(virus) IS NOT NULL
GROUP BY user_src,
virus

Copyright © 2014 Fortinet, Inc.

83
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
ORDER BY totalnum DESC)### t
WHERE $filter-var-ONLY
GROUP BY virus
ORDER BY totalnum DESC
SELECT receiver,
sum(totalnum) AS totalnum
FROM ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
`to` AS receiver,
count(*) AS totalnum
FROM $log
WHERE $filter-exclude-var
AND subtype='infected'
AND (service IN ('smtp',
'SMTP',
'25/tcp',
'587/tcp',
'smtps',
'SMTPS',
user-drill- User drill- '465/tcp')
down-Top- down top OR service IN ('pop3',
Virus-Receiv- virus receiv- virus 'POP3',
ers-Over- ers over '110/tcp',
Email email 'imap',
'IMAP',
'143/tcp',
'imaps',
'IMAPS',
'993/tcp',
'pop3s',
'POP3S',
'995/tcp'))
AND nullifna(virus) IS NOT NULL
GROUP BY user_src,
receiver
ORDER BY totalnum DESC)### t
WHERE $filter-var-ONLY
GROUP BY receiver
ORDER BY totalnum DESC
SELECT sum(requests) AS requests,
sum(bandwidth) AS bandwidth
FROM ###
(SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
cip`)) AS user_src,
recipient,
count(*) AS requests,
UTM drill- sum(coalesce(sent-
utm-drilldown- byte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
down email
Email-Receiv- Traffic FROM $log
receivers
ers-Summary WHERE $filter-exclude-var
summary
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND recipient IS NOT NULL
AND service IN ('pop3',
'POP3',
'110/tcp',
'imap',

Copyright © 2014 Fortinet, Inc.

84
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
'IMAP',
'143/tcp',
'imaps',
'IMAPS',
'993/tcp',
'pop3s',
'POP3S',
'995/tcp')
GROUP BY user_src,
recipient
ORDER BY requests DESC)### t
WHERE $filter-var-ONLY
SELECT sum(requests) AS requests,
sum(bandwidth) AS bandwidth
FROM ###
(SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
cip`)) AS user_src,
sender,
count(*) AS requests,
sum(coalesce(sent-
byte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
FROM $log
utm-drilldown- UTM drill- WHERE $filter-exclude-var
Email- down email AND logid_to_int(logid) NOT IN (4,
Traffic 7,
Senders-Sum- senders sum-
14)
mary mary
AND service IN ('smtp',
'SMTP',
'25/tcp',
'587/tcp',
'smtps',
'SMTPS',
'465/tcp')
GROUP BY user_src,
sender
ORDER BY requests DESC)### t
WHERE $filter-var-ONLY
SELECT appid,
hostname,
sum(requests) AS requests
FROM (###
(SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
cip`)) AS user_src, appid, hostname, (CASE WHEN utmac-
tion='blocked' THEN 1 ELSE 0 END) AS blocked,

UTM drill- count(*) AS requests

utm-drilldown-
down top FROM $log-traffic
Top-Allowed-
allowed web Traffic WHERE $filter-exclude-var
Web-Sites-By-
sites by AND logid_to_int(logid) NOT IN (4,
Request
request 7,
14)
AND utmevent IN ('webfilter',
'banned-word',
'web-content',
'command-block',
'script-filter')
AND hostname IS NOT NULL
GROUP BY user_src,

Copyright © 2014 Fortinet, Inc.

85
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
appid,
hostname,
blocked
ORDER BY requests DESC)###
UNION ALL ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
0 AS appid, hostname, (CASE
WHEN action='blocked' THEN 1 ELSE 0 END) AS blocked,

count(*) AS requests
FROM $log-webfilter
WHERE $filter-exclude-var
AND (eventtype IS NULL
OR logver = 52)
AND hostname IS NOT NULL
GROUP BY user_src,
appid,
hostname,
blocked
ORDER BY requests DESC)###) t
WHERE $filter-var-ONLY
AND blocked=0
GROUP BY appid,
hostname
ORDER BY requests DESC
SELECT appid,
app,
sum(bandwidth) AS bandwidth
FROM ###
(SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
cip`)) AS user_src,
appid,
app,
sum(coalesce(sentbyte, 0)
+coalesce(rcvdbyte, 0)) AS bandwidth,
UTM drill-
utm-drilldown- down top count(*) AS sessions
Top-App-By- applications Traffic FROM $log
WHERE $filter-exclude-var
Bandwidth by bandwidth
AND logid_to_int(logid) NOT IN (4,
usage
7,
14)
AND nullifna(app) IS NOT NULL
GROUP BY user_src,
appid,
app
ORDER BY sessions DESC)### t
WHERE $filter-var-ONLY
GROUP BY appid,
app HAVING sum(bandwidth)>0
ORDER BY bandwidth DESC
SELECT appid,
UTM drill- app,
utm-drilldown- down top sum(sessions) AS sessions
Top-App-By- applications Traffic FROM ###
Sessions by session (SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
count cip`)) AS user_src,
appid,

Copyright © 2014 Fortinet, Inc.

86
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
app,
sum(coalesce(sentbyte, 0)
+coalesce(rcvdbyte, 0)) AS bandwidth,

count(*) AS sessions
FROM $log
WHERE $filter-exclude-var
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND nullifna(app) IS NOT NULL
GROUP BY user_src,
appid,
app
ORDER BY sessions DESC)### t
WHERE $filter-var-ONLY
GROUP BY appid,
app
ORDER BY sessions DESC
SELECT attack,
sum(attack_count) AS attack_count
FROM ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
attack,
UTM drill- count(*) AS attack_count
utm-drilldown- FROM $log
down top
Top-Attacks- attack WHERE $filter-exclude-var
attacks by
By-Name AND nullifna(attack) IS NOT NULL
name GROUP BY user_src,
attack
ORDER BY attack_count DESC)### t
WHERE $filter-var-ONLY
GROUP BY attack
ORDER BY attack_count DESC
SELECT appid,
hostname,
sum(requests) AS requests
FROM (###
(SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
cip`)) AS user_src, appid, hostname, (CASE WHEN utmac-
tion='blocked' THEN 1 ELSE 0 END) AS blocked,

count(*) AS requests
UTM drill- FROM $log-traffic
utm-drilldown- WHERE $filter-exclude-var
down top
Top-Blocked- AND logid_to_int(logid) NOT IN (4,
blocked web Traffic
Web-Sites-By- 7,
sites by
Request 14)
request
AND utmevent IN ('webfilter',
'banned-word',
'web-content',
'command-block',
'script-filter')
AND hostname IS NOT NULL
GROUP BY user_src,
appid,
hostname,
blocked

Copyright © 2014 Fortinet, Inc.

87
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
ORDER BY requests DESC)###
UNION ALL ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
0 AS appid, hostname, (CASE
WHEN action='blocked' THEN 1 ELSE 0 END) AS blocked,

count(*) AS requests
FROM $log-webfilter
WHERE $filter-exclude-var
AND (eventtype IS NULL
OR logver = 52)
AND hostname IS NOT NULL
GROUP BY user_src,
appid,
hostname,
blocked
ORDER BY requests DESC)###) t
WHERE $filter-var-ONLY
AND blocked=1
GROUP BY appid,
hostname
ORDER BY requests DESC
SELECT recipient,
sum(bandwidth) AS bandwidth
FROM ###
(SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
cip`)) AS user_src,
recipient,
count(*) AS requests,
sum(coalesce(sent-
byte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
FROM $log
WHERE $filter-exclude-var
AND logid_to_int(logid) NOT IN (4,
7,
14)
UTM drill- AND service IN ('pop3',
utm-drilldown- 'POP3',
down top
Top-Email- Traffic '110/tcp',
email recip-
Recipients 'imap',
ients
'IMAP',
'143/tcp',
'imaps',
'IMAPS',
'993/tcp',
'pop3s',
'POP3S',
'995/tcp')
GROUP BY user_src,
recipient
ORDER BY requests DESC)### t
WHERE $filter-var-ONLY
AND recipient IS NOT NULL
GROUP BY recipient HAVING sum(bandwidth)>0
ORDER BY bandwidth DESC
utm-drilldown- UTM drill- SELECT sender,
Top-Email- down top Traffic sum(bandwidth) AS bandwidth
Senders email FROM ###

Copyright © 2014 Fortinet, Inc.

88
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
(SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
cip`)) AS user_src,
sender,
count(*) AS requests,
sum(coalesce(sent-
byte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
FROM $log
WHERE $filter-exclude-var
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND service IN ('smtp',
senders 'SMTP',
'25/tcp',
'587/tcp',
'smtps',
'SMTPS',
'465/tcp')
GROUP BY user_src,
sender
ORDER BY requests DESC)### t
WHERE $filter-var-ONLY
AND sender IS NOT NULL
GROUP BY sender HAVING sum(bandwidth)>0
ORDER BY bandwidth DESC
SELECT appid,
app,
dstip,
sum(sessions) AS sessions,
sum(bandwidth) AS bandwidth
FROM ###
(SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
cip`)) AS user_src,
appid,
app,
dstip,
count(*) AS sessions,
sum(coalesce(sent-
byte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
UTM drill- FROM $log
utm-drilldown-
down top WHERE $filter-exclude-var
Top-User- Traffic
user des- AND logid_to_int(logid) NOT IN (4,
Destination
tination 7,
14)
AND dstip IS NOT NULL
AND nullifna(app) IS NOT NULL
GROUP BY user_src,
appid,
app,
dstip HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))
>0
ORDER BY bandwidth DESC)### t
WHERE $filter-var-ONLY
GROUP BY appid,
app,
dstip
ORDER BY bandwidth DESC
utm-drilldown- UTM drill- Traffic SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))

Copyright © 2014 Fortinet, Inc.

89
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
AS dldn_user,
count(*) AS SESSION,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth,
sum(coalesce(sentbyte, 0)) AS traffic_out,
down top sum(coalesce(rcvdbyte, 0)) AS traffic_in
FROM $log
Top-Users-By- users by
WHERE $filter
Bandwidth bandwidth AND logid_to_int(logid) NOT IN (4,
usage 7,
14)
GROUP BY dldn_user HAVING sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0))>0
ORDER BY bandwidth DESC
SELECT virus,
sum(totalnum) AS totalnum
FROM (###
(SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
cip`)) AS user_src,
virus,
count(*) AS totalnum
FROM $log-traffic
WHERE $filter-exclude-var
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IS NOT NULL
AND virus IS NOT NULL
UTM drill- GROUP BY user_src,
utm-drilldown- virus
down top Traffic
Top-Virus ORDER BY totalnum DESC)###
virus
UNION ALL ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
virus,
count(*) AS totalnum
FROM $log-virus
WHERE $filter-exclude-var
AND (eventtype IS NULL
OR logver = 52)
AND nullifna(virus) IS NOT NULL
GROUP BY user_src,
virus
ORDER BY totalnum DESC)###) t
WHERE $filter-var-ONLY
GROUP BY virus
ORDER BY totalnum DESC
SELECT vuln,
sum(totalnum) AS totalnum
FROM ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
utm-drilldown- UTM drill- vuln,
count(*) AS totalnum
Top-Vul- down top vul-
netscan FROM $log
nerability-By- nerability by
WHERE $filter-exclude-var
Name name AND action='vuln-detection'
AND vuln IS NOT NULL
GROUP BY user_src,
vuln
ORDER BY totalnum DESC)### t

Copyright © 2014 Fortinet, Inc.

90
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
WHERE $filter-var-ONLY
GROUP BY vuln
ORDER BY totalnum DESC
SELECT srcip,
srcname
FROM
(SELECT *
FROM (###
(SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr
(`srcip`)) AS user_src,
srcip,
srcname
FROM $log
utm-drilldown- UTM drill- WHERE $filter-exclude-var
Traffic-Sum- down traffic Traffic AND logid_to_int(logid) NOT IN (4,
mary summary 7,
14)
GROUP BY user_src,
srcip,
srcname)###) t
WHERE $filter-var-ONLY
GROUP BY user_src,
srcip,
srcname) t
GROUP BY srcip,
srcname
SELECT appid,
hostname,
catdesc,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth,
sum(coalesce(rcvdbyte, 0)) AS traffic_in,
sum(coalesce(sentbyte, 0)) AS traffic_out
FROM $log
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
utm-Top- UTM top 7,
Allowed-Web- allowed web- 14)
Traffic
sites-By-Band- sites by band- AND utmevent IN ('webfilter',
width width usage 'banned-word',
'web-content',
'command-block',
'script-filter')
AND hostname IS NOT NULL
GROUP BY appid,
hostname,
catdesc HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte,
0))>0
ORDER BY bandwidth DESC
SELECT hostname,
catdesc,
count(*) AS requests
utm-Top- UTM top FROM $log
Allowed-Web- allowed web WHERE $filter
Traffic
Sites-By- sites by AND logid_to_int(logid) NOT IN (4,
Request request 7,
14)
AND utmevent IN ('webfilter',
'banned-word',

Copyright © 2014 Fortinet, Inc.

91
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
'web-content',
'command-block',
'script-filter')
AND hostname IS NOT NULL
AND utmaction!='blocked'
GROUP BY hostname,
catdesc
ORDER BY requests DESC
SELECT dstip,
count(*) AS totalnum
FROM $log
utm-Top- UTM top
attack WHERE $filter
Attack-Dest attack dest
AND dstip IS NOT NULL
GROUP BY dstip
ORDER BY totalnum DESC
SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
count(*) AS totalnum
utm-Top- UTM top FROM $log
attack
Attack-Source attack source WHERE $filter
GROUP BY user_src
ORDER BY totalnum DESC
SELECT hostname,
count(*) AS requests
FROM $log
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
utm-Top- UTM top 14)
Blocked-Web- blocked web AND utmevent IN ('webfilter',
Traffic
Sites-By- sites by 'banned-word',
Request request 'web-content',
'command-block',
'script-filter')
AND hostname IS NOT NULL
AND utmaction='blocked'
GROUP BY hostname
ORDER BY requests DESC
SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
AS user_src,
devtype,
srcname,
count(*) AS requests
FROM $log
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
utm-Top- UTM top 7,
14)
Blocked-Web- blocked web Traffic
AND utmevent IN ('webfilter',
Users users
'banned-word',
'web-content',
'command-block',
'script-filter')
AND utmaction='blocked'
GROUP BY user_src,
devtype,
srcname
ORDER BY requests DESC

Copyright © 2014 Fortinet, Inc.

92
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
SELECT appid,
hostname,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth,
sum(coalesce(rcvdbyte, 0)) AS traffic_in,
sum(coalesce(sentbyte, 0)) AS traffic_out
UTM top FROM $log
utm-Top-
video stream- WHERE $filter
Video-Stream-
ing websites Traffic AND logid_to_int(logid) NOT IN (4,
ing-Websites- 7,
by bandwidth
By-Bandwidth 14)
usage
AND catdesc IN ('Streaming Media and Download')
GROUP BY appid,
hostname HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvd-
byte, 0))>0
ORDER BY bandwidth DESC
SELECT virus,
(CASE
WHEN virus LIKE 'Riskware%' THEN 'Spyware'
WHEN virus LIKE 'Adware%' THEN 'Adware'
ELSE 'Virus'
END) AS malware_type,
sum(totalnum) AS totalnum
FROM (###
(SELECT virus,
count(*) AS totalnum
FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
UTM top AND utmevent IS NOT NULL
utm-Top-Virus Traffic
virus AND virus IS NOT NULL
GROUP BY virus
ORDER BY totalnum DESC)###
UNION ALL ###
(SELECT virus,
count(*) AS totalnum
FROM $log-virus
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)
AND nullifna(virus) IS NOT NULL
GROUP BY virus
ORDER BY totalnum DESC)###) t
GROUP BY virus,
malware_type
ORDER BY totalnum DESC
SELECT user_src,
sum(totalnum) AS totalnum
FROM (###
(SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
utm-Top- UTM top cip`)) AS user_src,
Traffic count(*) AS totalnum
Virus-User virus user
FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)

Copyright © 2014 Fortinet, Inc.

93
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
AND utmevent IS NOT NULL
AND virus IS NOT NULL
GROUP BY user_src
ORDER BY totalnum DESC)###
UNION ALL ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
count(*) AS totalnum
FROM $log-virus
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)
AND nullifna(virus) IS NOT NULL
GROUP BY user_src
ORDER BY totalnum DESC)###) t
GROUP BY user_src
ORDER BY totalnum DESC
SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
AS user_src,
devtype,
srcname,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth,
sum(coalesce(rcvdbyte, 0)) AS traffic_in,
sum(coalesce(sentbyte, 0)) AS traffic_out
FROM $log
WHERE $filter
UTM top web AND logid_to_int(logid) NOT IN (4,
utm-Top-Web-
users by 7,
Users-By- Traffic
bandwidth 14)
Bandwidth AND utmevent IN ('webfilter',
usage
'banned-word',
'web-content',
'command-block',
'script-filter')
GROUP BY user_src,
devtype,
srcname HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte,
0))>0
ORDER BY bandwidth DESC
SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
AS user_src,
devtype,
srcname,
count(*) AS requests
FROM $log
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
utm-Top-Web- UTM top web 7,
Users-By- users by Traffic 14)
Request request AND utmevent IN ('webfilter',
'banned-word',
'web-content',
'command-block',
'script-filter')
GROUP BY user_src,
devtype,
srcname
ORDER BY requests DESC
vpn-Authentic- VPN authen- event SELECT f_user,

Copyright © 2014 Fortinet, Inc.

94
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
tunneltype,
sum(total) AS total_num,
sum(dura) AS duration
FROM ###
(SELECT t1.f_user AS f_user,
t1.tunneltype AS tunneltype,
t1.total AS total,
t2.dura AS dura
FROM (
(SELECT coalesce(nullifna(`xauthuser`), `user`) AS f_user,
tunneltype,
count(*) AS total,
tunnelid
FROM $log
WHERE $filter
AND subtype='vpn'
AND (tunneltype='ipsec'
OR tunneltype='ssl-web')
AND action='tunnel-up'
AND coalesce(nullifna(`xauthuser`), nullifna(`user`)) IS NOT
NULL
GROUP BY f_user,
tunneltype,
tunnelid
ORDER BY tunnelid) AS t1
INNER JOIN
(SELECT tunnelid,
sum(dura_end-dura_beg) AS dura
FROM
ated-Logins ticated logins (SELECT coalesce(nullifna(`xauthuser`),`user`) AS f_user,
tunneltype,
min(coalesce(duration, 0)) AS
dura_beg,
max(coalesce(dur-
ation,0)) AS dura_end,

tunnelid,

min(coalesce(sentbyte, 0)) AS sent_beg,

max(coalesce(sentbyte, 0)) AS sent_end,

min(coalesce(rcvdbyte, 0)) AS rcvd_beg,

max(coalesce(rcvdbyte, 0)) AS rcvd_end
FROM $log
WHERE $filter
AND subtype='vpn'
AND tunneltype IN ('ipsec',
'ssl-web')
AND coalesce(nullifna(`xauthuser`), nullifna(`user`)) IS NOT NULL
AND action='tunnel-stats'
AND tunnelid IS NOT NULL
GROUP BY f_user,
tunneltype,
tunnelid
ORDER BY tunnelid) tt
GROUP BY tunnelid HAVING sum(sent_end-sent_beg+rcvd_
end-rcvd_beg)>0) AS t2 ON t1.tunnelid=t2.tunnelid))### t
GROUP BY f_user,

Copyright © 2014 Fortinet, Inc.

95
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
tunneltype
ORDER BY total_num DESC
SELECT f_user,
tunneltype,
sum(total_num) AS total_num
FROM ###
(SELECT coalesce(nullifna(`xauthuser`), `user`) AS f_user,
tunneltype,
count(*) AS total_num
FROM $log
WHERE $filter
vpn-Failed- VPN failed AND subtype='vpn'
event
Logins logins AND (tunneltype='ipsec'
OR left(tunneltype, 3)='ssl')
AND action IN ('ssl-login-fail',
'ipsec-login-fail')
AND coalesce(nullifna(`xauthuser`), nullifna(`user`)) IS NOT NULL
GROUP BY f_user,
tunneltype)### t
GROUP BY f_user,
tunneltype
ORDER BY total_num DESC
SELECT vpn_name,
sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth,
sum(rcvd_end-rcvd_beg) AS traffic_in,
sum(sent_end-sent_beg) AS traffic_out
FROM ###
(SELECT vpn_trim(vpntunnel) AS vpn_name,
tunnelid,
min(coalesce(sentbyte, 0)) AS sent_beg,
max(coalesce(sentbyte, 0)) AS
sent_end,
min(coalesce(rcvd-
byte, 0)) AS rcvd_beg,

vpn-Top-Dial- Top dial up max(coalesce(rcvdbyte, 0)) AS rcvd_end

Up-IPSEC- IPsec tunnels FROM $log
event
Tunnels-By- by bandwidth WHERE $filter
Bandwidth usage AND nullifna(vpntunnel) IS NOT NULL
AND subtype='vpn'
AND tunneltype LIKE 'ipsec%'
AND NOT (tunnelip IS NULL
OR (tunnelip='0.0.0.0'
AND coalesce(logver, 0)!=52))
AND action='tunnel-stats'
AND tunnelid IS NOT NULL
GROUP BY vpn_name,
tunnelid
ORDER BY tunnelid)### t
GROUP BY vpn_name HAVING sum(sent_end-sent_beg+rcvd_end-
rcvd_beg)>0
ORDER BY bandwidth DESC
SELECT user_src,
vpn-Top-Dial- Top dial up remip,
Up-IPSEC- IPsec users sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth,
event
Users-By- by bandwidth sum(rcvd_end-rcvd_beg) AS traffic_in,
Bandwidth usage sum(sent_end-sent_beg) AS traffic_out
FROM ###

Copyright © 2014 Fortinet, Inc.

96
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
(SELECT coalesce(nullifna(`xauthuser`), nullifna(`user`), ipstr
(`remip`)) AS user_src,
remip,
tunnelid,
min(coalesce(sentbyte, 0))
AS sent_beg,
max
(coalesce(sentbyte, 0)) AS sent_end,

min(coalesce(rcvdbyte, 0)) AS rcvd_beg,

max(coalesce(rcvdbyte, 0)) AS rcvd_end

FROM $log
WHERE $filter
AND subtype='vpn'
AND tunneltype LIKE 'ipsec%'
AND NOT (tunnelip IS NULL
OR (tunnelip='0.0.0.0'
AND coalesce(logver, 0)!=52))
AND action='tunnel-stats'
AND tunnelid IS NOT NULL
GROUP BY user_src,
remip,
tunnelid
ORDER BY tunnelid)### t
GROUP BY user_src,
remip HAVING sum(sent_end-sent_beg+rcvd_end-rcvd_beg)>0
ORDER BY bandwidth DESC
SELECT user_src,
remip,
sum(traffic_out) AS traffic_out,
sum(traffic_in) AS traffic_in,
sum(bandwidth) AS bandwidth,
sum(uptime) AS uptime
FROM
(SELECT user_src,
remip,
tunnelid,
devid,
vd,
sum(sent_end-sent_beg) AS traffic_out,
vpn-Top-Dia- Top dialup
sum(rcvd_end-rcvd_beg) AS traffic_in,
lup-IPSEC- IPsec users sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth,
Users-By- by bandwidth event sum(duration_end-duration_beg) AS uptime
Bandwidth- usage and FROM ###
and-Avail avail (SELECT tunnelid,
coalesce(nullifna(`xauthuser`), nullifna(`user`), ipstr(`remip`))
AS user_src,
remip,
devid,
vd,
min(coalesce(sentbyte,
0)) AS sent_beg,
max
(coalesce(sentbyte, 0)) AS sent_end,

min(coalesce(rcvdbyte, 0)) AS rcvd_beg,

Copyright © 2014 Fortinet, Inc.

97
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
max(coalesce(rcvdbyte, 0)) AS rcvd_end,
min(coalesce(duration, 0)) AS duration_beg,
max(coalesce(duration, 0)) AS duration_end
FROM $log
WHERE $filter
AND subtype='vpn'
AND action='tunnel-stats'
AND tunneltype LIKE 'ipsec%'
AND NOT (tunnelip IS NULL
OR (tunnelip='0.0.0.0'
AND coalesce(logver, 0)!=52))
AND tunnelid IS NOT NULL
GROUP BY tunnelid,
user_src,
remip,
devid,
vd
ORDER BY tunnelid)### t
GROUP BY user_src,
remip,
tunnelid,
devid,
vd
ORDER BY bandwidth DESC) t
GROUP BY user_src,
remip
ORDER BY bandwidth DESC
SELECT user_src,
sum(dura_end-dura_beg) AS duration,
sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth
FROM ###
(SELECT coalesce(nullifna(`xauthuser`), nullifna(`user`), ipstr
(`remip`)) AS user_src,
tunnelid,
min(coalesce(duration, 0))
AS dura_beg,
max
(coalesce(duration,0)) AS dura_end,

min(coalesce(sentbyte, 0)) AS sent_beg,

vpn-Top-Dial-
Top dial up max(coalesce(sentbyte, 0)) AS sent_end,
Up-IPSEC-
IPsec users event
Users-By-Dur-
by duration min(coalesce(rcvdbyte, 0)) AS rcvd_beg,
ation
max(coalesce(rcvdbyte, 0)) AS rcvd_end
FROM $log
WHERE $filter
AND subtype='vpn'
AND tunneltype LIKE 'ipsec%'
AND NOT (tunnelip IS NULL
OR (tunnelip='0.0.0.0'
AND coalesce(logver, 0)!=52))
AND action='tunnel-stats'
AND tunnelid IS NOT NULL
GROUP BY user_src,
tunnelid
ORDER BY tunnelid)### t
GROUP BY user_src HAVING sum(sent_end-sent_beg+rcvd_end-

Copyright © 2014 Fortinet, Inc.

98
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
rcvd_beg)>0
ORDER BY duration DESC
SELECT user_src,
tunneltype,
sum(dura_end-dura_beg) AS duration,
sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth
FROM ###
(SELECT coalesce(nullifna(`xauthuser`), nullifna(`user`), ipstr
(`remip`)) AS user_src,
tunneltype,
tunnelid,
min(coalesce(duration, 0))
AS dura_beg,
max
(coalesce(duration,0)) AS dura_end,

min(coalesce(sentbyte, 0)) AS sent_beg,

max(coalesce(sentbyte, 0)) AS sent_end,

vpn-Top-Dial-
Top dial up
Up-VPN- min(coalesce(rcvdbyte, 0)) AS rcvd_beg,
VPN users by event
Users-By-Dur- max(coalesce(rcvdbyte, 0)) AS rcvd_end
duration
ation FROM $log
WHERE $filter
AND subtype='vpn'
AND (tunneltype LIKE 'ssl%'
OR (tunneltype LIKE 'ipsec%'
AND NOT (tunnelip IS NULL
OR (tunnelip='0.0.0.0'
AND coalesce(logver, 0)!=52))))
AND action='tunnel-stats'
AND tunnelid IS NOT NULL
GROUP BY user_src,
tunneltype,
tunnelid
ORDER BY tunnelid)### t
GROUP BY user_src,
tunneltype HAVING sum(sent_end-sent_beg+rcvd_end-rcvd_beg)
>0
ORDER BY duration DESC
SELECT vpntunnel,
tunneltype,
sum(traffic_out) AS traffic_out,
sum(traffic_in) AS traffic_in,
sum(bandwidth) AS bandwidth,
sum(uptime) AS uptime
vpn-Top-S2S- Top S2S FROM
IPSEC-Tun- IPsec tunnels (SELECT vpntunnel,
tunneltype,
nels-By-Band- by bandwidth event
tunnelid,
width-and- usage and devid,
Avail avail vd,
sum(sent_end-sent_beg) AS traffic_out,
sum(rcvd_end-rcvd_beg) AS traffic_in,
sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth,
sum(duration_end-duration_beg) AS uptime
FROM ###
(SELECT tunnelid,

Copyright © 2014 Fortinet, Inc.

99
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
tunneltype,
vpntunnel,
devid,
vd,
min(coalesce(sentbyte, 0)) AS sent_beg,
max(coalesce(sentbyte, 0)) AS sent_end,
min(coalesce(rcvdbyte, 0)) AS
rcvd_beg,
max
(coalesce(rcvdbyte, 0)) AS rcvd_end,

min(coalesce(duration, 0)) AS duration_beg,

max(coalesce(duration, 0)) AS duration_end

FROM $log
WHERE $filter
AND subtype='vpn'
AND action='tunnel-stats'
AND tunneltype LIKE 'ipsec%'
AND (tunnelip IS NULL
OR (tunnelip='0.0.0.0'
AND coalesce(logver, 0)!=52))
AND nullifna(`user`) IS NULL
AND tunnelid IS NOT NULL
GROUP BY tunnelid,
tunneltype,
vpntunnel,
devid,
vd
ORDER BY tunnelid)### t
GROUP BY vpntunnel,
tunneltype,
tunnelid,
devid,
vd
ORDER BY bandwidth DESC) t
GROUP BY vpntunnel,
tunneltype
ORDER BY bandwidth DESC
SELECT user_src,
remote_ip,
sum(traffic_out) AS traffic_out,
sum(traffic_in) AS traffic_in,
sum(bandwidth) AS bandwidth,
sum(uptime) AS uptime
FROM
vpn-Top-SSL- Top SSL tun- (SELECT user_src,
Tunnel-Users- nel users by remip AS remote_ip,
By-Band- bandwidth event tunnelid,
width-and- usage and devid,
Avail avail vd,
sum(sent_end-sent_beg) AS traffic_out,
sum(rcvd_end-rcvd_beg) AS traffic_in,
sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth,
sum(duration_end-duration_beg) AS uptime
FROM ###
(SELECT tunnelid,
coalesce(nullifna(`user`), ipstr(`remip`)) AS user_src,

Copyright © 2014 Fortinet, Inc.

100
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
remip,
devid,
vd,
min(coalesce(sentbyte, 0)) AS sent_
beg,
max(coalesce(sent-
byte, 0)) AS sent_end,
min
(coalesce(rcvdbyte, 0)) AS rcvd_beg,

max(coalesce(rcvdbyte, 0)) AS rcvd_end,

min(coalesce(duration, 0)) AS duration_beg,

max(coalesce(duration, 0)) AS duration_end
FROM $log
WHERE $filter
AND subtype='vpn'
AND action='tunnel-stats'
AND tunneltype IN ('ssl-tunnel',
'ssl')
AND coalesce(nullifna(`user`), ipstr(`remip`)) IS NOT NULL
AND tunnelid IS NOT NULL
GROUP BY tunnelid,
user_src,
remip,
devid,
vd
ORDER BY tunnelid)### t
GROUP BY user_src,
remote_ip,
tunnelid,
devid,
vd
ORDER BY bandwidth DESC) t
GROUP BY user_src,
remote_ip
ORDER BY bandwidth DESC
SELECT user_src,
remote_ip,
sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth,
sum(rcvd_end-rcvd_beg) AS traffic_in,
sum(sent_end-sent_beg) AS traffic_out
FROM ###
(SELECT coalesce(nullifna(`user`), ipstr(`remip`)) AS user_src,
remip AS remote_ip,
Top SSL tunnelid,
vpn-Top-SSL-
VPN tunnel min(coalesce(sentbyte, 0)) AS
VPN-Tunnel-
users by event sent_beg,
Users-By- max(coalesce
bandwidth
Bandwidth (sentbyte, 0)) AS sent_end,
usage

min(coalesce(rcvdbyte, 0)) AS rcvd_beg,

max(coalesce(rcvdbyte, 0)) AS rcvd_end

FROM $log
WHERE $filter
AND subtype='vpn'
AND tunneltype LIKE 'ssl-tunnel'

Copyright © 2014 Fortinet, Inc.

101
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
AND action='tunnel-stats'
AND coalesce(nullifna(`user`), ipstr(`remip`)) IS NOT NULL
GROUP BY tunnelid,
user_src,
remip
ORDER BY tunnelid)### t
GROUP BY user_src,
remote_ip HAVING sum(sent_end-sent_beg+rcvd_end-rcvd_beg)
>0
ORDER BY bandwidth DESC
SELECT user_src,
remote_ip,
sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth,
sum(rcvd_end-rcvd_beg) AS traffic_in,
sum(sent_end-sent_beg) AS traffic_out
FROM ###
(SELECT coalesce(nullifna(`user`), ipstr(`remip`)) AS user_src,
remip AS remote_ip,
tunnelid,
min(coalesce(sentbyte, 0)) AS
sent_beg,
max(coalesce
(sentbyte, 0)) AS sent_end,

Top SSL min(coalesce(rcvdbyte, 0)) AS rcvd_beg,

vpn-Top-SSL-
VPN users by
VPN-Users- event
bandwidth max(coalesce(rcvdbyte, 0)) AS rcvd_end
By-Bandwidth
usage FROM $log
WHERE $filter
AND subtype='vpn'
AND tunneltype LIKE 'ssl%'
AND action='tunnel-stats'
AND coalesce(nullifna(`user`), ipstr(`remip`)) IS NOT NULL
AND tunnelid IS NOT NULL
GROUP BY tunnelid,
user_src,
remip
ORDER BY tunnelid)### t
GROUP BY user_src,
remote_ip HAVING sum(sent_end-sent_beg+rcvd_end-rcvd_beg)
>0
ORDER BY bandwidth DESC
SELECT user_src,
tunneltype,
sum(dura_end-dura_beg) AS duration,
sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth
FROM ###
(SELECT coalesce(nullifna(`user`), ipstr(`remip`)) AS user_src,
vpn-Top-SSL- Top SSL tunneltype,
VPN-Users- VPN users by event min(coalesce(duration, 0)) AS dura_
By-Duration duration beg,
max(coalesce(dur-
ation, 0)) AS dura_end,
tun-
nelid,
min
(coalesce(sentbyte, 0)) AS sent_beg,

Copyright © 2014 Fortinet, Inc.

102
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name

max(coalesce(sentbyte, 0)) AS sent_end,

min(coalesce(rcvdbyte, 0)) AS rcvd_beg,

max(coalesce(rcvdbyte, 0)) AS rcvd_end
FROM $log
WHERE $filter
AND subtype='vpn'
AND tunneltype LIKE 'ssl%'
AND action='tunnel-stats'
AND coalesce(nullifna(`user`), ipstr(`remip`)) IS NOT NULL
AND tunnelid IS NOT NULL
GROUP BY tunnelid,
user_src,
tunneltype
ORDER BY tunnelid)### t
GROUP BY user_src,
tunneltype HAVING sum(sent_end-sent_beg+rcvd_end-rcvd_beg)
>0
ORDER BY duration DESC
SELECT user_src,
remote_ip,
sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth,
sum(rcvd_end-rcvd_beg) AS traffic_in,
sum(sent_end-sent_beg) AS traffic_out
FROM ###
(SELECT coalesce(nullifna(`user`), ipstr(`remip`)) AS user_src,
remip AS remote_ip,
tunnelid,
min(coalesce(sentbyte, 0)) AS
sent_beg,
max(coalesce
(sentbyte, 0)) AS sent_end,
Top SSL
vpn-Top-SSL- min(coalesce(rcvdbyte, 0)) AS rcvd_beg,
VPN web
VPN-Web-
mode users event
Mode-Users- max(coalesce(rcvdbyte, 0)) AS rcvd_end
by bandwidth
By-Bandwidth FROM $log
usage
WHERE $filter
AND subtype='vpn'
AND tunneltype='ssl-web'
AND action='tunnel-stats'
AND coalesce(nullifna(`user`), ipstr(`remip`)) IS NOT NULL
AND tunnelid IS NOT NULL
GROUP BY tunnelid,
user_src,
remip
ORDER BY tunnelid)### t
GROUP BY user_src,
remote_ip HAVING sum(sent_end-sent_beg+rcvd_end-rcvd_beg)
>0
ORDER BY bandwidth DESC

vpn-Top-SSL- Top SSL web SELECT user_src,

Web-Users- users by remote_ip,
sum(traffic_out) AS traffic_out,
By-Band- bandwidth event
sum(traffic_in) AS traffic_in,
width-and- usage and sum(bandwidth) AS bandwidth,
Avail avail sum(uptime) AS uptime

Copyright © 2014 Fortinet, Inc.

103
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
FROM
(SELECT user_src,
remip AS remote_ip,
tunnelid,
devid,
vd,
sum(sent_end-sent_beg) AS traffic_out,
sum(rcvd_end-rcvd_beg) AS traffic_in,
sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth,
sum(duration_end-duration_beg) AS uptime
FROM ###
(SELECT tunnelid,
coalesce(nullifna(`user`), ipstr(`remip`)) AS user_src,
remip,
devid,
vd,
min(coalesce(sentbyte, 0)) AS sent_
beg,
max(coalesce(sent-
byte, 0)) AS sent_end,
min
(coalesce(rcvdbyte, 0)) AS rcvd_beg,

max(coalesce(rcvdbyte, 0)) AS rcvd_end,

min(coalesce(duration, 0)) AS duration_beg,

max(coalesce(duration, 0)) AS duration_end
FROM $log
WHERE $filter
AND subtype='vpn'
AND action='tunnel-stats'
AND tunneltype='ssl-web'
AND coalesce(nullifna(`user`), ipstr(`remip`)) IS NOT NULL
AND tunnelid IS NOT NULL
GROUP BY tunnelid,
user_src,
remip,
devid,
vd
ORDER BY tunnelid)### t
GROUP BY user_src,
remote_ip,
tunnelid,
devid,
vd HAVING sum(sent_end-sent_beg+rcvd_end-rcvd_beg)>0
ORDER BY bandwidth DESC) t
GROUP BY user_src,
remote_ip
ORDER BY bandwidth DESC
SELECT vpn_name,
sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth,
vpn-Top- Top static sum(rcvd_end-rcvd_beg) AS traffic_in,
sum(sent_end-sent_beg) AS traffic_out
Static-IPSEC- IPsec tunnels
event FROM ###
Tunnels-By- by bandwidth (SELECT vpn_trim(vpntunnel) AS vpn_name,
Bandwidth usage tunnelid,
min(coalesce(sentbyte, 0)) AS sent_beg,
max(coalesce(sentbyte, 0)) AS

Copyright © 2014 Fortinet, Inc.

104
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
sent_end,
min(coalesce(rcvd-
byte, 0)) AS rcvd_beg,

max(coalesce(rcvdbyte, 0)) AS rcvd_end

FROM $log
WHERE $filter
AND subtype='vpn'
AND tunneltype LIKE 'ipsec%'
AND (tunnelip IS NULL
OR (tunnelip='0.0.0.0'
AND coalesce(logver, 0)!=52))
AND action='tunnel-stats'
AND tunnelid IS NOT NULL
GROUP BY vpn_name,
tunnelid
ORDER BY tunnelid)### t
GROUP BY vpn_name HAVING sum(sent_end-sent_beg+rcvd_end-
rcvd_beg)>0
ORDER BY bandwidth DESC
SELECT hodex,
sum(coalesce(ssl_bandwidth, 0)) AS ssl_bandwidth,
sum(coalesce(ipsec_bandwidth, 0)) AS ipsec_bandwidth
FROM ###
(SELECT coalesce(t1.hodex, t2.hodex) AS hodex,
ssl_bandwidth,
ipsec_bandwidth
FROM
(SELECT hodex,
sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS ssl_band-
width
FROM
(SELECT $flex_timescale AS hodex,
tunnelid,
devid,
vd,
min(coalesce(sentbyte, 0)) AS sent_beg,
max(coalesce(sentbyte, 0)) AS
vpn-Traffic-
VPN traffic sent_end,
Usage-Trend- event
usage trend min(coalesce
VPN
(rcvdbyte, 0)) AS rcvd_beg,

max(coalesce(rcvdbyte, 0)) AS rcvd_end

FROM $log
WHERE $filter
AND subtype='vpn'
AND action='tunnel-stats'
AND tunnelid IS NOT NULL
AND tunneltype LIKE 'ssl%'
GROUP BY hodex,
tunnelid,
devid,
vd
ORDER BY tunnelid) t_ssl
GROUP BY hodex) AS t1
FULL JOIN
(SELECT hodex,
sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS ipsec_band-

Copyright © 2014 Fortinet, Inc.

105
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
width
FROM
(SELECT $flex_timescale AS hodex,
tunnelid,
devid,
vd,
min(coalesce(sentbyte, 0)) AS sent_beg,
max(coalesce(sentbyte, 0)) AS
sent_end,
min(coalesce
(rcvdbyte, 0)) AS rcvd_beg,

max(coalesce(rcvdbyte, 0)) AS rcvd_end

FROM $log
WHERE $filter
AND subtype='vpn'
AND action='tunnel-stats'
AND tunnelid IS NOT NULL
AND tunneltype LIKE 'ipsec%'
GROUP BY hodex,
tunnelid,
devid,
vd
ORDER BY tunnelid) t_ipsec
GROUP BY hodex) AS t2 ON t1.hodex = t2.hodex)### t
GROUP BY hodex
ORDER BY hodex
SELECT hodex,
count(*) AS total_num
FROM ###
(SELECT t1.hodex AS hodex
FROM (
(SELECT $flex_timescale AS hodex,
tunnelid
FROM $log
WHERE $filter
AND subtype='vpn'
AND (tunneltype='ipsec'
OR tunneltype='ssl-web')
AND action='tunnel-up'
AND coalesce(nullifna(`xauthuser`), nullifna(`user`)) IS NOT
NULL
vpn-User- VPN user
event GROUP BY hodex,
Login-history login history tunnelid
ORDER BY hodex DESC) AS t1
INNER JOIN
(SELECT tunnelid
FROM
(SELECT tunnelid,
min(coalesce(sentbyte, 0)) AS sent_beg,
max(coalesce(sentbyte, 0)) AS sent_end,
min(coalesce(rcvdbyte,
0)) AS rcvd_beg,
max
(coalesce(rcvdbyte, 0)) AS rcvd_end
FROM $log
WHERE $filter
AND subtype='vpn'

Copyright © 2014 Fortinet, Inc.

106
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
AND tunneltype IN ('ipsec',
'ssl-web')
AND action='tunnel-stats'
AND tunnelid IS NOT NULL
GROUP BY tunnelid
ORDER BY tunnelid) tt
GROUP BY tunnelid HAVING sum(sent_end-sent_beg+rcvd_
end-rcvd_beg)>0) AS t2 ON t1.tunnelid=t2.tunnelid))### t
GROUP BY hodex
ORDER BY total_num DESC
SELECT FROM_dtime(dtime) AS TIMESTAMP,
catdesc,
hostname AS website,
action AS status,
sum(bandwidth) AS bandwidth
FROM (###
(SELECT dtime,
catdesc,
hostname,
action,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS band-
width
FROM $log-traffic
WHERE $filter
AND hostname IS NOT NULL
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IN ('webfilter',
'banned-word',
'web-content',
'command-block',
web-Detailed- Web detailed 'script-filter')
GROUP BY dtime,
Website- website Traffic
catdesc,
Browsing-Log browsing log hostname,
action
ORDER BY dtime DESC)###
UNION ALL ###
(SELECT dtime,
catdesc,
hostname,
action,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS band-
width
FROM $log-webfilter
WHERE $filter
AND hostname IS NOT NULL
AND (eventtype IS NULL
OR logver=52)
GROUP BY dtime,
catdesc,
hostname,
action
ORDER BY dtime DESC)###) t
GROUP BY dtime,
catdesc,
website,

Copyright © 2014 Fortinet, Inc.

107
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
status
ORDER BY dtime DESC
SELECT catdesc,
sum(bandwidth) AS bandwidth
FROM (###
(SELECT catdesc,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS band-
width
FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IN ('webfilter',
'banned-word',
'web-content',
Webfilter cat- 'command-block',
webfilter-Cat-
egories by 'script-filter')
egories-By- webfilter
bandwidth AND catdesc IS NOT NULL
Bandwidth GROUP BY catdesc
usage
ORDER BY bandwidth DESC)###
UNION ALL ###
(SELECT catdesc,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS band-
width
FROM $log-webfilter
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)
AND catdesc IS NOT NULL
GROUP BY catdesc
ORDER BY bandwidth DESC)###) t
GROUP BY catdesc
ORDER BY bandwidth DESC
SELECT catdesc,
sum(requests) AS requests
FROM (###
(SELECT catdesc,
count(*) AS requests
FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
webfilter-Top- Webfilter top AND utmevent IN ('webfilter',
'banned-word',
Allowed-Web- allowed web webfilter
'web-content',
Categories categories 'command-block',
'script-filter')
AND catdesc IS NOT NULL
AND utmaction!='blocked'
GROUP BY catdesc
ORDER BY requests DESC)###
UNION ALL ###
(SELECT catdesc,
count(*) AS requests
FROM $log-webfilter
WHERE $filter

Copyright © 2014 Fortinet, Inc.

108
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
AND (eventtype IS NULL
OR logver = 52)
AND catdesc IS NOT NULL
AND action!='blocked'
GROUP BY catdesc
ORDER BY requests DESC)###) t
GROUP BY catdesc
ORDER BY requests DESC
SELECT DOMAIN,
string_agg(DISTINCT catdesc, ', ') AS agg_catdesc,
sum(bandwidth) AS bandwidth,
sum(traffic_in) AS traffic_in,
sum(traffic_out) AS traffic_out
FROM (###
(SELECT coalesce(nullifna(hostname), ipstr(`srcip`)) AS DOMAIN,
catdesc,
sum(coalesce(sentbyte, 0)+co-
alesce(rcvdbyte, 0)) AS bandwidth,
sum
(coalesce(rcvdbyte, 0)) AS traffic_in,

sum(coalesce(sentbyte, 0)) AS traffic_out

FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IN ('webfilter',
'banned-word',
'web-content',
'command-block',
webfilter-Top- Webfilter top 'script-filter')
Allowed-Web- allowed web AND utmaction!='blocked'
webfilter GROUP BY DOMAIN,
Sites-by-Band- sites by band-
width width usage catdesc HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvd-
byte, 0))>0
ORDER BY bandwidth DESC)###
UNION ALL ###
(SELECT coalesce(nullifna(hostname), ipstr(`srcip`)) AS DOMAIN,
catdesc,
sum(coalesce(sentbyte, 0)+co-
alesce(rcvdbyte, 0)) AS bandwidth,
sum
(coalesce(rcvdbyte, 0)) AS traffic_in,

sum(coalesce(sentbyte, 0)) AS traffic_out

FROM $log-webfilter
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)
AND action!='blocked'
GROUP BY DOMAIN,
catdesc HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvd-
byte, 0))>0
ORDER BY bandwidth DESC)###) t
GROUP BY DOMAIN,
catdesc
ORDER BY bandwidth DESC

Copyright © 2014 Fortinet, Inc.

109
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
SELECT DOMAIN,
string_agg(DISTINCT catdesc, ', ') AS agg_catdesc,
sum(requests) AS requests
FROM (###
(SELECT hostname AS DOMAIN,
catdesc,
count(*) AS requests
FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IN ('webfilter',
'banned-word',
'web-content',
'command-block',
'script-filter')
webfilter-Top- Webfilter top AND hostname IS NOT NULL
Allowed-Web- allowed web AND utmaction!='blocked'
webfilter
Sites-By- sites by GROUP BY DOMAIN,
Requests requests catdesc
ORDER BY requests DESC)###
UNION ALL ###
(SELECT hostname AS DOMAIN,
catdesc,
count(*) AS requests
FROM $log-webfilter
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)
AND hostname IS NOT NULL
AND catdesc IS NOT NULL
AND action!='blocked'
GROUP BY DOMAIN,
catdesc
ORDER BY requests DESC)###) t
GROUP BY DOMAIN
ORDER BY requests DESC
SELECT catdesc,
sum(requests) AS requests
FROM (###
(SELECT catdesc,
count(*) AS requests
FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
webfilter-Top- Webfilter top 14)
Blocked-Web- blocked web webfilter AND utmevent IN ('webfilter',
Categories categories 'banned-word',
'web-content',
'command-block',
'script-filter')
AND catdesc IS NOT NULL
AND utmaction='blocked'
GROUP BY catdesc
ORDER BY requests DESC)###
UNION ALL ###
(SELECT catdesc,

Copyright © 2014 Fortinet, Inc.

110
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
count(*) AS requests
FROM $log-webfilter
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)
AND catdesc IS NOT NULL
AND action='blocked'
GROUP BY catdesc
ORDER BY requests DESC)###) t
GROUP BY catdesc
ORDER BY requests DESC
SELECT DOMAIN,
catdesc,
sum(requests) AS requests
FROM (###
(SELECT hostname AS DOMAIN,
catdesc,
count(*) AS requests
FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IN ('webfilter',
'banned-word',
'web-content',
'command-block',
'script-filter')
webfilter-Top- Webfilter top AND hostname IS NOT NULL
AND utmaction='blocked'
Blocked-Web- blocked web
webfilter GROUP BY DOMAIN,
Sites-By- sites by
catdesc
Requests requests ORDER BY requests DESC)###
UNION ALL ###
(SELECT hostname AS DOMAIN,
catdesc,
count(*) AS requests
FROM $log-webfilter
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)
AND hostname IS NOT NULL
AND catdesc IS NOT NULL
AND action='blocked'
GROUP BY DOMAIN,
catdesc
ORDER BY requests DESC)###) t
GROUP BY DOMAIN,
catdesc
ORDER BY requests DESC
SELECT keyword,
count(*) AS requests
webfilter-Top- Webfilter top FROM $log
Search- search webfilter WHERE $filter
Phrases phrases AND keyword IS NOT NULL
GROUP BY keyword
ORDER BY requests DESC
webfilter-Top- Webfilter top webfilter SELECT DOMAIN,

Copyright © 2014 Fortinet, Inc.

111
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
sum(bandwidth) AS bandwidth,
sum(traffic_in) AS traffic_in,
sum(traffic_out) AS traffic_out
FROM (###
(SELECT coalesce(nullifna(root_domain(hostname)), 'other') AS
DOMAIN,
sum(coalesce(sentbyte, 0)+co-
alesce(rcvdbyte, 0)) AS bandwidth,

sum(coalesce(rcvdbyte, 0)) AS traffic_in,

sum(coalesce(sentbyte, 0)) AS traffic_out

FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IN ('webfilter',
'banned-word',
'web-content',
'command-block',
video stream-
Video-Stream- 'script-filter')
ing websites
ing-Websites- AND catdesc IN ('Streaming Media and Download')
by bandwidth GROUP BY DOMAIN HAVING sum(coalesce(sentbyte, 0)+co-
By-Bandwidth
usage alesce(rcvdbyte, 0))>0
ORDER BY bandwidth DESC)###
UNION ALL ###
(SELECT coalesce(nullifna(root_domain(hostname)), 'other') AS
DOMAIN,
sum(coalesce(sentbyte, 0)+co-
alesce(rcvdbyte, 0)) AS bandwidth,

sum(coalesce(rcvdbyte, 0)) AS traffic_in,

sum(coalesce(sentbyte, 0)) AS traffic_out

FROM $log-webfilter
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)
AND catdesc IN ('Streaming Media and Download')
GROUP BY DOMAIN HAVING sum(coalesce(sentbyte, 0)+co-
alesce(rcvdbyte, 0))>0
ORDER BY bandwidth DESC)###) t
GROUP BY DOMAIN
ORDER BY bandwidth DESC
SELECT user_src,
devtype,
hostname_mac,
sum(requests) AS requests
webfilter-Top- Webfilter top FROM (###
(SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
Web-Users- web users by
webfilter cip`)) AS user_src,
By-Allowed- allowed
devtype,
Requests requests coalesce(nullifna(`srcname`), `srcmac`) AS hostname_mac,
count(*) AS requests
FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,

Copyright © 2014 Fortinet, Inc.

112
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
7,
14)
AND utmevent IN ('webfilter',
'banned-word',
'web-content',
'command-block',
'script-filter')
AND coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) IS
NOT NULL
AND utmaction!='blocked'
GROUP BY user_src,
devtype,
hostname_mac
ORDER BY requests DESC)###
UNION ALL ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
'0' AS devtype,
ipstr(`srcip`) AS hostname_mac,
count(*) AS requests
FROM $log-webfilter
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)
AND coalesce(nullifna(`user`), ipstr(`srcip`)) IS NOT NULL
AND action!='blocked'
GROUP BY user_src,
devtype,
hostname_mac
ORDER BY requests DESC)###) t
GROUP BY user_src,
devtype,
hostname_mac
ORDER BY requests DESC
SELECT user_src,
devtype,
hostname_mac,
sum(bandwidth) AS bandwidth,
sum(traffic_in) AS traffic_in,
sum(traffic_out) AS traffic_out
FROM (###
(SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
cip`)) AS user_src,
devtype,
coalesce(nullifna(`sr-
Webfilter top
webfilter-Top- cname`), `srcmac`) AS hostname_mac,
web users by
Web-Users- webfilter
bandwidth
By-Bandwidth sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth,
usage
sum(coalesce(rcvdbyte, 0)) AS traffic_in,
sum(coalesce(sentbyte, 0)) AS traffic_out
FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IN ('webfilter',
'banned-word',
'web-content',

Copyright © 2014 Fortinet, Inc.

113
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
'command-block',
'script-filter')
GROUP BY user_src,
devtype,
hostname_mac HAVING sum(coalesce(sentbyte, 0)+co-
alesce(rcvdbyte, 0))>0
ORDER BY bandwidth DESC)###
UNION ALL ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
'0' AS devtype,
ipstr(`srcip`) AS hostname_mac,
sum(coalesce(sentbyte, 0)
+coalesce(rcvdbyte, 0)) AS bandwidth,

sum(coalesce(rcvdbyte, 0)) AS traffic_in,

sum(coalesce(sentbyte, 0)) AS traffic_out

FROM $log-webfilter
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)
GROUP BY user_src,
devtype,
hostname_mac HAVING sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0))>0
ORDER BY bandwidth DESC)###) t
GROUP BY user_src,
devtype,
hostname_mac
ORDER BY bandwidth DESC
SELECT user_src,
devtype,
hostname_mac,
sum(requests) AS requests
FROM (###
(SELECT coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
cip`)) AS user_src,
devtype,
coalesce(nullifna(`sr-
cname`), `srcmac`) AS hostname_mac,

count(*) AS requests
webfilter-Top- Webfilter top FROM $log-traffic
Web-Users- web users by WHERE $filter
webfilter
By-Blocked- blocked AND logid_to_int(logid) NOT IN (4,
Requests requests 7,
14)
AND utmevent IN ('webfilter',
'banned-word',
'web-content',
'command-block',
'script-filter')
AND coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
cip`)) IS NOT NULL
AND utmaction='blocked'
GROUP BY user_src,
devtype,
hostname_mac

Copyright © 2014 Fortinet, Inc.

114
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
ORDER BY requests DESC)###
UNION ALL ###
(SELECT coalesce(nullifna(`user`), ipstr(`srcip`)) AS user_src,
'0' AS devtype,
ipstr(`srcip`) AS hostname_mac,
count(*) AS requests
FROM $log-webfilter
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)
AND coalesce(nullifna(`user`), ipstr(`srcip`)) IS NOT NULL
AND action='blocked'
GROUP BY user_src,
devtype,
hostname_mac
ORDER BY requests DESC)###) t
GROUP BY user_src,
devtype,
hostname_mac
ORDER BY requests DESC
SELECT hodex,
sum(coalesce(allowed_request, 0)) AS allowed_request,
sum(coalesce(blocked_request, 0)) AS blocked_request
FROM (###
(SELECT coalesce(t1.hodex, t2.hodex) AS hodex,
allowed_request,
blocked_request
FROM
(SELECT $flex_timescale AS hodex,
count(*) AS allowed_request
FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IN ('webfilter',
'banned-word',
webfilter-Web- Webfilter web 'web-content',
'command-block',
Activity-Sum- activity sum-
webfilter 'script-filter')
mary-By- mary by
AND utmaction!='blocked'
Requests requests GROUP BY hodex
ORDER BY hodex) AS t1
FULL JOIN
(SELECT $flex_timescale AS hodex,
count(*) AS blocked_request
FROM $log-traffic
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IN ('webfilter',
'banned-word',
'web-content',
'command-block',
'script-filter')
AND utmaction='blocked'
GROUP BY hodex
ORDER BY hodex) AS t2 ON t1.hodex = t2.hodex)###

Copyright © 2014 Fortinet, Inc.

115
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
UNION ALL ###
(SELECT coalesce(t1.hodex, t2.hodex) AS hodex,
allowed_request,
blocked_request
FROM
(SELECT $flex_timescale AS hodex,
count(*) AS allowed_request
FROM $log-webfilter
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)
AND action!='blocked'
GROUP BY hodex
ORDER BY hodex) AS t1
FULL JOIN
(SELECT $flex_timescale AS hodex,
count(*) AS blocked_request
FROM $log-webfilter
WHERE $filter
AND (eventtype IS NULL
OR logver = 52)
AND action='blocked'
GROUP BY hodex
ORDER BY hodex) AS t2 ON t1.hodex = t2.hodex)###) t
GROUP BY hodex
ORDER BY hodex
SELECT hod,
website,
sum(hits) AS hits
FROM (###
(SELECT $hour_of_day AS hod, (hostname || ' (' || coalesce(`cat-
desc`, 'Unknown') || ')') AS website,
count(*) AS hits
FROM $log-traffic
WHERE $filter
AND hostname IS NOT NULL
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IN ('webfilter',
web-Hourly- Web hourly 'banned-word',
'web-content',
Category-and- category and
Traffic 'command-block',
Website-Hits- website hits
'script-filter')
Action action GROUP BY hod,
website
ORDER BY hod,
hits DESC)###
UNION ALL ###
(SELECT $hour_of_day AS hod, (hostname || ' (' || coalesce(`cat-
desc`, 'Unknown') || ')') AS website ,
count(*) AS hits
FROM $log-webfilter
WHERE $filter
AND hostname IS NOT NULL
AND (eventtype IS NULL
OR logver=52)
GROUP BY hod,
website

Copyright © 2014 Fortinet, Inc.

116
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
ORDER BY hod,
hits DESC)###) t
GROUP BY hod,
website
ORDER BY hod,
hits DESC
SELECT website,
catdesc,
sum(bandwidth) AS bandwidth
FROM (###
(SELECT hostname AS website,
catdesc,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS
bandwidth
FROM $log-traffic
WHERE $filter
AND hostname IS NOT NULL
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IN ('webfilter',
'banned-word',
Web top cat- 'web-content',
web-Top-Cat- 'command-block',
egory and
egory-and- 'script-filter')
websites by Traffic
Websites-by- GROUP BY website,
bandwidth catdesc
Bandwidth
usage ORDER BY bandwidth DESC)###
UNION ALL ###
(SELECT hostname AS website,
catdesc,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS
bandwidth
FROM $log-webfilter
WHERE $filter
AND hostname IS NOT NULL
AND (eventtype IS NULL
OR logver=52)
GROUP BY website,
catdesc
ORDER BY bandwidth DESC)###) t
GROUP BY website,
catdesc
ORDER BY bandwidth DESC
SELECT website,
catdesc,
sum(hits) AS hits
FROM (###
(SELECT hostname AS website,
web-Top-Cat- Web top cat- catdesc,
egory-and- egory and count(*) AS hits
Traffic
Websites-by- websites by FROM $log-traffic
Session session WHERE $filter
AND hostname IS NOT NULL
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IN ('webfilter',

Copyright © 2014 Fortinet, Inc.

117
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
'banned-word',
'web-content',
'command-block',
'script-filter')
GROUP BY website,
catdesc
ORDER BY hits DESC)###
UNION ALL ###
(SELECT hostname AS website,
catdesc,
count(*) AS hits
FROM $log-webfilter
WHERE $filter
AND hostname IS NOT NULL
AND (eventtype IS NULL
OR logver=52)
GROUP BY website,
catdesc
ORDER BY hits DESC)###) t
GROUP BY website,
catdesc
ORDER BY hits DESC
SELECT website,
catdesc,
sum(bandwidth) AS bandwidth
FROM (###
(SELECT hostname AS website,
catdesc,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS
bandwidth
FROM $log-traffic
WHERE $filter
AND hostname IS NOT NULL
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IN ('webfilter',
'banned-word',
web-Top- Web top user 'web-content',
User-Visted- visted web- 'command-block',
Traffic
Websites-by- sites by band- 'script-filter')
Bandwidth width usage GROUP BY hostname,
catdesc HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvd-
byte, 0))>0
ORDER BY bandwidth DESC)###
UNION ALL ###
(SELECT hostname AS website,
catdesc,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS
bandwidth
FROM $log-webfilter
WHERE $filter
AND hostname IS NOT NULL
AND (eventtype IS NULL
OR logver=52)
GROUP BY hostname,
catdesc
ORDER BY bandwidth DESC)###) t

Copyright © 2014 Fortinet, Inc.

118
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
GROUP BY website,
catdesc
ORDER BY bandwidth DESC
SELECT website,
catdesc,
sum(sessions) AS sessions
FROM (###
(SELECT hostname AS website,
catdesc,
count(*) AS sessions
FROM $log-traffic
WHERE $filter
AND hostname IS NOT NULL
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND utmevent IN ('webfilter',
'banned-word',
'web-content',
web-Top- Web top user 'command-block',
User-Visted- visted web- 'script-filter')
Traffic
Websites-by- sites by ses- GROUP BY hostname,
Session sion catdesc
ORDER BY sessions DESC)###
UNION ALL ###
(SELECT hostname AS website,
catdesc,
count(*) AS sessions
FROM $log-webfilter
WHERE $filter
AND hostname IS NOT NULL
AND (eventtype IS NULL
OR logver=52)
GROUP BY hostname,
catdesc
ORDER BY sessions DESC)###) t
GROUP BY website,
catdesc
ORDER BY sessions DESC
SELECT FROM_dtime(dtime) AS TIMESTAMP,
user_src,
website,
catdesc,
cast(sum(dura)/60 AS decimal(18, 2)) AS dura,
sum(bandwidth) AS bandwidth
FROM ###(
Web top web- SELECT dtime,
web-Top-Web- coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) AS
site sessions
site-Sessions- Traffic user_src,
by bandwidth
by-Bandwidth hostname AS website,
usage catdesc,
sum(coalesce(duration, 0)) AS dura,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
FROM $log
WHERE $filter
AND hostname IS NOT NULL
AND logid_to_int(logid) NOT IN (4,
7,

Copyright © 2014 Fortinet, Inc.

119
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
14)
AND action IN ('accept',
'close',
'timeout')
GROUP BY dtime,
user_src,
website,
catdesc HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>
0
ORDER BY bandwidth DESC)### t
GROUP BY dtime,
user_src,
website,
catdesc
ORDER BY bandwidth DESC
SELECT count(DISTINCT srcmac) AS totalnum
FROM ###
(SELECT srcintf,
srcssid,
osname,
osversion,
devtype,
srcmac,
count(*) AS subtotal
FROM $log
WHERE $filter
wifi-Num- WiFi num dis- AND logid_to_int(logid) NOT IN (4,
Traffic
Distinct-Client tinct client 7,
14)
AND (srcssid IS NOT NULL
OR dstssid IS NOT NULL)
AND srcmac IS NOT NULL
GROUP BY srcintf,
srcssid,
osname,
osversion,
devtype,
srcmac
ORDER BY subtotal DESC)### t
SELECT sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS band-
width
FROM $log
wifi-Overall- WiFi overall WHERE $filter
Traffic AND logid_to_int(logid) NOT IN (4,
Traffic Traffic
7,
14)
AND (srcssid IS NOT NULL
OR dstssid IS NOT NULL)
SELECT srcintf,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
FROM $log
WHERE $filter
Top access
wifi-Top-AP- AND logid_to_int(logid) NOT IN (4,
point by band- Traffic
By-Bandwidth 7,
width usage 14)
AND (srcssid IS NOT NULL
OR dstssid IS NOT NULL)
GROUP BY srcintf HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvd-

Copyright © 2014 Fortinet, Inc.

120
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
byte, 0))>0
ORDER BY bandwidth DESC
SELECT srcintf,
count(DISTINCT srcmac) AS totalnum
FROM ###
(SELECT srcintf,
srcssid,
osname,
osversion,
devtype,
srcmac,
count(*) AS subtotal
FROM $log
WHERE $filter
Top access AND logid_to_int(logid) NOT IN (4,
wifi-Top-AP-
point by cli- Traffic 7,
By-Client
ent 14)
AND (srcssid IS NOT NULL
OR dstssid IS NOT NULL)
AND srcmac IS NOT NULL
GROUP BY srcintf,
srcssid,
osname,
osversion,
devtype,
srcmac
ORDER BY subtotal DESC)### t
GROUP BY srcintf
ORDER BY totalnum DESC
SELECT appid,
app,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
FROM $log
WHERE $filter
Top WiFi AND logid_to_int(logid) NOT IN (4,
wifi-Top-App- applications 7,
Traffic
By-Bandwidth by bandwidth 14)
usage AND (srcssid IS NOT NULL
OR dstssid IS NOT NULL)
AND nullifna(app) IS NOT NULL
GROUP BY appid,
app HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0
ORDER BY bandwidth DESC
SELECT (coalesce(srcname, srcmac, 'unknown') || ' (' || coalesce(dev-
type, 'unknown') || ', ' || coalesce(osname, '') || (CASE WHEN osversion
IS NULL THEN '' ELSE ' ' || osversion END) || ')') AS client,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
FROM $log
wifi-Top-Cli- Top WiFi cli- WHERE $filter
AND logid_to_int(logid) NOT IN (4,
ent-By-Band- ent by band- Traffic
7,
width width usage
14)
AND (srcssid IS NOT NULL
OR dstssid IS NOT NULL)
GROUP BY client HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvd-
byte, 0))>0
ORDER BY bandwidth DESC

Copyright © 2014 Fortinet, Inc.

121
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
SELECT devtype,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
FROM $log
WHERE $filter
Top WiFi AND logid_to_int(logid) NOT IN (4,
wifi-Top- 7,
device by
Device-By- Traffic 14)
bandwidth AND (srcssid IS NOT NULL
Bandwidth
usage OR dstssid IS NOT NULL)
AND devtype IS NOT NULL
GROUP BY devtype HAVING sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0))>0
ORDER BY bandwidth DESC
SELECT devtype,
count(DISTINCT srcmac) AS totalnum
FROM ###
(SELECT srcintf,
srcssid,
osname,
osversion,
devtype,
srcmac,
count(*) AS subtotal
FROM $log
WHERE $filter
wifi-Top- Top WiFi AND logid_to_int(logid) NOT IN (4,
7,
Device-By-Cli- device by cli- Traffic
14)
ent ent AND (srcssid IS NOT NULL
OR dstssid IS NOT NULL)
AND srcmac IS NOT NULL
GROUP BY srcintf,
srcssid,
osname,
osversion,
devtype,
srcmac
ORDER BY subtotal DESC)### t
WHERE devtype IS NOT NULL
GROUP BY devtype
ORDER BY totalnum DESC
SELECT (coalesce(osname, 'unknown') || ' ' || coalesce(osversion, ''))
AS os,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
FROM $log
WHERE $filter
Top WiFi os AND logid_to_int(logid) NOT IN (4,
wifi-Top-OS-
by bandwidth Traffic 7,
By-Bandwidth
usage 14)
AND (srcssid IS NOT NULL
OR dstssid IS NOT NULL)
GROUP BY os HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte,
0))>0
ORDER BY bandwidth DESC
SELECT (coalesce(osname, 'unknown') || ' ' || coalesce(osversion, ''))
wifi-Top-OS- Top WiFi os AS os,
Traffic
By-WiFi-Client by WiFi client count(DISTINCT srcmac) AS totalnum
FROM ###

Copyright © 2014 Fortinet, Inc.

122
 Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
(SELECT srcintf,
srcssid,
osname,
osversion,
devtype,
srcmac,
count(*) AS subtotal
FROM $log
WHERE $filter
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND (srcssid IS NOT NULL
OR dstssid IS NOT NULL)
AND srcmac IS NOT NULL
GROUP BY srcintf,
srcssid,
osname,
osversion,
devtype,
srcmac
ORDER BY subtotal DESC)### t
GROUP BY os
ORDER BY totalnum DESC
SELECT srcssid,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth
FROM $log
WHERE $filter
Top SSIDs by AND logid_to_int(logid) NOT IN (4,
wifi-Top-SSID-
bandwidth Traffic 7,
By-Bandwidth 14)
usage
AND srcssid IS NOT NULL
GROUP BY srcssid HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvd-
byte, 0))>0
ORDER BY bandwidth DESC
SELECT srcssid,
count(DISTINCT srcmac) AS totalnum
FROM ###
(SELECT srcintf,
srcssid,
osname,
osversion,
devtype,
srcmac,
count(*) AS subtotal
FROM $log
wifi-Top-SSID- Top SSIDs by
Traffic WHERE $filter
By-Client client
AND logid_to_int(logid) NOT IN (4,
7,
14)
AND (srcssid IS NOT NULL
OR dstssid IS NOT NULL)
AND srcmac IS NOT NULL
GROUP BY srcintf,
srcssid,
osname,
osversion,
devtype,

Copyright © 2014 Fortinet, Inc.

123
All Rights Reserved
Dataset Reference List
FortiAnalyzer v5.0.8 Datasets

Dataset
Description Log Category Query Syntax
Name
srcmac
ORDER BY subtotal DESC)### t
WHERE srcssid IS NOT NULL
GROUP BY srcssid
ORDER BY totalnum DESC

Copyright © 2014 Fortinet, Inc.

124
 Macro Reference List
FortiAnalyzer v5.0.8 Datasets

Macro Reference List

The following table lists the available predefined macros that can be used in a report layout to display the log data
as text (XML format) dynamically.

Macro Name Description Dataset Used Log Category

Application Category with Application category with the App-Sessions-By-Cat-
Traffic
Highest Session Count highest session count egory
Application with Highest Band- Application with the highest band-
Top-App-By-Bandwidth Traffic
width width usage
Application with Highest Session Applications with the highest ses-
Top-App-By-Sessions Traffic
Count sion count
Attack with Highest Session
Attack with highest session count Utm-Top-Attack-Source Attack
Count
Botnet with Highest Session Botnet with the highest session
Detected-Botnet Traffic
Count count
Destination with Highest Band- Destination with the highest band- Top-Destinations-By-
Traffic
width width usage Bandwidth
Destination with Highest Session Destination with the highest ses- Top-Destinations-By-
Traffic
Count sion count Sessions
Highest Bandwidth Consumed Highest bandwidth consumed by App-Risk-App-Usage-
Traffic
(Application) Category application category By-Category
Highest Bandwidth Consumed Highest bandwidth consumed by
Top-App-By-Bandwidth Traffic
(Application) application
Highest Bandwidth Consumed Highest bandwidth consumed by Top-Destinations-By-
Traffic
(Destination) destination Bandwidth
Highest Bandwidth Consumed Highest bandwidth consumed by Top-P2P-App-By-Band-
Traffic
(P2P Application) P2P application width
Highest Bandwidth Consumed Highest bandwidth consumed by Top-Users-By-Band-
Traffic
(Source) source width
Highest Bandwidth Consumed () Highest bandwidth consumed by Top-Web-Category-by-
Web Filter
Web Category) website category Bandwidth
Highest Bandwidth Consumed Highest bandwidth consumed by Top-Web-Sites-by-
Web Filter
(Website) website Bandwidth
Highest Risk Application with Highest risk application with the High-Risk-Application-
Traffic
Highest Bandwidth highest bandwidth usage By-Bandwidth
Highest Risk Application with Highest risk application with the High-Risk-Application-
Traffic
Highest Session Count highest session count By-Sessions
Highest Session Count by Applic- Highest session count by applic- App-Sessions-By-Cat-
Traffic
ation Category ation category egory
Highest Session Count by Applic- Highest session count by applic-
Top-App-By-Sessions Traffic
ation ation
Highest Session Count by Attack Highest session count by attack Utm-Top-Attack-Source Attack
Highest Session Count by Botnet Highest session count by botnet Detected-Botnet Traffic
Highest Session Count by Destin- Highest session count by des- Top-Destinations-By-
Traffic
ation tination Sessions
Highest Session Count by Highest session count by highest Threat-Attacks-By- Attack

Copyright © 2014 Fortinet, Inc.

125
All Rights Reserved
Macro Reference List
FortiAnalyzer v5.0.8 Datasets

Macro Name Description Dataset Used Log Category

Highest Severity Attack severity attack Severity
Highest Session Count by P2P Highest session count by P2P Top-P2P-App-By-Ses-
Traffic
Application application sions
Top-User-Source-By-
Highest Session Count by Source Highest session count by source Traffic
Sessions
Highest Session Count by Virus Highest session count by virus Utm-Top-Virus Traffic
Highest Session Count by Web Highest session count by website Top-Web-Category-by-
Web Filter
Category category Sessions
Highest Session Count by Web- Top-Web-Sites-by-Ses-
Highest session count by website Web Filter
site sions
Highest Severity Attack with Highest severity attack with the Threat-Attacks-By-
Attack
Highest Session Count highest session count Severity
P2P Application with Highest P2P applications with the highest Top-P2P-App-By-Band-
Traffic
Bandwidth bandwidth usage width
P2P Application with Highest Ses- P2P applications with the highest Top-P2P-App-By-Ses-
Traffic
sion Count session count sions
Source with the highest bandwidth Top-Users-By-Band-
Source with Highest Bandwidth Traffic
usage width
Source with Highest Session Source with the highest session Top-User-Source-By-
Traffic
Count count Sessions
Total Number of Attacks Total number of attacks detected Total-Attack-Source Attack
Total-Number-of-Bot-
Total Number of Botnet Events Total number of botnet events Traffic
net-Events
Total-Number-of-
Total Number of Viruses Total number of viruses detected Traffic
Viruses
User Details User details of traffic Traffic-User-Detail Traffic
Virus with the highest session
Virus with Highest Session Count Utm-Top-Virus Traffic
count
Web Category with Highest Band- Web filtering category with the Top-Web-Category-by-
Web Filter
width highest bandwidth usage Bandwidth
Web Category with Highest Ses- Web filtering category with the Top-Web-Category-by-
Web Filter
sion Count highest session count Sessions
Website with the highest bandwidth Top-Web-Sites-by-
Website with Highest Bandwidth Web Filter
usage Bandwidth
Website with Highest Session Website with the highest session Top-Web-Sites-by-Ses-
Web Filter
Count count sions

Copyright © 2014 Fortinet, Inc.

126