Cookbook

Check the report diagnostic log

6.2.0

For reports that take a long time to run, check the report diagnostic log to troubleshoot performance issues.

To retrieve a report diagnostic log, go to Reports > Generated Report, right-click the report and select Retrieve Diagnostic to download the log to your computer. Use a text editor to open the log and check the log for possible causes of performance issues.

Following are parts of a sample report diagnostic log and what to look for when troubleshooting report performance.

NAME SCHEDULED AUTO-CACHE REPORT GROUP REPORT TITLE

==================================================================================

1 V V - Security Analysis

per-device option: disable

hostname-resolve: disable

Report Status

Max pending rpts: 100000

Current pendings: 0

Max running rpts: 10

Current runnings: 2

Section What to look for

NAME / SCHEDULED / AUTO‑CACHE / REPORT GROUP / REPORT TITLE

Check the SCHEDULED, AUTO-CACHE, and REPORT GROUP columns.

  • Schedule the reports that run regularly. To configure report schedules, see Scheduling reports in the FortiAnalyzer Administration Guide.
  • Enable auto-cache for reports that run regularly, especially scheduled reports. See How auto-cache works and Enabling auto-cache in the FortiAnalyzer Administration Guide.
  • Group reports that run regularly. To group reports, see Grouping reports in the FortiAnalyzer Administration Guide.

hostname-resolve

Ensure hostname-resolve is set to disable. Resolving hostnames usually takes a long time. If the DNS server is slow or does not support reverse DNS, report generation might hang.

Total Quota Summary:

Total Quota Allocated Available Allocate%

27201.3GB 1024.0GB 26177.3GB 3.8 %

System Storage Summary:

Total Used Available Use%

27501.3GB 1117.6GB 26383.6GB 4.1 %

------------------------------------------

System Performance

Fri Aug 25 12:00:02 2017

------------------------------------------

CPU

Used: 34.4%

Used(Excluded NICE): 34.4%

Memory

Total: 34939888 KB

Used 23899636 KB 68.4%

Hard Disk

Total: 28837161872 KB

Used: 11171927688 KB 38.7%

IoStat:

Log Rate

logs/sec: 20326.8, logs/30sec: 20395.6, logs/60sec: 20274.2

Message Rate

msgs/sec: 3057.4, msgs/30sec: 3068.1, msgs/60sec: 3039.1

Section What to look for

Total Quota Summary and System Storage Summary

  • Ensure there is enough disk quota and disk space for logging and reporting. Insufficient disk quota might affect report accuracy.

    Disk quota must be big enough so that quota enforcement does not affect logs used for reporting. If quota enforcement trims the logs or tables used for the reporting period, there might be empty charts or incorrect data.

System Performance

  • Check that there are enough system resources, including CPU, memory, and disk space.
  • Check that the log rate and message rate are not so high that they slow report generation.
  • If the log rate is higher than the sustained rates for your FortiAnalyzer model, the hardware is overloaded and needs an upgrade. The sustained rates for FortiAnalyzer models are listed in the Data Sheet on the FortiAnalyzer web page.

------------------------------------------

Run Report

Fri Aug 25 12:00:03 2017

------------------------------------------

[12:00:03] Request hcaches for 9 log tables

chart Traffic-Bandwidth-Summary-Day-Of-Month done, 1 subqrys

1/1 took 17.88s, 0 hcaches ready, 2 hcaches requested

overall time used 18.13s

chart Session-Summary-Day-Of-Month done, 1 subqrys

1/1 took 15.54s, 0 hcaches ready, 2 hcaches requested

overall time used 15.80s

chart Traffic-History-By-Active-User done, 1 subqrys

1/1 took 12.79s, 0 hcaches ready, 2 hcaches requested

overall time used 13.07s

chart Top-Attack-Victim done, 1 subqrys

1/1 took 1.71s, 0 hcaches ready, 1 hcaches requested

overall time used 1.71s

chart Top-Attack-Source done, 1 subqrys

1/1 took 1.51s, 0 hcaches ready, 1 hcaches requested

overall time used 1.51s

chart Top-Attacks-Detected done, 1 subqrys

1/1 took 1.91s, 0 hcaches ready, 1 hcaches requested

overall time used 1.94s

chart System-Summary-By-Severity done, 1 subqrys

1/1 took 1.22s, 0 hcaches ready, 1 hcaches requested

overall time used 1.22s

chart System-Critical-Severity-Events done, 1 subqrys

1/1 took 1.18s, 0 hcaches ready, 1 hcaches requested

overall time used 1.18s

chart System-High-Severity-Events done, 1 subqrys

1/1 took 0.46s, 0 hcaches ready, 1 hcaches requested

overall time used 0.46s

Section What to look for

Run Report

  • Check the number of log tables.
  • Check the number of hcaches requested vs ready.

    If many hcaches are not ready, then those charts will take a long time.

    If the number of log tables is high but the number of hcaches ready is low, retrieve the diagnostic log after five minutes. A change in the number of hcaches ready means the report is still running.

    Since the diagnostic log is updated every five minutes, you can check this log to view reporting progress.

  • Check which charts take a long time to generate and reconfigure those charts to improve performance.
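
The Run Report checks above can be scripted. The following is an added example, not Fortinet code: it parses the log layout shown in the sample, totals hcaches ready vs requested, and ranks the charts that exceed a time threshold. The function name, the 10-second threshold, and the summing of hcache counts across subquery lines are assumptions.

```python
import re

# Constructed sample: an excerpt in the layout of the diagnostic log shown above.
SAMPLE_LOG = """\
hostname-resolve: disable
[12:00:03] Request hcaches for 9 log tables
chart Traffic-Bandwidth-Summary-Day-Of-Month done, 1 subqrys
1/1 took 17.88s, 0 hcaches ready, 2 hcaches requested
overall time used 18.13s
chart Top-Attack-Victim done, 1 subqrys
1/1 took 1.71s, 0 hcaches ready, 1 hcaches requested
overall time used 1.71s
chart System-High-Severity-Events done, 1 subqrys
1/1 took 0.46s, 0 hcaches ready, 1 hcaches requested
overall time used 0.46s
"""

CHART_RE = re.compile(r"^chart (\S+) done, (\d+) subqrys")
SUBQ_RE = re.compile(r"took ([\d.]+)s, (\d+) hcaches ready, (\d+) hcaches requested")
OVERALL_RE = re.compile(r"^overall time used ([\d.]+)s")
TABLES_RE = re.compile(r"Request hcaches for (\d+) log tables")
RESOLVE_RE = re.compile(r"^hostname-resolve:\s*(\S+)")

def analyze(text, slow_threshold_s=10.0):
    """Summarise the Run Report section: slow charts and hcache readiness."""
    result = {"log_tables": None, "hostname_resolve": None, "charts": [],
              "hcaches_ready": 0, "hcaches_requested": 0}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # the downloaded log may contain blank lines
        if m := TABLES_RE.search(line):
            result["log_tables"] = int(m.group(1))
        elif m := RESOLVE_RE.match(line):
            result["hostname_resolve"] = m.group(1)
        elif m := CHART_RE.match(line):
            current = {"name": m.group(1), "seconds": None}
            result["charts"].append(current)
        elif m := SUBQ_RE.search(line):
            # Assumption: counts on each subquery line are additive.
            result["hcaches_ready"] += int(m.group(2))
            result["hcaches_requested"] += int(m.group(3))
        elif (m := OVERALL_RE.match(line)) and current is not None:
            current["seconds"] = float(m.group(1))
    timed = [c for c in result["charts"] if c["seconds"] is not None]
    result["slow"] = sorted((c for c in timed if c["seconds"] >= slow_threshold_s),
                            key=lambda c: c["seconds"], reverse=True)
    return result
```

Running analyze() on two logs retrieved five minutes apart and comparing hcaches_ready shows whether the report is still making progress.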

------------------------------------------

Report Summary

Fri Aug 25 12:00:56 2017

------------------------------------------

Number of charts: 58

Number of tables: 9

Number of hcaches requested: 109

HCACHE building time: 53.32s

Rendering time: 13.33s

Total time: 1m7.67s

Section What to look for

Report Summary

  • Check the number of hcaches requested, hcache building time, and rendering time.

    The number of hcaches requested = number of charts per report * number of master tables * number of reports.
