7.6.0

Macros

Macros are translated to expressions in the query. For example, ${REPORT_SESSION} is converted to (logflag&1>0). Note that this macro is only available as of FortiAnalyzer 7.4.2.

logflag&1>0 keeps only report-session logs and filters out everything else; logflag&(1|32)>0 keeps report sessions as well as long-lived sessions. You can write ${REPORT_SESSION} or ${REPORT_SESSION_WITH_LONGLIVE} instead of spelling out logflag&1 or logflag&(1|32) yourself.

More logflag related macros are as follows:

'${FGTLOG_F_REPORT_SESSION}': '1',
'${FGTLOG_F_BLOCKED_ACTION}': '2',
'${FGTLOG_F_CLOUD_APP}': '4',
'${FGTLOG_F_FCT_SYSUSR}': '8',
'${FGTLOG_F_BOTNET}': '16',
'${FGTLOG_F_LONGLIVE_SESSION}': '32',
'${FGTLOG_F_DNS_QNAME}': '64',
'${REPORT_SESSION}': '''(logflag&${FGTLOG_F_REPORT_SESSION}>0)''',
'${REPORT_BLOCK_SESSION}': '''(logflag&(${FGTLOG_F_REPORT_SESSION}|${FGTLOG_F_BLOCKED_ACTION})=(${FGTLOG_F_REPORT_SESSION}|${FGTLOG_F_BLOCKED_ACTION}))''',
'${BLOCKED_ACTION}': '''(logflag&${FGTLOG_F_BLOCKED_ACTION}>0)''',
'${IS_CLOUDAPP}': '''(logflag&${FGTLOG_F_CLOUD_APP}>0)''',
'${IS_FCT_ENDUSER}': '''(logflag IS NULL OR logflag&${FGTLOG_F_FCT_SYSUSR}=0)''',
'${IS_BOTNET}': '''(logflag&${FGTLOG_F_BOTNET}>0)''',
'${REPORT_SESSION_WITH_LONGLIVE}': '''(logflag&(${FGTLOG_F_REPORT_SESSION}|${FGTLOG_F_LONGLIVE_SESSION})>0)''',
'${DNS_QNAME}': '''(logflag&${FGTLOG_F_DNS_QNAME}>0)''',
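As an added illustration, not code from the FortiAnalyzer documentation or product, the following Python expands the macro table above the way the nested references imply and then evaluates the resulting logflag expressions against constructed sample rows, so you can see which rows each macro keeps. The expand, matches and filter_rows helpers and the SAMPLE_ROWS data are assumptions for this example, not FortiAnalyzer APIs or real log data.

```python
import re
# Macro table from this page; expression macros reference flag macros, so substitution repeats.
MACROS = {
    '${FGTLOG_F_REPORT_SESSION}': '1', '${FGTLOG_F_BLOCKED_ACTION}': '2',
    '${FGTLOG_F_CLOUD_APP}': '4', '${FGTLOG_F_FCT_SYSUSR}': '8',
    '${FGTLOG_F_BOTNET}': '16', '${FGTLOG_F_LONGLIVE_SESSION}': '32',
    '${FGTLOG_F_DNS_QNAME}': '64',
    '${REPORT_SESSION}': '(logflag&${FGTLOG_F_REPORT_SESSION}>0)',
    '${REPORT_BLOCK_SESSION}': '(logflag&(${FGTLOG_F_REPORT_SESSION}|${FGTLOG_F_BLOCKED_ACTION})'
                               '=(${FGTLOG_F_REPORT_SESSION}|${FGTLOG_F_BLOCKED_ACTION}))',
    '${BLOCKED_ACTION}': '(logflag&${FGTLOG_F_BLOCKED_ACTION}>0)',
    '${IS_CLOUDAPP}': '(logflag&${FGTLOG_F_CLOUD_APP}>0)',
    '${IS_FCT_ENDUSER}': '(logflag IS NULL OR logflag&${FGTLOG_F_FCT_SYSUSR}=0)',
    '${IS_BOTNET}': '(logflag&${FGTLOG_F_BOTNET}>0)',
    '${REPORT_SESSION_WITH_LONGLIVE}':
        '(logflag&(${FGTLOG_F_REPORT_SESSION}|${FGTLOG_F_LONGLIVE_SESSION})>0)',
    '${DNS_QNAME}': '(logflag&${FGTLOG_F_DNS_QNAME}>0)',
}
_REF = re.compile(r'\$\{[A-Za-z0-9_]+\}')

def expand(text, macros=MACROS, max_rounds=10):
    """Substitute ${...} references until none remain; an unknown macro raises KeyError."""
    for _ in range(max_rounds):
        new = _REF.sub(lambda m: macros[m.group(0)], text)
        if new == text:
            return new
        text = new
    raise RecursionError('macro expansion did not converge')

def matches(expr, logflag):
    """SQL-style evaluation of an expanded expression: '&' binds tighter than '>' and '='."""
    py = re.sub(r'logflag&(\([^()]*\)|\d+)', r'(logflag&\1)', expr)  # force bitmask first
    py = py.replace('IS NULL', 'is None').replace(' OR ', ' or ').replace('=', '==')
    try:  # only ever fed expressions produced by expand() from the fixed table above
        return bool(eval(py, {'__builtins__': {}}, {'logflag': logflag}))
    except TypeError:  # NULL & mask is NULL in SQL, so the comparison is not true
        return False

def filter_rows(macro, rows):
    expr = expand(macro)
    return [r['id'] for r in rows if matches(expr, r['logflag'])]

# Constructed sample rows (not real FortiGate log data); logflag is the bitmask column.
SAMPLE_ROWS = [
    {'id': 'a', 'logflag': 1},       # report session only
    {'id': 'b', 'logflag': 1 | 2},   # report session with a blocked action
    {'id': 'c', 'logflag': 32},      # long-lived session only
    {'id': 'd', 'logflag': 2 | 8},   # blocked action, FortiClient system user
    {'id': 'e', 'logflag': None},    # flag column never populated
]
```

Note that ${REPORT_BLOCK_SESSION} requires both bits to be set (the mask compares equal to itself), whereas ${REPORT_SESSION_WITH_LONGLIVE} accepts either bit.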