Sumo Logic + Fortigate + Bandwidth Hogs

Finding usage of specific IPs behind your Fortigate firewall is easily done using Sumo Logic and a dashboard or scheduled search result.


  • I have a partition name security_logs for indexing
  • I have a class named fw_security as my category
  • My WAN port is port13
  • I do not want to see any results under 50 MiB of usage
_index=security_logs _sourceCategory=fw_security "action=\"close\""
  | parse "srcip=* " as src_ip
  | parse "srcintf=\"*\" " as src_int
  | parse "dstip=* " as dest_ip
  | parse "dstintf=\"*\" " as dest_int
  | parse "action=* " as action
  | parse "sentbyte=* rcvdbyte=* " as sentbytes, recvbytes
  | where dest_int="port13"
  | sum(sentbytes) as sent_bytes by src_ip, src_int, dest_ip, dest_int
  | where sent_bytes > 50*1024*1024
  | sort by sent_bytes
  | limit 30

Which results in the following output: