Sumo Logic + Fortigate = My Dashboard

I created a sample dashboard that extracts the data from the Fortigate logs but closely matches the look of the Cisco ASA Sumo Logic application. Out of the box the Sumo Logic ASA dashboard (and searches) look great and offer an amazing amount of information. But Sumo Logic doesn't have a pre-built application for the Fortinet Fortigate series of firewalls, so I had to build them myself.


Let’s start with a picture of my 60 minute dashboard:

Sumo Logic Fortigate Dashboard

Or, the same dashboard done as an 'interactive dashboard' with 12 hours of data:

2015-08-08-sl-fgt-interactive-dashboard

One downside of an interactive dashboard is that when you select it to view, it has to back-fill the data for the timeframe chosen. If you have a high number of log entries then this can take a long time, upwards of many minutes. The plus side is that you can change your view at any time and it will regenerate immediately.

The downside of a standard dashboard is that the data for the dashboard starts accumulating only once the panel was either inserted into the dashboard or updated. This means if you have a 12 hour view for a panel and you started it 5 minutes ago, then you only have 5 minutes of data and you need to come back in 11 hours and 55 minutes for the panel to finish filling in. The plus side? When you select the dashboard for viewing it is displayed immediately without any delays.

I end up having, for some of my dashboards, both a standard and an interactive version. If you are using Sumo Logic Free then you may hit the limit of 20 operational panels in the account. If you are using a purchased edition then this issue isn't present. The queries involved in the interactive and standard dashboards are exactly the same. A dashboard can only be one version or the other, as mixing of panel types is not allowed.

The following table has links to text files with the queries included, as putting all the queries in this blog post would make it very long and a little unruly.

Left Center Right
Outbound Destinations Outbound Connections Over Time Connections Over Time
Denied Conns by Location Conns to High Risk Countries Top Applications
Bandwidth Served in MiB Drops by Message Top Denied Sources
Protocol Over Time Top IPS hits
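To make concrete what a few of the panels above aggregate, here is an added example of mine (not from the post, and not a Sumo Logic query): a small Python parser for FortiGate key=value traffic log lines that reproduces "Top Denied Sources", "Drops by Message" and "Bandwidth Served in MiB" over constructed sample lines. The field names (srcip, action, msg, sentbyte, rcvdbyte) follow the FortiGate traffic log format; summing both byte counters of accepted sessions for "Bandwidth Served" is my assumption.

```python
import re
from collections import Counter

# Constructed FortiGate-style traffic log lines (syslog body only); not taken from the post.
SAMPLE_LOGS = [
    'date=2015-08-08 time=10:01:02 devname=fgt1 type=traffic subtype=forward level=notice srcip=10.0.0.5 dstip=203.0.113.10 dstport=443 proto=6 action=accept service=HTTPS sentbyte=1200 rcvdbyte=2097152',
    'date=2015-08-08 time=10:01:03 devname=fgt1 type=traffic subtype=forward level=notice srcip=10.0.0.7 dstip=198.51.100.4 dstport=22 proto=6 action=deny msg="Denied by forward policy check" sentbyte=0 rcvdbyte=0',
    'date=2015-08-08 time=10:01:04 devname=fgt1 type=traffic subtype=forward level=notice srcip=10.0.0.7 dstip=198.51.100.9 dstport=3389 proto=6 action=deny msg="Denied by forward policy check" sentbyte=0 rcvdbyte=0',
    'date=2015-08-08 time=10:01:05 devname=fgt1 type=traffic subtype=forward level=notice srcip=10.0.0.9 dstip=192.0.2.33 dstport=53 proto=17 action=deny msg="Denied by policy" sentbyte=0 rcvdbyte=0',
    'date=2015-08-08 time=10:01:06 devname=fgt1 type=traffic subtype=forward level=notice srcip=10.0.0.5 dstip=203.0.113.11 dstport=80 proto=6 action=accept service=HTTP sentbyte=800 rcvdbyte=1048576',
]

# key=value pairs; values are either a double-quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate(line):
    """Return the key=value fields of one FortiGate log line as a dict (quotes stripped)."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def top_denied_sources(lines, n=5):
    """'Top Denied Sources' panel: source IPs with the most action=deny sessions."""
    events = (parse_fortigate(l) for l in lines)
    counts = Counter(e['srcip'] for e in events if e.get('action') == 'deny' and 'srcip' in e)
    return counts.most_common(n)


def drops_by_message(lines):
    """'Drops by Message' panel: count of denied sessions grouped by the msg field."""
    events = (parse_fortigate(l) for l in lines)
    counts = Counter(e.get('msg', '<no msg>') for e in events if e.get('action') == 'deny')
    return counts.most_common()


def bandwidth_served_mib(lines):
    """'Bandwidth Served in MiB' panel: sentbyte + rcvdbyte of accepted sessions, in MiB (assumption)."""
    events = (parse_fortigate(l) for l in lines)
    total = sum(int(e.get('sentbyte', 0)) + int(e.get('rcvdbyte', 0))
                for e in events if e.get('action') == 'accept')
    return round(total / (1024 * 1024), 2)


if __name__ == '__main__':
    print(top_denied_sources(SAMPLE_LOGS))
    print(drops_by_message(SAMPLE_LOGS))
    print(bandwidth_served_mib(SAMPLE_LOGS))
```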

As a comparison I have included a base Cisco ASA dashboard:

dayjob-cisco-asa-dashboard-2