Solution

General information:

In this example, a FortiAnalyzer forwards logs matching a specific filter to a second FortiAnalyzer. The procedure is similar when logs need to be forwarded to a different platform such as a SIEM (syslog, CEF, etc.).

Topology: FortiGate VM (records and sends logs) -> FortiAnalyzer_1 (forwards filtered logs to a second FortiAnalyzer) -> FortiAnalyzer_2 (target).

Pre-requisites:
- The FortiGate is logging to FortiAnalyzer_1.
- FortiAnalyzer_1 (shown with a white background) must be able to reach FortiAnalyzer_2 (shown with a dark background), and port 514 must be allowed along the network path.
Test rules

Configuration steps:

1st scenario: the logs expected in FortiAnalyzer_2 are those for policy IDs 0 (the implicit policy), 2, 6, 7 and 8.

- In FortiAnalyzer_1, go to System Settings -> Advanced -> Log Forwarding -> Create New and configure the settings. In the configuration, the actions will be:
  - Allow log forwarding to server type FortiAnalyzer (FortiAnalyzer_2).
  - Send logs only from the device FortiGate-80E.
  - Send logs whose policy ID is not equal to 3, 4 or 5. Logs for the remaining policies 0, 2, 6, 7 and 8 are forwarded.

In the CLI, the filter is shown as below (three entries, all of which a log must match to be forwarded):

```
config log-filter
    edit 1
        set field free-text
        set oper match
        set value "policyid!=3"
    next
    edit 2
        set field free-text
        set oper match
        set value "policyid!=4"
    next
    edit 3
        set field free-text
        set oper match
        set value "policyid!=5"
    next
end
```

Another method is a single generic filter written as one expression: policyid < 3 OR policyid > 5. In the CLI, it is shown as below:

```
config log-filter
    edit 1
        set field free-text
        set oper match
        set value "policyid < 3 OR policyid > 5"
    next
end
```

- Select 'OK'. FortiAnalyzer_2 receives a notification to 'Authorize' the device in Device Manager; accept it.
- Go to Log View -> Logs -> Fortinet Logs -> FortiGate and confirm that the logs are being received in FortiAnalyzer_1, and that only the logs matching the rules are received in FortiAnalyzer_2.
- If a double check is needed, configure a filter in FortiAnalyzer_2 on the policy IDs that were discarded by the log-forwarding filter and confirm that no such logs appear.
2nd scenario: the logs expected in FortiAnalyzer_2 are those for policy IDs 4 and 5.

- In FortiAnalyzer_1, go to System Settings -> Advanced -> Log Forwarding -> Create New and configure the settings. In the configuration, the actions will be:
  - Allow log forwarding to server type FortiAnalyzer (FortiAnalyzer_2).
  - Send logs only from the device FortiGate-80E.
  - Send only logs with policy IDs 4 and 5; logs for policies 0, 2, 3, 6, 7 and 8 are not forwarded.
- Select 'OK'. FortiAnalyzer_2 receives a notification to 'Authorize' the device in Device Manager; accept it.
- Go to Log View -> Logs -> Fortinet Logs -> FortiGate and confirm that the logs are being received in FortiAnalyzer_1, and that only the logs matching the rules are received in FortiAnalyzer_2.
- If a double check is needed, configure a filter in FortiAnalyzer_2 on the policy IDs that were discarded by the log-forwarding filter and confirm that no such logs appear.
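To check which policy IDs a filter expression lets through before the configuration is committed, the following Python script (an added example written for this article, not Fortinet code and not the FortiAnalyzer's own matching engine) models the filters of both scenarios over a handful of constructed FortiGate-style log lines. The three `policyid!=` entries are combined with AND, which is what the expected result of the first scenario requires, and the script also shows what happens when the entries are combined with OR instead, or when the generic expression is written with AND. The scenario 2 expression `policyid==4 OR policyid==5`, the sample log lines and the second device name `FortiGate-60F` are assumptions, not values from the article.

```python
"""Model of the log-forwarding filters in this tip (added example, not Fortinet code).

A small evaluator for 'policyid' free-text filters, run over constructed
FortiGate-style key=value traffic logs, so the set of policy IDs each filter
lets through can be checked before the real FortiAnalyzer config is committed.
"""
import re
from typing import Callable, Iterable, List, Optional, Set

# Constructed sample log lines in FortiGate key=value style: one line per policy ID
# used in the tip, plus one line from another device to exercise the device restriction.
SAMPLE_LOGS = [
    'devname="FortiGate-80E" type="traffic" policyid=0 action="deny"',
    'devname="FortiGate-80E" type="traffic" policyid=2 action="accept"',
    'devname="FortiGate-80E" type="traffic" policyid=3 action="accept"',
    'devname="FortiGate-80E" type="traffic" policyid=4 action="accept"',
    'devname="FortiGate-80E" type="traffic" policyid=5 action="accept"',
    'devname="FortiGate-80E" type="traffic" policyid=6 action="accept"',
    'devname="FortiGate-80E" type="traffic" policyid=7 action="accept"',
    'devname="FortiGate-80E" type="traffic" policyid=8 action="accept"',
    'devname="FortiGate-60F" type="traffic" policyid=9 action="accept"',  # other device (assumed)
]

# Filter entries quoted from the tip (scenario 1) and an assumed expression for
# scenario 2, which the tip shows only in the GUI.
SCENARIO_1_RULES = ["policyid!=3", "policyid!=4", "policyid!=5"]
SCENARIO_1_GENERIC = ["policyid < 3 OR policyid > 5"]
SCENARIO_2_GENERIC = ["policyid==4 OR policyid==5"]  # assumption, not from the tip

_OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
}
_TERM = re.compile(r'^\s*(\w+)\s*(==|!=|<=|>=|<|>)\s*"?([^"\s]*)"?\s*$')
_LOG_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line: str) -> dict:
    """Split a key=value log line into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in _LOG_FIELD.findall(line)}


def _compile_term(term: str) -> Callable[[dict], bool]:
    """Compile one comparison such as 'policyid!=3' or 'policyid < 3'."""
    m = _TERM.match(term)
    if not m:
        raise ValueError(f"unsupported filter term: {term!r}")
    field, op, want = m.groups()

    def pred(log: dict) -> bool:
        have = log.get(field)
        if have is None:          # a log without the field never matches the term
            return False
        try:                      # compare numerically when both sides are integers
            return _OPS[op](int(have), int(want))
        except ValueError:        # otherwise compare as strings
            return _OPS[op](have, want)
    return pred


def compile_filter(expr: str) -> Callable[[dict], bool]:
    """Compile a generic filter: OR-separated groups of AND-separated terms."""
    groups: List[List[Callable[[dict], bool]]] = []
    for group in re.split(r"\s+OR\s+", expr, flags=re.IGNORECASE):
        terms = re.split(r"\s+AND\s+", group, flags=re.IGNORECASE)
        groups.append([_compile_term(t) for t in terms])
    return lambda log: any(all(t(log) for t in grp) for grp in groups)


def forwarded_policy_ids(rules: Iterable[str], logic: str = "all",
                         device: Optional[str] = "FortiGate-80E",
                         logs: Iterable[str] = SAMPLE_LOGS) -> Set[int]:
    """Policy IDs whose logs pass the device restriction and the filter entries.

    logic="all" requires every entry to match (the behaviour the tip's three
    policyid!= entries rely on); logic="any" forwards a log if any entry matches.
    """
    preds = [compile_filter(r) for r in rules]
    combine = all if logic == "all" else any
    passed: Set[int] = set()
    for line in logs:
        log = parse_log(line)
        if device is not None and log.get("devname") != device:
            continue              # models "send logs only from device FortiGate-80E"
        if combine(p(log) for p in preds):
            passed.add(int(log["policyid"]))
    return passed


if __name__ == "__main__":
    print("scenario 1, three entries (all):", sorted(forwarded_policy_ids(SCENARIO_1_RULES)))
    print("scenario 1, generic OR:        ", sorted(forwarded_policy_ids(SCENARIO_1_GENERIC)))
    print("scenario 1, entries with 'any':", sorted(forwarded_policy_ids(SCENARIO_1_RULES, "any")))
    print("scenario 2, assumed OR:        ", sorted(forwarded_policy_ids(SCENARIO_2_GENERIC)))
```

Running the script prints the four sets: the first two both give 0, 2, 6, 7 and 8, while combining the three entries with "any" lets policy 3 through (it still satisfies `policyid!=4`), and writing the generic expression as `policyid < 3 AND policyid > 5` forwards nothing at all. Those two mistakes are exactly the operator mismatch that the raw-log check on FortiAnalyzer_2 is meant to catch.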
Note: the generic text filter field can be validated by viewing the received logs in the raw log view and checking the desired field. When more than one rule is configured, the logical operator that combines them (OR/AND) must be exactly the one intended.

Related documents:
- Configuring log forwarding - FortiAnalyzer 7.4.8 administration guide
- Technical Tip: Use of Operators in Event Handler General Filter (syntax)