rakanda
Staff
November 29, 2017

Technical Note: Creating FortiGate custom log fields - INTERNAL

Purpose
In addition to its standard log fields, the FortiGate can emit custom log fields. This note shows how to define a custom field, attach it to a firewall policy, and expose it on the FortiAnalyzer.

Expectations, Requirements
A custom field must be configured on the FortiGate and then applied to a firewall policy.

# config log custom-field
    edit "LOGSTRING01"
        set name "LOGSTRING_TEST"
        set value "WTW2 CORE"
    next
end

# config firewall policy
    edit 14
        set srcintf "PCG-Inside_vl5"
        set dstintf "MGMT-ESX"
        set action accept
        set schedule "always"
        set service "All"
        set logtraffic all
        set custom-log-fields "LOGSTRING01"
    next
end

Configuration
On the FortiAnalyzer, map the field name defined on the FortiGate (LOGSTRING_TEST) to one of the custom log field settings:

# config system log settings
    set FGT-custom-field1 "LOGSTRING_TEST"
end

Then update the report dataset to select "LOGSTRING_TEST" wherever the field is wanted.

Because the custom field values are assigned per policy, the policy data should be accessed in a separate query.

Troubleshooting
FortiAnalyzer log sample for policy 14. Note that the custom field appears under the lowercased name logstring_test, and that its value WTW2 CORE is written without quotes, unlike itime and dtime:

date=2017-07-24 time=16:25:55 bid=3132647 itime="2017-07-24 16:25:56" logver=52 logid=0000000013 type=traffic subtype=forward level=notice vd=Core devid=FG3K2C3Z16800003 action=close trandisp=noop srcport=19615 dstport=443 srcip=10.11.5.108 dstip=10.56.20.154 service=HTTPS proto=6 duration=1 policyid=14 logstring_test=WTW2 CORE sentbyte=132 rcvdbyte=92 sentpkt=3 rcvdpkt=2 srcintf=PCG-Inside_vl5 dstintf=MGMT-ESX sessionid=222952376 app=HTTPS appcat=unscanned dstcountry=Reserved srccountry=Reserved poluuid=cc9d6c00-4181-51e7-a05d-4a38a3bdc25c dtime="2017-07-24 16:25:55" itime_t=1500927956 devname=WTW2config
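To confirm the custom field survives ingestion into a SIEM or script, here is an added Python example (not part of the original note and not Fortinet code) that parses the sample line above. The naive_parse helper is included only to show what a split-on-whitespace parser makes of the unquoted value logstring_test=WTW2 CORE; parse_fortigate_log handles it, and custom_field_for_policy is a hypothetical check that a policy with set custom-log-fields really emits the field.

```python
import re
from typing import Dict, Optional

# The FortiAnalyzer sample line from the Troubleshooting section, embedded verbatim.
SAMPLE_LOG = (
    'date=2017-07-24 time=16:25:55 bid=3132647 itime="2017-07-24 16:25:56" logver=52 '
    'logid=0000000013 type=traffic subtype=forward level=notice vd=Core '
    'devid=FG3K2C3Z16800003 action=close trandisp=noop srcport=19615 dstport=443 '
    'srcip=10.11.5.108 dstip=10.56.20.154 service=HTTPS proto=6 duration=1 policyid=14 '
    'logstring_test=WTW2 CORE sentbyte=132 rcvdbyte=92 sentpkt=3 rcvdpkt=2 '
    'srcintf=PCG-Inside_vl5 dstintf=MGMT-ESX sessionid=222952376 app=HTTPS '
    'appcat=unscanned dstcountry=Reserved srccountry=Reserved '
    'poluuid=cc9d6c00-4181-51e7-a05d-4a38a3bdc25c dtime="2017-07-24 16:25:55" '
    'itime_t=1500927956 devname=WTW2config'
)

# A token is either key=value (value quoted, possibly containing spaces, or bare)
# or a stray bare word with no '=' at all.
_TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))|(\S+)')

def naive_parse(line: str) -> Dict[str, str]:
    """Split on whitespace and '=' only: how many quick log parsers are written."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse a key=value line; a stray word with no '=' (the 'CORE' left after
    'logstring_test=WTW2') is glued back onto the previous field, not dropped."""
    fields: Dict[str, str] = {}
    last_key: Optional[str] = None
    for m in _TOKEN_RE.finditer(line):
        key, quoted, bare, stray = m.groups()
        if key is not None:
            fields[key] = quoted if quoted is not None else bare
            last_key = key
        elif last_key is not None:
            fields[last_key] = f"{fields[last_key]} {stray}"
    return fields

def custom_field_for_policy(line: str, policy_id: int, field: str) -> Optional[str]:
    """Value of `field` if the line was logged by policy_id, else None: a quick
    check that a policy with 'set custom-log-fields' really emits the field."""
    fields = parse_fortigate_log(line)
    if fields.get("policyid") != str(policy_id):
        return None
    return fields.get(field)
```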