FortiGate syslog filters don't support logid and level

Question by joepalm4 (New Member), October 28, 2022
1 reply, 4393 views

FortiOS: 6.2.8

Model: 800D


I've been trying to configure the syslog filter to only send LOG_ID_TRAFFIC_END_FORWARD (0000000013) traffic logs to my syslog server.

In the Technical Tip: Using syslog filters to send only specific logs to syslog server, @vpoluri specifies that you can include both filters. However, when I use the following string, the log stream doesn't limit to LOG_ID_TRAFFIC_END_FORWARD events.


set filter "traffic-level(information) logid(0000000013)"


However, it does limit to LOG_ID_TRAFFIC_END_FORWARD events when I just use logid.


set filter "logid(0000000013)"


Ultimately, I would like to send event-level(information), ips-level(alert), and traffic-level(information), but only the "0000000013" logid for traffic.


Is this doable?


gfleming (Staff), October 28, 2022

Not 100% sure, but try changing the traffic-level option to event-level and see if it catches?


Also not sure why you need to specify the level, because AFAIK the logid 0000000013 is always set to level "Notice":


https://docs.fortinet.com/document/fortigate/6.0.3/fortios-log-message-reference/902505/13-log-id-traffic-end-forward

joepalm4 (Author, New Member), October 31, 2022

@gfleming, I think you're right. If I just wanted to target 0000000013, I probably wouldn't need the traffic-level.


My ultimate goal is to specify an event level (no logid filter), ips-level (no logid filter), and isolate on 0000000013 for traffic. I don't think this is possible, unless someone has any ideas.

gfleming (Staff), October 31, 2022

So just to be clear, the only logs you want to send are those with a certain event level or a certain IPS level or ID 13 for traffic?


I do not have access to a FGT running FOS 6.2.X. The docs for 6.4 seem to imply it might be possible to use "AND" and "OR" operators in the filters. It's used in the free-style filter for already-captured logs but I wonder if you can do it for the other filter too.

https://docs.fortinet.com/document/fortigate/6.4.10/administration-guide/369889/configuring-and-debugging-the-free-style-filter


Also, it looks like 7.0 changes the filter config significantly, allowing multiple entries:

https://docs.fortinet.com/document/fortigate/7.0.8/administration-guide/369889/configuring-and-debugging-the-free-style-filter