Limit Types of Log Records Sent to Syslog Server

Question

I have my Fortigate sending logs to a syslog server.  It's sending massive amounts of detailed logging, but I'm really only interested in having System events and VPN events sent to the syslog server.  In the GUI, I see options for limiting the types of events that get logged, but selecting these options doesn't seem to limit what gets sent to my syslog server.  Is there a way to limit which event types are sent to a syslog server?

emnoc · Answer

yes some what... You can set the log type and severity from the cli in a filter

e.g

config log syslogd filter

and

config log eventfilter

{

set severity information

set forward-traffic enable

set local-traffic enable

set multicast-traffic enable

set sniffer-traffic enable

set anomaly enable

set netscan-discovery enable

set netscan-vulnerability enable

set voip enable

}

You can also set specific filter for traffic per-se, but you have generic filters that you can apply by policies if you play it smart. You need to determine what fwpolicies and/or create more fwpolicies by service/dst/src etc.

e.g

edit 1

set srcintf "lan"

set dstintf "wan1"

set srcaddr "all"

set dstaddr "all"

set action accept

set schedule "always"

---> set service "ALL" <-----HERE

set logtraffic all

set nat enable

e.g

edit 11

set srcintf "lan"

set dstintf "wan1"

set srcaddr "all"

set dstaddr "all"

set action accept

set schedule "always"

set service "HTTP"

set logtraffic all

set nat enable

set srcintf "lan"

set dstintf "wan1"

set srcaddr "all"

set dstaddr "all"

set action accept

set schedule "always"

set service "HTTPS"

set logtraffic all

set nat enable

set srcintf "lan"

set dstintf "wan1"

set srcaddr "all"

set dstaddr "all"

set action accept

set schedule "always"

set service "ALL"

unset logtraffic

set nat enable

YMMV ;)

Ken

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded