ShyLionCy
New Member
April 12, 2022
Question

log filter logid range

  • April 12, 2022
  • 3 replies
  • 3735 views

Hello. I'd like to set up log filter with ids range, like:

 

config log syslogd2 filter
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set voip disable
    set filter "logid(0100000000-0100999999)"
end

 


It gets into the config, but does not work: nothing is coming to syslog with that filter.

FortiOS version 6.4.8, device FG1800F

Is there a solution to this?

3 replies

xsilver_FTNT
Staff
April 14, 2022

Hello,

What is the expected content of those filtered logs?

 

I'm not sure there are any Event type messages with Subtype 00.

I'd suggest having a look at the following resources to fine-tune the filter.


Log Schema Structure
https://docs.fortinet.com/document/fortigate/6.4.8/fortios-log-message-reference/738142/log-schema-structure

 

And the Log ID numbers
https://docs.fortinet.com/document/fortigate/6.4.8/fortios-log-message-reference/84948/log-messages

 

 

ShyLionCy (Author)
New Member
April 14, 2022

event: 1

system: 0

 

There are plenty of them, like system config changes, performance stats, DHCP messages.

 

Example:

 

Apr 13 10:55:12 10.96.62.113 date=2022-04-13 time=10:55:12 devname="red-fg1800-02" devid="FG180Fcut" eventtime=1649829312344813014 tz="+0000" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="cut" ui="ha_daemon" action="Add" cfgtid=480584558 cfgpath="vpn.ssl.web.portal:bookmark-group:bookmarks" cfgobj="forticlient:gui-bookmarks:Cut" cfgattr="url[https://some.uri/]" msg="Add vpn.ssl.web.portal:bookmark-group:bookmarks forticlient:gui-bookmarks:Cut"
xsilver_FTNT
Staff
April 14, 2022

Stupid question .. is syslogd2 enabled?
Because the default is disabled:

config log syslogd2 setting
    set status disable
end

 

If it is, then I'd start a sniffer to see if there are any syslog messages sent out on the wire.
That'd be my next step.

Then basically these would be the following steps.

If messages are going out from the FortiGate, but not received on the syslog server, then:

- any firewall on the way?

- any firewall on the server itself?

- anything in a traffic sniffer (like Wireshark or tcpdump) on the server itself, to check if the message came in on the wire?

- any rules on the syslog server itself to discard messages, so anything in the server log?

 

 

ShyLionCy (Author)
New Member
April 14, 2022

@xsilver_FTNT wrote:

Stupid question .. is syslogd2 enabled?
Because the default is disabled:

config log syslogd2 setting
    set status disable
end

If it is, then I'd start a sniffer to see if there are any syslog messages sent out on the wire.
That'd be my next step.

Then basically these would be the following steps.

If messages are going out from the FortiGate, but not received on the syslog server, then:

- any firewall on the way?

- any firewall on the server itself?

- anything in a traffic sniffer (like Wireshark or tcpdump) on the server itself, to check if the message came in on the wire?

- any rules on the syslog server itself to discard messages, so anything in the server log?

Where do you think I got those examples? :)

I just skipped the rest of the config.

 

If I choose exact logids as in the documentation examples, everything works.

I'm just experimenting and tried to put a range into the config, which is NOT documented.

Surprisingly, it saved into the config but does not work. I'm not saying it actually should.

xsilver_FTNT
Staff
April 14, 2022

Well, I see it explicitly stated that a list of IDs is expected. Not a range.
Fine, the CLI might validate that and issue an error. But the CLI inline "?" help states it clearly as a list.

 

camille-esx02 (filter) # set filter
Please input the logid list or level (or both) as filters.
[logid(...)] [traffic-level(...)] [event-level(...)] [virus-level(...)] [webfilter-level(...)] [ips-level(...)] [emailfilter-level(...)] [anomaly-level(...)] [voip-level(...)] [dlp-level(...)] [app-ctrl-level(...)] [waf-level(...)] [gtp-level(...)] [dns-level(...)] [ssh-level(...)] [ssl-level(...)] [cifs-level(...)] [file-filter-level(...)] [icap-level(...)]
See the following 2 examples.
example 1
set filter "logid(40704,32042)"
example 2
set filter "event-level(information)"
The available levels are as the following:
emergency,alert,critical,error,warning,notice,information,debug

 

Therefore "not documented => not supported", I would say.

Get in contact with your sales rep. to discuss and possibly get that pushed to Fortinet's R&D, should you need that. So it might, but also might not, get implemented in the future.
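Since the inline help only accepts an explicit logid list, the practical workaround for a "range" like 0100000000-0100999999 (a million possible IDs, far too many to enumerate) is to look at which IDs in that range actually occur in a syslog capture and feed those to the filter. The Python below is an added example, not code from the thread or from Fortinet: it parses FortiGate key=value syslog lines, splits the 10-digit logid into type, subtype and message ID (the layout described in the Log Schema Structure document linked above; the posted line's "01"/"00" is event/system, matching the author's "event: 1, system: 0"), counts the IDs that fall inside the intended range, and renders them in the list form the CLI documents. THREAD_LINE is the line posted earlier in this thread; the other lines and their logid values are constructed placeholders, and the function names are my own. IDs are emitted exactly as given (the thread uses the 10-digit form); whether a given ID is accepted is still up to the CLI.

```python
import re
from collections import Counter

# Log line posted earlier in this thread (already redacted there).
THREAD_LINE = (
    'Apr 13 10:55:12 10.96.62.113 date=2022-04-13 time=10:55:12 '
    'devname="red-fg1800-02" devid="FG180Fcut" eventtime=1649829312344813014 '
    'tz="+0000" logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" '
    'user="cut" ui="ha_daemon" action="Add" cfgtid=480584558 '
    'cfgpath="vpn.ssl.web.portal:bookmark-group:bookmarks" '
    'cfgobj="forticlient:gui-bookmarks:Cut" cfgattr="url[https://some.uri/]" '
    'msg="Add vpn.ssl.web.portal:bookmark-group:bookmarks forticlient:gui-bookmarks:Cut"'
)

# Constructed sample lines: logid values and contents are placeholders, not
# taken from the thread or from the Fortinet log reference.
CONSTRUCTED_LINES = [
    'Apr 13 10:56:01 10.96.62.113 date=2022-04-13 time=10:56:01 devname="fg" '
    'logid="0100044547" type="event" subtype="system" level="information" msg="second config change"',
    'Apr 13 10:56:02 10.96.62.113 date=2022-04-13 time=10:56:02 devname="fg" '
    'logid="0100020099" type="event" subtype="system" level="notice" msg="constructed event"',
    'Apr 13 10:56:03 10.96.62.113 date=2022-04-13 time=10:56:03 devname="fg" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" msg="constructed traffic"',
    'Apr 13 10:56:04 10.96.62.113 malformed line without key value pairs',
]
SAMPLE_LINES = [THREAD_LINE] + CONSTRUCTED_LINES

# key=value where the value is either "double quoted" or a bare non-space token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
LOGID_RE = re.compile(r"\d{10}")


def parse_syslog_line(line: str) -> dict[str, str]:
    """Extract the FortiGate key=value fields; the syslog header carries no '=' and is skipped."""
    fields: dict[str, str] = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def split_logid(logid: str) -> tuple[str, str, str]:
    """Split a 10-digit log ID into (type, subtype, message id), e.g. 01 / 00 / 044547."""
    if not LOGID_RE.fullmatch(logid):
        raise ValueError(f"not a 10-digit FortiGate log ID: {logid!r}")
    return logid[:2], logid[2:4], logid[4:]


def logids_seen_in_range(lines, low: str, high: str) -> Counter:
    """Count the log IDs in [low, high] that actually appear in the captured lines.
    Fixed-width zero-padded digits make plain string comparison correct here."""
    split_logid(low), split_logid(high)  # validate the bounds
    seen: Counter = Counter()
    for line in lines:
        lid = parse_syslog_line(line).get("logid")
        if lid is None or not LOGID_RE.fullmatch(lid):
            continue  # malformed or non-FortiGate line
        if low <= lid <= high:
            seen[lid] += 1
    return seen


def syslogd_filter_cli(logids, syslogd: str = "syslogd2", disable=()) -> str:
    """Render the filter block in the list form the CLI's inline help documents.
    'disable' lets you reproduce the thread's 'set forward-traffic disable' style lines."""
    ids = sorted(set(logids))
    if not ids:
        raise ValueError("no log IDs to filter on")
    body = [f"    set {name} disable" for name in disable]
    body.append(f'    set filter "logid({",".join(ids)})"')
    return "\n".join([f"config log {syslogd} filter", *body, "end"])


if __name__ == "__main__":
    seen = logids_seen_in_range(SAMPLE_LINES, "0100000000", "0100999999")
    for lid, count in seen.most_common():
        t, st, mid = split_logid(lid)
        print(f"{lid}: type={t} subtype={st} msgid={mid} count={count}")
    print(syslogd_filter_cli(seen, disable=("forward-traffic", "local-traffic")))
```

Run it against a real capture by replacing SAMPLE_LINES with the lines from your syslog server (or from a FortiGate packet sniffer), then paste the emitted block into the CLI; if an ID is rejected there, the CLI's inline "?" help is the authority on the accepted form.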

 

 

ShyLionCy (Author)
New Member
April 14, 2022

Not a big deal, after all. But could be better.