Solution
General information:
In this example, a FortiAnalyzer will be used to forward logs with a specific filter to another FortiAnalyzer; the procedure is similar when logs need to be forwarded to a different platform such as a SIEM (syslog, CEF, etc.).
Topology: FortiGate VM (recording and sending logs) -> FortiAnalyzer (forwards logs with a filter to a second FortiAnalyzer) -> FortiAnalyzer (target).
Pre-requisites:
- The FortiGate is logging to FortiAnalyzer_1.
- FortiAnalyzer_1 (white background) must be able to reach FortiAnalyzer_2 (dark background), and port 514 must be allowed in the network path.

Test Rules:

Configuration steps:
1st scenario:
The expected logs received in FortiAnalyzer_2 should be those for policy IDs 0 (implicit), 2, 6, 7, and 8.
- In 'FortiAnalyzer_1', go to System Settings -> Advanced -> Log Forwarding -> Create New -> configure the settings.
In the configuration, set: Allow log forwarding to server type FortiAnalyzer (FortiAnalyzer_2); send logs only from device FortiGate-80E; and a log filter of policyid not equal to 3, 4, and 5, which means that only the remaining logs, for policies 0, 2, 6, 7, and 8, are forwarded.
- Then select 'OK'. FortiAnalyzer_2 will receive a notification to 'Authorize' the device in Device Manager; accept it.
- Go to Log View -> Logs -> Fortinet Logs -> FortiGate and confirm the logs are being received in 'FortiAnalyzer_1', then confirm that only the logs matching the filter rules are received in 'FortiAnalyzer_2'.

- For a double check, it is possible to configure a filter in 'FortiAnalyzer_2' on the policy IDs that were discarded by the log forwarding filter, to confirm that none of them arrive.
2nd scenario:
The expected logs received in 'FortiAnalyzer_2' should be those for policy IDs 4 and 5.
- In 'FortiAnalyzer_1', go to System Settings -> Advanced -> Log Forwarding -> Create New -> configure the settings.
In the configuration, set: Allow log forwarding to server type FortiAnalyzer (FortiAnalyzer_2); send logs only from device FortiGate-80E; and a log filter of policyid equal to 4 and 5, which means that logs for policies 0, 2, 3, 6, 7, and 8 are not forwarded.
- Then select 'OK'. 'FortiAnalyzer_2' will receive a notification to 'Authorize' the device in Device Manager; accept it.
- Go to Log View -> Logs -> Fortinet Logs -> FortiGate and confirm the logs are being received in FortiAnalyzer_1, then confirm that only the logs matching the filter rules are received in FortiAnalyzer_2.
- For a double check, it is possible to configure a filter in 'FortiAnalyzer_2' on the policy IDs that were discarded by the log forwarding filter, to confirm that none of them arrive.
Note: The generic text filter field can be validated by viewing the received logs with the raw log option and using the desired field name exactly as it appears there. When more than one rule is configured, it is important to select the logical operator (OR/AND) that produces the intended match.
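To illustrate why the operator matters, here is an added Python example (not Fortinet's code) that evaluates the policyid rules of both scenarios above against constructed FortiGate raw log lines, combined once with AND and once with OR. The device name and policy IDs come from the scenarios; the log lines and the evaluation logic are assumptions that mimic the filter's behaviour, not FortiAnalyzer's implementation.

```python
# Added example (not Fortinet's code): simulates how a FortiAnalyzer log-forwarding
# filter selects logs, to show why AND vs OR matters with several policyid rules.
import re
from typing import Callable

# Constructed sample raw logs in FortiGate key=value style (not real traffic).
RAW_LOGS = [
    'devname="FortiGate-80E" type="traffic" policyid=0 action="deny"',
    'devname="FortiGate-80E" type="traffic" policyid=2 action="accept"',
    'devname="FortiGate-80E" type="traffic" policyid=3 action="accept"',
    'devname="FortiGate-80E" type="traffic" policyid=4 action="accept"',
    'devname="FortiGate-80E" type="traffic" policyid=5 action="accept"',
    'devname="FortiGate-80E" type="traffic" policyid=6 action="accept"',
    'devname="FortiGate-80E" type="traffic" policyid=7 action="accept"',
    'devname="FortiGate-80E" type="traffic" policyid=8 action="accept"',
    'devname="OtherFGT" type="traffic" policyid=4 action="accept"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_raw_log(line: str) -> dict:
    """Split a raw key=value log line into a field dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def make_rule(field: str, op: str, value: str) -> Callable[[dict], bool]:
    """Build one filter rule; op is '==' or '!='. A missing field never matches."""
    def rule(log: dict) -> bool:
        if field not in log:
            return False
        return (log[field] == value) if op == "==" else (log[field] != value)
    return rule

def forward(logs, device: str, rules, operator: str = "AND") -> list:
    """Return the policyids of logs that would be forwarded for `device`."""
    combine = all if operator == "AND" else any
    forwarded = []
    for line in logs:
        log = parse_raw_log(line)
        if log.get("devname") != device:
            continue  # the device selection is applied before the log filter
        if combine(rule(log) for rule in rules):
            forwarded.append(int(log["policyid"]))
    return forwarded

# Scenario 1: policyid != 3, != 4, != 5. With AND -> 0, 2, 6, 7, 8 forwarded;
# with OR every log passes, because any policyid differs from at least one value.
SCENARIO1 = [make_rule("policyid", "!=", v) for v in ("3", "4", "5")]
# Scenario 2: policyid == 4, == 5. With OR -> only 4 and 5; with AND -> nothing.
SCENARIO2 = [make_rule("policyid", "==", v) for v in ("4", "5")]
```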

Related documents:
- Configuring log forwarding
- Technical Tip: Use of Operators in Event Handler General Filter (syntax)