FortiAnalyzer
Ted
Staff
Article Id 240442
Description

This article describes how to perform 'AND' operations on Log Forwarding Filters.

Scope
FortiAnalyzer.
Solution

FortiAnalyzer does not allow 'AND' and 'OR' to be mixed within the same Log Forwarding Filter: a single logic operator applies to all of the filter's conditions, so only one of the two can be chosen at a time.

 

Set 'log-filter-logic' to 'and' in the CLI so that FortiAnalyzer forwards only the logs that satisfy every condition of the Log Forwarding Filter.

# config system log-forward
    edit <id>
        set mode {aggregation | disable | forwarding}
        set log-filter-logic {and | or}
    next
end

 

When the 'AND' operator is chosen, a log matches the filter only if all of the conditions are met. When the 'OR' operator is chosen, a log matches the filter if at least one of the conditions is met.

 

For example:

# config system log-forward
    edit 1
        set mode forwarding
        set server-name "<name>"
        set server-addr "<IP>"
        set fwd-server-type syslog
        set log-filter-status enable
        set log-filter-logic and
        config log-filter
            edit 1
                set oper !=
                set value "event"
            next
            edit 2
                set oper !=
                set value "utm"
            next
            edit 3
                set field srcip
                set oper !=
                set value "10.0.1.10"
            next
            edit 4
                set field srcip
                set oper !=
                set value "10.0.1.253"
            next
        end
    next
end

In this case, since the 'AND' operator was chosen, the filter forwards only logs that meet all four conditions: entries 1 and 2 exclude 'event' and 'utm' logs, and entries 3 and 4 exclude logs whose source IP is 10.0.1.10 or 10.0.1.253. A log that fails any one of the four conditions is not forwarded.
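The AND/OR semantics above can be checked offline with the following added Python example. It is not Fortinet code and does not talk to a FortiAnalyzer: it parses a constructed copy of the article's filter configuration and evaluates the four conditions against constructed log records under both logic settings. The article's entries 1 and 2 carry no 'set field' line; the example assumes they compare the log type and therefore includes 'set field type' explicitly.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed configuration mirroring the article's example. Entries 1 and 2
# are given an explicit 'set field type' here; the article omits 'set field'
# for them, so treating them as log-type conditions is an assumption.
FILTER_CONFIG = """
config system log-forward
    edit 1
        set mode forwarding
        set log-filter-status enable
        set log-filter-logic and
        config log-filter
            edit 1
                set field type
                set oper !=
                set value "event"
            next
            edit 2
                set field type
                set oper !=
                set value "utm"
            next
            edit 3
                set field srcip
                set oper !=
                set value "10.0.1.10"
            next
            edit 4
                set field srcip
                set oper !=
                set value "10.0.1.253"
            next
        end
    next
end
"""

# Comparison operators as written in the CLI; only the two this example needs.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}

Condition = Tuple[str, str, str]  # (field, oper, value)


def parse_filter(config: str) -> Tuple[str, List[Condition]]:
    """Extract 'log-filter-logic' and the 'config log-filter' entries from CLI text."""
    logic = "or"
    conditions: List[Condition] = []
    in_filter = False
    current: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "config log-filter":
            in_filter = True
        elif in_filter and line == "end":
            in_filter = False
        elif not in_filter:
            m = re.match(r"set log-filter-logic (and|or)$", line)
            if m:
                logic = m.group(1)
        elif line.startswith("edit "):
            current = {}
        elif line.startswith("set "):
            _, key, val = line.split(None, 2)
            current[key] = val.strip('"')
        elif line == "next":
            conditions.append((current["field"], current["oper"], current["value"]))
    return logic, conditions


def matches(log: Dict[str, str], logic: str, conditions: List[Condition]) -> bool:
    """'and' requires every condition to hold; 'or' requires at least one.

    A field missing from the log is compared as an empty string (this example's
    choice, not documented FortiAnalyzer behaviour)."""
    results = [OPERATORS[oper](log.get(field, ""), value) for field, oper, value in conditions]
    return all(results) if logic == "and" else any(results)


def forwarded(logs: List[Dict[str, str]], logic: str, conditions: List[Condition]) -> List[str]:
    """Return the ids of the logs the filter would forward."""
    return [log["id"] for log in logs if matches(log, logic, conditions)]


# Constructed log records: one that should pass, and three that each violate
# at least one of the four exclusion conditions.
SAMPLE_LOGS = [
    {"id": "A", "type": "traffic", "srcip": "10.0.1.50"},
    {"id": "B", "type": "event", "srcip": "10.0.1.50"},
    {"id": "C", "type": "traffic", "srcip": "10.0.1.10"},
    {"id": "D", "type": "utm", "srcip": "10.0.1.253"},
]

if __name__ == "__main__":
    logic, conds = parse_filter(FILTER_CONFIG)
    print("configured logic:", logic)
    print("and:", forwarded(SAMPLE_LOGS, "and", conds))
    print("or: ", forwarded(SAMPLE_LOGS, "or", conds))
```

Running it shows why the article insists on 'and' for this filter: with four '!=' conditions, 'and' forwards only log A, while 'or' forwards every log, because no single log can fail all four negative tests at once. An exclusion list built from '!=' conditions only behaves as intended under 'and'.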