Purpose
FortiGate can emit custom log fields in addition to the standard log fields. This article shows how to define a custom field, attach it to a firewall policy so that it appears in that policy's traffic logs, and make it selectable in FortiAnalyzer report datasets.
Expectations, Requirements
The custom field must first be defined on the FortiGate and then applied to a firewall policy; only logs generated by policies that reference the field will carry it. Note that the entry ID (LOGSTRING01) is what the policy references, while the name (LOGSTRING_TEST) is the field name that appears in the log.
# config log custom-field
    edit "LOGSTRING01"
        set name "LOGSTRING_TEST"
        set value "WTW2 CORE"
    next
end

# config firewall policy
    edit 14
        set srcintf "PCG-Inside_vl5"
        set dstintf "MGMT-ESX"
        set action accept
        set schedule "always"
        set service "All"
        set logtraffic all
        set custom-log-fields "LOGSTRING01"
    next
end
Configuration
On the FortiAnalyzer, map the field name configured on the FortiGate (LOGSTRING_TEST, not the entry ID LOGSTRING01) to one of the FortiAnalyzer custom log field slots:
# config system log settings
    set FGT-custom-field1 "LOGSTRING_TEST"
end
Then update the report dataset to select the custom field where it is needed. In the stored logs the field name is lower-cased, so it is queried as logstring_test (see the log sample under Troubleshooting).
Because the custom field value is attached to the firewall policy that generated the log, the dataset that selects it should query the policy data (policyid together with the custom field) as a separate query rather than being merged into an existing dataset.
Troubleshooting
FortiAnalyzer log sample. The custom field appears as logstring_test=WTW2 CORE next to policyid=14, confirming that the field was applied to the right policy. Note that the value contains a space but is written without quotes, so any parser that simply splits the line on whitespace will truncate it to WTW2.
date=2017-07-24 time=16:25:55 bid=3132647 itime="2017-07-24 16:25:56" logver=52 logid=0000000013 type=traffic subtype=forward level=notice vd=Core devid=FG3K2C3Z16800003 action=close trandisp=noop srcport=19615 dstport=443 srcip=10.11.5.108 dstip=10.56.20.154 service=HTTPS proto=6 duration=1 policyid=14 logstring_test=WTW2 CORE sentbyte=132 rcvdbyte=92 sentpkt=3 rcvdpkt=2 srcintf=PCG-Inside_vl5 dstintf=MGMT-ESX sessionid=222952376 app=HTTPS appcat=unscanned dstcountry=Reserved srccountry=Reserved poluuid=cc9d6c00-4181-51e7-a05d-4a38a3bdc25c dtime="2017-07-24 16:25:55" itime_t=1500927956 devname=WTW2config
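The following Python script is an added example and is not part of the original article or of Fortinet's own tooling. It parses the log sample above with a splitter that keeps the unquoted "WTW2 CORE" value intact, shows side by side how a naive whitespace split truncates it, and checks that the custom field in the log matches what the FortiGate CLI configured for policy 14. The POLICY_CUSTOM_FIELDS mapping and the function names are assumptions built from the CLI shown earlier; extend the mapping with one entry per labelled policy.

```python
import re
from typing import Dict, Tuple

# Log sample taken from the article above (the FortiAnalyzer traffic log for
# policy 14), joined from adjacent string literals so it stays one line.
SAMPLE_LOG = (
    'date=2017-07-24 time=16:25:55 bid=3132647 itime="2017-07-24 16:25:56" '
    'logver=52 logid=0000000013 type=traffic subtype=forward level=notice '
    'vd=Core devid=FG3K2C3Z16800003 action=close trandisp=noop srcport=19615 '
    'dstport=443 srcip=10.11.5.108 dstip=10.56.20.154 service=HTTPS proto=6 '
    'duration=1 policyid=14 logstring_test=WTW2 CORE sentbyte=132 rcvdbyte=92 '
    'sentpkt=3 rcvdpkt=2 srcintf=PCG-Inside_vl5 dstintf=MGMT-ESX '
    'sessionid=222952376 app=HTTPS appcat=unscanned dstcountry=Reserved '
    'srccountry=Reserved poluuid=cc9d6c00-4181-51e7-a05d-4a38a3bdc25c '
    'dtime="2017-07-24 16:25:55" itime_t=1500927956 devname=WTW2config'
)

# Assumed mapping reconstructed from the FortiGate CLI in this article:
# policy 14 -> custom field named LOGSTRING_TEST (lower-cased in the log)
# with value "WTW2 CORE". Add one entry per policy you label.
POLICY_CUSTOM_FIELDS: Dict[str, Tuple[str, str]] = {
    "14": ("logstring_test", "WTW2 CORE"),
}

# Split only on whitespace that is immediately followed by a "key=" token.
# An unquoted value containing spaces (WTW2 CORE) therefore stays attached
# to its key, and quoted values such as itime="..." are also kept whole.
_FIELD_BOUNDARY = re.compile(r"\s+(?=[A-Za-z_][\w-]*=)")


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse a FortiGate/FortiAnalyzer key=value log line into a dict."""
    fields: Dict[str, str] = {}
    for chunk in _FIELD_BOUNDARY.split(line.strip()):
        key, sep, value = chunk.partition("=")
        if not sep:
            continue  # not a key=value token; ignore it
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # strip surrounding quotes
        fields[key] = value
    return fields


def naive_parse(line: str) -> Dict[str, str]:
    """Whitespace-split parser, kept only to show the failure mode:
    'WTW2 CORE' becomes 'WTW2' and the stray 'CORE' token is dropped."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def verify_custom_field(fields: Dict[str, str],
                        policy_map: Dict[str, Tuple[str, str]]) -> str:
    """Check that the log carries the custom field configured for its policy.

    Returns 'match', 'mismatch', 'missing' or 'unknown-policy'.
    'missing' on a policy that should carry the field usually means
    custom-log-fields was not applied to that policy (or logging is off);
    'mismatch' points at a parsing problem or a stale configured value.
    """
    policy_id = fields.get("policyid")
    if policy_id not in policy_map:
        return "unknown-policy"
    field_name, expected = policy_map[policy_id]
    if field_name not in fields:
        return "missing"
    return "match" if fields[field_name] == expected else "mismatch"


if __name__ == "__main__":
    parsed = parse_fortigate_log(SAMPLE_LOG)
    print("policyid:", parsed["policyid"])
    print("logstring_test (boundary parser):", repr(parsed["logstring_test"]))
    print("logstring_test (naive parser):   ",
          repr(naive_parse(SAMPLE_LOG).get("logstring_test")))
    print("verification:", verify_custom_field(parsed, POLICY_CUSTOM_FIELDS))
```

Run it against a batch of exported traffic logs and count the 'missing' results per policyid: a policy that should carry the label but never shows the field is the fastest sign that custom-log-fields was not applied to it. If you feed these logs into a SIEM, make sure its FortiGate parser handles the unquoted multi-word value the same way, or choose custom field values without spaces.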