FortiGate
avneesh_
Staff
Article Id 275145
Description: This article describes how to configure FortiGate to forward only VPN event logs to the Syslog server.
Scope FortiGate.
Solution

Once the syslog server is configured on the FortiGate, it is possible to create an advanced filter to only forward VPN events.

 

To create the filter, run the following commands:

config log syslogd filter
    config free-style
        edit 1
            set category event
            set filter " action ssl-alert ssl-login-fail ssl-new-con tunnel-down tunnel-up ssl-exit-error"
            set filter-type include
        next
    end
end



 

To forward additional VPN events or to stop forwarding certain ones, check the action of the log entry and add it to, or remove it from, the 'action' list in the set filter line configured above.

 

To check the VPN events generated by the FortiGate, go to Log & Report -> System Events -> VPN Events and look for the value under the Action tab; that is the value to add to or delete from the filter list.

 

Alternative filter example: 

 

set filter "subtype vpn"

 

Note:

To send only logs from the free-style filter, it is necessary to disable all of the default log domains: 

 

config log syslogd filter
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set ztna-traffic disable
    set anomaly disable
    set voip disable
    set gtp disable
end
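
One way to confirm on the syslog server that only the intended VPN events arrive once the free-style filter and the disabled log domains are in place. This is an added example, not part of the original article or Fortinet's own code; the sample log lines are constructed, and the function names and the fields used (type, action, remip, user) are assumptions of this sketch.

```python
import re
from collections import Counter

# Actions listed in the free-style filter from this article.
ALLOWED_ACTIONS = {"ssl-alert", "ssl-login-fail", "ssl-new-con",
                   "tunnel-down", "tunnel-up", "ssl-exit-error"}

# FortiGate log payloads are space-separated key=value pairs; values may be quoted.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Return the key=value fields of one received log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def audit(lines):
    """Count expected VPN actions, collect lines that should not have been
    forwarded, and tally ssl-login-fail events per remote IP."""
    actions, leaks, failed = Counter(), [], Counter()
    for line in lines:
        fields = parse(line)
        action = fields.get("action")
        if fields.get("type") == "event" and action in ALLOWED_ACTIONS:
            actions[action] += 1
            if action == "ssl-login-fail":
                failed[fields.get("remip", "unknown")] += 1
        else:
            leaks.append(line)  # filter or default log domains need review
    return actions, leaks, failed

# Constructed sample lines (not captured from a real device).
SAMPLE = [
    'date=2023-09-20 time=10:01:02 devname="FGT-LAB" type="event" subtype="vpn" '
    'action="ssl-login-fail" remip=203.0.113.5 user="alice" msg="login failed"',
    'date=2023-09-20 time=10:01:09 devname="FGT-LAB" type="event" subtype="vpn" '
    'action="ssl-login-fail" remip=203.0.113.5 user="admin" msg="login failed"',
    'date=2023-09-20 time=10:02:30 devname="FGT-LAB" type="event" subtype="vpn" '
    'action="tunnel-up" remip=198.51.100.20 user="bob" msg="tunnel established"',
    'date=2023-09-20 time=10:03:00 devname="FGT-LAB" type="traffic" '
    'subtype="forward" action="accept" srcip=10.0.0.5 dstip=198.51.100.7',
]

if __name__ == "__main__":
    actions, leaks, failed = audit(SAMPLE)
    print("forwarded VPN actions:", dict(actions))
    print("failed logins per remote IP:", dict(failed))
    for line in leaks:
        print("UNEXPECTED:", line)
```

Any line reported as unexpected points to a default log domain that is still enabled or to an action missing from the filter list.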

 

Related documents:

Technical Tip: Configuring advanced syslog free-style filters.

Technical Tip: How to use the facility function of syslogd.

config log syslogd setting - FortiGate CLI reference.