Description
This article describes how to configure advanced syslog filters using the 'config free-style' command.
Scope
FortiOS 7.0, FortiOS 7.2.
Solution
Starting with FortiOS 7.0, syslog free-style filters can be configured directly on the FortiGate to select which of the logs it generates are forwarded, thereby limiting the volume of logs sent to the syslog server.
Filters are configured using the 'config free-style' command as defined below. Each filter includes a log category, a specific log fields filter, and a type to define whether the filter is inclusive or exclusive.
config log syslogd filter
config free-style
edit 1
set category {traffic | event | virus | …}
set filter <string>
set filter-type {include (include logs that match the filter) | exclude (exclude logs that match the filter)}
next
end
end
Note: each category can be used in only one free-style filter entry. Trying to configure a second entry with a category that is already in use, for example the 'traffic' category, gives the following error:
config log syslogd filter
config free-style
edit 2
set category traffic
traffic is already used by entry 1.
node_check_object fail! for category traffic
value parse error before 'traffic'
Command fail. Return code -15
The CLI help ('set filter ?') shows the expression syntax that filters are defined with:
config log syslogd filter
config free-style
edit 1
set filter ?
Enter a free-style expression, for example:
"srcip 172.16.1.1"
"(srcip 172.16.1.1) or (dstip 172.16.1.2)"
"(srcip 172.16.1.1) and (dstip 172.16.1.2)"
"((srcip 172.16.1.1) or (dstip 172.16.1.2)) and (dstport 80 443 50-60)"
The expressions in the help text only use source and destination addresses and ports, but more complex expressions can be built from most fields of a log record, including 'service', 'srccountry', 'dstcountry', 'policyid', 'policyname', 'proto' and 'action'.
Example 1: To stop all 'traffic' logs recorded for the 'DNS' service (service="DNS" in the log record) from being sent to the configured syslog server, use the following filter:
config log syslogd filter
config free-style
edit 1
set category traffic
set filter "service DNS"
set filter-type exclude
next
end
end
Example 2: To send only 'traffic' logs for HTTPS sessions that are recorded at session start (action="start") and are destined to servers in France, use the following filter:
config log syslogd filter
config free-style
edit 1
set category traffic
set filter "(service HTTPS) and (action start) and (dstcountry France)"
set filter-type include
next
end
end
As a result, only records matching the filter, such as the one below, are sent to the syslog server:
LOCAL7.NOTICE: date=2022-11-02 time=13:37:42 devname="palladium-asecsp-kvm44" devid="FGVM010000085566" eventtime=1667389062138158260 tz="+0100" logid="0000000015" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.130.8.206 srcport=49219 srcintf="port3" srcintfrole="undefined" dstip=184.51.105.193 dstport=443 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="France" sessionid=29670153 proto=6 action="start" policyid=1 policytype="policy" poluuid="8ef4f1c4-5509-51ed-c543-2afc3a5d656f" policyname="L2W" service="HTTPS" trandisp="snat" transip=10.5.23.112 transport=49219 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"
Example 3: To send only HTTP and HTTPS 'traffic' logs that pass through firewall policy ID 1 and are destined to servers in France, use the following filter:
config log syslogd filter
config free-style
edit 1
set category traffic
set filter "((service HTTP) or (service HTTPS)) and (dstcountry France) and (policyid 1)"
set filter-type include
next
end
end
As a result, only records matching the filter, such as the two below, are sent to the syslog server:
LOCAL7.NOTICE: date=2022-11-02 time=15:38:49 devname="palladium-asecsp-kvm44" devid="FGVM010000085566" eventtime=1667396328575496239 tz="+0100" logid="0000000015" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.130.8.206 srcport=50903 srcintf="port3" srcintfrole="undefined" dstip=163.172.32.57 dstport=443 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="France" sessionid=30028189 proto=6 action="start" policyid=1 policytype="policy" poluuid="8ef4f1c4-5509-51ed-c543-2afc3a5d656f" policyname="L2W" service="HTTPS" trandisp="snat" transip=10.5.23.112 transport=50903 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"
LOCAL7.NOTICE: date=2022-11-02 time=15:38:49 devname="palladium-asecsp-kvm44" devid="FGVM010000085566" eventtime=1667396328625674821 tz="+0100" logid="0000000015" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.130.8.206 srcport=50904 srcintf="port3" srcintfrole="undefined" dstip=163.172.32.57 dstport=80 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="France" sessionid=30028191 proto=6 action="start" policyid=1 policytype="policy" poluuid="8ef4f1c4-5509-51ed-c543-2afc3a5d656f" policyname="L2W" service="HTTP" trandisp="snat" transip=10.5.23.112 transport=50904 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"
Important:
Free-style filter logic applies in two stages:
Top-level filter --> Free-style filter.
The top-level filter is determined by the severity and per-type settings directly under 'config log syslogd filter':
config log syslogd filter
get
severity : information
forward-traffic : enable
local-traffic : enable
multicast-traffic : enable
sniffer-traffic : enable
ztna-traffic : enable
anomaly : enable
voip : enable
Logs that pass the top-level filter are then handed to the free-style filter for a second round of filtering.
A free-style filter also applies PER CATEGORY: it only affects logs of the category set in its entry.
Example:
The following free-style filter only applies to the category 'event':
config log syslogd filter
config free-style
edit 1
set category event
set filter "(logid 0101039947 0101039948)"
set filter-type include
next
end
end
If the top-level filter leaves other categories enabled (for example forward-traffic or local-traffic), the free-style filter above restricts the 'event' category to log IDs 0101039947 and 0101039948, but all logs from the other enabled categories are still forwarded.
If logs from other categories are not wanted, either disable those categories in the top-level filter or add free-style entries that explicitly exclude them, as in the following example:
Example:
config log syslogd filter
config free-style
edit 1
set category event
set filter "(logid 0101039947 0101039948)"
set filter-type include
next
edit 2
set category traffic
set filter "(logid *)"
set filter-type exclude
next
edit 3
set category app-ctrl
set filter "(logid *)"
set filter-type exclude
next
edit 4
set category webfilter
set filter "(logid *)"
set filter-type exclude
next
end
end
To exclude logs from or to a specific interface (here, 'event' logs with port1 as source or destination interface):
Example:
config log syslogd filter
config free-style
edit 1
set category event
set filter "(srcintf port1) or (dstintf port1)"
set filter-type exclude
next
end
end
Sending only the filtered logs:
If only the logs matched by a specific filter should be forwarded, the default log types, which are all enabled by default, must be disabled in the top-level filter.
Example: Only forward VPN events to the syslog server. (Tested on FortiOS 7.2.)
config log syslogd filter
set forward-traffic disable
set local-traffic disable
set multicast-traffic disable
set sniffer-traffic disable
set ztna-traffic disable
set anomaly disable
set voip disable
set gtp disable
config free-style
edit 1
set category event
set filter "subtype vpn"
next
end
end
Result:
A syslog record matching the filter (category 'event', subtype 'vpn'):
Tue Apr 30 14:23:28 2024;192.168.5.254; <190>date=2024-04-30 time=16:23:27 devname="FGT" devid="FGVM01" eventtime=1714487008050096172 tz="+0200" logid="0101039424" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-web" tunnelid=536577968 remip=10.10.10.10 user="localuser" group="MyLocalGroup" dst_host="N/A" reason="login successfully" msg="SSL tunnel established"
In the same way, further types, subtypes or other specific filters can be added so that additional log types are forwarded as well.
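To make the two-stage logic concrete, the following Python script is an added example; it is not FortiOS code or anything shipped by Fortinet. It parses FortiOS key=value log records, compiles free-style expressions with the syntax shown by 'set filter ?' (a field followed by one or more values, '*' as wildcard, 'lo-hi' numeric ranges, 'and'/'or' and parentheses), and runs constructed sample records through the top-level filter and then through one free-style entry per category. It exercises the expressions of Examples 1 to 3, the multi-category exclusion example and the VPN-only example above. Assumptions, also marked in the comments: the grammar is inferred from the help text, unparenthesised and/or is evaluated left to right, UTM logs are categorised by their subtype, log types without a top-level toggle (event, UTM) only face the severity threshold, and the sample log lines are constructed, with placeholder log IDs except those quoted on this page.

```python
"""Emulate the two-stage syslogd filtering described on this page: the top-level
filter (severity plus per-type toggles), then one free-style entry per category.
Added example, not Fortinet code; the grammar (field + values, '*', 'lo-hi' ranges,
and/or, parentheses) is inferred from the CLI help text; left-to-right evaluation
of unparenthesised and/or is an assumption."""
import re

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_RANGE = re.compile(r"(\d+)-(\d+)")
_LEVELS = ["emergency", "alert", "critical", "error", "warning", "notice", "information", "debug"]

def parse_record(line):
    # FortiOS key=value log line -> dict, quotes removed
    return {k: q or u for k, q, u in _KV.findall(line)}

def category(record):
    """Free-style category: the log type, except UTM logs, which go by subtype (assumption)."""
    return record["subtype"] if record.get("type") == "utm" else record.get("type", "")

def compile_filter(expr):
    """Recursive-descent parser: free-style expression -> nested tuple tree."""
    tokens = expr.replace("(", " ( ").replace(")", " ) ").split()

    def parse_expr(pos):
        left, pos = parse_term(pos)
        while pos < len(tokens) and tokens[pos].lower() in ("and", "or"):
            right, nxt = parse_term(pos + 1)
            left, pos = (tokens[pos].lower(), left, right), nxt
        return left, pos

    def parse_term(pos):
        if pos >= len(tokens):
            raise ValueError("unexpected end of %r" % expr)
        if tokens[pos] == "(":
            node, pos = parse_expr(pos + 1)
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            return node, pos + 1
        field, pos, values = tokens[pos], pos + 1, []  # field followed by one or more values
        while pos < len(tokens) and tokens[pos] not in ("(", ")") and tokens[pos].lower() not in ("and", "or"):
            values.append(tokens[pos])
            pos += 1
        if not values:
            raise ValueError("field %r has no value in %r" % (field, expr))
        return ("match", field, values), pos

    tree, pos = parse_expr(0)
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return tree

def _value_matches(actual, pattern):
    if pattern == "*":  # wildcard, as in "(logid *)"
        return True
    rng = _RANGE.fullmatch(pattern)  # numeric range, as in "dstport 50-60"
    if rng and actual.isdigit():
        return int(rng.group(1)) <= int(actual) <= int(rng.group(2))
    return actual == pattern

def evaluate(tree, record):
    """True when the record matches the compiled expression; any listed value may match."""
    if tree[0] == "match":
        actual = record.get(tree[1])
        return actual is not None and any(_value_matches(actual, v) for v in tree[2])
    op, left, right = tree
    return (evaluate(left, record) and evaluate(right, record)) if op == "and" else (
        evaluate(left, record) or evaluate(right, record))

def passes_top_level(record, toplevel):
    """Stage 1. Traffic toggles are keyed by subtype (forward-traffic, ...); event and
    UTM logs have no toggle in the 'get' output above, so only severity applies (assumption)."""
    if _LEVELS.index(record.get("level", "debug")) > _LEVELS.index(toplevel.get("severity", "debug")):
        return False
    cat = category(record)
    key = record.get("subtype", "") + "-traffic" if cat == "traffic" else cat
    return toplevel.get(key, "enable") == "enable"

def passes_free_style(record, filters):
    """Stage 2. filters: category -> (expression, filter-type); no entry means forwarded as is."""
    entry = filters.get(category(record))
    if entry is None:
        return True
    matched = evaluate(compile_filter(entry[0]), record)
    return matched if entry[1] == "include" else not matched

def forwarded(lines, toplevel, filters):
    """Records that reach the syslog server after both stages."""
    return [r for r in map(parse_record, lines) if passes_top_level(r, toplevel) and passes_free_style(r, filters)]

# Constructed sample records, trimmed to the fields used here; logids not quoted on this page are placeholders.
SAMPLE_LOGS = [
    'logid="0000000015" type="traffic" subtype="forward" level="notice" dstport=443 dstcountry="France" action="start" policyid=1 service="HTTPS"',
    'logid="0000000013" type="traffic" subtype="forward" level="notice" dstport=53 dstcountry="Reserved" action="accept" policyid=2 service="DNS"',
    'logid="0101039424" type="event" subtype="vpn" level="information" logdesc="SSL VPN tunnel up" action="tunnel-up"',
    'logid="0101039947" type="event" subtype="vpn" level="information"',
    'logid="0100000000" type="event" subtype="system" level="information"',
    'logid="0300000000" type="utm" subtype="webfilter" level="warning" action="blocked"',
]
DEFAULT_TOP_LEVEL = {"severity": "information"}  # every toggle enabled, as in the 'get' output above
VPN_ONLY_TOP_LEVEL = dict(DEFAULT_TOP_LEVEL, **{k: "disable" for k in (
    "forward-traffic", "local-traffic", "multicast-traffic", "sniffer-traffic", "ztna-traffic", "anomaly", "voip", "gtp")})
EVENT_ONLY_FILTERS = {"event": ("(logid 0101039947 0101039948)", "include"), "traffic": ("(logid *)", "exclude"),
                      "app-ctrl": ("(logid *)", "exclude"), "webfilter": ("(logid *)", "exclude")}
VPN_ONLY_FILTERS = {"event": ("subtype vpn", "include")}  # filter-type omitted on the page; include is the default
```

Calling forwarded(SAMPLE_LOGS, DEFAULT_TOP_LEVEL, EVENT_ONLY_FILTERS) returns only the event with logid 0101039947, while forwarded(SAMPLE_LOGS, VPN_ONLY_TOP_LEVEL, VPN_ONLY_FILTERS) shows the caveat from the note above in practice: the VPN events come through, but so does the webfilter record, because disabling the traffic types in the top-level filter does not touch the UTM categories. Adding an exclude entry for 'webfilter' with "(logid *)", as in the multi-category example, removes it.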
Related articles:
Technical Tip: Using syslog free-style filters
Technical Tip: Configuring advanced syslog free-style filters
Copyright 2024 Fortinet, Inc. All Rights Reserved.