Description
This article describes how to configure advanced syslog filters using the 'config free-style' command.
Scope
FortiOS 7.0.
Solution
Starting with the FortiOS 7.0 release, syslog free-style filters can be configured directly on FortiOS devices to select which captured logs are forwarded, thereby limiting the number of logs sent to the syslog server.
Filters are configured under the 'config free-style' command as shown below. Each filter entry specifies a log category, a filter expression on log fields, and a filter type that defines whether matching logs are included or excluded.
# config log syslogd filter
# config free-style
edit 1
set category {traffic | event | virus | …}
set filter <string>
set filter-type {include (include logs that match the filter) | exclude (exclude logs that match the filter)}
next
end
end
Note: each log category can be used in only one free-style filter entry. Attempting to configure a second entry with an already used category, for example 'traffic', produces the following error:
# config log syslogd filter
# config free-style
edit 2
set category traffic
traffic is already used by entry 1.
node_check_object fail! for category traffic
value parse error before 'traffic'
Command fail. Return code -15
#
Filter expressions use the syntax shown by the CLI help for the 'set filter' option:
# config log syslogd filter
# config free-style
edit 1
set filter ?
Enter a free-style expression, for example:
"srcip 172.16.1.1"
"(srcip 172.16.1.1) or (dstip 172.16.1.2)"
"(srcip 172.16.1.1) and (dstip 172.16.1.2)"
"((srcip 172.16.1.1) or (dstip 172.16.1.2)) and (dstport 80 443 50-60)"
While the example expressions above focus on source and destination IP addresses and ports, more complex expressions can be built from most of the fields contained in a log record, including 'service', 'srccountry', 'dstcountry', 'policyid', 'policyname', 'proto', 'action', and so on.
Example 1: To stop all 'traffic' logs recorded for the 'DNS' service (service="DNS" in the log record) from being sent to the configured syslog server, use the following filter:
# config log syslogd filter
# config free-style
edit 1
set category traffic
set filter "service DNS"
set filter-type exclude
next
end
end
Example 2: To send only 'traffic' logs for HTTPS sessions that are recorded at session creation time (action="start") and destined for servers in France to the configured syslog server, use the following filter:
# config log syslogd filter
# config free-style
edit 1
set category traffic
set filter "(service HTTPS) and (action start) and (dstcountry France)"
set filter-type include
next
end
end
As a result, only records matching the filter, such as the one below, are sent to the syslog server:
LOCAL7.NOTICE: date=2022-11-02 time=13:37:42 devname="palladium-asecsp-kvm44" devid="FGVM010000085566" eventtime=1667389062138158260 tz="+0100" logid="0000000015" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.130.8.206 srcport=49219 srcintf="port3" srcintfrole="undefined" dstip=184.51.105.193 dstport=443 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="France" sessionid=29670153 proto=6 action="start" policyid=1 policytype="policy" poluuid="8ef4f1c4-5509-51ed-c543-2afc3a5d656f" policyname="L2W" service="HTTPS" trandisp="snat" transip=10.5.23.112 transport=49219 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"
Example 3: To send only 'traffic' logs for HTTP and HTTPS sessions passing through firewall policy ID 1 and destined for servers in France to the configured syslog server, use the following filter:
# config log syslogd filter
# config free-style
edit 1
set category traffic
set filter "((service HTTP) or (service HTTPS)) and (dstcountry France) and (policyid 1)"
set filter-type include
next
end
end
As a result, only records matching the filter, such as the two below, are sent to the syslog server:
LOCAL7.NOTICE: date=2022-11-02 time=15:38:49 devname="palladium-asecsp-kvm44" devid="FGVM010000085566" eventtime=1667396328575496239 tz="+0100" logid="0000000015" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.130.8.206 srcport=50903 srcintf="port3" srcintfrole="undefined" dstip=163.172.32.57 dstport=443 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="France" sessionid=30028189 proto=6 action="start" policyid=1 policytype="policy" poluuid="8ef4f1c4-5509-51ed-c543-2afc3a5d656f" policyname="L2W" service="HTTPS" trandisp="snat" transip=10.5.23.112 transport=50903 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"
LOCAL7.NOTICE: date=2022-11-02 time=15:38:49 devname="palladium-asecsp-kvm44" devid="FGVM010000085566" eventtime=1667396328625674821 tz="+0100" logid="0000000015" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.130.8.206 srcport=50904 srcintf="port3" srcintfrole="undefined" dstip=163.172.32.57 dstport=80 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="France" sessionid=30028191 proto=6 action="start" policyid=1 policytype="policy" poluuid="8ef4f1c4-5509-51ed-c543-2afc3a5d656f" policyname="L2W" service="HTTP" trandisp="snat" transip=10.5.23.112 transport=50904 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"
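The free-style syntax shown by the CLI help (single terms, 'and'/'or' with parentheses, multi-value and range terms such as 'dstport 80 443 50-60') and the three filters in Examples 1 to 3 can be previewed against captured log records before the filter is committed on the device. The following Python is an added example, not FortiOS code or part of this article: it parses FortiOS key=value records, evaluates a free-style expression against each one, and returns what a given filter-type would forward. The matching rules and the left-to-right operator evaluation are assumptions (the article does not define them), and the sample records are constructed.

```python
import re

# Assumed semantics (not confirmed by the article): "field v1 v2 lo-hi" matches when the
# field equals any listed value (case-insensitive) or lies in lo-hi; and/or apply left to right.
TOKEN = re.compile(r'\(|\)|\band\b|\bor\b|[^\s()]+')

def parse_record(line):
    # FortiOS records are space-separated key=value pairs; values may be double-quoted.
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def value_matches(actual, v):
    rng = re.fullmatch(r'(\d+)-(\d+)', v)
    if rng and actual.isdigit():
        return int(rng.group(1)) <= int(actual) <= int(rng.group(2))
    return actual.lower() == v.lower()

def term_matches(rec, field, values):
    actual = rec.get(field)
    return actual is not None and any(value_matches(actual, v) for v in values)

def matches(expr, rec):
    # Recursive descent over the token list; each helper consumes the tokens it parses.
    toks = TOKEN.findall(expr)
    def parse_expr():
        result = parse_atom()
        while toks and toks[0] in ('and', 'or'):
            op, rhs = toks.pop(0), parse_atom()
            result = (result and rhs) if op == 'and' else (result or rhs)
        return result
    def parse_atom():
        if toks[0] == '(':
            toks.pop(0)
            result = parse_expr()
            toks.pop(0)  # the matching ')'
            return result
        field, values = toks.pop(0), []
        while toks and toks[0] not in ('(', ')', 'and', 'or'):
            values.append(toks.pop(0))
        return term_matches(rec, field, values)
    return parse_expr()

def forwarded(lines, expr, filter_type):
    # include: forward only matching records; exclude: forward everything except matches.
    keep = filter_type == 'include'
    return [line for line in lines if matches(expr, parse_record(line)) == keep]

SAMPLE = [  # constructed sample records, abbreviated from the article's traffic-log format
    'type="traffic" srcip=10.130.8.206 dstip=184.51.105.193 dstport=443 dstcountry="France" action="start" policyid=1 service="HTTPS"',
    'type="traffic" srcip=10.130.8.206 dstip=10.130.8.1 dstport=53 dstcountry="Reserved" action="start" policyid=2 service="DNS"',
]
```

Calling forwarded(SAMPLE, "service DNS", "exclude") returns only the HTTPS record, and the Example 2 and 3 expressions with "include" return the same single record, so a filter can be sanity-checked against exported logs before it is applied.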
Copyright 2023 Fortinet, Inc. All Rights Reserved.