Description
This article describes how to configure advanced syslog filters using the 'config free-style' command.
Scope
FortiOS 7.0.
Solution
With FortiOS 7.0 release, syslog free-style filters can be configured directly on FortiOS-based devices to filter logs that are captured, thereby limiting the number of logs sent to the syslog server.
Filters are configured using the 'config free-style' command as defined below. Each filter includes a log category, a specific log fields filter, and a type to define whether the filter is inclusive or exclusive.
config log syslogd filter
config free-style
edit 1
set category {traffic | event | virus | …}
set filter <string>
set filter-type {include (include logs that match the filter) | exclude (exclude logs that match the filter)}
next
end
end
Note: a category type can only be used in one free-style filter. Trying to configure a free-style filter with an already used category, for example, the 'traffic' category, gives the following error:
config log syslogd filter
config free-style
edit 2
set category traffic
traffic is already used by entry 1.
node_check_object fail! for category traffic
value parse error before 'traffic'
Command fail. Return code -15
By default, filters can be defined using the following specific syntax:
config log syslogd filter
config free-style
edit 1
set filter ?
Enter a free-style expression, for example:
"srcip 172.16.1.1"
"(srcip 172.16.1.1) or (dstip 172.16.1.2)"
"(srcip 172.16.1.1) and (dstip 172.16.1.2)"
"((srcip 172.16.1.1) or (dstip 172.16.1.2)) and (dstport 80 443 50-60)"
While free-style expressions listed in the example above focus on the source and destination IP addresses and ports, there is actually the possibility to create more complex expressions based on most of the fields contained in a syslog file including the 'service' type, 'srccountry', 'dstcountry', 'policyid', 'policyname', 'proto' type, 'action' type, etc.
Example 1: Assuming it is not wanted to send to the predefined syslog server all 'traffic' type logs that are recorded for the 'DNS' service (service = 'DNS' field in syslog record), this can be done using the following filter:
config log syslogd filter
config free-style
edit 1
set category traffic
set filter "service DNS"
set filter-type exclude
next
end
end
Example 2: Assuming it is wanted to send to the predefined syslog server only HTTPS traffic type logs that are recorded at session creation time and targeting French country servers, this can be done using the following filter:
config log syslogd filter
config free-style
edit 1
set category traffic
set filter "(service HTTPS) and (action start) and (dstcountry France)"
set filter-type include
next
end
end
As a result, only records matching the predefined filter (for example the one below) will be sent to the syslog server:
LOCAL7.NOTICE: date=2022-11-02 time=13:37:42 devname="palladium-asecsp-kvm44" devid="FGVM010000085566" eventtime=1667389062138158260 tz="+0100" logid="0000000015" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.130.8.206 srcport=49219 srcintf="port3" srcintfrole="undefined" dstip=184.51.105.193 dstport=443 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="France" sessionid=29670153 proto=6 action="start" policyid=1 policytype="policy" poluuid="8ef4f1c4-5509-51ed-c543-2afc3a5d656f" policyname="L2W" service="HTTPS" trandisp="snat" transip=10.5.23.112 transport=49219 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"
Example 3: Assuming it is wanted to send to the predefined syslog server only HTTP and HTTPS traffic type logs passing through Firewall Policy ID 1 and targeting French country servers, this can be done using the following filter:
# config log syslogd filter
# config free-style
edit 1
set category traffic
set filter "((service HTTP) or (service HTTPS)) and (dstcountry France) and (policyid 1)"
set filter-type include
next
end
end
As a result, only records matching the predefined filter (for example the ones below) will be sent to the Syslog server:
LOCAL7.NOTICE: date=2022-11-02 time=15:38:49 devname="palladium-asecsp-kvm44" devid="FGVM010000085566" eventtime=1667396328575496239 tz="+0100" logid="0000000015" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.130.8.206 srcport=50903 srcintf="port3" srcintfrole="undefined" dstip=163.172.32.57 dstport=443 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="France" sessionid=30028189 proto=6 action="start" policyid=1 policytype="policy" poluuid="8ef4f1c4-5509-51ed-c543-2afc3a5d656f" policyname="L2W" service="HTTPS" trandisp="snat" transip=10.5.23.112 transport=50903 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"
LOCAL7.NOTICE: date=2022-11-02 time=15:38:49 devname="palladium-asecsp-kvm44" devid="FGVM010000085566" eventtime=1667396328625674821 tz="+0100" logid="0000000015" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.130.8.206 srcport=50904 srcintf="port3" srcintfrole="undefined" dstip=163.172.32.57 dstport=80 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="France" sessionid=30028191 proto=6 action="start" policyid=1 policytype="policy" poluuid="8ef4f1c4-5509-51ed-c543-2afc3a5d656f" policyname="L2W" service="HTTP" trandisp="snat" transip=10.5.23.112 transport=50904 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"
Important:
Free-Style filter Logic applies as follows
Top-level filter --> Free style filter.
Top-level filters are determined based on category settings under 'config log syslogd filter'.
config log syslogd filter
(filter) # get
severity : information
forward-traffic : enable
local-traffic : enable
multicast-traffic : enable
sniffer-traffic : enable
ztna-traffic : enable
anomaly : enable
voip : enable
The logs enabled from the top-level filter are forwarded to the 'free style filter' for another round of filtering.
'Free style filter' also applies PER CATEGORY.
Example:
The following freestyle filter only applies to the category 'events':
config log syslogd filter
config free-style
edit 1
set category event
set filter "(logid 0101039947 0101039948)"
set filter-type include
next
If top-level filters are enabled for other categories (ex. forward-traffic,local-traffic etc...), the above free-style filter will filter category:event to logids 0101039947,0101039948, but display all logs from other enabled categories.
If logs from other categories are unwanted, you must either disable those categories from the top-level filter or configure the following free-style filter to manually exclude other categories.
Example:
config log syslogd filter
config free-style
edit 1
set category event
set filter "(logid 0101039947 0101039948)"
set filter-type include
next
edit 2
set category traffic
set filter "(logid *)"
set filter-type exclude
next
edit 3
set category app-ctrl
set filter "(logid *)"
set filter-type exclude
next
edit 4
set category webfilter
set filter "(logid *)"
set filter-type exclude
next
end
end
To exclude the logs from/to a specific interface.
Example:
config log syslogd filter
config free-style
edit 1
set category event
set filter "(srcintf port1) or (dstintf port1)"
set filter-type exclude
end
end
