FortiGate
mmaubert (Staff)
Article Id 228816

Description

 

This article describes how to configure advanced syslog filters using the 'config free-style' command.

 

Scope

 

FortiOS 7.0.

 

Solution

 

With the FortiOS 7.0 release, syslog free-style filters can be configured directly on FortiOS-based devices to select which captured logs are forwarded, thereby limiting the number of logs sent to the syslog server.

 

Filters are configured using the 'config free-style' command as defined below. Each filter includes a log category, a specific log fields filter, and a type to define whether the filter is inclusive or exclusive.

 

# config log syslogd filter
    # config free-style
        edit 1
            set category {traffic | event | virus | …}
            set filter <string>
            set filter-type {include (include logs that match the filter) | exclude (exclude logs that match the filter)}
        next
    end
end

 

Note: a category type can only be used in one free-style filter. Trying to configure a free-style filter with an already used category, for example, the 'traffic' category, gives the following error:

 

# config log syslogd filter
    # config free-style
        edit 2
            set category traffic

        traffic is already used by entry 1.
        node_check_object fail! for category traffic
        value parse error before 'traffic'
        Command fail. Return code -15
#

 

Filter expressions follow the syntax shown by the CLI help for the 'filter' attribute:

 

# config log syslogd filter
    # config free-style
        edit 1
            set filter ?

Enter a free-style expression, for example:

"srcip 172.16.1.1"
"(srcip 172.16.1.1) or (dstip 172.16.1.2)"
"(srcip 172.16.1.1) and (dstip 172.16.1.2)"
"((srcip 172.16.1.1) or (dstip 172.16.1.2)) and (dstport 80 443 50-60)"

 

While the free-style expressions shown in the CLI help focus on source and destination IP addresses and ports, more complex expressions can be built from most of the fields contained in a syslog record, including 'service', 'srccountry', 'dstcountry', 'policyid', 'policyname', 'proto', 'action', and so on.

 

Example 1: To stop sending the 'traffic' logs recorded for the 'DNS' service (service="DNS" in the syslog record) to the configured syslog server, use the following filter:

 

# config log syslogd filter
    # config free-style
        edit 1
            set category traffic
            set filter "service DNS"
            set filter-type exclude
        next
    end
end

 

Example 2: To send only the 'traffic' logs for HTTPS sessions that are recorded at session creation time and destined to servers located in France to the configured syslog server, use the following filter:

 

# config log syslogd filter
    # config free-style
        edit 1
            set category traffic
            set filter "(service HTTPS) and (action start) and (dstcountry France)"
            set filter-type include
        next
    end
end

 

As a result, only records matching the predefined filter (for example the one below) will be sent to the syslog server:

 

LOCAL7.NOTICE: date=2022-11-02 time=13:37:42 devname="palladium-asecsp-kvm44" devid="FGVM010000085566" eventtime=1667389062138158260 tz="+0100" logid="0000000015" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.130.8.206 srcport=49219 srcintf="port3" srcintfrole="undefined" dstip=184.51.105.193 dstport=443 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="France" sessionid=29670153 proto=6 action="start" policyid=1 policytype="policy" poluuid="8ef4f1c4-5509-51ed-c543-2afc3a5d656f" policyname="L2W" service="HTTPS" trandisp="snat" transip=10.5.23.112 transport=49219 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"

 

Example 3: To send only the HTTP and HTTPS 'traffic' logs that pass through firewall policy ID 1 and are destined to servers located in France to the configured syslog server, use the following filter:

 

# config log syslogd filter
    # config free-style
        edit 1
            set category traffic
            set filter "((service HTTP) or (service HTTPS)) and (dstcountry France) and (policyid 1)"
            set filter-type include
        next
    end
end

 

As a result, only records matching the predefined filter (for example the ones below) will be sent to the syslog server:

 

LOCAL7.NOTICE: date=2022-11-02 time=15:38:49 devname="palladium-asecsp-kvm44" devid="FGVM010000085566" eventtime=1667396328575496239 tz="+0100" logid="0000000015" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.130.8.206 srcport=50903 srcintf="port3" srcintfrole="undefined" dstip=163.172.32.57 dstport=443 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="France" sessionid=30028189 proto=6 action="start" policyid=1 policytype="policy" poluuid="8ef4f1c4-5509-51ed-c543-2afc3a5d656f" policyname="L2W" service="HTTPS" trandisp="snat" transip=10.5.23.112 transport=50903 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"

LOCAL7.NOTICE: date=2022-11-02 time=15:38:49 devname="palladium-asecsp-kvm44" devid="FGVM010000085566" eventtime=1667396328625674821 tz="+0100" logid="0000000015" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.130.8.206 srcport=50904 srcintf="port3" srcintfrole="undefined" dstip=163.172.32.57 dstport=80 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="France" sessionid=30028191 proto=6 action="start" policyid=1 policytype="policy" poluuid="8ef4f1c4-5509-51ed-c543-2afc3a5d656f" policyname="L2W" service="HTTP" trandisp="snat" transip=10.5.23.112 transport=50904 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"
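To check a free-style expression against captured records before committing it on the device, here is an added Python example (not Fortinet code and not part of this article): it parses key=value syslog records like the ones above, evaluates the expression with include/exclude semantics, and covers the three examples plus the multi-value and port-range form from the CLI help. The expression grammar (a field followed by one or more values or numeric ranges, 'and'/'or', parentheses, with 'and' binding tighter than 'or' when unparenthesised) is inferred from the syntax shown in this article, the sample records are constructed, and treating other log categories as unaffected is an assumption.

```python
import re
# Constructed sample records in the page's key=value format (not copied from a real device).
SAMPLE_HTTPS = ('date=2022-11-02 time=13:37:42 type="traffic" subtype="forward" srcip=10.130.8.206 '
                'dstip=184.51.105.193 dstport=443 dstcountry="France" action="start" policyid=1 service="HTTPS"')
SAMPLE_DNS = 'date=2022-11-02 time=13:37:43 type="traffic" srcip=10.130.8.206 dstport=53 action="accept" service="DNS"'

def value_matches(actual, wanted):
    """A term may list several values ('dstport 80 443 50-60'); any listed value or numeric range matches."""
    for w in wanted:
        lo, _, hi = w.partition('-')
        if actual.lower() == w.lower():
            return True
        if lo.isdigit() and hi.isdigit() and actual.isdigit() and int(lo) <= int(actual) <= int(hi):
            return True
    return False

def eval_expr(expr, rec):
    """Assumed grammar: 'field value...' terms, 'and' binding tighter than 'or', parentheses for grouping."""
    tokens = re.findall(r'\(|\)|[^\s()]+', expr.strip('"'))
    pos = 0
    def atom():
        nonlocal pos
        if tokens[pos] == '(':
            pos += 1
            val = chain(lambda: chain(atom, 'and'), 'or')   # parenthesised sub-expression
            pos += 1                                        # consume the closing ')'
            return val
        field, pos = tokens[pos], pos + 1
        vals = []
        while pos < len(tokens) and tokens[pos].lower() not in ('(', ')', 'and', 'or'):
            vals.append(tokens[pos])
            pos += 1
        return value_matches(rec.get(field, ''), vals)
    def chain(sub, op):
        nonlocal pos
        result = sub()
        while pos < len(tokens) and tokens[pos].lower() == op:
            pos += 1
            rhs = sub()                                     # always consume the right-hand side
            result = (result and rhs) if op == 'and' else (result or rhs)
        return result
    return chain(lambda: chain(atom, 'and'), 'or')

def sent_to_syslog(line, category, expression, filter_type):
    """True/False: would the record reach syslog under this filter? None: other log category (assumed unaffected)."""
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}   # key=value fields
    if rec.get('type') != category:
        return None
    return eval_expr(expression, rec) == (filter_type == 'include')   # include keeps matches, exclude drops them
```

Feeding a day of exported records through sent_to_syslog with the candidate expression shows exactly which lines would be kept or dropped, which is cheaper than discovering a too-broad exclude after the SIEM goes quiet.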