FortiGate
msanjaypadma
Staff
Article Id 389034
Description

This article explains how to forward only the traffic logs for specific source IP addresses or firewall policy IDs to a syslog server.

Scope

FortiGate.

Solution

To forward only the traffic logs for the desired source IP or policy ID while excluding all event logs, configure the free-style filter entries below under the syslogd log filter. Free-style filters are not available when FIPS-CC mode is enabled on the device.

Free-style entries are combined on an OR basis: a log is forwarded when it matches any one of the include entries for its category, so entries 1 and 2 below send traffic logs from source 172.29.6.51 as well as traffic logs for policy ID 1, while entry 3 drops every event log:

FortiGate (filter) # show
config log syslogd filter
    config free-style
        edit 1
            set category traffic
            set filter "(srcip 172.29.6.51)"
        next
        edit 2
            set category traffic
            set filter "(policyid 1)"
        next
        edit 3
            set category event
            set filter "(logid *)"   <----- Excludes all event logs.
            set filter-type exclude
        next
    end
end

To get the policy ID of a firewall policy, see the steps in Technical Tip: How to find policy ID.

If additional log categories need to be forwarded, create a new entry under the free-style option for each category, with the category name and the filter expression for that category.

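As an added example, not taken from the article, the configuration below shows the syslog destination the filter applies to together with the free-style entries, extended with a webfilter entry for the same policy ID. The server address 10.5.138.200 is a constructed placeholder; the category name webfilter and the settings under config log syslogd setting are assumed to match the FortiOS version in use, so verify them against the CLI reference for the running firmware.

```text
# Syslog destination (assumed FortiOS syntax; server address is a placeholder)
config log syslogd setting
    set status enable
    set server "10.5.138.200"
    set mode udp
    set port 514
end

# Free-style entries: traffic logs for one source or one policy, the
# web filter logs of that policy, and no event logs at all
config log syslogd filter
    config free-style
        edit 1
            set category traffic
            set filter "(srcip 172.29.6.51)"
        next
        edit 2
            set category traffic
            set filter "(policyid 1)"
        next
        edit 3
            set category webfilter
            set filter "(policyid 1)"
        next
        edit 4
            set category event
            set filter "(logid *)"
            set filter-type exclude
        next
    end
end
```

After committing, show log syslogd filter lists the entries exactly as they were entered, which is the quickest way to confirm that the category, the expression and the filter-type of each entry are what was intended before checking what arrives at the syslog server.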
To filter on other fields, download the logs stored in memory in raw format and take the field names from the log lines: the expression inside the double quotes is the field name, a space, and the value to match.

For example, to forward only traffic logs for the policy named Internet, the entry below is added. The raw traffic log that follows is the kind of memory log line the field name and value are taken from (policyname="Internet"), written in the filter with a space instead of the equals sign and without quotes around the value:

edit 2
    set category traffic
    set filter "(policyname Internet)"
next

date=2025-04-23 time=21:47:36 eventtime=1745470055187912854 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.29.6.50 srcport=55107 srcintf="port3" srcintfrole="undefined" dstip=10.5.191.253 dstport=53 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=205132844 proto=17 action="accept" policyid=1 policytype="policy" poluuid="bfd7dcba-f5df-51ef-a74a-ced2698d0951" policyname="Internet" service="DNS" trandisp="snat" transip=10.5.138.29 transport=55107 appcat="unscanned" duration=181 sentbyte=68 rcvdbyte=127 sentpkt=1 rcvdpkt=1
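As an added illustration, not code from the article or from Fortinet, the Python script below parses raw FortiGate log lines of the form shown above and applies free-style entries to them, showing both the OR combination of include entries and the field-name syntax taken from a raw log. The sample log lines are constructed, not captured from a device, and the evaluation order (exclude entries first, then OR over the include entries of the log's category, categories with no entries forwarded unchanged) is an assumption about FortiOS behaviour used only to reason about a filter set before applying it.

```python
"""Model of how FortiGate free-style syslog filters select raw log lines.

Assumed evaluation order (not stated by the article): a log is dropped if any
exclude entry of its category matches; otherwise it is forwarded if it matches
at least one include entry of its category (entries OR together); a category
with no entries at all is forwarded unchanged.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed sample logs in FortiGate raw key=value format (not from a device).
SAMPLE_LOGS = [
    'date=2025-04-23 time=21:47:36 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=172.29.6.50 dstip=10.5.191.253 dstport=53 action="accept" policyid=1 '
    'policyname="Internet" service="DNS"',
    'date=2025-04-23 time=21:48:02 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=172.29.6.51 dstip=10.5.191.10 dstport=443 action="accept" policyid=7 '
    'policyname="Servers" service="HTTPS"',
    'date=2025-04-23 time=21:48:30 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.0.0.9 dstip=10.5.191.10 dstport=22 action="deny" policyid=3 '
    'policyname="Admin" service="SSH"',
    'date=2025-04-23 time=21:49:00 logid="0100032001" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" action="login" status="success"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The single-term free-style expression used on the page: "(field value)".
_EXPR = re.compile(r'^\(\s*(\w+)\s+(\S+)\s*\)$')


def parse_raw_log(line):
    """Split a raw log line into a dict; quoted values lose their quotes."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in _KV.findall(line)}


def parse_filter_expr(expr):
    """Return (field, value) from an expression such as "(policyid 1)"."""
    m = _EXPR.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    return m.group(1), m.group(2)


@dataclass(frozen=True)
class FreeStyleEntry:
    category: str                 # set category ...
    expr: str                     # set filter "(field value)"
    filter_type: str = "include"  # set filter-type include|exclude

    def matches(self, log):
        field_name, value = parse_filter_expr(self.expr)
        # "*" in the value acts as a wildcard, as in "(logid *)".
        return field_name in log and fnmatchcase(log[field_name], value)


def forwarded(log, entries):
    """Decide whether one parsed log would be sent to syslog (assumed model)."""
    mine = [e for e in entries if e.category == log.get("type")]
    if any(e.filter_type == "exclude" and e.matches(log) for e in mine):
        return False
    includes = [e for e in mine if e.filter_type == "include"]
    if not includes:
        return True
    return any(e.matches(log) for e in includes)  # OR across include entries


def select_for_syslog(lines, entries):
    """Raw lines that pass the filter set, in their original order."""
    return [line for line in lines if forwarded(parse_raw_log(line), entries)]


def filter_fields(lines, category):
    """Field names seen in logs of one category: the names usable in a filter."""
    names = set()
    for line in lines:
        log = parse_raw_log(line)
        if log.get("type") == category:
            names.update(log)
    return sorted(names)


# The three entries from the article's configuration.
PAGE_ENTRIES = [
    FreeStyleEntry("traffic", "(srcip 172.29.6.51)"),
    FreeStyleEntry("traffic", "(policyid 1)"),
    FreeStyleEntry("event", "(logid *)", "exclude"),
]

if __name__ == "__main__":
    print("fields available for traffic filters:", filter_fields(SAMPLE_LOGS, "traffic"))
    for line in select_for_syslog(SAMPLE_LOGS, PAGE_ENTRIES):
        print("forwarded:", line)
```

Running the script with PAGE_ENTRIES forwards the first two sample traffic logs (one by policy ID, one by source IP) and drops the third traffic log and the event log. Swapping in a single entry "(policyname Internet)" keeps only the Internet policy's traffic log but, under the assumed model, lets the event log through again, because no entry covers the event category any more; that is why the article keeps the exclude entry for event logs alongside the traffic entries.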

Results:

(Screenshot: forward traffic logs.PNG)