FortiGate
Mohammed_Feroz
Article Id 265525
Description This article describes how to exclude specific logs from being sent by FortiGate to FortiAnalyzer.
Scope FortiOS v7.0.
Solution

There are cases where a set of logs needs to be excluded from being sent by the FortiGate firewall to FortiAnalyzer.

Example:

Log storage on FortiAnalyzer is filling up, or false-positive logs are triggering an action (such as an event handler) in FortiAnalyzer.

 

In the example below, a free-style filter on the FortiAnalyzer log destination is configured to exclude two specific log IDs (the DHCP statistics and DHCP ACK event logs). The filter belongs to the 'event' category, so it only affects event logs; 'filter-type exclude' drops the matching logs, while 'filter-type include' would send only the matching logs of that category:

config log fortianalyzer filter
    config free-style
        edit 1
            set category event
            set filter "(logid 0100026003 0100026001)"
            set filter-type exclude
        next
    end
end

 

Logs matched by this filter (the logid field is the value used in the filter expression):

date=xxxx time=xxxx .. logid="0100026003" type="event" subtype="system" level="information" vd="root" logdesc="DHCP statistics" interface="xxx" total=3 used=0 msg="DHCP statistics" ...

date=xxxx time=xxxx .. logid="0100026001" type="event" subtype="system" level="information" msg="DHCP server sends a DHCPACK" logdesc="DHCP Ack log" ...

 

The log ID can be taken from the logid field of the generated logs or from the Log ID reference below. Note that logid is a 10-digit value: the first two digits are the log type, the next three the subtype, and the last five the message ID listed in the reference, so logid 0100026003 corresponds to message ID 26003:

 

26003 - LOG_ID_DHCP_STAT
26001 - LOG_ID_DHCP_ACK
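To show what the filter above actually does to a stream of logs, here is an added example (not code from the article or from Fortinet) that models a single 'config free-style' entry in Python: it parses FortiOS key=value log lines, evaluates the parenthesised "(field value value ...)" form shown in the article, applies the include/exclude semantics only to logs of the entry's category, and splits a 10-digit logid into type, subtype and message ID. The sample log lines are constructed (modelled on the two lines above), the combination of several groups with AND is an assumption of this model and is not verified against the FortiOS parser, and the functions parse_log, split_logid, parse_filter and apply_free_style are names chosen here:

```python
import re

# Constructed sample lines, modelled on the two log lines in the article (not real captures).
SAMPLE_LOGS = [
    'date=2023-09-01 time=10:00:00 logid="0100026003" type="event" subtype="system" level="information" vd="root" logdesc="DHCP statistics" interface="port2" total=3 used=0 msg="DHCP statistics"',
    'date=2023-09-01 time=10:00:01 logid="0100026001" type="event" subtype="system" level="information" msg="DHCP server sends a DHCPACK" logdesc="DHCP Ack log"',
    'date=2023-09-01 time=10:00:02 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" msg="Administrator admin logged in successfully"',
    'date=2023-09-01 time=10:00:03 logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.0.5 dstip=203.0.113.9 action="accept"',
]

# key="quoted value" or key=unquoted_value
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line):
    """Turn one FortiOS key=value log line into a dict (quoted and unquoted values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def split_logid(logid):
    """Split a 10-digit logid into (type, subtype, message id).

    0100026003 -> ('01', '000', 26003); 26003 is the message ID listed in the
    Log Reference (LOG_ID_DHCP_STAT in the article)."""
    if not re.fullmatch(r'\d{10}', logid):
        raise ValueError(f'unexpected logid {logid!r}')
    return logid[:2], logid[2:5], int(logid[5:])


# One group: "(field value1 value2 ...)", as in "(logid 0100026003 0100026001)"
_GROUP_RE = re.compile(r'\(\s*(\w+)((?:\s+[^\s()]+)+)\s*\)')


def parse_filter(expr):
    """Parse a free-style expression into a list of (field, set_of_values) groups.

    Only the parenthesised form shown in the article is handled. A group matches when
    the field equals any of the listed values. When several groups are present they
    are ANDed here; that is an assumption of this model, not verified FortiOS behaviour."""
    groups = []
    pos = 0
    for m in _GROUP_RE.finditer(expr):
        if expr[pos:m.start()].strip():
            raise ValueError(f'unsupported syntax near {expr[pos:m.start()]!r}')
        groups.append((m.group(1), set(m.group(2).split())))
        pos = m.end()
    if expr[pos:].strip() or not groups:
        raise ValueError(f'unsupported filter expression {expr!r}')
    return groups


def _matches(fields, groups):
    return all(fields.get(field) in values for field, values in groups)


def apply_free_style(lines, category, expr, filter_type):
    """Model of one 'config free-style' entry: return the lines that would still be sent.

    Only logs whose type equals the entry's category are subject to the filter; logs of
    other categories pass through untouched (they are governed by their own entries).
    'exclude' drops matching logs of the category, 'include' keeps only matching ones."""
    if filter_type not in ('include', 'exclude'):
        raise ValueError('filter-type must be include or exclude')
    groups = parse_filter(expr)
    forwarded = []
    for line in lines:
        fields = parse_log(line)
        if fields.get('type') != category:
            forwarded.append(line)  # different category: this entry does not apply
            continue
        hit = _matches(fields, groups)
        if (filter_type == 'exclude' and not hit) or (filter_type == 'include' and hit):
            forwarded.append(line)
    return forwarded


if __name__ == '__main__':
    kept = apply_free_style(SAMPLE_LOGS, 'event', '(logid 0100026003 0100026001)', 'exclude')
    for line in kept:
        f = parse_log(line)
        print(f['logid'], split_logid(f['logid'])[2], f.get('logdesc') or f.get('action'))
```

With the article's filter and 'exclude', the two DHCP event logs are dropped while the admin login event and the traffic log are still forwarded; switching the same entry to 'include' inverts the result for event logs only and leaves the traffic log unaffected, which is why the category must be chosen deliberately.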

 

Note:

If FIPS-CC mode is enabled on the device, the command 'config free-style' is not available.

The filter above only affects the FortiAnalyzer destination ('config log fortianalyzer filter'); the same logs are still written to other enabled destinations, such as local disk or syslog, unless an equivalent filter is configured there as well.

 

Related document:

Log ID numbers