sjoshi (Staff)
Article Id 222828
Description

This article describes how to exclude specific logs from being sent to FortiAnalyzer.

 

Scope

FortiOS.

 

Solution

It is possible to stop specific logs from being sent to FortiAnalyzer.


For example:

In the FortiGate local traffic logs, multiple logs from source 10.5.59.81 to destination 10.5.63.255 are recorded for NetBIOS forward traffic. To stop these logs from being received in FortiAnalyzer, configure the following script on the FortiGate:


# config log fortianalyzer filter
    config free-style
        edit 1
            set category traffic
            set filter "(srcip 10.5.59.81) and (dstip 10.5.63.255)"
            set filter-type exclude
        next
    end
end
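To preview which records a free-style filter would suppress before committing it on the FortiGate, the following added example (not Fortinet's code and not part of this article) models the filter as a small expression language: atoms of the form "(field value)" combined with and, or, not and grouping parentheses, with values compared as exact strings. That grammar is an assumption based on the single filter string shown above, and the sample log records are constructed; the FortiGate itself remains the authority on how a filter actually matches.

```python
"""Simplified offline model of a FortiOS free-style log filter (added example).

Assumptions: atoms look like "(field value)", combine with and / or / not and
parentheses, and values match as exact strings. filter-type "exclude" drops
matching records, "include" keeps only matching records."""
import re

# The filter string from the article.
ARTICLE_FILTER = "(srcip 10.5.59.81) and (dstip 10.5.63.255)"

# Constructed sample traffic log records (not taken from a real device).
SAMPLE_LOGS = [
    {"srcip": "10.5.59.81", "dstip": "10.5.63.255", "service": "NETBIOS", "action": "accept"},
    {"srcip": "10.5.59.81", "dstip": "10.5.63.255", "service": "NETBIOS", "action": "accept"},
    {"srcip": "10.5.59.81", "dstip": "10.5.63.10", "service": "HTTPS", "action": "accept"},
    {"srcip": "10.5.59.82", "dstip": "10.5.63.255", "service": "NETBIOS", "action": "accept"},
]

# One alternative per token kind. The atom alternative comes first so that
# "(srcip 10.5.59.81)" is consumed whole instead of as a grouping parenthesis.
TOKEN = re.compile(r"\((\w+)\s+([^\s()]+)\)|(\()|(\))|\b(and|or|not)\b|(\S+)")


def tokenize(expr):
    """Split a filter string into atom / paren / operator tokens."""
    tokens = []
    for m in TOKEN.finditer(expr):
        if m.group(1):
            tokens.append(("atom", m.group(1), m.group(2)))
        elif m.group(3):
            tokens.append(("(",))
        elif m.group(4):
            tokens.append((")",))
        elif m.group(5):
            tokens.append((m.group(5),))
        else:
            raise ValueError(f"unexpected token {m.group(6)!r} in filter")
    return tokens


class Parser:
    """Recursive-descent parser: or < and < not < atom / group (lowest to highest precedence)."""

    def __init__(self, tokens):
        self.t, self.i = tokens, 0

    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else None

    def take(self):
        tok = self.t[self.i]
        self.i += 1
        return tok

    def parse(self):
        node = self.expr_or()
        if self.peek() is not None:
            raise ValueError("trailing tokens after filter expression")
        return node

    def expr_or(self):
        node = self.expr_and()
        while self.peek() == ("or",):
            self.take()
            node = ("or", node, self.expr_and())
        return node

    def expr_and(self):
        node = self.expr_not()
        while self.peek() == ("and",):
            self.take()
            node = ("and", node, self.expr_not())
        return node

    def expr_not(self):
        if self.peek() == ("not",):
            self.take()
            return ("not", self.expr_not())
        tok = self.take()
        if tok[0] == "atom":
            return tok
        if tok == ("(",):
            node = self.expr_or()
            if self.take() != (")",):
                raise ValueError("expected closing parenthesis")
            return node
        raise ValueError(f"unexpected token {tok}")


def evaluate(node, record):
    """Evaluate a parsed filter tree against one log record (dict of fields)."""
    kind = node[0]
    if kind == "atom":
        return str(record.get(node[1], "")) == node[2]
    if kind == "not":
        return not evaluate(node[1], record)
    if kind == "and":
        return evaluate(node[1], record) and evaluate(node[2], record)
    return evaluate(node[1], record) or evaluate(node[2], record)


def forwarded_to_fortianalyzer(records, filter_expr, filter_type="exclude"):
    """Return the records that would still be forwarded under the given filter."""
    tree = Parser(tokenize(filter_expr)).parse()
    kept = []
    for rec in records:
        matched = evaluate(tree, rec)
        if filter_type == "exclude" and matched:
            continue  # matching records are suppressed
        if filter_type == "include" and not matched:
            continue  # only matching records are forwarded
        kept.append(rec)
    return kept


if __name__ == "__main__":
    for rec in forwarded_to_fortianalyzer(SAMPLE_LOGS, ARTICLE_FILTER):
        print("forwarded:", rec)
```

Running the block against the four constructed records forwards only the two that do not match both srcip 10.5.59.81 and dstip 10.5.63.255, which is the behaviour the article describes; the same function can be pointed at records exported from a real FortiGate to check a candidate filter for unintended matches.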

 

As a result, logs matching source 10.5.59.81 to destination 10.5.63.255 are no longer sent to FortiAnalyzer, but they remain present locally on the FortiGate.

 

FortiGate local traffic logs:

[Screenshot: FortiGate local traffic logs]

 

It is possible to see that multiple logs are being received from source 10.5.59.81 to destination 10.5.63.255 in FortiGate until 16:59.

 

 

FortiAnalyzer traffic logs:

[Screenshot: FortiAnalyzer traffic logs]

 

 

In FortiAnalyzer, however, the logs from source 10.5.59.81 to destination 10.5.63.255 are no longer visible after 16:40. The system event log below shows that the exclude filter was configured at 16:40 to stop logs from source 10.5.59.81 to destination 10.5.63.255 from being sent to FortiAnalyzer.

 

date=2022-09-04 time=16:40:04 eventtime=1662289804659849003 tz="+0530" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(10.32.17.148)" action="Add" cfgtid=504299524 cfgpath="log.fortianalyzer.filter:free-style" cfgobj="1" cfgattr="category[traffic]filter[(srcip 10.5.59.81) and (dstip 10.5.63.255)]filter-type[exclude]" msg="Add log.fortianalyzer.filter:free-style 1"

 

After the exclude filter is configured, the matching logs are no longer received in FortiAnalyzer.
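Because an exclude filter reduces what the central log store sees, changes to it are worth surfacing in configuration-change review, and the system event log above is the audit trail for that. The following added example (not Fortinet's code and not part of this article) parses FortiOS key=value event logs and reports every change under the cfgpath log.fortianalyzer.filter, together with who made it, from which UI, and which filter string and filter-type were set. The field names follow the event log quoted above; the parsing rule (quoted values may contain spaces, unquoted values end at whitespace, cfgattr packs attributes as name[value]) is an assumption drawn from that line, and the second sample event is constructed.

```python
"""Surface FortiAnalyzer log-filter changes from FortiOS system event logs (added example).

Assumptions: fields are key=value with optional double-quoted values, and cfgattr
packs attributes as name[value]name[value]... as in the event log quoted in the article."""
import re

# key=value pairs; a quoted value may contain spaces, an unquoted one cannot.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# cfgattr attributes: name[value] repeated, e.g. category[traffic]filter[...]filter-type[exclude]
CFGATTR = re.compile(r"([\w-]+)\[([^\]]*)\]")

# Path prefix of the FortiAnalyzer log filter, taken from the article's event log.
FAZ_FILTER_PATH = "log.fortianalyzer.filter"

# First line: the system event log from the article. Second line: a constructed,
# unrelated configuration event (firewall address edit) that should be ignored.
SAMPLE_EVENTS = [
    'date=2022-09-04 time=16:40:04 eventtime=1662289804659849003 tz="+0530" logid="0100044547" '
    'type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" '
    'user="admin" ui="jsconsole(10.32.17.148)" action="Add" cfgtid=504299524 '
    'cfgpath="log.fortianalyzer.filter:free-style" cfgobj="1" '
    'cfgattr="category[traffic]filter[(srcip 10.5.59.81) and (dstip 10.5.63.255)]filter-type[exclude]" '
    'msg="Add log.fortianalyzer.filter:free-style 1"',
    # constructed sample, not from a real device
    'date=2022-09-04 time=16:38:10 eventtime=1662289690000000000 tz="+0530" logid="0100044547" '
    'type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" '
    'user="admin" ui="jsconsole(10.32.17.148)" action="Edit" cfgtid=504299520 '
    'cfgpath="firewall.address" cfgobj="host_example" cfgattr="subnet[10.5.59.81 255.255.255.255]" '
    'msg="Edit firewall.address host_example"',
]


def parse_fortios_log(line):
    """Return the key=value fields of one FortiOS log line as a dict."""
    fields = {}
    for m in KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def parse_cfgattr(cfgattr):
    """Unpack a cfgattr value such as category[traffic]filter-type[exclude] into a dict."""
    return {m.group(1): m.group(2) for m in CFGATTR.finditer(cfgattr or "")}


def filter_change_findings(lines):
    """Return one finding per configuration event that touches the FortiAnalyzer log filter."""
    findings = []
    for line in lines:
        rec = parse_fortios_log(line)
        # Only system configuration events carry cfgpath/cfgattr.
        if rec.get("type") != "event" or rec.get("subtype") != "system":
            continue
        if not rec.get("cfgpath", "").startswith(FAZ_FILTER_PATH):
            continue
        attrs = parse_cfgattr(rec.get("cfgattr"))
        findings.append({
            "when": f'{rec.get("date")} {rec.get("time")}',
            "user": rec.get("user"),
            "source": rec.get("ui"),        # admin UI and client address
            "action": rec.get("action"),    # Add / Edit / Delete
            "object": rec.get("cfgobj"),
            "category": attrs.get("category"),
            "filter": attrs.get("filter"),
            "filter_type": attrs.get("filter-type"),
        })
    return findings


if __name__ == "__main__":
    for f in filter_change_findings(SAMPLE_EVENTS):
        print(f"{f['when']} {f['user']} via {f['source']}: {f['action']} filter "
              f"{f['object']} ({f['filter_type']}): {f['filter']}")
```

On the two sample events the function reports only the article's event: admin added free-style filter 1 at 16:40:04 with filter-type exclude and the filter string from the configuration above, while the constructed firewall.address edit is skipped. Feeding it a FortiGate's exported system event logs gives a list of every such change to reconcile against change tickets.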
