FortiGate
ydong01
Staff
Article Id 230236
Description

This article describes how a syslogd or FortiAnalyzer log filter on 6.x can specify both a logid list and a log level, and clarifies what the CLI help leaves unstated: how the log ID and the log level are combined.

Scope

FortiGate 6.x, 7.0.x.
Solution

On 6.x the filter is set with the following command (under config log syslogd filter or config log fortianalyzer filter):

set filter

The argument is a logid list, one or more per-category log levels, or both:

[logid(...)] [traffic-level(...)] [event-level(...)] [virus-level(...)] [webfilter-level(...)] [ips-level(...)] [emailfilter-level(...)] [anomaly-level(...)] [voip-level(...)] [dlp-level(...)] [app-ctrl-level(...)] [waf-level(...)] [gtp-level(...)] [dns-level(...)] [ssh-level(...)] [ssl-level(...)] [cifs-level(...)] [file-filter-level(...)] [icap-level(...)]


See the following two examples:

Example 1, a logid list only:

set filter "logid(40704,32042)"

Example 2, a level only:

set filter "event-level(information)"

The available levels, from most to least severe, are:

  • emergency (0)
  • alert (1)
  • critical (2)
  • error (3)
  • warning (4)
  • notice (5)
  • information (6)
  • debug (7)

 

The logic between the log ID and the log level is AND: a log is forwarded only if it matches both.

 

Below is an example on 6.x:

show log syslogd filter

config log syslogd filter
    set filter "event-level(notice) logid(22923)"
end

This output alone does not show whether the event level and the logid are combined with AND or with OR.

 

After the upgrade to 7.0.x, the upgrade process converted the same configuration to the free-style filter syntax:

 

FGT-1 # show log syslogd filter
config log syslogd filter
    config free-style
        edit 1
            set category event
            set filter "((level notice warning error critical alert emergency) and (logid 22923))"
        next
    end
end

 

The converted filter makes the logic explicit: the level list and the logid are joined with 'and'. It also shows how the upgrade expanded the single 6.x 'event-level(notice)' into the list 'notice warning error critical alert emergency', i.e. notice and every more severe level (see the note on 6.x level semantics below).

In version 7.0 and higher the logid must be the full 10-digit logid as it appears in the log itself, for example 'logid 0100032001', not the short form 'logid 32001' used in 6.x.

 

To filter on more than one logid, list them in a single logid clause or join clauses with 'or'; the following filters are equivalent:

 

    set filter "logid 0100032001 0100032003"
    set filter "(logid 0100032001 0100032003)"
    set filter "(logid 0100032001) or (logid 0100032003)"

 

To drop particular logs instead of selecting them, use set filter-type exclude. Each log destination (disk, memory, syslogd, fortianalyzer) has its own filter table, so an exclude configured on the disk filter affects only what is written to disk; repeat it on the other destinations if needed.

Below is an example that stops the DHCP event logs from being written to disk:

 

config log disk filter
    config free-style
        edit 1
            set category event
            set filter "logid 0100026001 0100026002 0100026003"
            set filter-type exclude
        next
    end
end

 

Another note:

In 6.x, 'event-level(notice)' does not mean level == notice (5). It means level <= notice (5), i.e. emergency (0), alert (1), critical (2), error (3), warning (4) or notice (5): a lower number is more severe, following the syslog convention, and the 7.0 conversion shown above spells out exactly that list.
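The matching rules described above, as an added example that is not part of this article or of FortiOS: a small Python model that evaluates both the 6.x style filter (a per-category level treated as a severity threshold, ANDed with the logid list) and the 7.0 free-style filter (explicit level lists, 'and'/'or', filter-type exclude) against a few constructed log records. The record layout, the assumption that the 6.x short logid is the last five digits of the 7.0 logid without leading zeros, the supported grammar subset and the 'and'-before-'or' precedence are choices of this example, not statements from the article.

```python
"""Model of FortiGate log-filter matching (added example, not FortiGate code).

Assumptions not taken from the article: records are dicts with a 10-digit
'logid' and a 'level'; the 6.x short logid is the last five digits without
leading zeros (consistent with 32001 <-> 0100032001); the 7.0 grammar handled
is 'level ...', 'logid ...', 'and', 'or', parentheses; 'and' binds tighter."""
import re

# Syslog severities in the article's order; index 0 is the most severe.
LEVELS = ["emergency", "alert", "critical", "error", "warning", "notice",
          "information", "debug"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample records, not captured from a device.
SAMPLE_LOGS = [
    {"logid": "0100022923", "level": "notice"},       # id and level both match
    {"logid": "0100022923", "level": "information"},  # right id, below notice
    {"logid": "0100032001", "level": "warning"},      # different id
    {"logid": "0100026001", "level": "information"},  # DHCP id from the exclude example
]

def short_logid(full):
    """'0100022923' -> '22923', the form 6.x filters use (assumed mapping)."""
    return str(int(full[-5:]))

def match_6x(filter_str, log):
    """6.x: 'xxx-level(L)' means severity <= L, and it is ANDed with logid(...)."""
    ok = True
    for key, value in re.findall(r"([\w-]+)\(([^)]*)\)", filter_str):
        if key == "logid":
            ok = ok and short_logid(log["logid"]) in {v.strip() for v in value.split(",")}
        elif key.endswith("-level"):  # category prefix ignored: samples carry no category
            ok = ok and RANK[log["level"]] <= RANK[value.strip()]
        else:
            raise ValueError(f"unknown 6.x filter key: {key}")
    return ok

def level_list_70(threshold):
    """What the upgrade emits for a 6.x threshold: notice -> 'level notice warning ... emergency'."""
    return "level " + " ".join([threshold] + LEVELS[:RANK[threshold]][::-1])

def parse_70(filter_str):
    """Compile a 7.0 free-style filter string into a predicate log -> bool."""
    tokens = re.findall(r"\(|\)|[^\s()]+", filter_str)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of filter")
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        node = parse_and()
        while peek() == "or":
            take()
            node = (lambda l, r: lambda log: l(log) or r(log))(node, parse_and())
        return node

    def parse_and():
        node = parse_atom()
        while peek() == "and":
            take()
            node = (lambda l, r: lambda log: l(log) and r(log))(node, parse_atom())
        return node

    def parse_atom():
        if peek() == "(":
            take()
            node = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        field = take()
        if field not in ("level", "logid"):
            raise ValueError(f"unsupported field: {field}")
        values = set()
        while peek() not in (None, "(", ")", "and", "or"):
            values.add(take())
        if not values:
            raise ValueError(f"{field} needs at least one value")
        # 7.0 value lists are explicit: 'level notice' matches notice only.
        return lambda log: log[field] in values

    node = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return node

def apply_filter(filter_str, logs, filter_type="include", version="7.0"):
    """Return the records a filter lets through; 'exclude' inverts the match."""
    pred = parse_70(filter_str) if version == "7.0" else (lambda log: match_6x(filter_str, log))
    wanted = filter_type == "include"
    return [log for log in logs if bool(pred(log)) == wanted]

if __name__ == "__main__":
    print(apply_filter("event-level(notice) logid(22923)", SAMPLE_LOGS, version="6.x"))
    print(apply_filter("(%s) and (logid 0100022923)" % level_list_70("notice"), SAMPLE_LOGS))
```

level_list_70('notice') reproduces the list the upgrade emitted, and feeding that string back through parse_70 together with the full logid selects the same records as the 6.x filter, which is the equivalence the article demonstrates. The same parser evaluates the three multi-logid forms above identically and, with filter_type="exclude", drops the DHCP ids from the disk example.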

 

The Linux syslog documentation quoted below gives the conventional meaning of these levels.

 

The log level

Every printk() message has its own log level. If the log level is not explicitly specified as part of the message, it defaults to default_message_loglevel. The conventional meaning of the log level is as follows:

Kernel constant   Level value   Meaning
KERN_EMERG        0             System is unusable
KERN_ALERT        1             Action must be taken immediately
KERN_CRIT         2             Critical conditions
KERN_ERR          3             Error conditions
KERN_WARNING      4             Warning conditions
KERN_NOTICE       5             Normal but significant condition
KERN_INFO         6             Informational
KERN_DEBUG        7             Debug-level messages