FortiGate
JohnDevNet_FTNT
Article Id 189906
Description
This article explains how to stop FortiGate from storing specific log messages, selected by log ID, when the requirement is that these entries not be kept. The filter does not stop the underlying event from occurring; it stops the log entry from being written to the chosen log destination.

The example uses logs stored in memory, but the same `filter` and `filter-type` settings exist for the other destinations (for example under `config log disk filter`), and each destination is filtered independently: a log ID excluded from memory is still written to disk, syslog or FortiAnalyzer unless it is excluded there as well. Excluded entries cannot be recovered later, so restrict the filter to high-volume IDs that have no investigative value.

Scope
Confirm that logging to memory is enabled:
# show full log memory setting

config log memory setting

    set status enable

    set diskfull overwrite

end

Solution
By default `filter` is empty, so no free-style filter is applied, and `severity` is `information`: every message at level information or more severe is stored and only debug messages are dropped. The severity levels, from most to least severe (the CLI keyword `notification` appears as `level=notice` in the log lines themselves):

0) emergency

1) alert

2) critical

3) error

4) warning

5) notification

6) information

7) debug

# show full log memory filter

config log memory filter

    set severity information

    set forward-traffic enable

    set local-traffic enable

    set multicast-traffic enable

    set sniffer-traffic enable

    set anomaly enable

    set voip enable

    set filter ''

    set filter-type include

end

Restrict the CLI log view to event logs held in memory. These `execute log filter` commands only select which stored logs `execute log display` shows (and which `execute log delete` removes); they do not affect which logs are stored. Device 0 is memory and category 1 is event:
# execute log filter device 0  

# execute log filter category 1


Confirm the display filter; with these settings only event logs from memory are shown:
# execute log filter dump

category: event

device: memory


start-line: 1

view-lines: 10

max-checklines: 100

HA member:

field: vd:[ root,  ] negate: 0, exact: 0

In this example the goal is to stop storing the entry with logid 0100029014 ("PPPD exiting"). First display the logs currently in memory:

# execute log display

75 logs found.

10 logs returned.


 1: date=2017-08-03 time=14:21:19 logid=0103020301 type=event subtype=router level=warning vd=root logdesc="Routing log" msg="OSPF: RECV[Hello]: From 192.168.157.11 via wan1:192.168.157.82: Invalid Area ID 0.0.0.10"

 2: date=2017-08-03 time=14:21:19 logid=0100029014 type=event subtype=system level=information vd=root logdesc="PPPD exiting" msg="pppd is exiting"

 3: date=2017-08-03 time=14:21:19 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"

 4: date=2017-08-03 time=14:21:18 logid=0100044546 type=event subtype=system level=information vd=root logdesc="Attribute configured" user="admin" ui="ssh(192.168.82.80)" action=Edit cfgtid=1911423018 cfgpath="log.memory.filter" cfgattr="filter[logid(0103020301)->]filter-type[exclude->include]" msg="Edit log.memory.filter "

 5: date=2017-08-03 time=14:21:14 logid=0101037127 type=event subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=192.168.157.79 locip=192.168.157.82 remport=500 locport=500 outintf="wan1" cookies="14f2d66a3c5a4fb2/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="FGT90_to_FGT80" status=success init=local mode=main dir=outbound stage=1 role=initiator result=OK

 6: date=2017-08-03 time=14:21:13 logid=0100029014 type=event subtype=system level=information vd=root logdesc="PPPD exiting" msg="pppd is exiting"

 7: date=2017-08-03 time=14:21:13 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"

 8: date=2017-08-03 time=14:21:07 logid=0100029014 type=event subtype=system level=information vd=root logdesc="PPPD exiting" msg="pppd is exiting"

 9: date=2017-08-03 time=14:21:07 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"

 10: date=2017-08-03 time=14:21:01 logid=0100029014 type=event subtype=system level=information vd=root logdesc="PPPD exiting" msg="pppd is exiting"


To exclude logid 0100029014 from the memory log, set `filter` to the log ID and `filter-type` to `exclude`; the other settings stay at their defaults (`filter-type include` with the same string would do the opposite and store only the matching entries):
# config log memory filter

    set severity information

    set forward-traffic enable

    set local-traffic enable

    set multicast-traffic enable

    set sniffer-traffic enable

    set anomaly enable

    set voip enable

    set filter "logid(0100029014)"

    set filter-type exclude

end

Clear the existing memory logs so the check starts from an empty log. `execute log delete` removes the entries selected by the current display filter (memory, event), so verify that filter with `execute log filter dump` first; then let new logs accumulate and display them again:
# execute log filter dump

# execute log delete

# execute log display

17 logs found.

10 logs returned.
 

 1: date=2017-08-03 time=14:24:21 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"

 2: date=2017-08-03 time=14:24:21 logid=0103020301 type=event subtype=router level=warning vd=root logdesc="Routing log" msg="OSPF: RECV[Hello]: From 192.168.157.11 via wan1:192.168.157.82: Invalid Area ID 0.0.0.10"

 3: date=2017-08-03 time=14:24:20 logid=0101037127 type=event subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=192.168.157.79 locip=192.168.157.82 remport=500 locport=500 outintf="wan1" cookies="8dcd481ec1619e42/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="FGT90_to_FGT80" status=success init=local mode=main dir=outbound stage=1 role=initiator result=OK

 4: date=2017-08-03 time=14:24:19 logid=0103020301 type=event subtype=router level=warning vd=root logdesc="Routing log" msg="OSPF: RECV[Hello]: From 192.168.157.1 via wan1:192.168.157.82: Invalid Area ID 0.0.0.10"

 5: date=2017-08-03 time=14:24:15 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"

 6: date=2017-08-03 time=14:24:11 logid=0103020301 type=event subtype=router level=warning vd=root logdesc="Routing log" msg="OSPF: RECV[Hello]: From 192.168.157.11 via wan1:192.168.157.82: Invalid Area ID 0.0.0.10"

 7: date=2017-08-03 time=14:24:09 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"

 8: date=2017-08-03 time=14:24:09 logid=0103020301 type=event subtype=router level=warning vd=root logdesc="Routing log" msg="OSPF: RECV[Hello]: From 192.168.157.1 via wan1:192.168.157.82: Invalid Area ID 0.0.0.10"

 9: date=2017-08-03 time=14:24:03 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"

 10: date=2017-08-03 time=14:24:01 logid=0103020301 type=event subtype=router level=warning vd=root logdesc="Routing log" msg="OSPF: RECV[Hello]: From 192.168.157.11 via wan1:192.168.157.82: Invalid Area ID 0.0.0.10"
No entry with logid=0100029014 ("PPPD exiting") appears any more, while the matching "PPPD started" entries (logid=0100029013) are still stored, which confirms that the exclude filter matches only the specified log ID and leaves the rest of the event log untouched.
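To see exactly which entries an exclude filter would drop before committing it on a firewall, the following Python script, added here as an example and not Fortinet code, re-implements the `severity` threshold and a `logid(...)` free-style filter over FortiOS key=value log lines and runs it on a constructed sample taken from the output above. How several values or several terms in one filter string are combined is the script's own assumption; the article only uses a single log ID.

```python
"""Offline simulation of a FortiOS log destination filter.

Added example, not Fortinet code.  It parses FortiOS key=value log lines,
applies the `severity`, `filter` and `filter-type` settings of a
`config log <destination> filter` block, and returns the entries that
would be stored.  Sample lines are constructed from the article's
`execute log display` output (fields abbreviated).
"""
import re
import shlex

# `set severity` levels, most severe first.  A threshold keeps this level
# and everything more severe.  Log lines spell CLI "notification" as "notice".
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3, "warning": 4,
    "notification": 5, "notice": 5, "information": 6, "debug": 7,
}

# Constructed sample, based on the article's memory log before filtering.
SAMPLE_LOGS = [
    'date=2017-08-03 time=14:21:19 logid=0103020301 type=event subtype=router level=warning vd=root logdesc="Routing log" msg="OSPF: RECV[Hello]: Invalid Area ID 0.0.0.10"',
    'date=2017-08-03 time=14:21:19 logid=0100029014 type=event subtype=system level=information vd=root logdesc="PPPD exiting" msg="pppd is exiting"',
    'date=2017-08-03 time=14:21:19 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"',
    'date=2017-08-03 time=14:21:14 logid=0101037127 type=event subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1"',
    'date=2017-08-03 time=14:21:13 logid=0100029014 type=event subtype=system level=information vd=root logdesc="PPPD exiting" msg="pppd is exiting"',
]

# One free-style term: field(value ...).  The simulator treats several
# space-separated values as alternatives and several terms as OR-ed;
# that is this script's assumption, not a statement about FortiOS parsing.
TERM_RE = re.compile(r"(\w+)\(([^)]*)\)")


def parse_log(line):
    """Parse a FortiOS key=value line into a dict; quoted values keep their spaces."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def parse_filter(filter_str):
    """'logid(0100029014)' -> [('logid', {'0100029014'})]."""
    return [(field, set(values.split())) for field, values in TERM_RE.findall(filter_str)]


def would_store(entry, severity="information", filter_str="", filter_type="include"):
    """Apply the severity threshold, then the free-style filter, to one parsed entry."""
    level = SEVERITY.get(entry.get("level", "information"), SEVERITY["information"])
    if level > SEVERITY[severity]:
        return False
    terms = parse_filter(filter_str)
    if not terms:                 # set filter '' : nothing excluded by the free-style filter
        return True
    matched = any(entry.get(field) in values for field, values in terms)
    return matched if filter_type == "include" else not matched


def stored_logids(lines, **settings):
    """Log IDs that survive the filter, in original order (the article's check)."""
    return [e["logid"] for e in map(parse_log, lines) if would_store(e, **settings)]


if __name__ == "__main__":
    print("defaults           :", stored_logids(SAMPLE_LOGS))
    print("exclude 0100029014 :", stored_logids(SAMPLE_LOGS, filter_str="logid(0100029014)", filter_type="exclude"))
    print("include 0100029014 :", stored_logids(SAMPLE_LOGS, filter_str="logid(0100029014)", filter_type="include"))
    print("severity warning   :", stored_logids(SAMPLE_LOGS, severity="warning"))
```

Running it prints the stored log IDs under the defaults, under the exclude filter from this article, under the same string with `filter-type include` (which would keep only the "PPPD exiting" entries) and under a `warning` severity threshold, which drops the notice and information entries entirely.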

To look up other log IDs, refer to the FortiOS Log Message Reference for the FortiOS version in use, available in the Fortinet Documentation Library.
