FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
JohnDevNet_FTNT
Article Id 189906

Description


This article explains how to prevent FortiGate from generating specific logs if the requirements are to not store these logs.



This example deals with logs stored in memory, but it also works for the logs stored on disk.


Scope


Confirm that logging to memory is enabled:

 

show full log memory setting

config log memory setting
    set status enable

set diskfull overwrite

 end


Solution

 

On FortiOSv7.0 onwards, freestyle log filtering is introduced for more filtering capability.

 

config log memory filter
config free-style
edit 1
set category {event | virus | webfilter | attack | spam | anomaly | voip | dlp | app-ctrl | waf | gtp | dns | ssh | ssl | file-filter | icap}
set filter <string>
set filter-type include
next
end
end

 

The filter string can be a legal regular filter string. For example, ((srcip 172.16.1.1) or (dstip 172.16.1.2)) and (dstport 80 443 50-60).

 

For example, to filter the following log on Disk :

 

date=2025-05-15 time=08:45:18 eventtime=1747269918986137536 tz="+0800" logid="0100041001" type="event" subtype="system" level="critical" vd="root" logdesc="FortiGate update failed" status="update" msg="Fortigate update failed for no fds allowed.

 

Configure the following filter to filter by logid 0100041001 criteria :

 

config log disk filter
config free-style
edit 1
set category event
set filter "logid 0100041001"
set filter-type exclude
next
end
end

 

It is also possible to configure filter for other type of logging by configuring :

 

config log <type> filter where type can be :  disk / memory / syslogd*/ tacacs+accounting* 

 

Note :

Indicates ability to configure for multiple device such as syslogd2, syslogd3.

 

For more information on freestyle filter :

Using syslog free-style filters 

Configuring advanced syslog free-style filters 


By default, there is no filter for logs. By default, the log severity level is INFORMATION. Other severity levels are:

  1. emergency
  2. alert
  3. critical
  4. error
  5. warning
  6. notification
  7. information
  8. debug

 

# show full

config log memory filter

    set severity information

    set forward-traffic enable

    set local-traffic enable

    set multicast-traffic enable

    set sniffer-traffic enable

    set anomaly enable

    set voip enable

    set filter ''

    set filter-type include

end

Configure filters as below:

 

execute log filter device 0  
execute log filter category 1


The filters applied before will display only event logs in memory:

 

execute log filter dump

category: event

device: memory


start-line: 1

view-lines: 10

max-checklines: 100

HA member:

field: vd:[ root,  ] negate: 0, exact: 0

 

For example, to filter the following, 'Logid = 0100029014':

Show the logs in memory:

 

execute log display

75 logs found.

10 logs returned.


 1: date=2017-08-03 time=14:21:19 logid=0103020301 type=event subtype=router level=warning vd=root logdesc="Routing log" msg="OSPF: RECV[Hello]: From 192.168.157.11 via wan1:192.168.157.82: Invalid Area ID 0.0.0.10"

 2: date=2017-08-03 time=14:21:19 logid=0100029014 type=event subtype=system level=information vd=root logdesc="PPPD exiting" msg="pppd is exiting"

 3: date=2017-08-03 time=14:21:19 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"

 4: date=2017-08-03 time=14:21:18 logid=0100044546 type=event subtype=system level=information vd=root logdesc="Attribute configured" user="admin" ui="ssh(192.168.82.80)" action=Edit cfgtid=1911423018 cfgpath="log.memory.filter" cfgattr="filter[logid(0103020301)->]filter-type[exclude->include]" msg="Edit log.memory.filter "

 5: date=2017-08-03 time=14:21:14 logid=0101037127 type=event subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=192.168.157.79 locip=192.168.157.82 remport=500 locport=500 outintf="wan1" cookies="14f2d66a3c5a4fb2/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="FGT90_to_FGT80" status=success init=local mode=main dir=outbound stage=1 role=initiator result=OK

 6: date=2017-08-03 time=14:21:13 logid=0100029014 type=event subtype=system level=information vd=root logdesc="PPPD exiting" msg="pppd is exiting"

 7: date=2017-08-03 time=14:21:13 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"

 8: date=2017-08-03 time=14:21:07 logid=0100029014 type=event subtype=system level=information vd=root logdesc="PPPD exiting" msg="pppd is exiting"

 9: date=2017-08-03 time=14:21:07 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"

 10: date=2017-08-03 time=14:21:01 logid=0100029014 type=event subtype=system level=information vd=root logdesc="PPPD exiting" msg="pppd is exiting"


To filter "Logid = 0100029014":

 

config log memory filter

    set severity information

    set forward-traffic enable

    set local-traffic enable

    set multicast-traffic enable

    set sniffer-traffic enable

    set anomaly enable

    set voip enable

    set filter "logid(0100029014)"

    set filter-type exclude

end

Clear the logs in memory:

 

execute log filter dump

execute log delete

execute log display

17 logs found.

10 logs returned.
 

 1: date=2017-08-03 time=14:24:21 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"

 2: date=2017-08-03 time=14:24:21 logid=0103020301 type=event subtype=router level=warning vd=root logdesc="Routing log" msg="OSPF: RECV[Hello]: From 192.168.157.11 via wan1:192.168.157.82: Invalid Area ID 0.0.0.10"

 3: date=2017-08-03 time=14:24:20 logid=0101037127 type=event subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=192.168.157.79 locip=192.168.157.82 remport=500 locport=500 outintf="wan1" cookies="8dcd481ec1619e42/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="FGT90_to_FGT80" status=success init=local mode=main dir=outbound stage=1 role=initiator result=OK

 4: date=2017-08-03 time=14:24:19 logid=0103020301 type=event subtype=router level=warning vd=root logdesc="Routing log" msg="OSPF: RECV[Hello]: From 192.168.157.1 via wan1:192.168.157.82: Invalid Area ID 0.0.0.10"

 5: date=2017-08-03 time=14:24:15 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"

 6: date=2017-08-03 time=14:24:11 logid=0103020301 type=event subtype=router level=warning vd=root logdesc="Routing log" msg="OSPF: RECV[Hello]: From 192.168.157.11 via wan1:192.168.157.82: Invalid Area ID 0.0.0.10"

 7: date=2017-08-03 time=14:24:09 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"

 8: date=2017-08-03 time=14:24:09 logid=0103020301 type=event subtype=router level=warning vd=root logdesc="Routing log" msg="OSPF: RECV[Hello]: From 192.168.157.1 via wan1:192.168.157.82: Invalid Area ID 0.0.0.10"

 9: date=2017-08-03 time=14:24:03 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"

 10: date=2017-08-03 time=14:24:01 logid=0103020301 type=event subtype=router level=warning vd=root logdesc="Routing log" msg="OSPF: RECV[Hello]: From 192.168.157.11 via wan1:192.168.157.82: Invalid Area ID 0.0.0.10"

Logs with "Logid = 010002914" are filtered.

To check other log IDs, refer to the 'FortiOS Log Message Reference' document, which can be found in the Fortinet Documentation Library