Created on 08-03-2017 04:05 PM
Edited on 05-14-2025 09:50 PM
By Anthony_E
Description
This article explains how to prevent a FortiGate from generating specific logs when the requirement is not to store them.
The example uses logs stored in memory, but the same method applies to logs stored on disk.
Scope
Confirm that logging to memory is enabled:
show full log memory setting
config log memory setting
set status enable
set diskfull overwrite
Solution
From FortiOS v7.0 onwards, free-style log filtering is available, which allows more flexible filtering:
config log memory filter
config free-style
edit 1
set category {event | virus | webfilter | attack | spam | anomaly | voip | dlp | app-ctrl | waf | gtp | dns | ssh | ssl | file-filter | icap}
set filter <string>
set filter-type include
next
end
end
The filter string is a free-style filter expression, for example: ((srcip 172.16.1.1) or (dstip 172.16.1.2)) and (dstport 80 443 50-60).
For example, to filter out the following log stored on disk:
date=2025-05-15 time=08:45:18 eventtime=1747269918986137536 tz="+0800" logid="0100041001" type="event" subtype="system" level="critical" vd="root" logdesc="FortiGate update failed" status="update" msg="Fortigate update failed for no fds allowed.
configure the following filter, which excludes logs that match logid 0100041001:
config log disk filter
config free-style
edit 1
set category event
set filter "logid 0100041001"
set filter-type exclude
next
end
end
Filters for other log destinations are configured in the same way with:
config log <type> filter
where <type> can be disk, memory, syslogd* or tacacs+accounting*.
Note:
* indicates that multiple devices can be configured, such as syslogd2 and syslogd3.
For more information on free-style filters, see:
Using syslog free-style filters
Configuring advanced syslog free-style filters
By default, no filter is configured and the log severity level is information (other severity levels can be selected with 'set severity'). The default memory filter configuration is:
# show full
config log memory filter
set severity information
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set anomaly enable
set voip enable
set filter ''
set filter-type include
end
Set the display filter for 'execute log display' to the memory device (device 0) and the event category (category 1):
execute log filter device 0
execute log filter category 1
With these display filters applied, 'execute log filter dump' confirms that only event logs from memory will be displayed:
execute log filter dump
category: event
device: memory
start-line: 1
view-lines: 10
max-checklines: 100
HA member:
field: vd:[ root, ] negate: 0, exact: 0
For example, to filter out logs with logid 0100029014, first show the logs currently in memory:
execute log display
75 logs found.
10 logs returned.
1: date=2017-08-03 time=14:21:19 logid=0103020301 type=event subtype=router level=warning vd=root logdesc="Routing log" msg="OSPF: RECV[Hello]: From 192.168.157.11 via wan1:192.168.157.82: Invalid Area ID 0.0.0.10"
2: date=2017-08-03 time=14:21:19 logid=0100029014 type=event subtype=system level=information vd=root logdesc="PPPD exiting" msg="pppd is exiting"
3: date=2017-08-03 time=14:21:19 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"
4: date=2017-08-03 time=14:21:18 logid=0100044546 type=event subtype=system level=information vd=root logdesc="Attribute configured" user="admin" ui="ssh(192.168.82.80)" action=Edit cfgtid=1911423018 cfgpath="log.memory.filter" cfgattr="filter[logid(0103020301)->]filter-type[exclude->include]" msg="Edit log.memory.filter "
5: date=2017-08-03 time=14:21:14 logid=0101037127 type=event subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=192.168.157.79 locip=192.168.157.82 remport=500 locport=500 outintf="wan1" cookies="14f2d66a3c5a4fb2/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="FGT90_to_FGT80" status=success init=local mode=main dir=outbound stage=1 role=initiator result=OK
6: date=2017-08-03 time=14:21:13 logid=0100029014 type=event subtype=system level=information vd=root logdesc="PPPD exiting" msg="pppd is exiting"
7: date=2017-08-03 time=14:21:13 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"
8: date=2017-08-03 time=14:21:07 logid=0100029014 type=event subtype=system level=information vd=root logdesc="PPPD exiting" msg="pppd is exiting"
9: date=2017-08-03 time=14:21:07 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"
10: date=2017-08-03 time=14:21:01 logid=0100029014 type=event subtype=system level=information vd=root logdesc="PPPD exiting" msg="pppd is exiting"
To filter out logs with logid 0100029014, set an exclude filter:
config log memory filter
set severity information
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set anomaly enable
set voip enable
set filter "logid(0100029014)"
set filter-type exclude
end
Clear the logs in memory, then display them again:
execute log filter dump
execute log delete
execute log display
17 logs found.
10 logs returned.
1: date=2017-08-03 time=14:24:21 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"
2: date=2017-08-03 time=14:24:21 logid=0103020301 type=event subtype=router level=warning vd=root logdesc="Routing log" msg="OSPF: RECV[Hello]: From 192.168.157.11 via wan1:192.168.157.82: Invalid Area ID 0.0.0.10"
3: date=2017-08-03 time=14:24:20 logid=0101037127 type=event subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=192.168.157.79 locip=192.168.157.82 remport=500 locport=500 outintf="wan1" cookies="8dcd481ec1619e42/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="FGT90_to_FGT80" status=success init=local mode=main dir=outbound stage=1 role=initiator result=OK
4: date=2017-08-03 time=14:24:19 logid=0103020301 type=event subtype=router level=warning vd=root logdesc="Routing log" msg="OSPF: RECV[Hello]: From 192.168.157.1 via wan1:192.168.157.82: Invalid Area ID 0.0.0.10"
5: date=2017-08-03 time=14:24:15 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"
6: date=2017-08-03 time=14:24:11 logid=0103020301 type=event subtype=router level=warning vd=root logdesc="Routing log" msg="OSPF: RECV[Hello]: From 192.168.157.11 via wan1:192.168.157.82: Invalid Area ID 0.0.0.10"
7: date=2017-08-03 time=14:24:09 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"
8: date=2017-08-03 time=14:24:09 logid=0103020301 type=event subtype=router level=warning vd=root logdesc="Routing log" msg="OSPF: RECV[Hello]: From 192.168.157.1 via wan1:192.168.157.82: Invalid Area ID 0.0.0.10"
9: date=2017-08-03 time=14:24:03 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"
10: date=2017-08-03 time=14:24:01 logid=0103020301 type=event subtype=router level=warning vd=root logdesc="Routing log" msg="OSPF: RECV[Hello]: From 192.168.157.11 via wan1:192.168.157.82: Invalid Area ID 0.0.0.10"
Logs with logid 0100029014 are now filtered out and no longer appear in memory.
To look up other log IDs, refer to the 'FortiOS Log Message Reference' document, which can be found in the Fortinet Documentation Library.
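The following is an added example, not Fortinet code: a small offline evaluator for filter expressions in the form this article shows (the free-style syntax with parentheses, 'and', 'or' and value lists with ranges, plus the older 'logid(0100029014)' spelling used in the memory-filter example), applied to key=value log lines with include/exclude semantics. Running a candidate filter against a capture of your own logs before committing it shows exactly which lines would stop being stored, so that an exclude filter written for a noisy event does not silently drop security-relevant logs as well. The grammar, operator precedence and range handling are assumptions modelled on the article's examples, not FortiOS's implementation, and the sample lines are constructed.

```python
import re
def parse_log(line):
    """Parse a FortiOS key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def _match(actual, pattern):
    """A 'lo-hi' value is an inclusive numeric range, as in 'dstport 80 443 50-60'."""
    m = re.fullmatch(r'(\d+)-(\d+)', pattern)
    if m and actual.isdigit():
        return int(m.group(1)) <= int(actual) <= int(m.group(2))
    return actual == pattern
def _combine(op, left, right):
    return lambda log: (left(log) and right(log)) if op == 'and' else (left(log) or right(log))
class _Parser:
    """Assumed grammar: expr := term (('and'|'or') term)* ; term := '(' expr ')' | field value+ ; left to right, so group with parentheses."""
    def __init__(self, expr):
        # Normalise the older 'logid(0100029014)' spelling to '(logid 0100029014)'.
        expr = re.sub(r'(\w+)\(([^()]*)\)', r'(\1 \2)', expr)
        self.toks, self.i = re.findall(r'\(|\)|[^\s()]+', expr) + [None], 0  # None = end marker
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]
    def parse_expr(self):
        node = self.parse_term()
        while self.toks[self.i] in ('and', 'or'):
            node = _combine(self.take(), node, self.parse_term())
        return node
    def parse_term(self):
        if self.toks[self.i] == '(':
            self.take()
            node = self.parse_expr()
            if self.take() != ')':
                raise ValueError('unbalanced parentheses in filter')
            return node
        field, values = self.take(), []
        while self.toks[self.i] not in (None, ')', 'and', 'or'):
            values.append(self.take())
        return lambda log: any(_match(log.get(field, ''), v) for v in values)
def apply_filter(lines, expr, filter_type='include'):
    """Lines that would still be logged: 'include' keeps matches, 'exclude' drops them."""
    pred = _Parser(expr).parse_expr()
    return [l for l in lines if pred(parse_log(l)) == (filter_type == 'include')]

# Constructed sample lines modelled on the article's output, not real captures.
SAMPLE = [
    'date=2017-08-03 time=14:21:19 logid=0100029014 type=event subtype=system level=information vd=root logdesc="PPPD exiting" msg="pppd is exiting"',
    'date=2017-08-03 time=14:21:19 logid=0100029013 type=event subtype=system level=notice vd=root logdesc="PPPD started" msg="pppd is started"',
    'date=2017-08-03 time=14:21:19 logid=0000000013 type=traffic srcip=172.16.1.1 dstip=10.0.0.5 dstport=443 action=accept',
    'date=2017-08-03 time=14:21:20 logid=0000000013 type=traffic srcip=10.0.0.9 dstip=172.16.1.2 dstport=8080 action=accept',
]
```

Calling apply_filter(SAMPLE, 'logid 0100029014', 'exclude') returns the three lines that survive the article's exclude filter, and the same call with 'include' returns only the matching line.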