Created on 08-30-2017 03:00 AM Edited on 12-12-2024 05:04 AM By Jean-Philippe_P
Description
Solution
The CLI offers the following filtering options for the remote logging destinations (syslog and FortiAnalyzer):
CLI commands:
config log syslogd filter / config log fortianalyzer filter
set filter-type include
set filter <see below for details on the filter syntax>
end
Input the logid list or level (or both) as filters.
[logid(...)] [traffic-level(...)] [event-level(...)] [virus-level(...)] [webfilter-level(...)] [ips-level(...)] [emailfilter-level(...)] [anomaly-level(...)] [voip-level(...)] [dlp-level(...)] [app-ctrl-level(...)] [waf-level(...)] [gtp-level(...)] [dns-level(...)]
See the following examples.
Example 1.
set filter "logid(40704,32042)"
Example 2.
set filter "event-level(information)"
The line below lists all available log severity levels, sorted from left to right from the highest severity (least verbose) to the lowest severity (most verbose):
emergency, alert, critical, error, warning, notification, information, debug.
The 'FortiOS Log Message Reference' document contains more details about logid and log levels.
Example 3.
set filter "event-level(information) traffic-level(alert) logid(40704)"
Note: Place all filter terms inside the same pair of quotes, separated from each other by a single space.
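As an added helper, which is not part of the original article and not a Fortinet tool, the Python below parses and builds filter strings in the syntax shown above and emits the corresponding CLI lines. It assumes exactly the term names and severity levels listed on this page; the 'exclude' value for filter-type is the other value the FortiOS CLI accepts and is not shown on this page. Use it to validate a filter string before pasting it into the CLI, since the FortiGate will reject a malformed one.

```python
"""Parse, validate and build FortiOS (pre-7.0) remote-log filter strings.

Syntax from the article: a filter is a space-separated list of terms of the
form logid(id,id,...) and <category>-level(<level>), all inside one pair of
quotes. Everything below is an added helper, not Fortinet code.
"""
import re

# Severity levels exactly as listed in the article, highest severity first.
LEVELS = ("emergency", "alert", "critical", "error", "warning",
          "notification", "information", "debug")

# Categories that accept a <category>-level(...) term, from the syntax line.
CATEGORIES = ("traffic", "event", "virus", "webfilter", "ips", "emailfilter",
              "anomaly", "voip", "dlp", "app-ctrl", "waf", "gtp", "dns")

# One term: a name followed by a parenthesised argument list with no nesting.
TERM_RE = re.compile(r"^(?P<name>[a-z-]+)\((?P<args>[^()]*)\)$")


def severity_rank(level):
    """Position of a level in the severity list (0 = emergency, 7 = debug)."""
    return LEVELS.index(level)


def parse_filter(expr):
    """Parse a filter expression into {'logid': [ints], '<cat>-level': level}.

    Terms must be separated by a single space (the article's note), so
    'a-level(x)b-level(y)' without a space is one malformed term and rejected.
    Raises ValueError for anything outside the syntax on the page.
    """
    parsed = {}
    for term in expr.split():
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"malformed term: {term!r}")
        name, args = m.group("name"), m.group("args")
        if name in parsed:
            raise ValueError(f"duplicate term: {name}")
        if name == "logid":
            ids = [a.strip() for a in args.split(",") if a.strip()]
            if not ids or not all(i.isdigit() for i in ids):
                raise ValueError(f"logid list must be numeric: {args!r}")
            parsed[name] = [int(i) for i in ids]
        elif name.endswith("-level") and name[:-len("-level")] in CATEGORIES:
            if args not in LEVELS:
                raise ValueError(f"unknown level {args!r} in {term}")
            parsed[name] = args
        else:
            raise ValueError(f"unknown filter term: {name}")
    if not parsed:
        raise ValueError("empty filter")
    return parsed


def build_filter(logids=(), levels=None):
    """Compose a filter string from a logid list and a {category: level} map."""
    terms = []
    if logids:
        terms.append("logid(%s)" % ",".join(str(i) for i in logids))
    for category, level in (levels or {}).items():
        terms.append(f"{category}-level({level})")
    expr = " ".join(terms)
    parse_filter(expr)  # reject anything the CLI syntax would not accept
    return expr


def cli_commands(target, expr, filter_type="include"):
    """Return the CLI lines for 'config log <target> filter' with this filter.

    'exclude' is assumed from the FortiOS CLI; the article only shows 'include'.
    """
    if target not in ("syslogd", "fortianalyzer"):
        raise ValueError(f"unknown target: {target}")
    if filter_type not in ("include", "exclude"):
        raise ValueError(f"unknown filter-type: {filter_type}")
    parse_filter(expr)
    return [f"config log {target} filter",
            f"    set filter-type {filter_type}",
            f'    set filter "{expr}"',
            "end"]


if __name__ == "__main__":
    # Reproduces Example 3 from the article for the syslog destination.
    expr = build_filter(logids=[40704],
                        levels={"event": "information", "traffic": "alert"})
    print("\n".join(cli_commands("syslogd", expr)))
```

Note that a space inside the logid list (for example "logid(40704, 32042)") is rejected, because in this syntax a space always separates terms.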
Important:
Starting with FortiOS 7.0, the syntax for remote logging filtering has changed.
On those firmware versions, refer to the 'free-style' filter articles instead:
Technical Tip: Using syslog free-style filters
Technical Tip: Configuring advanced syslog free-style filters
Copyright 2024 Fortinet, Inc. All Rights Reserved.