Description
Solution
The CLI offers the following filtering options for the remote logging destinations (syslog and FortiAnalyzer):
- Filtering based on logid.
- Filtering based on event severity level.
- Filtering based on both logid and event severity level.
CLI commands:
config log syslogd filter / config log fortianalyzer filter
set filter-type include
set filter "<filter string, see below>"
end
Input the logid list, the per-category severity levels, or both, as the filter string:
[logid(...)] [traffic-level(...)] [event-level(...)] [virus-level(...)] [webfilter-level(...)] [ips-level(...)] [emailfilter-level(...)] [anomaly-level(...)] [voip-level(...)] [dlp-level(...)] [app-ctrl-level(...)] [waf-level(...)] [gtp-level(...)] [dns-level(...)]
See the following examples.
Example 1.
set filter "logid(40704,32042)"
Example 2.
set filter "event-level(information)"
The available log severity levels, listed from least verbose (most severe) to most verbose, are:
emergency, alert, critical, error, warning, notification, information, debug.
The 'FortiOS Log Message Reference' document contains more details about logid and log levels.
Example 3.
set filter "event-level(information) traffic-level(alert) logid(40704)"
Note: put all filters inside a single pair of double quotes, separated from each other by a space.
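To make the filter syntax and the severity ordering concrete, here is an added example written for this article (it is not FortiOS code): it parses a pre-7.0 filter string of the form shown in the examples above and applies it to a few constructed log records. The forwarding semantics are an assumption, stated in the comments: with filter-type include, a record is forwarded if its logid is listed, or if its log category has a level clause and the record is at that severity or more severe. The category names are taken from the syntax line above; the sample records and their logids are constructed for the example.

```python
"""Apply a pre-7.0 FortiOS remote-logging filter string to sample log records.

Added example, not FortiOS code. Semantics assumed here (the article states
only the syntax): with 'set filter-type include', a record is forwarded if its
logid appears in logid(...), or if a <category>-level(<level>) clause exists
for the record's log category and the record is at that severity or more
severe. Records of a category with no clause and no logid match are dropped.
"""
import re

# Severity levels from least verbose (most severe) to most verbose, as in the article.
SEVERITY = ["emergency", "alert", "critical", "error", "warning",
            "notification", "information", "debug"]
RANK = {name: i for i, name in enumerate(SEVERITY)}

# Log categories accepted in <category>-level(...) clauses (from the syntax line).
CATEGORIES = {"traffic", "event", "virus", "webfilter", "ips", "emailfilter",
              "anomaly", "voip", "dlp", "app-ctrl", "waf", "gtp", "dns"}

CLAUSE_RE = re.compile(r"([a-z-]+)\(([^()]*)\)")


def parse_filter(filter_string):
    """Parse e.g. 'event-level(information) traffic-level(alert) logid(40704)'
    (surrounding CLI double quotes optional) into (logids, {category: rank})."""
    text = filter_string.strip()
    if len(text) >= 2 and text[0] == text[-1] == '"':
        text = text[1:-1]
    logids, levels = set(), {}
    for match in CLAUSE_RE.finditer(text):
        name, args = match.group(1), match.group(2)
        if name == "logid":
            for token in args.split(","):
                token = token.strip()
                if not token.isdigit():
                    raise ValueError(f"bad logid: {token!r}")
                logids.add(int(token))
        elif name.endswith("-level"):
            category, level = name[: -len("-level")], args.strip()
            if category not in CATEGORIES:
                raise ValueError(f"unknown log category: {category!r}")
            if level not in RANK:
                raise ValueError(f"unknown severity level: {level!r}")
            levels[category] = RANK[level]
        else:
            raise ValueError(f"unknown filter clause: {name!r}")
    # Anything left after removing well-formed clauses is a syntax error
    # (e.g. a missing parenthesis or a clause outside the quotes).
    leftover = CLAUSE_RE.sub("", text).strip()
    if leftover:
        raise ValueError(f"unparsed text in filter: {leftover!r}")
    return logids, levels


def forwarded(record, logids, levels):
    """Include-filter decision for one record (assumed semantics, see docstring)."""
    if record["logid"] in logids:
        return True
    threshold = levels.get(record["type"])
    # Lower rank = more severe, so forward when the record is at or above the threshold.
    return threshold is not None and RANK[record["level"]] <= threshold


def apply_filter(filter_string, records):
    """Return the logids of the records the filter would forward, in input order."""
    logids, levels = parse_filter(filter_string)
    return [r["logid"] for r in records if forwarded(r, logids, levels)]


# Constructed sample records (not real FortiGate output); 'type' is the log
# category and 'level' uses the article's level names. Logids 13-15 are made up.
SAMPLE_RECORDS = [
    {"logid": 40704, "type": "event", "level": "notification"},    # listed logid
    {"logid": 32042, "type": "event", "level": "debug"},           # below information
    {"logid": 13,    "type": "traffic", "level": "notification"},  # below alert
    {"logid": 14,    "type": "traffic", "level": "emergency"},     # at/above alert
    {"logid": 15,    "type": "virus", "level": "emergency"},       # no virus clause
]

if __name__ == "__main__":
    example3 = '"event-level(information) traffic-level(alert) logid(40704)"'
    print(apply_filter(example3, SAMPLE_RECORDS))
```

Run against Example 3 above, the filter forwards the event record with the listed logid and the traffic record at emergency severity, while the event record at debug (more verbose than information), the traffic record at notification (more verbose than alert), and the virus record (no virus-level clause) are dropped. The leftover check is worth keeping: a clause typed outside the quotes or with a missing parenthesis is rejected instead of silently ignored.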
Important:
From FortiOS 7.0 onwards, the syntax for remote logging filters has changed. On those firmware versions, refer to the 'free-style' filter articles:
Technical Tip: Filtering specific event logs that will be forwarded to a syslog server
Technical Tip: Using syslog free-style filters
Technical Tip: Configuring advanced syslog free-style filters