vpoluri (Staff)
Article Id 194032

Description

This article explains how to use syslog filters so that only the logs for particular events are sent to the syslog server, instead of every log in a category.

Scope

FortiGate.


Solution

Syslog filtering can be based on the logid, on the event level, or on both, and it has to be configured from the CLI:

  1. Filtering based on logid.
  2. Filtering based on event level.
  3. Filtering based on both logid and event level.

CLI commands:

config log syslogd filter
    set filter-type include
    set filter "<filter string, see the syntax below>"
end

Enter the logid list, the level, or both, as the filter string. The filter syntax is:

[logid(...)] [traffic-level(...)] [event-level(...)] [virus-level(...)] [webfilter-level(...)] [ips-level(...)] [emailfilter-level(...)] [anomaly-level(...)] [voip-level(...)] [dlp-level(...)] [app-ctrl-level(...)] [waf-level(...)] [gtp-level(...)] [dns-level(...)]

See the following examples.

Example 1: include only the logs with logid 40704 or 32042.

set filter "logid(40704,32042)"

Example 2: include only event logs at the information level.

set filter "event-level(information)"

The available levels are:

'emergency,alert,critical,error,warning,notice,information,debug'

Refer to the log message reference article for details about logid values and log levels.

Example 3: combine two level filters with a logid filter.

set filter "event-level(information) traffic-level(alert) logid(40704)"

Note: put all the filters inside the same pair of quotes, separated by a single space.
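The filter string is easy to mistype by hand (a space inside a keyword, or a level name that is not in the list above). The following Python helper is added here as an example and is not part of this article or of FortiOS: it parses a pre-7.0 filter string against the keywords and levels listed above and composes one from a list of logids and per-category levels. The function names and the validation rules are my own.

```python
import re
# Severity levels accepted by the *-level(...) filters, as listed in the article.
LEVELS = ("emergency", "alert", "critical", "error", "warning",
          "notice", "information", "debug")
# Log categories that take a -level(...) filter, from the syntax line above.
LEVEL_CATEGORIES = ("traffic", "event", "virus", "webfilter", "ips",
                    "emailfilter", "anomaly", "voip", "dlp", "app-ctrl",
                    "waf", "gtp", "dns")
_TOKEN = re.compile(r"([a-z-]+)\(([^()]*)\)")  # keyword(value,value,...)

def parse_filter(expr):
    """Parse a pre-7.0 filter string into {keyword: [values]}; raise ValueError
    on unknown keywords/levels, non-numeric logids, duplicates or stray text."""
    result, pos = {}, 0
    for m in _TOKEN.finditer(expr):
        if expr[pos:m.start()].strip():  # only whitespace may separate filters
            raise ValueError(f"unexpected text: {expr[pos:m.start()]!r}")
        pos = m.end()
        key, values = m.group(1), [v.strip() for v in m.group(2).split(",")]
        if key in result or not all(values):
            raise ValueError(f"duplicate or empty filter: {key}")
        if key == "logid":
            if not all(v.isdigit() for v in values):
                raise ValueError(f"logid values must be numeric: {values}")
        elif key.endswith("-level") and key[:-6] in LEVEL_CATEGORIES:
            if not all(v in LEVELS for v in values):
                raise ValueError(f"unknown level in {key}: {values}")
        else:
            raise ValueError(f"unknown filter keyword: {key}")
        result[key] = values
    if expr[pos:].strip():
        raise ValueError(f"unexpected text: {expr[pos:]!r}")
    return result

def is_valid_filter(expr):
    try:
        parse_filter(expr)
        return True
    except ValueError:
        return False

def build_filter(logids=(), levels=None):
    """Compose the CLI line from logids and a {category: level} mapping."""
    parts = [f"{cat}-level({lvl})" for cat, lvl in (levels or {}).items()]
    if logids:
        parts.append("logid(" + ",".join(str(i) for i in logids) + ")")
    expr = " ".join(parts)
    parse_filter(expr)  # catch typos (e.g. 'webfil ter-level', 'info') before pasting
    return f'set filter "{expr}"'
```

build_filter([40704], {"event": "information", "traffic": "alert"}) reproduces Example 3 above exactly.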

Important:

From v7.0 onwards, the syslog filtering syntax has changed. Refer to the 'free-style' syslog filter articles for those firmware versions:

Technical Tip: Using syslog free-style filters

Technical Tip: Configuring advanced syslog free-style filters