Sachin_Alex_Cherian_
Article Id 204606
Description

This article describes how to use Syslog Filters to forward logs to syslog for particular events instead of collecting for the entire category.

Scope

FortiOS 7.0 and above.
Solution

Note: If FIPS-CC is enabled on the device, this option will not be available.

To verify FIPS status:

get system status

 

From FortiOS 7.0 onwards, syslog filtering must be configured under 'config free-style', as explained below.

CLI commands (note: this can be configured only from the CLI):

config log syslogd filter
    config free-style
        edit 1
            set category event
            set filter "(logid 0100032002 0100041000)"
        next
    end
end

 

Note that the logid used in the filter must match the logid value seen in the log actually generated on the device.

The ID (logid) is a 10-digit field.

 

It is a unique identifier for that specific log.

The logid field is a number assigned to all permutations of the same message.

It classifies a log entry by the nature of the cause of the log message, such as administrator authentication failures or traffic.

 

Other log messages that share the same cause will share the same logid.

 

  • Traffic log IDs begin with '00'.
  • Event log IDs begin with '01'.

 

For example, below is a log generated for the FortiGuard update:

 

date=2022-02-10 time=10:33:10 logid="0100041000" type="event" subtype="system" level="notice" vd="root" eventtime=1644474790154703701 tz="+0400" logdesc="FortiGate update succeeded" status="update" msg="Fortigate scheduled update fcni=yes fdni=yes fsci=yes from 208.184.237.67:443"

 

Make sure the category set in the free-style entry matches the category of the logid used in the filter.

For example, if the 'event' category is filtered, the logid should start with 01.

 

Refer to the link below for more details regarding logid:

Log ID numbers

 

From version 7.0 onwards, multiple entries can be added, one per category, as below:

 

config log syslogd filter
    config free-style
        edit 1
            set category event
            set filter "(logid 0100032002 0100041000)"
        next
        edit 2
            set category traffic
            set filter "(logid 0000000013)"
        next
    end
end

 

There is also an option to set the filter type.

The filter type defines whether logs matching the filter are included or excluded.

 

config free-style
    edit 1
        set filter-type <include/exclude>
    next
end

include <----- Forward only the logs that match the filter.
exclude <----- Drop the logs that match the filter.

 

Depending on the filter type, a log matching the filter is either included (forwarded to syslog) or excluded (not forwarded).

 

The default action is set to 'include'.

 

Important:

Free-style filter logic applies as follows.

Top-level filter --> 'Free style filter'.

Top-level filters are determined by the category settings under 'config log syslogd filter':

 

config log syslogd filter
(filter) # get
severity : information
forward-traffic : enable
local-traffic : enable
multicast-traffic : enable
sniffer-traffic : enable
ztna-traffic : enable
anomaly : enable
voip : enable

 

Only the logs passed by the top-level filter are handed to the 'free style filter' for a second round of filtering.

The 'free style filter' also applies PER CATEGORY: an entry for one category has no effect on logs of any other category.

 

Example:

The following free-style filter applies only to the 'event' category:

 

config log syslogd filter
    config free-style
        edit 1
            set category event
            set filter "(logid 0101039947 0101039948)"
            set filter-type include
        next
    end
end

 

If top-level filters are enabled for other categories (e.g. forward-traffic, local-traffic, etc.), the free-style filter above restricts category 'event' to logids 0101039947 and 0101039948 but still forwards all logs from the other enabled categories.

 

If logs from other categories are unwanted, either disable those categories in the top-level filter or configure free-style entries such as the following to explicitly exclude the other categories.

 

Example:

 

config log syslogd filter
    config free-style
        edit 1
            set category event
            set filter "(logid 0101039947 0101039948)"
            set filter-type include
        next
        edit 2
            set category traffic
            set filter "(logid *)"
            set filter-type exclude
        next
        edit 3
            set category app-ctrl
            set filter "(logid *)"
            set filter-type exclude
        next
        edit 4
            set category webfilter
            set filter "(logid *)"
            set filter-type exclude
        next
    end
end
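To see why the exclude entries above are needed, here is an added illustration (not Fortinet's code) that models the two filtering stages on constructed sample logs: a top-level set of enabled categories, then the per-category free-style entries with their filter-type. It assumes the category is taken from the log's type= field (or subtype= for UTM logs) and ignores the severity and traffic sub-type settings of the top-level filter.

```python
# Simplified model of FortiOS syslogd filtering (added example, not Fortinet code).
# Assumptions: category = type= field, or subtype= for type="utm" logs;
# top-level severity and traffic sub-type switches are not modelled.
import re

# Constructed sample logs in FortiOS key="value" format (logids below are made up
# except the two taken from the article).
SAMPLE_LOGS = [
    'date=2022-02-10 time=10:33:10 logid="0100041000" type="event" subtype="system" level="notice" logdesc="FortiGate update succeeded"',
    'date=2022-02-10 time=10:34:00 logid="0101039947" type="event" subtype="vpn" level="notice" logdesc="constructed"',
    'date=2022-02-10 time=10:35:00 logid="0000000013" type="traffic" subtype="forward" level="notice" logdesc="constructed"',
    'date=2022-02-10 time=10:36:00 logid="0316000001" type="utm" subtype="webfilter" level="warning" logdesc="constructed"',
]


def parse_log(line):
    """Turn a key=value / key="value" log line into a dict."""
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[key] = quoted if quoted else bare
    return fields


def category_of(log):
    # Assumption: UTM logs are categorised by their subtype (webfilter, app-ctrl, ...).
    return log["subtype"] if log["type"] == "utm" else log["type"]


def forwarded(log, top_level, free_style):
    """top_level: set of enabled categories (stage 1).
    free_style: list of (category, logids, filter_type), logids a set or '*' (stage 2)."""
    cat = category_of(log)
    if cat not in top_level:
        return False                       # dropped by the top-level filter
    entries = [e for e in free_style if e[0] == cat]
    if not entries:
        return True                        # free-style is per category: nothing to apply
    for _, logids, ftype in entries:
        if ftype == "exclude" and (logids == "*" or log["logid"] in logids):
            return False                   # matched an exclude entry
    includes = [e[1] for e in entries if e[2] == "include"]
    if includes:                           # with include entries, the logid must match one
        return any(l == "*" or log["logid"] in l for l in includes)
    return True


def forwarded_logids(lines, top_level, free_style):
    """Return the logids that would reach the syslog server."""
    return [parse_log(l)["logid"] for l in lines
            if forwarded(parse_log(l), top_level, free_style)]
```

With only the 'event' include entry, the traffic and webfilter logs still pass; adding the "(logid *)" exclude entries for the other categories leaves only 0101039947.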