|
Note: If FIPS-CC is enabled on the device, this option will not be available.
To verify FIPS status:
get system status
From 7.0 FortiOS version Syslog filtering needs to be configured under config free-style as explained below.
CLI commands (note: this can be configured only from CLI):
config log syslogd filter
config free-style
edit 1
set category event
set filter "(logid 0100032002 0100041000)"
next
end
end
Note that the logid used for filtering needs to match the logid value seen in the actual log generated.
The ID (logid) is a 10-digit field.
It is a unique identifier for that specific log.
The login field is a number assigned to all permutations of the same message.
It classifies a log entry by the nature of the cause of the log message, such as administrator authentication failures or traffic.
Other log messages that share the same cause will share the same logid.
- Traffic log IDs begin with '00'.
- Event log IDs begin with '01'.
For example, below is a log generated for the FortiGuard update:
date=2022-02-10 time=10:33:10 logid="0100041000" type="event" subtype="system" level="notice" vd="root" eventtime=1644474790154703701 tz="+0400" logdesc="FortiGate update succeeded" status="update" msg="Fortigate scheduled update fcni=yes fdni=yes fsci=yes from 208.184.237.67:443"
Make sure to match the category set to what is being used in the filter.
For example, if the 'event' category log is filtered, then the logid should start with 01.
Refer to the below link for more details regarding login:
Log ID numbers
In the 7.0 version onwards, there is the flexibility to add more entries as below:
config log syslogd filter
config free-style
edit 1
set category event
set filter "(logid 0100032002 0100041000)"
next
edit 2
set category traffic
set filter "(logid 0000000013)"
next
end
end
There is an option to set the filter type.
The filter type defines whether you are including the log or excluding the log.
config free-style
edit 1
set filter-type <include/exclude>
next
end
include <----- Include logs that match the filter.
exclude <----- Exclude logs that match the filter.
Depending on the filter type action the log would either be included to be forwarded to Syslog or excluded.
The default action is set to 'include'.
Important:
Free-Style filter Logic applies as follows.
Top-level filter --> 'Free style filter'.
Top-level filters are determined based on category settings under 'config log syslogd filter'.
config log syslogd filter
(filter) # get
severity : information
forward-traffic : enable
local-traffic : enable
multicast-traffic : enable
sniffer-traffic : enable
ztna-traffic : enable
anomaly : enable
voip : enable
The logs enabled from the top-level filter are forwarded to the 'free style filter' for another round of filtering.
'Free style filter' also applies PER CATEGORY.
Example:
The following freestyle filter only applies to the category 'events':
config log syslogd filter
config free-style
edit 1
set category event
set filter "(logid 0101039947 0101039948)"
set filter-type include
next
If top-level filters are enabled for other categories (ex. forward-traffic,local-traffic, etc...), the above free-style filter will filter category:event to logids 0101039947,0101039948, but display all logs from other enabled categories.
If logs from other categories are unwanted, disable those categories from the top-level filter or configure the following free-style filter to manually exclude other categories.
Example:
config log syslogd filter
config free-style
edit 1
set category event
set filter "(logid 0101039947 0101039948)"
set filter-type include
next
edit 2
set category traffic
set filter "(logid *)"
set filter-type exclude
next
edit 3
set category app-ctrl
set filter "(logid *)"
set filter-type exclude
next
edit 4
set category webfilter
set filter "(logid *)"
set filter-type exclude
next
end
end
|
