Created on 02-09-2022 11:48 PM, edited on 01-25-2024 08:03 AM by Jean-Philippe_P

Description
This article describes how to use syslog filters to forward only particular events to syslog instead of forwarding an entire log category.

Scope
FortiOS 7.0 and above.

Solution
Note: If FIPS-CC is enabled on the device, this option will not be available.
From FortiOS 7.0 onwards, syslog filtering is configured under 'config free-style', as shown below:

config log syslogd filter
    config free-style
        edit 1
            set category event
            set filter "(logid 0100032002 0100041000)"
        next
    end
end

The logid used in the filter must match the logid value seen in the actual log generated. The ID (logid) is a 10-digit field and is a unique identifier for that specific log message. The logid is a number assigned to all permutations of the same message: it classifies a log entry by the nature of the cause of the log message, such as administrator authentication failures or traffic. Other log messages that share the same cause share the same logid.
For example, below is a log generated for the FortiGuard update:
date=2022-02-10 time=10:33:10 logid="0100041000" type="event" subtype="system" level="notice" vd="root" eventtime=1644474790154703701 tz="+0400" logdesc="FortiGate update succeeded" status="update" msg="Fortigate scheduled update fcni=yes fdni=yes fsci=yes from 208.184.237.67:443"
Make sure the category set in the free-style entry matches the logids used in the filter. For example, if the 'event' category is filtered, the logids should start with 01 (traffic logids such as 0000000013 start with 00). Note that the logid is quoted in the log line but written without quotes in the filter expression.
Refer to the link below for more details regarding logid:
From 7.0 onwards, there is the flexibility to add more free-style entries, one per category:

config log syslogd filter
    config free-style
        edit 1
            set category event
            set filter "(logid 0100032002 0100041000)"
        next
        edit 2
            set category traffic
            set filter "(logid 0000000013)"
        next
    end
end
There is also an option to set the filter type. The filter type defines whether logs matching the filter are included or excluded:

config log syslogd filter
    config free-style
        edit 1
            set filter-type <include/exclude>
        next
    end
end

include <----- Forward only the logs that match the filter.
exclude <----- Forward everything in the category except the logs that match the filter.

Depending on the filter type, a matching log is either included in what is forwarded to syslog or excluded from it. The default filter-type is 'include'.
Important: free-style filter logic applies as follows.
Top-level filter --> free-style filter. The top-level filter is determined by the category settings under 'config log syslogd filter':
config log syslogd filter
Only the logs enabled by the top-level filter are passed to the free-style filter for another round of filtering.
The free-style filter also applies PER CATEGORY: a category that has no free-style entry is forwarded unchanged.
Example:
config log syslogd filter
If top-level filters are enabled for other categories (for example forward-traffic, local-traffic, etc.), a free-style entry with category 'event' and filter "(logid 0101039947 0101039948)" restricts the event category to logids 0101039947 and 0101039948, but all logs from the other enabled categories are still forwarded.
If logs from the other categories are unwanted, either disable those categories in the top-level filter or add a free-style entry per unwanted category with 'set filter-type exclude' to drop them explicitly.
Example:
config log syslogd filter
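To make the two-stage behaviour described above concrete (top-level category switches first, then one free-style entry per category with include/exclude semantics) and to check the logid/category rule from the earlier section, the following Python script is an added example. It is not Fortinet code and does not talk to a FortiGate; it models the documented logic over sample log lines. The log line for logid 0100041000 is the one quoted in this article; the other lines, and the local-traffic logid 0001000014, are constructed samples. The mapping of the top-level switches 'forward-traffic' and 'local-traffic' to the log fields type=traffic subtype=forward/local, and the choice to let event logs always pass the top-level stage, are assumptions of the model, not statements about FortiOS internals.

```python
"""Model of FortiOS syslogd free-style filtering (added example, not Fortinet code)."""
import re
from dataclasses import dataclass

# First two digits of the 10-digit logid identify the log type.
# Only the two codes used in the article are listed.
LOGID_TYPE_CODE = {"traffic": "00", "event": "01"}

# ASSUMPTION: which (type, subtype) each top-level switch admits.
TOP_LEVEL_SWITCHES = {
    "forward-traffic": ("traffic", "forward"),
    "local-traffic": ("traffic", "local"),
}

@dataclass
class FreeStyleEntry:
    """One 'edit N' entry under 'config free-style'."""
    category: str
    logids: frozenset
    filter_type: str = "include"   # FortiOS default

def parse_log(line):
    """Parse a FortiOS key=value log line (quoted or bare values) into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def parse_filter(expr):
    """Parse the '(logid A B ...)' free-style expression into a set of IDs."""
    m = re.fullmatch(r'\s*\(\s*logid\s+([\d\s]+)\)\s*', expr)
    if not m:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    return frozenset(m.group(1).split())

def check_entry(entry):
    """Return problems: IDs that are not 10 digits, or whose type code
    does not match the entry's category (the 'event starts with 01' rule)."""
    problems = []
    want = LOGID_TYPE_CODE.get(entry.category)
    if want is None:
        return [f"unknown category {entry.category!r}"]
    for lid in sorted(entry.logids):
        if not re.fullmatch(r"\d{10}", lid):
            problems.append(f"{lid}: logid must be exactly 10 digits")
        elif not lid.startswith(want):
            problems.append(f"{lid}: category {entry.category} expects logid prefix {want}")
    return problems

def passes_top_level(log, enabled_switches):
    """Stage 1: the category switches under 'config log syslogd filter'."""
    if log["type"] == "event":
        return True   # ASSUMPTION: event logs are gated elsewhere, not modelled here
    key = (log["type"], log.get("subtype"))
    return any(TOP_LEVEL_SWITCHES.get(s) == key for s in enabled_switches)

def passes_free_style(log, entries):
    """Stage 2: per-category free-style entry; no entry means pass-through.
    The first entry for the log's category decides."""
    for e in entries:
        if e.category != log["type"]:
            continue
        matched = log["logid"] in e.logids
        return matched if e.filter_type == "include" else not matched
    return True

def forwarded(lines, enabled_switches, entries):
    """Return the logids of the lines that would reach the syslog server."""
    out = []
    for line in lines:
        log = parse_log(line)
        if passes_top_level(log, enabled_switches) and passes_free_style(log, entries):
            out.append(log["logid"])
    return out

SAMPLE_LOGS = [
    # the FortiGuard update log quoted in the article
    'date=2022-02-10 time=10:33:10 logid="0100041000" type="event" subtype="system" level="notice" vd="root" logdesc="FortiGate update succeeded" status="update" msg="Fortigate scheduled update fcni=yes fdni=yes fsci=yes from 208.184.237.67:443"',
    # constructed samples (only logid/type/subtype matter to the model)
    'date=2022-02-10 time=10:34:00 logid="0100032002" type="event" subtype="system" level="alert" vd="root"',
    'date=2022-02-10 time=10:35:00 logid="0101039947" type="event" subtype="user" level="notice" vd="root"',
    'date=2022-02-10 time=10:36:00 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.0.5 dstip=93.184.216.34',
    'date=2022-02-10 time=10:37:00 logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=10.0.0.5 dstip=10.0.0.1',
]

def scenario_event_only():
    """Article example 1: include-list on the event category only. Traffic
    switches stay enabled at the top level, so traffic still reaches syslog."""
    entries = [FreeStyleEntry("event", parse_filter("(logid 0100032002 0100041000)"))]
    return forwarded(SAMPLE_LOGS, {"forward-traffic", "local-traffic"}, entries)

def scenario_exclude_traffic():
    """Article example 2: same event include-list plus an exclude entry for the
    traffic category, dropping it without touching the top-level switches."""
    entries = [
        FreeStyleEntry("event", parse_filter("(logid 0100032002 0100041000)")),
        FreeStyleEntry("traffic", parse_filter("(logid 0000000013 0001000014)"), "exclude"),
    ]
    return forwarded(SAMPLE_LOGS, {"forward-traffic", "local-traffic"}, entries)

if __name__ == "__main__":
    print("event include only :", scenario_event_only())
    print("plus traffic exclude:", scenario_exclude_traffic())
    print("mis-categorised     :", check_entry(FreeStyleEntry("traffic", frozenset({"0100041000"}))))
```

The first scenario reproduces the pitfall from the section above: the event category is narrowed to two IDs, but every enabled traffic log is still forwarded. The second scenario shows the exclude entry closing that gap. Run check_entry on each entry before committing a filter; a logid whose leading digits disagree with the entry's category will never match a real log and the entry will silently forward nothing (include) or everything (exclude) for that category.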
Copyright 2024 Fortinet, Inc. All Rights Reserved.