farhanahmed (Staff)
Article Id 288099
Description

The article describes how to use the generic free-text filter in FortiAnalyzer to filter log forwarding.

Scope

FortiAnalyzer

Solution

In Log Forwarding, the Generic free-text filter is used to match raw log data. It uses POSIX syntax; escape characters should be used where needed.

1. Under FortiAnalyzer -> System Settings -> Advanced -> Log Forwarding, select the server and 'Edit' -> Log Forwarding Filters, enable 'Log Filters' and from the drop-down select 'Generic free-text filter'.

[Screenshot: 1.png]

In this example, FortiAnalyzer is forwarding logs where the policy ID is not equal to 0 (implicit deny).

2. Another example of a Generic free-text filter is to filter logs where administrator accounts are added or deleted by the user 'admin' only.

Value is set to: user==admin AND (msg ~ "Add" OR msg ~ "Delete").

[Screenshot: 2.png]

3. Checking the system event logs on the sender FortiAnalyzer (where log forwarding is enabled):

[Screenshot: 3.png]

4. Checking the system event logs on the receiver FortiAnalyzer:

[Screenshot: 4.png]

The sender FortiAnalyzer is only forwarding the logs where the user 'admin' added and deleted administrator accounts.

Note 1:

The generic free-text filter can also be configured from the FortiAnalyzer CLI:

config system log-forward
    edit 1
        set mode forwarding
        set server-name "FAZ"
        set server-addr "172.31.200.138"
        set log-filter-status enable
        config log-filter
            edit 1
                set field free-text
                set oper match
                set value "policyid!=0"
            next
            edit 2
                set field free-text
                set oper match
                set value "user==admin AND (msg ~ \"Add\" OR msg ~ \"Delete\")"
            next
            edit 3
                set field free-text
                set oper match
                set value "appcat==Video/Audio"    <----- Filtering logs where the application category is Video/Audio.
            next
        end
    next
end

Note 2:

In the GUI, quotation marks can be used around a specific item but not around the whole value (in the CLI, the quotation marks around the whole value are inserted automatically).

For example, ("appcat==Video/Audio") cannot be used in the GUI; it will give an error for an invalid value. Using (appcat=="Video/Audio") will work.
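To make the filter semantics concrete, the following is an added Python example (not part of this article and not Fortinet code) that parses filter expressions of the kind used above and evaluates them against constructed key=value log lines, returning the lines a forwarding entry with that filter would pass on. The operator semantics are assumptions made for the illustration: == and != compare the whole field value, ~ and !~ treat the value as a regular expression (Python's re module stands in for POSIX), AND binds tighter than OR, parentheses group, and a field missing from a log never matches. The SAMPLE_LOGS, parse_log, tokenize, compile_filter and forward names are the example's own.

```python
import re

# Constructed sample log lines in FortiGate key=value style (not from the article).
SAMPLE_LOGS = [
    'date=2024-01-10 time=10:00:01 type=traffic policyid=0 action=deny srcip=10.0.0.5 dstip=203.0.113.9 appcat="unscanned"',
    'date=2024-01-10 time=10:00:02 type=traffic policyid=7 action=accept srcip=10.0.0.6 dstip=198.51.100.20 appcat="Video/Audio"',
    'date=2024-01-10 time=10:00:03 type=event subtype=system user="admin" msg="Add system admin \'auditor\'"',
    'date=2024-01-10 time=10:00:04 type=event subtype=system user="admin" msg="Delete system admin \'auditor\'"',
    'date=2024-01-10 time=10:00:05 type=event subtype=system user="operator1" msg="Add system admin \'tmp\'"',
]

_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S*)')

def parse_log(line):
    """Split a key=value log line into a dict; quoted values keep their spaces."""
    return {k: q if raw.startswith('"') else raw for k, raw, q in _KV_RE.findall(line)}

# Filter tokens: parentheses, comparison operators, double-quoted strings, bare words.
# A bare word stops at an operator character, so user==admin tokenizes as three tokens.
_TOKEN_RE = re.compile(r'\s*(?:(?P<PAREN>[()])|(?P<OP>==|!=|!~|~)|"(?P<STR>[^"]*)"|(?P<WORD>[^\s()"=!~]+))')

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"cannot tokenize filter near {expr[pos:]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens

def _comparison(field, op, value):
    # Assumed semantics: == and != compare the whole value, ~ and !~ apply a regular
    # expression (Python's re stands in for POSIX). A field absent from the log never matches.
    pattern = re.compile(value) if op in ("~", "!~") else None
    def check(log):
        actual = log.get(field)
        if actual is None:
            return False
        if op in ("==", "!="):
            return (actual == value) == (op == "==")
        return (pattern.search(actual) is not None) == (op == "~")
    return check

class _Parser:
    """Recursive descent: expr := term (OR term)*; term := factor (AND factor)*;
    factor := '(' expr ')' | field OP value. AND therefore binds tighter than OR."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self):
        tok = self.peek()
        self.i += 1
        return tok
    def _binary(self, keyword, operand, combine):
        node = operand()
        while self.peek()[0] == "WORD" and self.peek()[1].upper() == keyword:
            self.take()
            node = combine(node, operand())
        return node
    def expr(self):
        return self._binary("OR", self.term, lambda l, r: lambda log: l(log) or r(log))
    def term(self):
        return self._binary("AND", self.factor, lambda l, r: lambda log: l(log) and r(log))
    def factor(self):
        kind, val = self.take()
        if (kind, val) == ("PAREN", "("):
            node = self.expr()
            if self.take() != ("PAREN", ")"):
                raise ValueError("missing ')'")
            return node
        if kind != "WORD":
            raise ValueError(f"expected a field name, got {val!r}")
        okind, op = self.take()
        vkind, value = self.take()
        if okind != "OP" or vkind not in ("WORD", "STR"):
            raise ValueError(f"expected <field> <operator> <value> after {val!r}")
        return _comparison(val, op, value)

def compile_filter(expr):
    """Turn a generic free-text filter string into a predicate over parsed log dicts."""
    parser = _Parser(tokenize(expr))
    node = parser.expr()
    if parser.i != len(parser.toks):
        raise ValueError(f"unexpected token {parser.peek()[1]!r}")
    return node

def forward(filter_expr, lines):
    """Return the raw lines a log-forwarding entry with this filter would pass on."""
    match = compile_filter(filter_expr)
    return [line for line in lines if match(parse_log(line))]

if __name__ == "__main__":
    for expr in ("policyid!=0", 'user==admin AND (msg ~ "Add" OR msg ~ "Delete")', 'appcat=="Video/Audio"'):
        print(f"{expr!r} forwards {len(forward(expr, SAMPLE_LOGS))} of {len(SAMPLE_LOGS)} sample lines")
```

Running the block reports how many sample lines each of the article's three filters forwards: forward('policyid!=0', SAMPLE_LOGS) returns only the policyid=7 line, and the 'admin' filter returns the two Add/Delete lines but not the one raised by operator1. In this implementation, quoting the whole expression (as in "appcat==Video/Audio") tokenizes as a single string where a field name is expected and is rejected, which parallels the GUI behaviour described in Note 2; quoting only the value, or leaving it bare, works.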


Note 3:

Generic text filters are also used in Event Handlers.

Related documents:

Technical Note: Use of Operators in Event Handler General Filter (syntax)
Using the Generic Text Filter
Technical Note: How to configure an Event Handler with a generic text filter