Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jacobcamp
New Contributor

Can I create a custom FortiAnalyzer field-list for exclusions

I am trying to reduce the amount of logs sent from FAZ to SIEM via log forwarding, but would still like to forward all FGT logs to FAZ. I can configure log exclusion and set a field-list, but the field-list options are generic and not as granular as I would like (from what I can tell). Can I create a custom field-list that is more detailed, such as a particular destination IP?

I would really prefer the option to exclude based on FGT Internet Service category and destination IP, but am open to any input.

Thanks

2 replies
Mohit_S
Moderator

Welcome to the Fortinet community and thank you for your post. Hopefully, you've been keeping safe and doing well!


We see you are facing the issue of creating a custom FortiAnalyzer field-list for exclusion.


You should receive an update from one of the team members soon. Thanks for your patience on this.

Mohit - Fortinet Community Team
Mohit_S
Moderator

Hello jacobcamp,


I checked and found in the FAZ configuration the way to do it.


https://docs2.fortinet.com/document/fortianalyzer/6.0.4/cli-reference/859805/log-forward

config system log-forward
    edit <id>                                   # one entry per forwarding target (the log-forward id)
        set mode {aggregation | disable | forwarding}
        set fwd-log-source-ip {local_ip | original_ip}
        set log-field-exclusion-status {enable | disable}   # must be enabled for log-field-exclusion below to apply
        # log-field-exclusion removes the listed fields from each forwarded log; it does not drop whole logs
        config log-field-exclusion
            edit <id>
                set dev-type {FortiGate | FortiMail | FortiManager | FortiAnalyzer | FortiWeb | FortiCache | FortiSandbox | FortiDDoS | Syslog}
                set field-list <string>
                set log-type {app-ctrl | attack | content | dlp | emailfilter | event | generic | history | traffic | virus | voip | webfilter | netscan | waf | gtp | dns | ssh | ANY-TYPE}
            next
        end
        # log-filter selects which logs are forwarded, e.g. field dstip with oper != and value <ip>
        config log-filter
            edit <id>
                set field {type | logid | level | devid | vd | srcip | srcintf | srcport | dstip | dstintf | dstport | user | group | free-text}
                set oper {= | != | < | > | <= | >= | contain | not-contain | match}
                set value <string>                  # e.g. traffic, event or utm when field is type
            next
        end
    next
end


Let me know if it helps.

Mohit - Fortinet Community Team
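As an added worked example (not part of the original post, and not taken from Fortinet's documentation), here is a complete log-forward entry that keeps every FortiGate log in FAZ but stops traffic logs to one destination IP from reaching the SIEM. It uses the `log-filter` table from the reply above rather than `log-field-exclusion`, because field exclusion only trims fields inside each forwarded log and cannot drop a log outright. Assumed values: entry id 1, a syslog SIEM at 192.0.2.50, and 203.0.113.10 as the destination to exclude. The parameters `log-filter-status`, `log-filter-logic`, `server-name`, `server-addr` and `fwd-server-type` are further options of the same `system log-forward` table that the reply does not list; confirm them against the CLI reference for your FAZ version before relying on them.

```text
# Added example (not from the original post). Assumed: id 1, SIEM at 192.0.2.50,
# and 203.0.113.10 as the destination whose traffic logs should stay in FAZ only.
config system log-forward
    edit 1
        set mode forwarding
        set fwd-server-type syslog                # assumed: send to a syslog SIEM
        set server-name siem                      # assumed name
        set server-addr 192.0.2.50                # assumed address
        set fwd-log-source-ip original_ip         # SIEM sees the FortiGate, not FAZ, as source
        # Field exclusion only strips fields from logs that are forwarded;
        # it is not what drops the unwanted logs, so leave it disabled here.
        set log-field-exclusion-status disable
        # Only logs matching the filter are forwarded. With logic "any" a log
        # is sent when at least one condition holds:
        #   1) it is not a traffic log (system/event/UTM logs always go through,
        #      regardless of how a missing dstip field would be compared), or
        #   2) it is a traffic log whose dstip is not the excluded address.
        # A traffic log to 203.0.113.10 satisfies neither and is dropped.
        set log-filter-status enable
        set log-filter-logic any
        config log-filter
            edit 1
                set field type
                set oper !=
                set value traffic
            next
            edit 2
                set field dstip
                set oper !=
                set value 203.0.113.10
            next
        end
    next
end
```

After committing, generate a few sessions to the excluded address and confirm on the SIEM that they never arrive while the same sessions are still searchable in FAZ Log View. Note that Internet Service (ISDB) category is not among the `field` choices listed in the reply, so it cannot be selected directly; `free-text` is the only handle in that list that could reach it, and its matching behaviour would need to be verified on your version.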