Distinct Log settings for different log categories?

DanielW · ‎03-13-2015

Hello everyone,

I was wondering if someone has a hint for me regarding logging on the FortiAnalyzer. We are using it to aggregate Logs from different central Firewalls which are using different UTM Features.

We now want to seperate the settings for different types of Logs. This means for example: Traffic Log can be deleted after 10 days but UTM Log (AV, IPS, Botnet) should be stored for i.e. 30 days. Perhaps some other german customers understand why we are looking into that.

Since the FA saves all logs as .tlog, there is no way to delete just the logfiles themselves.

It does not need to be an option in the settings. Any approach fullfilling the task would be helpful.

Any suggestions?

Thanks!

Daniel

DanielW · ‎05-28-2015

And we have the solution why there are no distinct vlog and alog files in our case. Official Fortinet support:

Please be informed that starting from firmware version 5.0.7 there are no log browse files like wlog, alog, vlog, dlog. All security logs are merged with traffic logs and starting from 5.0.7 you should be able to see only tlog files (traffic + security logs) and elog file (event log).

View solution in original post

L_FTNT · ‎03-17-2015

I believe this is NOT possible with FAZ today but it would be a very interesting feature to have. It provides much granular control on the log data retention.

Do you know if any other similar product in the market today can do this?

Ling Lu

DanielW · ‎05-26-2015

Nobody has any suggestions how to adress this problem? It is a shame that all logs are aggregated in one log file since 5.0. In times past one could just delete all tlog files

FatalHalt · ‎05-26-2015

I'm not sure what exactly you mean. The FortiAnalyzer keeps different types of logs in different log formats. They all end in the .log extension, but that's trivial. You can view the different types by going to the Log Browse on the Log View tab.

Events: elog

Traffic: tlog

Virus: vlog

App Control: rlog

IPS: alog

Web Filter: wlog

I don't think you can specify different settings for these on the Fortianalyzer itself, but - assuming you're backing up the logs to another server, what you can easily do is create a script which handles these different log types based on the type of log it is.

DanielW · ‎05-26-2015

Hello,

that is true for the old Firmware. Which one are you using? On 4.3 we also had this possibility with the different logs. But Fortinet aggregated them all in tlog in 5.0. Since then, there is no way one can treat variant types of log files differently.... or at least none I am aware of.

FatalHalt · ‎05-27-2015

This is a screenshot of my FortiAnalyzer running 5.0.6. As you can see I have different types of logs. This is just one page, so I can't show you all of the types, but I do have every type I listed in my previous post.

DanielW · ‎05-27-2015

That looks like the old logging system I used to know. I suppose it depends on the Fortigates you feed the Analyzer with. Are these also upgraded to FOS 5.0 in your case?

FatalHalt · ‎05-27-2015

Yes, I'm running a variety of different FortiGate Models (60,90,100,110,111,300,600,1000), but all are running some version of 5.0.

DanielW · ‎05-28-2015

And we have the solution why there are no distinct vlog and alog files in our case. Official Fortinet support:

Please be informed that starting from firmware version 5.0.7 there are no log browse files like wlog, alog, vlog, dlog. All security logs are merged with traffic logs and starting from 5.0.7 you should be able to see only tlog files (traffic + security logs) and elog file (event log).

FatalHalt · ‎05-28-2015

DanielW wrote:

All security logs are merged with traffic logs and starting from 5.0.7 you should be able to see only tlog files (traffic + security logs) and elog file (event log).

Guess I never saw that in the release notes haha. Seems a bit silly though.