My filters are:
Level [Equal To] Notice
Destination IP [Not Equal To] serverIP_A
Text filter:
srcintf=port30 and service~RDP and action=start
The log:
itime=2017-08-24 13:12:44 sentbyte=0 rcvdbyte=0 srccountry=Reserved app=UDP_RDP date=2017-08-24 dstip=serverIP_B duration=0 vd=VD1 group=IT service=UDP_RDP proto=17 user=ME dstcountry=Reserved policytype=policy poluuid=45840192-88ea-51e7-b403-e3009408d646 devid=FG000000 dstport=3389 type=traffic dtime=2017-08-24 13:12:43 devname=FG00 time=13:12:43 sessionid=884716921 itime_t=1503594764 policyid=111 srcintf=port30 srcip=10.0.21.101 sentpkt=0 level=notice appcat=unscanned srcport=55887 logid=0000000015 subtype=forward trandisp=noop action=start dstintf=VLAN_6
I'm not getting any hits from that filter.
Hi Alex,
Please check which log type and category you selected. I tried in the lab with the "Traffic" log type and the "Others" category, with similar filter settings, and it works.
Bah. Don't know how I missed that. Thanks!
I was also having trouble with the keyword filter. I had a filter working fine in previous versions and it suddenly stopped.
The settings are:
I even just tried firing on msg="Search phrase detected" but got nothing.
Handler settings attached.
The log:
itime=2017-08-24 15:07:05 sentbyte=0 rcvdbyte=0 agent=Chrome/60.0.3112.101 date=2017-08-24 dstip=13.107.21.200 vd=VD1 group=IT service=HTTP proto=6 eventtype=content hostname=www.bing.com dstintf=port12 msg=Search phrase detected devid=FG000000 dstport=80 type=utm dtime=2017-08-24 15:07:04 profile=PROD_WEB direction=outgoing referralurl=http://www.bing.com/ devname=FG sessionid=885360102 itime_t=1503601625 user=ME srcintf=port32 reqtype=referral srcip=10.0.21.101 keyword=who fixed the event handler level=notice url=/search?q=who+fixed+the+event+handler&qs=n&form=QBLH&sp=-1&pq=who+fixed+the+event+handler&sc=0-25&sk=&cvid=90841C2E9796453D8C64907C4D3770C0 srcport=54561 logid=0314012293 subtype=webfilter time=15:07:04 action=passthrough policyid=4
Alex,
The issue is caused by the field "catdesc" not being present in the log, while it is the field defined in the handler's <Group By>. Change Group By to URL and it works.
Shawn
Yep. That was it. Thanks again!
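To make the two failure modes in this thread concrete, here is an added example (not code from the thread, from Fortinet, or from FortiAnalyzer itself) that models how an event handler evaluates a text filter and a Group By field against FortiGate key=value log lines. The filter grammar (`field=value`, `field!=value`, `field~substring`, joined with `and`), the rule that a missing field never satisfies `=` or `~`, and the rule that no event is raised when the Group By field is absent are my assumptions about the behaviour, not documented FortiAnalyzer semantics. The two log lines are constructed from the ones posted above, shortened.

```python
"""Model of a FortiAnalyzer-style event handler: text filter + Group By.

Added example, not Fortinet code. The filter grammar and the "no Group By
field, no event" rule are assumptions modelled on the thread, not documented
product behaviour.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample logs based on the two posted in the thread (shortened).
# FortiGate writes values unquoted, so a value may contain spaces (msg=, keyword=).
TRAFFIC_LOG = (
    "itime=2017-08-24 13:12:44 sentbyte=0 rcvdbyte=0 srccountry=Reserved app=UDP_RDP "
    "date=2017-08-24 dstip=serverIP_B duration=0 vd=VD1 group=IT service=UDP_RDP proto=17 "
    "user=ME dstcountry=Reserved policytype=policy devid=FG000000 dstport=3389 type=traffic "
    "level=notice srcintf=port30 srcip=10.0.21.101 srcport=55887 logid=0000000015 "
    "subtype=forward action=start dstintf=VLAN_6"
)
WEBFILTER_LOG = (
    "itime=2017-08-24 15:07:05 agent=Chrome/60.0.3112.101 date=2017-08-24 dstip=13.107.21.200 "
    "vd=VD1 service=HTTP proto=6 eventtype=content hostname=www.bing.com dstintf=port12 "
    "msg=Search phrase detected devid=FG000000 dstport=80 type=utm profile=PROD_WEB "
    "direction=outgoing referralurl=http://www.bing.com/ user=ME srcintf=port32 "
    "keyword=who fixed the event handler level=notice "
    "url=/search?q=who+fixed+the+event+handler&qs=n&form=QBLH srcport=54561 "
    "logid=0314012293 subtype=webfilter action=passthrough policyid=4"
)

# The thread's two filters, written in the assumed text-filter grammar.
RDP_FILTER = "level=notice and dstip!=serverIP_A and srcintf=port30 and service~RDP and action=start"
KEYWORD_FILTER = 'msg="Search phrase detected"'

# Split only at whitespace that is followed by a "key=" token, so that unquoted
# values containing spaces stay whole. A "&qs=n" inside a URL has no leading
# whitespace and is therefore not treated as a new field.
_KV_SPLIT = re.compile(r"\s+(?=[A-Za-z_][A-Za-z0-9_]*=)")
_CLAUSE = re.compile(r"^(\w+)\s*(!=|~|=)\s*(.+)$")


def parse_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a field dict."""
    fields: Dict[str, str] = {}
    for token in _KV_SPLIT.split(line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def parse_filter(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'a=b and c~d and e!=f' into (field, op, value) clauses."""
    clauses = []
    for part in re.split(r"\s+and\s+", text.strip()):
        m = _CLAUSE.match(part)
        if not m:
            raise ValueError(f"unparseable filter clause: {part!r}")
        field, op, value = m.groups()
        clauses.append((field, op, value.strip().strip('"')))
    return clauses


def clause_matches(fields: Dict[str, str], field: str, op: str, value: str) -> bool:
    """Assumed semantics: a field missing from the log satisfies only '!='."""
    actual = fields.get(field)
    if op == "!=":
        return actual != value
    if actual is None:
        return False
    if op == "=":
        return actual == value
    return value in actual  # '~' is a substring match


def evaluate_handler(log_line: str, filter_text: str, group_by: str) -> Tuple[Optional[str], str]:
    """Return (group key, reason). Group key is None when no event would be raised."""
    fields = parse_log(log_line)
    if not all(clause_matches(fields, *c) for c in parse_filter(filter_text)):
        return None, "filter did not match"
    if group_by not in fields:
        # This is the second poster's situation: the filter matches, but the
        # handler groups on catdesc, which webfilter 'content' logs do not carry.
        return None, f"Group By field {group_by!r} absent from log"
    return fields[group_by], "event raised"


if __name__ == "__main__":
    print(evaluate_handler(TRAFFIC_LOG, RDP_FILTER, "dstip"))
    print(evaluate_handler(WEBFILTER_LOG, KEYWORD_FILTER, "catdesc"))
    print(evaluate_handler(WEBFILTER_LOG, KEYWORD_FILTER, "url"))
```

Running it shows the RDP filter matching the traffic log once the log type and category line up (it groups on dstip=serverIP_B), and the keyword handler matching the webfilter log but producing no event while grouped on catdesc, then producing one as soon as Group By is switched to url. The parser's only real subtlety is the lookahead split, which is what keeps `msg=Search phrase detected` and `keyword=who fixed the event handler` intact instead of being chopped at every space.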