CharlesX
New Contributor

FortiAnalyzer: how to exclude logs from certain IPs from becoming an event?

I'm using FortiAnalyzer 7.4.2 and trying to exclude logs from certain IP addresses from being processed by the Event Handler. 

The IP addresses in question are from our unsecured guest network, and we don't need them reporting anything through the Analyzer. The basic firewall is still sending a ton of logs to the Analyzer, but I want to filter that out. The Event Handler system does not seem to have a method for doing this: it seems only capable of turning logs into events and cannot simply ignore a log. And I'm very hesitant to start messing with the Log Parser. Is there any method of doing this aside from the Log Parser? And if I did have to go down that route, would I need to edit the FortiAnalyzer Log Parser? Or is the FortiAnalyzer Log Parser used for forwarding logs to a SIEM after FAZ has finished with them?

A side question: does FAZ use the log forwarding system to send incident details to a SIEM? Or is the forwarding system only for sending raw JSON files to other FortiAnalyzers?

Thanks!

asrour
Staff

Hi @CharlesX,

- The FAZ just receives the logs from the FGT, so log filtering has to be done on the FGT.

- Put the source IPs in a separate policy that does not log the traffic from those sources.

- In the event handler filter, if you know the IP addresses, you can modify the handler and exclude those IP addresses.

Check this KB: https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Exclude-or-include-a-source-or-destina...

- For log forwarding, you can use CEF, syslog, and FAZ, so you can forward your logs to any third-party log repository:

Log Forwarding | FortiAnalyzer 7.4.3 | Fortinet Document Library

A Srour
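As an added illustration of the reply's first two points (filter on the FortiGate by giving the guest sources their own policy that does not log), here is what that looks like in FortiOS CLI. This is an example configuration written for this thread, not config from the original post or from Fortinet documentation; the interface names `guest`, `lan` and `wan1`, the address object `guest-net`, the 192.0.2.0/24 subnet and the policy names are assumptions for the example.

```fortios
# Assumed address object covering the guest subnet (example value).
config firewall address
    edit "guest-net"
        set subnet 192.0.2.0 255.255.255.0
    next
end

config firewall policy
    # Guest traffic: matched first, accepted, and not logged, so no
    # traffic log from these sources is ever sent to FortiAnalyzer,
    # and therefore nothing from them can reach an event handler.
    edit 0
        set name "guest-out-nolog"
        set srcintf "guest"
        set dstintf "wan1"
        set srcaddr "guest-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
    # Everyone else keeps full session logging to FortiAnalyzer.
    edit 0
        set name "lan-out-logged"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Policy order matters: the non-logging guest policy must sit above any broader policy that would otherwise match and log the same sources (in `config firewall policy`, `move <id> before <id>` reorders it). Two caveats a practitioner should check afterwards: traffic from these hosts that is dropped by the implicit deny policy is still logged if that policy has logging enabled, and `set logtraffic disable` only suppresses traffic logs, so UTM or event logs generated on the FortiGate itself for these sessions are governed by their own settings. Confirm the result by watching Log View on the FAZ for the guest subnet after the change rather than assuming it.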