I'm using FortiAnalyzer 7.4.2 and trying to exclude logs from certain IP addresses from being processed by the Event Handler.
These IP addresses in question are from our unsecure guest network and we don't need to have them reporting anything through the Analyzer. The basic firewall is still sending a ton of logs to the Analyzer, but I want to filter that out. The Event Handler system does not seem to have a method of doing this. It seems only capable of turning logs into events and cannot simply ignore the log. And I'm very hesitant to start messing with the Log Parser. Is there any method of doing this aside from the Log Parser? And if I did have to go down that route, would I need to edit the FortiAnalyzer Log Parser? Or is the FortiAnalyzer Log Parser used for forwarding logs to a SIEM after FAZ has finished with them?
A side question, does FAZ use the log forwarding system to send incident details to a SIEM? Or is the forwarding system only for sending raw JSON files to other FortiAnalyzers?
Thanks!
Hi @CharlesX
- the FAZ just receives the logs from the FGT, so filtering logs has to be done on the FGT
- separate the source IPs into a separate policy which will not log the traffic of those sources
- in the event handler filter, if you know the IP addresses you can modify the handler and exclude these IP addresses.
check this KB: https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Exclude-or-include-a-source-or-destina...
- for log forwarding, you can use CEF, syslog and FAZ, so you can forward your logs to any third-party log repo
Log Forwarding | FortiAnalyzer 7.4.3 | Fortinet Document Library
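As an added example (not from the original thread), this is the FortiGate-side approach from the reply expressed as FortiOS CLI: a dedicated policy for the guest subnet with traffic logging disabled, moved above the general outbound policy so guest flows match it first and never reach FortiAnalyzer. The interface names, the subnet, and the policy IDs (50 for the guest policy, 1 for the existing general policy) are assumptions.

```fortios
# Address object for the guest network (subnet is a placeholder).
config firewall address
    edit "GUEST_NET"
        set subnet 192.0.2.0 255.255.255.0
    next
end

# Dedicated guest policy: traffic is accepted but not logged, so the
# FGT never sends these sessions to FAZ and the event handlers never
# see them. Use "set logtraffic utm" instead of "disable" if you still
# want security (UTM) events from guests while dropping traffic logs.
config firewall policy
    edit 50
        set name "guest-outbound-nolog"
        set srcintf "guest"
        set dstintf "wan1"
        set srcaddr "GUEST_NET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end

# Policy order matters: if the guest policy sits below the general
# outbound policy (assumed ID 1), guest traffic matches the broader
# policy first and is still logged.
config firewall policy
    move 50 before 1
end
```

Check the result with a guest client and confirm in FortiAnalyzer Log View that no new traffic logs arrive for the guest subnet before relying on it.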
Copyright 2025 Fortinet, Inc. All Rights Reserved.