Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
VasilyZaycev
New Contributor II

Created on ‎01-17-2024 04:19 AM Edited on ‎03-25-2024 05:37 AM

FortiAnalyzer log forwarding

What filters need to be enabled to transfer the source IP address devname = "device_fortigate" on log forwarding?

 

logver = 604145463 timestamp = 1705406294 devname = "device_fortigate" devid = "FG" vd = "root" date = 2024 - 01 - 16 time = 14: 58: 14 eventtime = 1705406295007253541 tz = "" logid = "15010500" type = "utm" subtype = "dns" eventtype = "dns-response" level = "warning" policyid = 459 sessionid = 1734461551 srcip = IP srcport =  srcintf = "DMZ01" srcintfrole = "dmz" dstip = IP dstport =  dstintf = "DC-Transport" dstintfrole = "lan" proto = 17 profile = "DNS-Log" xid = 25739 qname = "" qtype = "A" qtypeval = 1 qclass = "IN" ipaddr = "127.0.0.1" msg = "A rating error occurs" action = "pass" cat = 255 catdesc = "Unknown" error = "no available Fortiguard SDNS servers"

 

Labels:
3820
0 Kudos
1 Solution
Richie_C
Staff
Staff

Created on ‎01-18-2024 04:56 AM

Hi @VasilyZaycev.

 

Using the following commands on the FortiAnalyzer, will allow the event to retain its original source IP 

 

config system log-forward
edit <id>
set fwd-log-source-ip original_ip
next
end

 

I hope that helps!


end

Take a backup before making any changes

View solution in original post

3757
18 REPLIES 18
jasonhong
Staff
Staff

Created on ‎01-17-2024 06:22 AM

Hi,

 

If you are referring to log forwarding for a specific device, you can enable Device Filters and select the specific device under Log Forwarding Filters.

 

https://docs.fortinet.com/document/fortianalyzer/7.2.4/administration-guide/19991/configuring-log-fo...

2772
VasilyZaycev
New Contributor II

Created on ‎01-17-2024 06:27 AM

I mean the device name also had information about its ip

2769
0 Kudos
Richie_C
Staff
Staff

Created on ‎01-18-2024 04:56 AM

Hi @VasilyZaycev.

 

Using the following commands on the FortiAnalyzer, will allow the event to retain its original source IP 

 

config system log-forward
edit <id>
set fwd-log-source-ip original_ip
next
end

 

I hope that helps!


end

Take a backup before making any changes
3758
VasilyZaycev
New Contributor II
In response to Richie_C

Created on ‎01-18-2024 05:20 AM

Thank you!

And this command also needs to be applied  end device Fotigate or enough on the collector fortianalyzer ?

2722
0 Kudos
Richie_C
Staff
Staff
In response to VasilyZaycev

Created on ‎01-18-2024 05:41 AM

Its a FortiAnalyzer only command. It will spoof the source IP address of the event.  FortiSIEM thinks that the event arrived directly from the firewall. therefore the reporting IP will be the original IP.  It does not add/change the raw event.

Take a backup before making any changes
2717
VasilyZaycev
New Contributor II
In response to Richie_C

Created on ‎01-18-2024 05:45 AM

Thank you! I'll come back with feedback after the test!

2715
VasilyZaycev
New Contributor II
In response to VasilyZaycev

Created on ‎01-21-2024 10:26 PM

Thank you @Richie_C ! it works!

2567
Richie_C
Staff
Staff

Created on ‎01-22-2024 12:25 AM Edited on ‎01-22-2024 12:31 AM

Thanks for letting us know.

Thanks

Take a backup before making any changes
2554
Waloo5
Contributor

Created on ‎03-25-2024 05:24 AM

Hi VasilyZaycev,

Can tell me in this case, how many licence you need ? ( number of firewalls or juste 1 device(FortiAnalyser)

Amir
Amir
2126
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.