VasilyZaycev
New Contributor II

FortiAnalyzer log forwarding

What filters need to be enabled to transfer the source IP address devname="device_fortigate" on log forwarding?

 

logver=604145463 timestamp=1705406294 devname="device_fortigate" devid="FG" vd="root" date=2024-01-16 time=14:58:14 eventtime=1705406295007253541 tz="" logid="15010500" type="utm" subtype="dns" eventtype="dns-response" level="warning" policyid=459 sessionid=1734461551 srcip=IP srcport= srcintf="DMZ01" srcintfrole="dmz" dstip=IP dstport= dstintf="DC-Transport" dstintfrole="lan" proto=17 profile="DNS-Log" xid=25739 qname="" qtype="A" qtypeval=1 qclass="IN" ipaddr="127.0.0.1" msg="A rating error occurs" action="pass" cat=255 catdesc="Unknown" error="no available Fortiguard SDNS servers"

 

18 Replies
jasonhong
Staff

Hi,

 

If you are referring to log forwarding for a specific device, you can enable Device Filters and select the specific device under Log Forwarding Filters.

 

https://docs.fortinet.com/document/fortianalyzer/7.2.4/administration-guide/19991/configuring-log-fo...

VasilyZaycev
New Contributor II

I mean the device name also had information about its IP.

Richie_C
Staff

Hi @VasilyZaycev.

 

Using the following commands on the FortiAnalyzer will allow the event to retain its original source IP.

 

config system log-forward
edit <id>
set fwd-log-source-ip original_ip
next
end

 

I hope that helps!


Take a backup before making any changes
VasilyZaycev

Thank you!

And does this command also need to be applied on the end device FortiGate, or is it enough on the collector FortiAnalyzer?

Richie_C

It's a FortiAnalyzer-only command. It will spoof the source IP address of the event. FortiSIEM thinks that the event arrived directly from the firewall, therefore the reporting IP will be the original IP. It does not add/change the raw event.

Take a backup before making any changes
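A SIEM-side complement to the point above, added here as an example and not taken from the thread or from Fortinet: because the relayed raw event is unchanged, the originating firewall can also be identified from the devname/devid fields in the log body, independent of which IP the UDP packet arrived from. The sample line is constructed from the one quoted in the question (placeholder IPs, fields shortened), and the function names are hypothetical.

```python
import re
from typing import Dict

# Constructed sample, modelled on the log line quoted in the question.
# IPs are placeholders; srcport/dstport are empty as in the original.
SAMPLE_LOG = (
    'logver=604145463 timestamp=1705406294 devname="device_fortigate" devid="FG" '
    'vd="root" date=2024-01-16 time=14:58:14 logid="15010500" type="utm" '
    'subtype="dns" level="warning" policyid=459 srcip=10.0.0.1 srcport= '
    'srcintf="DMZ01" dstip=10.0.0.2 dstport= proto=17 '
    'msg="A rating error occurs" action="pass" '
    'error="no available Fortiguard SDNS servers"'
)

# One key=value token. The value is either a double-quoted string (which may
# contain spaces and backslash-escaped quotes) or a bare run of non-space
# characters, and may be empty (e.g. srcport=).
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s]*)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse a FortiGate key=value log line into a dict of raw string values."""
    fields: Dict[str, str] = {}
    for key, value in _TOKEN.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            # Strip the surrounding quotes and unescape embedded quotes.
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def reporting_device(line: str, packet_src_ip: str) -> str:
    """Return the identity a SIEM should attribute the event to.

    If a FortiAnalyzer relays the event without fwd-log-source-ip set to
    original_ip, packet_src_ip is the FortiAnalyzer rather than the firewall,
    but devname/devid in the untouched raw event still name the origin.
    Fall back to the packet source only when neither field is present.
    """
    fields = parse_fortigate_log(line)
    name = fields.get("devname") or fields.get("devid")
    return name if name else packet_src_ip
```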
VasilyZaycev

Thank you! I'll come back with feedback after the test!

VasilyZaycev

Thank you @Richie_C! It works!

Richie_C
Staff

Thanks for letting us know.

Thanks

Take a backup before making any changes
Waloo5
New Contributor III

Hi VasilyZaycev,

Can you tell me, in this case, how many licences you need? (Number of firewalls, or just 1 device (FortiAnalyzer)?)
