FortiOS: 6.2.8
Model: 800D
I've been trying to configure the syslog filter to only send LOG_ID_TRAFFIC_END_FORWARD (0000000013) traffic logs to my syslog server.
In the Technical Tip: Using syslog filters on to send only specific logs to syslog server, @vpoluri specifies that you can include both filters. However, when I use the following string, the log stream doesn't limit to LOG_ID_TRAFFIC_END_FORWARD events.
set filter "traffic-level(information) logid(0000000013)"
However, it does limit to LOG_ID_TRAFFIC_END_FORWARD events when I just use logid.
set filter "logid(0000000013)"
Ultimately, I would like to send event-level(information), ips-level(alert), and traffic-level(information), but only the "0000000013" logid for traffic.
Is this doable?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Not 100% sure but try changing the traffic-level option to event-level and see if it catches?
Also not sure why you need to specify the level because AFAIK the logid 0000000013 is always set to level "Notice"
@gfleming- I think you're right. If I just wanted to target 0000000013, I probably wouldn't need the traffic-level.
My ultimate goal is to specify an event level (no logid filter), ips-level (no logid filter), and isolate on 0000000013 for traffic. I don't think this is possible, unless someone has any ideas.
So just to be clear, the only logs you want to send are those with a certain event level or a certain IPS level or ID 13 for traffic?
I do not have access to a FGT running FOS 6.2.X. The docs for 6.4 seem to imply it might be possible to use "AND" and "OR" operators in the filters. It's used in the free-style filter for already-captured logs but I wonder if you can do it for the other filter too.
Also it looks like 7.0 changes the filter config significantly allowing multiple entries:
Created on 10-31-2022 01:05 PM Edited on 10-31-2022 01:06 PM
Thanks @gfleming. There seems to be a high degree of ambiguity in Fortinet's configuration and documentation of log filters. I would love to see them clear that up, because the solution to my question still isn't clear.
Does that mean you tried using "or" statements in your filter and it didn't work?
what about omitting the "or" from the statement. The error message seems to indicate you can include both in your statement.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1536 | |
1029 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.