I have my Fortigate sending logs to a syslog server. It's sending massive amounts of detailed logging, but I'm really only interested in having System events and VPN events sent to the syslog server. In the GUI, I see options for limiting the types of events that get logged, but selecting these options doesn't seem to limit what gets sent to my syslog server. Is there a way to limit which event types are sent to a syslog server?
Yes, somewhat... You can set the log type and severity from the CLI in a filter
e.g.
config log syslogd filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set netscan-discovery enable
    set netscan-vulnerability enable
    set voip enable
end
and
config log eventfilter
You can also set specific filters for traffic per se, but you have generic filters that you can apply by policies if you play it smart. You need to determine which fwpolicies need logging and/or create more fwpolicies by service/dst/src etc.
e.g.
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"          <----- HERE
        set logtraffic all
        set nat enable
    next
end
That might generate excessive log traffic if you only want logging for HTTP/HTTPS traffic. So you could add HTTP/HTTPS services in a fwpolicy, and remove the logging from the broader traffic
e.g.
config firewall policy
    edit 11
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic all
        set nat enable
    next
    edit 10
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
        set nat enable
    next
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        unset logtraffic
        set nat enable
    next
end
You have limited means for traffic log filters and system events, but it is doable to some degree. Just think it out, play with your filters, and define logging on the policies that you deem necessary.
YMMV ;)
Ken
PCNSE
NSE
StrongSwan
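Once a syslogd filter like the one above is in place, the receiving side is the easiest place to confirm what actually arrives. The following is an added example (not from the thread or from Fortinet): it parses FortiGate key=value syslog lines and tallies them by type/subtype, flagging anything outside a system/vpn allow list. The sample lines, device names and log IDs are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate key=value syslog format (not real device output).
SAMPLE_LOGS = [
    'date=2016-06-01 time=10:00:01 devname="FGT" devid="FG000000000000" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" msg="Administrator admin logged in successfully from ssh"',
    'date=2016-06-01 time=10:00:02 devname="FGT" devid="FG000000000000" logid="0101037124" type="event" subtype="vpn" level="notice" vd="root" logdesc="IPsec phase 1 SA established" msg="progress IPsec phase 1"',
    'date=2016-06-01 time=10:00:03 devname="FGT" devid="FG000000000000" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.0.5 dstip=93.184.216.34 dstport=443 action="accept" policyid=1 service="HTTPS"',
    'date=2016-06-01 time=10:00:04 devname="FGT" devid="FG000000000000" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=10.0.0.5 dstip=10.0.0.1 action="deny" policyid=0',
]

# key=value pairs; values are either a double-quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line):
    """Parse one FortiGate log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def audit_categories(lines, allowed=(("event", "system"), ("event", "vpn"))):
    """Return (Counter of (type, subtype) seen, list of parsed records outside the allow list)."""
    counts = Counter()
    unexpected = []
    for line in lines:
        rec = parse_fortigate_line(line)
        key = (rec.get("type", "?"), rec.get("subtype", "?"))
        counts[key] += 1
        if key not in allowed:
            unexpected.append(rec)
    return counts, unexpected


if __name__ == "__main__":
    counts, unexpected = audit_categories(SAMPLE_LOGS)
    for (t, s), n in sorted(counts.items()):
        print(f"{t}/{s}: {n}")
    print(f"{len(unexpected)} line(s) outside the system/vpn allow list")
```

Point it at a tail of the syslog server's file instead of SAMPLE_LOGS; any non-zero "unexpected" count means the syslogd filter is still letting a category through.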
Yes, and because my logs are empty, which does give me confirmation.
XXXXXXX (setting) # show
config log setting
set fwpolicy-implicit-log enable
set local-in-allow enable
set local-in-deny-unicast enable
set local-in-deny-broadcast enable
set local-out enable
end
XXXXXXX # execute log filter cat 0
XXXXXXX # execute log filter field action deny
XXXXXXX # execute log display
0 logs found.
0 logs returned.
What FortiOS version?
Try this for starters
execute log filter reset
execute log filter cat 0
execute log filter field policed 0
exec log display
And ;
diag debug application miglogd -1
diag debug en
diag test application miglogd 22
diag test application miglogd 6 | grep syslog (do you see it increasing?)
diag test application miglogd 101 | grep traffic <---- find the correct number for your root or whatever VDOM if you're in VDOM mode
PCNSE
NSE
StrongSwan
Version 5.4.1
Seems like you have no syslog configured, but I'm still lost on why you have no memory logging. Do you have memory logging and/or FortiCloud enabled?
PCNSE
NSE
StrongSwan
I think the evidence is right in front of you. That toggle switch needs to be enabled, but let's double check.
Can you execute the following from the CLI: "show full log syslogd setting | grep status"
The output should be "set status enable".
PCNSE
NSE
StrongSwan
Hi Emoc,
Thank you but I am not piping the logs to syslog. I just want the logs to go to memory.
So, I see you hijacked the OP's (andy) thread. In your snapshot, what are you trying to do now, so we can follow your issue?
PCNSE
NSE
StrongSwan