Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Giovanna
New Contributor III

Security Logs Fortigate

 

I would like to share only the most relevant security logs from FortiGate to a syslog collector, and I aim to minimize the volume of data being sent.
For example I am interested in User Activity Events, but I would like to filter them further, for example, to include only admin login events.

Is there any official Fortinet documentation that lists the subcategories or log IDs included in “User Activity Events”, describing their purpose and content?
And more importantly:
Is it possible to apply filters directly on FortiGate (e.g., using CLI) to export only specific subcategories within a log group?

Any example or reference would be greatly appreciated.

1 Solution
smkml
Staff

config log syslogd filter
set filter "logid(xxx)"
end

Or refer to the KB below for a comprehensive explanation or the free-style method.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-In-log-filter-settings-the-logic-is-AND-be...

3 REPLIES

Giovanna
New Contributor III

Hi, is there maybe a command to use in order to not share the selected logs and share all the others, something like:

config log syslogd filter
set filter not "logid(xxx)"
end

? Many Thanks!

 

funkylicious

https://docs.fortinet.com/document/fortigate/6.4.16/cli-reference/273422104/config-log-syslogd-filte... , I think "set filter-type exclude" is what you need.

"jack of all trades, master of none"
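As an added example that is not from the thread or from Fortinet, here is one way to put the accepted answer and the exclude suggestion together: a syslogd filter that switches off the high-volume traffic categories and forwards only admin login events by log ID, followed by the inverse form Giovanna asked about. The layout assumes the 6.4-style free-style filter sub-table from the CLI reference linked above; on older firmware, "set filter" and "set filter-type" sit directly under "config log syslogd filter", as in the accepted answer. Log ID 32001 is assumed here to be the admin login successful event and 192.0.2.10 is a constructed collector address; confirm the ID against the FortiGate Log Reference for your firmware before relying on it.

```text
# Added example, not from this thread. FortiGate CLI, 6.4-style syntax (assumed).
# Log ID 32001 is assumed to be "admin login successful"; verify it in the
# Log Reference for your release. 192.0.2.10 is a constructed collector address.

config log syslogd setting
    set status enable
    set server "192.0.2.10"
end

# Include form: forward only the selected event log ID.
# The category switches below drop the traffic logs that make up most of the volume.
config log syslogd filter
    set severity information
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly disable
    set voip disable
    config free-style
        edit 1
            set category event
            set filter "logid(32001)"
            set filter-type include
        next
    end
end

# Exclude form: forward every event log except the selected log ID.
config log syslogd filter
    config free-style
        edit 1
            set category event
            set filter "logid(32001)"
            set filter-type exclude
        next
    end
end
```

After applying either variant, check the result on the collector rather than trusting the configuration: generate a single admin login and confirm that exactly the expected logid arrives (include form) or that everything but that logid still arrives (exclude form). Filters that silently drop more than intended are a common way to lose the very events the collector was set up to keep.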