3pointD
New Contributor

Stop Monitor / Logging

Hello,

 

Quick question: In order to allow Skype to continue to function after putting P2P blocking in place, I had to place a monitoring rule explicitly for Skype above it. This allows access to Skype but fills up my logs with constant entries. What's the best way to set this up so I don't monitor Skype at all?

 

Thanks!

neonbit
Valued Contributor

Change your action from 'monitor' to 'allow', that way it will be allowed but not logged.

ede_pfau
Esteemed Contributor III

(There is no 'allow' action in AppCtrl.)

In 'conf log (mem|disk|whatever) filter', set 'set severity notification' instead of 'set severity information'.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
3pointD

Thanks for this Ede.

 

I guess I'm so used to finding most of the features I need in the gui that I forget that there is more under the hood in the cli. 

 

Also, a related question. How do I configure for FortiCloud? I have another unit that is connected to Forticloud and I want to limit the log entries sent there to avoid filling up the space so quickly. I tried to 'get log forticloud filter' but there was nothing to be found.

 

FYI, just tried 'get log fortianalyzer filter'. Is this where I configure for Forticloud?

 

Thanks!

Dirty_Wizard_FTNT

5.2 has "Allow" for App. Control Overrides, 5.0 does not. 

 

For FortiCloud, just "Activate" in the License Information widget.

Then enable in Log settings, OR: #config log fortiguard setting.

 

To change FortiCloud log filters: #config log fortiguard filter

 

The 1GB free FortiCloud version quota is per-device not per-account. 

 

 

3pointD

This is a 20C running version 4.0 MR3 Patch 14. My goal is to fine tune what is logged to forticloud. For the most part I'm having to delete everything in Forticloud once a week due to the 1GB limit.

 

This business doesn't have a need for the features of forticloud but apparently (notice in the box) on the 20C it's recommended because the logging locally is detrimental to the unit's longevity. I had one die already within a year of use.

 

Any suggestions would be greatly appreciated!

 

 

ede_pfau
Esteemed Contributor III

As dirty_wizard already posted, 'config log fortiguard filter' is where to look for settings. Even in v4.3, when FortiCloud was named 'FortiGuard Analysis Service', you have these options.

You can always (read: as a last resort) try to globally log less by setting the log severity from 'information' to 'notice'. But this will affect all log sources, not only AppCtrl.

 

You should try to stop the logging for the Skype (exemption) pattern...

In the CLI Reference for v4.3 it says:

config application list
   edit <listname>
      config entries
         edit <id>
            set action pass
            set log disable
             ...
         end
      next
end
This would stop logging for the 'Skype' entry in your AC list.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
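
An audit sketch for the per-entry 'set log disable' setting quoted in the answer above, as an added example that is not part of the original thread or of Fortinet's tooling: it lists which application-control entries in a saved configuration have logging switched off, so each unlogged exemption stays a documented decision. The sample configuration, list name and entry ids are constructed, and the parser assumes the block layout shown in the CLI Reference excerpt.

```python
# Constructed sample in the layout quoted above; list name and entry ids are made up.
SAMPLE_CONFIG = """\
config application list
    edit "office-profile"
        config entries
            edit 1
                set action pass
                set log disable
            next
            edit 2
                set action block
                set log enable
            next
        end
    next
end
"""

def unlogged_entries(config_text):
    """Return (list_name, entry_id, action) for each entry with 'set log disable'."""
    findings, stack = [], []          # stack holds the open 'config ...' blocks
    list_name, entry_id, settings = None, None, {}
    for raw in config_text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        rest = rest.strip()
        in_entries = stack == ["application list", "entries"]
        if in_entries and entry_id is not None and word in ("edit", "next", "end"):
            # Entry finished; 'end' also closes it when 'next' was omitted.
            if settings.get("log") == "disable":
                findings.append((list_name, entry_id, settings.get("action", "unset")))
            entry_id = None
        if word == "config":
            stack.append(rest)
        elif word == "end" and stack:
            stack.pop()
        elif word == "edit" and in_entries:
            entry_id, settings = rest.strip('"'), {}
        elif word == "edit" and stack == ["application list"]:
            list_name = rest.strip('"')
        elif word == "set" and in_entries and entry_id is not None:
            key, _, value = rest.partition(" ")
            settings[key] = value.strip()
    return findings

if __name__ == "__main__":
    for finding in unlogged_entries(SAMPLE_CONFIG):
        print("logging disabled: list=%s entry=%s action=%s" % finding)
```
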
3pointD

OK, thanks. I can work with that. I appreciate the help!
