- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- log filter logid range
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
log filter logid range
Hello. I'd like to set up log filter with ids range, like:
config log syslogd2 filter
set forward-traffic disable
set local-traffic disable
set multicast-traffic disable
set sniffer-traffic disable
set voip disable
set filter "logid(0100000000-0100999999)"
end
it gets into config, but does not work, nothing coming to syslog with that filter
FortiOs Version 6.4.8, device FG1800F
Is there a solution to this?
Labels:
- Labels:
-
FortiGate
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
what is expected content of those filtered logs ?
I'm not sure there are any Event type messages with Subtype 00.
I'd suggest to have a look into following resources to fine tune filter.
Log Schema Structure
https://docs.fortinet.com/document/fortigate/6.4.8/fortios-log-message-reference/738142/log-schema-s...
And to Log ID numbers
https://docs.fortinet.com/document/fortigate/6.4.8/fortios-log-message-reference/84948/log-messages
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
event: 1
system: 0
There are plenty of them. Like system config change, performance stats, DHCP messages.
Example:
Apr 13 10:55:12 10.96.62.113 date=2022-04-13 time=10:55:12 devname="red-fg1800-02" devid="FG180Fcut" eventtime=1649829312344813014 tz="+0000" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="cut" ui="ha_daemon" action="Add" cfgtid=480584558 cfgpath="vpn.ssl.web.portal:bookmark-group:bookmarks" cfgobj="forticlient:gui-bookmarks:Cut" cfgattr="url[https://some.uri/]" msg="Add vpn.ssl.web.portal:bookmark-group:bookmarks forticlient:gui-bookmarks:Cut"Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stupid question .. is syslogd2 enabled ?
Because default is disabled:
config log syslogd2 setting
set status disable
end
If it is, then I'd start sniffer to see if there are any syslog messages sent out on wire.
That'd be my next step.
Then basically those will be following steps.
If messages are going out from FortiGate, but not received on syslog server, then:
- any firewall on the way ?
- any firewall on the server itself ?
- anything in traffic sniffer (like Wireshark or tcpdump) on server itself to check if message came in on wire ?
- any rules on syslog server itself to discard messages, so anything in server log ?
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@xsilver_FTNT wrote:stupid question .. is syslogd2 enabled ?
Because default is disabled:config log syslogd2 setting
set status disable
end
If it is, then I'd start sniffer to see if there are any syslog messages sent out on wire.
That'd be my next step.Then basically those will be following steps.
If messages are going out from FortiGate, but not received on syslog server, then:
- any firewall on the way ?
- any firewall on the server itself ?
- anything in traffic sniffer (like Wireshark or tcpdump) on server itself to check if message came in on wire ?
- any rules on syslog server itself to discard messages, so anything in server log ?
stupid question .. is syslogd2 enabled ?
Where do you think i got those example? :)
I just skipped rest of the config.
If i choose exact logid's as in documentation examples, everything works.
I'm just experimenting and tried to put range into config, which is NOT documented.
Surprisingly it saved into config but does not work. Not saying it actually should.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well I see explicitly stated that expected is a list of IDs. Not a range.
Fine, CLI might validate that and issue an error. But CLI inline "?" help states it clearly as a list.
camille-esx02 (filter) # set filter
Please input the logid list or level (or both) as filters.
[logid(...)] [traffic-level(...)] [event-level(...)] [virus-level(...)] [webfilter-level(...)] [ips-level(...)] [emailfilter-level(...)] [anomaly-level(...)] [voip-level(...)] [dlp-level(...)] [app-ctrl-level(...)] [waf-level(...)] [gtp-level(...)] [dns-level(...)] [ssh-level(...)] [ssl-level(...)] [cifs-level(...)] [file-filter-level(...)] [icap-level(...)]
See the following 2 examples.
example 1
set filter "logid(40704,32042)"
example 2
set filter "event-level(information)"
The available levels are as the following:
emergency,alert,critical,error,warning,notice,information,debug
Therefore "not documented => not supported", I would say.
Ger in contact with sales rep. to discuss and possibly get that pushed to Fortinet's R&D should you need that. So it might, but also might not, get implemented in future.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not a big deal, after all. But could be better.
Related Posts
- Automatically Ban Malicious Inbound IPs using... 290 Views
- Fortigate 60F Sending Wrong LOGS to... 283 Views
- Fortinet Single Sign On (FSSO) for... 231 Views
- Policy based - URL categories does't... 1304 Views
- Policy based - URL categories does't... 418 Views
Labels
-
FortiGate
6,593 -
FortiClient
1,315 -
5.2
801 -
5.4
639 -
FortiManager
570 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
338 -
FortiAP
337 -
FortiClient EMS
268 -
6.2
251 -
FortiMail
246 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
73 -
FortiToken
72 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
62 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
26 -
Firewall policy
25 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
High Availability
21 -
FortiConverter
21 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
Interface
13 -
FortiDDoS
13 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Application control
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.