Hello. I'd like to set up a log filter with an ID range, like:
config log syslogd2 filter
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set voip disable
    set filter "logid(0100000000-0100999999)"
end
It gets into the config, but does not work: nothing is coming to syslog with that filter.
FortiOS version 6.4.8, device FG1800F.
Is there a solution to this?
Hello,
What is the expected content of those filtered logs?
I'm not sure there are any Event type messages with Subtype 00.
I'd suggest having a look at the following resources to fine-tune the filter.
Log Schema Structure
https://docs.fortinet.com/document/fortigate/6.4.8/fortios-log-message-reference/738142/log-schema-s...
And to Log ID numbers
https://docs.fortinet.com/document/fortigate/6.4.8/fortios-log-message-reference/84948/log-messages
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
event: 1
system: 0
There are plenty of them, like system config changes, performance stats, DHCP messages.
Example:
Apr 13 10:55:12 10.96.62.113 date=2022-04-13 time=10:55:12 devname="red-fg1800-02" devid="FG180Fcut" eventtime=1649829312344813014 tz="+0000" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="cut" ui="ha_daemon" action="Add" cfgtid=480584558 cfgpath="vpn.ssl.web.portal:bookmark-group:bookmarks" cfgobj="forticlient:gui-bookmarks:Cut" cfgattr="url[https://some.uri/]" msg="Add vpn.ssl.web.portal:bookmark-group:bookmarks forticlient:gui-bookmarks:Cut"
Stupid question... is syslogd2 enabled?
Because the default is disabled:
config log syslogd2 setting
    set status disable
end
If it is, then I'd start a sniffer to see if there are any syslog messages sent out on the wire.
That'd be my next step.
Then basically the following would be the next steps.
If messages are going out from the FortiGate, but not received on the syslog server, then:
- any firewall on the way?
- any firewall on the server itself?
- anything in a traffic sniffer (like Wireshark or tcpdump) on the server itself to check if the message came in on the wire?
- any rules on the syslog server itself to discard messages, so anything in the server log?
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
@xsilver_FTNT wrote: stupid question .. is syslogd2 enabled ?
Where do you think I got those examples? :)
I just skipped the rest of the config.
If I choose exact logids as in the documentation examples, everything works.
I'm just experimenting and tried to put a range into the config, which is NOT documented.
Surprisingly it saved into the config but does not work. Not saying it actually should.
Well, I see it explicitly stated that a list of IDs is expected. Not a range.
Fine, the CLI might validate that and issue an error. But the CLI inline "?" help states it clearly as a list.
camille-esx02 (filter) # set filter
Please input the logid list or level (or both) as filters.
[logid(...)] [traffic-level(...)] [event-level(...)] [virus-level(...)] [webfilter-level(...)] [ips-level(...)] [emailfilter-level(...)] [anomaly-level(...)] [voip-level(...)] [dlp-level(...)] [app-ctrl-level(...)] [waf-level(...)] [gtp-level(...)] [dns-level(...)] [ssh-level(...)] [ssl-level(...)] [cifs-level(...)] [file-filter-level(...)] [icap-level(...)]
See the following 2 examples.
example 1
set filter "logid(40704,32042)"
example 2
set filter "event-level(information)"
The available levels are as the following:
emergency,alert,critical,error,warning,notice,information,debug
Therefore "not documented => not supported", I would say.
Get in contact with your sales rep. to discuss and possibly get that pushed to Fortinet's R&D should you need that. So it might, but also might not, get implemented in future.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
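Added example (not from the thread, Fortinet or FortiOS): a small Python helper that does what the CLI help above implies you must do yourself, turning the documented log IDs that fall inside a range into the explicit `logid(a,b,c)` list the filter accepts, and checking a FortiGate key=value syslog line against such a filter. It assumes the 10-digit logid layout (2-digit type, 2-digit subtype, 6-digit message ID) and uses a constructed sample line and a constructed "known IDs" list standing in for the Log Message Reference.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample payload modelled on the event/system line quoted in the thread
# (device names and ids are placeholders, not real devices).
SAMPLE_LINE = ('date=2022-04-13 time=10:55:12 devname="fg-example" devid="FGEXAMPLE" '
               'logid="0100044547" type="event" subtype="system" level="information" '
               'vd="root" logdesc="Object attribute configured" msg="Add bookmark"')

# key=value pairs; values are either "quoted with spaces" or a bare token
KV_RE = re.compile(r'([A-Za-z_][\w-]*)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Split a FortiGate key=value payload, keeping spaces inside quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def normalize_logid(logid: str) -> str:
    """Zero-pad to the 10-digit form (assumed layout: type, subtype, message id)."""
    if not re.fullmatch(r'\d{1,10}', logid):
        raise ValueError(f'not a single log id: {logid!r}')
    return logid.zfill(10)

def logid_fields(logid: str) -> Dict[str, str]:
    """Break a logid into its assumed 2/2/6-digit components."""
    lid = normalize_logid(logid)
    return {'type': lid[:2], 'subtype': lid[2:4], 'msgid': lid[4:]}

def ids_in_range(known_ids: Iterable[str], lo: str, hi: str) -> List[str]:
    """Pick the documented ids inside [lo, hi]; the CLI takes a list, not a range."""
    lo_n, hi_n = int(normalize_logid(lo)), int(normalize_logid(hi))
    return sorted({normalize_logid(i) for i in known_ids
                   if lo_n <= int(normalize_logid(i)) <= hi_n})

def build_filter(logids: Iterable[str]) -> str:
    """Render the form the CLI help documents: set filter "logid(a,b,c)"."""
    ids = [normalize_logid(i) for i in logids]  # a "lo-hi" range string raises here
    if not ids:
        raise ValueError('empty logid list')
    return f'logid({",".join(ids)})'

def filter_matches(filter_str: str, line: str) -> bool:
    """Would a logid(...) filter pass this line? Raises on the unsupported range form."""
    m = re.fullmatch(r'logid\(([\d,]+)\)', filter_str.strip())
    if not m:
        raise ValueError(f'unsupported filter syntax: {filter_str!r}')
    wanted = {normalize_logid(i) for i in m.group(1).split(',')}
    logid = parse_fortigate_line(line).get('logid', '')
    return bool(logid) and normalize_logid(logid) in wanted
```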
Not a big deal, after all. But could be better.