syslog filtering logid 13 - how to filter only local deny traffic?
TLDR: how to filter logid 13 to only log deny traffic from within the network? syslog.
Just few words about my setup:
- sending logs from Fortinet to remote syslog server
- configured IPv4 policy to only allow connections to allowed list of FQDNs, so trying to browse (`curl`) some random web address will result in deny by policy.
At first I did not configure any filtering on my syslogd device on fortinet, so fortinet throws everything into syslog, and log file becomes quite large.
My objective is to log only blocked attempts from inside the network, that is logid 13 and deny action.
What I ended up with for now is this:
config log syslogd filter
set filter "logid(13,14)"
set filter-type exclude
So I am interested in everything, basically, but I certainly do not need any of the detailed logs about blocking external actors.
I know about FortiAnalyzer however my syslog/elasticsearch pipeline is almost complete and sufficient. I only need to figure out how to filter out unnecessary logid 13 from syslog, as it would be too many gigabytes of data in syslog/ELK that we will never look at.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.