Hi
I am attempting to forward particular logs from FortiAnalyzer to Splunk and I am attempting to use the Log Forwarding Filters to identify the logs that I want to forward using the Source IP, Equal To, 10.10.10.0/24 in the belief that this would forward any logs where the source IP is in the 10.10.10.0/24 subnet. However, when I turn this filter on I see the FAZ forwarding all logs rather than only forwarding those that match the criteria above.
I'd be grateful if someone could advise if the FAZ is able to identify particular logs to forward in this way, or if there is another method that will allow me to selectively forward logs from FAZ to Splunk?
Thanks in advance.
Hello Jambo,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello Jambo,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
Hello Jambo,
I found this documentation:
Could you please have a look and tell me if it helps?
Regards,
Hi Jambo,
I think that this would take your filter string literally and look for logs that match srcip="10.10.10.0/24".
Usually filters are added to the SQL query's WHERE clause when the logs are fetched from the database, at least that's the case for log view but it might be different for log forwarding - it doesn't make sense to me to wait for the logs to be inserted to the database before forwarding them but the filter might behave in the same way.
The behaviour that you mention though seems the opposite - everything is being forwarded when I would expect nothing to be forwarded if the filter doesn't match.
You could try a filter for log messages that match Source IP > Contain > "10.10.10."
For deeper investigation and testing I would suggest opening a TAC ticket.
Mark.
Hi Mark,
Thanks for coming back to me. Yes, I found it odd that all logs are forwarded when the criteria are not matched. Perhaps it is simply disregarding the match criteria and sending everything, but then you might expect a validation error to indicate that the filter is not accepted.
In any case your suggestion got me onto the correct track. It seems that you have to get creative with regular expressions. I ended up with
Source IP > Contain > "10.10.10.*" (anything from 10.10.10.0/24) and you can manipulate this to take subnets such as "10.10.\b1[0-1]\b.*" (anything from 10.10.10.0/23)
Thanks again for the advice.
Jambo
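As an added illustration (not code from this thread or from Fortinet), the script below applies the three interpretations discussed above to a handful of constructed key=value log lines: an Equal To filter treated as a literal string compare against "10.10.10.0/24" (which can never match an address), a Contain filter treated as an unanchored regex search, and true CIDR membership, which is what the original question wanted. It also shows why a Contain pattern is worth checking against addresses just outside the subnet before relying on it: a pattern with unescaped dots and no anchors also admits 10.10.100.x and 110.10.10.x, whereas an escaped, anchored pattern does not. The log format and the field name srcip are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample log lines in a FortiAnalyzer-like key=value layout (not real logs).
# Two are inside 10.10.10.0/23, three are deliberately just outside it.
SAMPLE_LOGS = [
    "date=2024-01-01 time=10:00:00 srcip=10.10.10.5 dstip=8.8.8.8 action=accept",
    "date=2024-01-01 time=10:00:01 srcip=10.10.11.200 dstip=8.8.4.4 action=accept",
    "date=2024-01-01 time=10:00:02 srcip=10.10.100.7 dstip=1.1.1.1 action=deny",
    "date=2024-01-01 time=10:00:03 srcip=110.10.10.9 dstip=1.1.1.1 action=accept",
    "date=2024-01-01 time=10:00:04 srcip=192.168.1.1 dstip=10.10.10.5 action=accept",
]


def parse_log(line):
    """Split a space-separated key=value log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def filter_equal_literal(logs, field, value):
    """'Equal To' interpreted as a plain string compare, as the thread suggests happens."""
    return [line for line in logs if parse_log(line).get(field) == value]


def filter_contain_regex(logs, field, pattern):
    """'Contain' interpreted as an unanchored regex search over the field value."""
    rx = re.compile(pattern)
    return [line for line in logs if rx.search(parse_log(line).get(field, ""))]


def filter_in_subnet(logs, field, cidr):
    """The intended semantics: keep lines whose address is a member of the CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)
    kept = []
    for line in logs:
        try:
            if ipaddress.ip_address(parse_log(line).get(field, "")) in net:
                kept.append(line)
        except ValueError:
            # Field missing or not an IP address: cannot be in the subnet.
            pass
    return kept


def srcips(logs):
    """Reduce a list of log lines to their srcip values for easy comparison."""
    return [parse_log(line)["srcip"] for line in logs]


def compare_filters(logs=SAMPLE_LOGS):
    """Run each interpretation and return the srcip values it would forward."""
    return {
        # Literal compare of an address against a CIDR string: never matches anything.
        "equal_literal": srcips(filter_equal_literal(logs, "srcip", "10.10.10.0/24")),
        # What the poster wanted: membership in the /24 and /23.
        "subnet_24": srcips(filter_in_subnet(logs, "srcip", "10.10.10.0/24")),
        "subnet_23": srcips(filter_in_subnet(logs, "srcip", "10.10.10.0/23")),
        # Loose pattern from the thread: '.' matches any character and nothing is anchored,
        # so 10.10.100.7 and 110.10.10.9 slip through.
        "contain_loose_24": srcips(filter_contain_regex(logs, "srcip", "10.10.10.*")),
        # Escaped dots plus anchors restrict the match to the /24 only.
        "contain_anchored_24": srcips(
            filter_contain_regex(logs, "srcip", r"^10\.10\.10\.\d{1,3}$")
        ),
        # The /23 pattern from the thread: \b keeps 10.10.100.7 out, but 110.10.10.9 still matches.
        "contain_thread_23": srcips(
            filter_contain_regex(logs, "srcip", r"10.10.\b1[0-1]\b.*")
        ),
        # Anchored, escaped equivalent for the /23.
        "contain_anchored_23": srcips(
            filter_contain_regex(logs, "srcip", r"^10\.10\.1[01]\.\d{1,3}$")
        ),
    }


if __name__ == "__main__":
    for name, ips in compare_filters().items():
        print(f"{name:22s} -> {ips}")
```

Running the script prints which source addresses each interpretation would forward; the useful check is to compare the "contain" rows against the "subnet" rows, since any extra address in a "contain" row is traffic that the filter would forward to Splunk even though it lies outside the intended range.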
Copyright 2024 Fortinet, Inc. All Rights Reserved.