joepalm4
New Contributor

FortiGate syslog filters don't support logid and level

FortiOS: 6.2.8

Model: 800D

I've been trying to configure the syslog filter to only send LOG_ID_TRAFFIC_END_FORWARD (0000000013) traffic logs to my syslog server.

In the Technical Tip: Using syslog filters on to send only specific logs to syslog server, @vpoluri specifies that you can include both filters. However, when I use the following string, the log stream doesn't limit to LOG_ID_TRAFFIC_END_FORWARD events.

set filter "traffic-level(information) logid(0000000013)"

However, it does limit to LOG_ID_TRAFFIC_END_FORWARD events when I just use logid.

set filter "logid(0000000013)"

Ultimately, I would like to send event-level(information), ips-level(alert), and traffic-level(information), but only the "0000000013" logid for traffic.

Is this doable?
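Added example, not from the thread or from Fortinet: when the FortiGate filter string cannot express "event-level(information) or ips-level(alert) or traffic logid(0000000013)" in one statement, the same selection can be applied on the syslog collector instead. The sample records below are constructed in FortiGate's key=value syslog layout (logids other than 0000000013 are placeholders); it assumes a level filter means that severity and above, and that IPS logs arrive as type=utm subtype=ips.

```python
import re

# Constructed FortiGate-style key=value syslog payloads (not taken from the thread);
# logids other than 0000000013 are placeholders.
SAMPLE_LOGS = [
    'date=2022-11-09 time=10:00:01 devname="fgt" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.0.5 dstip=10.0.1.1 action="close"',
    'date=2022-11-09 time=10:00:02 devname="fgt" logid="0000000020" type="traffic" subtype="forward" level="notice" srcip=10.0.0.6 dstip=10.0.1.1 action="accept"',
    'date=2022-11-09 time=10:00:03 devname="fgt" logid="0100000001" type="event" subtype="system" level="information" msg="Admin login successful"',
    'date=2022-11-09 time=10:00:04 devname="fgt" logid="0419000001" type="utm" subtype="ips" level="alert" attack="Example.Signature" action="dropped"',
    'date=2022-11-09 time=10:00:05 devname="fgt" logid="0100000002" type="event" subtype="system" level="debug" msg="Debug detail"',
    'date=2022-11-09 time=10:00:06 devname="fgt" logid="0419000002" type="utm" subtype="ips" level="notice" attack="Example.Other" action="detected"',
]

# Syslog severities ordered from most to least severe.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "information", "debug"]

# key=value pairs; quoted values may contain spaces, bare values end at whitespace.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_record(line: str) -> dict:
    """Parse one FortiGate key=value payload into a dict of strings."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def at_least(level: str, minimum: str) -> bool:
    """True if `level` is `minimum` or more severe (unknown levels never match)."""
    return level in SEVERITIES and SEVERITIES.index(level) <= SEVERITIES.index(minimum)


def wanted(rec: dict) -> bool:
    """Collector-side equivalent of the thread's goal:
    event-level(information) OR ips-level(alert) OR traffic logid(0000000013).
    Assumptions: a level filter means 'this severity and above', and IPS logs
    arrive as type=utm subtype=ips."""
    log_type, level = rec.get("type"), rec.get("level", "")
    if log_type == "event":
        return at_least(level, "information")
    if log_type == "utm" and rec.get("subtype") == "ips":
        return at_least(level, "alert")
    if log_type == "traffic":
        return rec.get("logid") == "0000000013"
    return False


def filter_records(lines):
    """Return only the parsed records the collector should keep."""
    return [rec for rec in map(parse_fortigate_record, lines) if wanted(rec)]
```

Running `filter_records(SAMPLE_LOGS)` keeps the traffic end record with logid 0000000013, the information-level event and the alert-level IPS record, and drops the other traffic, debug and notice-level lines.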

gfleming
Staff

Not 100% sure but try changing the traffic-level option to event-level and see if it catches?

Also not sure why you need to specify the level, because AFAIK the logid 0000000013 is always set to level "Notice".

https://docs.fortinet.com/document/fortigate/6.0.3/fortios-log-message-reference/902505/13-log-id-tr...

Cheers,
Graham
joepalm4

@gfleming - I think you're right. If I just wanted to target 0000000013, I probably wouldn't need the traffic-level.

My ultimate goal is to specify an event level (no logid filter), ips-level (no logid filter), and isolate on 0000000013 for traffic. I don't think this is possible, unless someone has any ideas.

gfleming

So just to be clear, the only logs you want to send are those with a certain event level or a certain IPS level or ID 13 for traffic?

I do not have access to a FGT running FOS 6.2.X. The docs for 6.4 seem to imply it might be possible to use "AND" and "OR" operators in the filters. It's used in the free-style filter for already-captured logs but I wonder if you can do it for the other filter too.

https://docs.fortinet.com/document/fortigate/6.4.10/administration-guide/369889/configuring-and-debu...

Also it looks like 7.0 changes the filter config significantly allowing multiple entries:

https://docs.fortinet.com/document/fortigate/7.0.8/administration-guide/369889/configuring-and-debug...

Cheers,
Graham
joepalm4

Thanks @gfleming. There seems to be a high degree of ambiguity in Fortinet's configuration and documentation of log filters. I would love to see them clear that up, because the solution to my question still isn't clear.

gfleming

Does that mean you tried using "or" statements in your filter and it didn't work?

Cheers,
Graham
joepalm4

Hi @gfleming. I tested this and it didn't work.

gfleming

What about omitting the "or" from the statement? The error message seems to indicate you can include both in your statement.

Cheers,
Graham