Fortigate - set filters on logs exported to Fortianalyzer or Syslog

Some Facts

  • Free-style filtering is per category, so any filter you configure is for a specific category of logs only, e.g. Events, UTM.

  • You can filter on ANY field in the raw log

  • Value for the filter allows wildcard * which matches anything.

  • Behavior and syntax changed starting with FortiOS 7.0; all examples below were tested on FortiGate 7.4.3.

  • There are 2 types of filters by action: include and exclude. With include, only the matched logs are sent to the remote server; with exclude, the matched logs are dropped and everything else in that category is sent.

  • Filters have a 2-level hierarchy: the top-level filter and, below it, the free-style filter. The free-style filter can only see and filter the logs that the top-level filter passes down to it. E.g.:

config log fortianalyzer filter
    set forward-traffic disable (1)
    config free-style
        edit 1
            set category event
            set filter "logid 0100032002 logid 0100032001"
  1. The Forward Traffic logs are disabled at the top-level filter (1), so whatever we configure at the free-style level for the traffic category will have no effect: such logs are not sent to this destination at all.


FortiGate produces a lot of logs, both traffic and event based. When exporting these logs to external log servers, like FortiAnalyzer or syslog, you may want to separate which logs are sent to which FAZ/syslog server. Typically this is done to send the logs of highest importance to a log server dedicated to that severity.

For example, you may want to send only (un)successful administrator logins to the dedicated FAZ.

Here is how to do it:

  1. First, we need to identify, either from the logs themselves or from the FortiOS Log Reference, the logid of the logs we want to single out. In this case these are 0100032001 for a successful admin login and 0100032002 for a failed one.

  2. Next, we configure what is called a free-style filter for the destination FAZ. If it is the 2nd FAZ, we set it under fortianalyzer2:

config log fortianalyzer2 setting
    set status enable
    set server ""
    set serial "FAZAWSTA230023333"
    set upload-option realtime

config log fortianalyzer2 filter
    config free-style
        edit 1
            set category event  <-- TYPE OF LOGS, EVENT vs TRAFFIC
            set filter "logid 0100032002 logid 0100032001" <-- MSGS TO INCLUDE
            set filter-type include <-- THIS IS THE DEFAULT, SO IT WILL NOT SHOW IN THE CONFIG AFTERWARDS

Now FAZ2 will ONLY get the admin-login-successful and admin-login-failed events, while still receiving ALL traffic logs: the free-style filter is per category, and we filtered only the event category. The other FAZes configured are not affected, as the filter is per destination server.
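To dry-run a filter against exported raw logs before pushing it to the FortiGate, here is a small Python model of the filtering rules as this page describes them. It covers both the 2-level hierarchy from the "Some Facts" section (top-level switch first, then the per-category free-style filter) and the FAZ2 include filter from the steps above. This is an added example, not FortiOS code or any Fortinet tool: the raw log lines are constructed, the free-style string is assumed to be a flat list of field/value pairs that are OR'ed together (which is what the page's two-logid include filter implies), '*' is treated as a glob wildcard, and the mapping of traffic logs onto the top-level options (forward-traffic, local-traffic, ...) is a simplification of mine.

```python
import fnmatch
import re
import shlex

# Matches key=value pairs; the value is either "double quoted" or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_raw_log(line):
    """Parse one FortiOS-style raw log line (key=value pairs) into a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def parse_filter(expr):
    """Split a free-style filter string such as 'logid 0100032002 logid 0100032001'
    into [(field, value), ...]. Assumption: the string is a flat list of field/value pairs."""
    tokens = shlex.split(expr)
    if not tokens or len(tokens) % 2:
        raise ValueError("free-style filter must be field/value pairs: %r" % expr)
    return list(zip(tokens[0::2], tokens[1::2]))


def filter_matches(pairs, log):
    """True if ANY pair matches the log (assumed OR semantics); '*' in the value is a wildcard."""
    return any(fnmatch.fnmatchcase(log.get(field, ""), value) for field, value in pairs)


def top_level_key(log):
    """Map a raw log to the top-level filter option it falls under (simplification):
    traffic logs -> '<subtype>-traffic' (forward-traffic, local-traffic, ...),
    everything else -> its type (event, utm, ...)."""
    if log.get("type") == "traffic":
        return "%s-traffic" % log.get("subtype", "")
    return log.get("type", "")


def would_forward(log, top_level, free_style):
    """Decide whether one parsed raw log reaches the destination.

    top_level:  {option: bool}, e.g. {"forward-traffic": False}; unlisted options count as enabled
    free_style: list of {"id", "category", "filter", "filter-type"} entries
    Returns (forwarded, reason).
    """
    # 1. Top-level filter: a disabled category never reaches the free-style filters.
    key = top_level_key(log)
    if not top_level.get(key, True):
        return False, "%s disabled at top level" % key
    # 2. Free-style filters: each entry only sees logs of its own category.
    category = log.get("type", "")
    for entry in free_style:
        if entry["category"] != category:
            continue
        matched = filter_matches(parse_filter(entry["filter"]), log)
        ftype = entry.get("filter-type", "include")  # include is the FortiOS default
        if ftype == "include" and not matched:
            return False, "not matched by include filter %s" % entry["id"]
        if ftype == "exclude" and matched:
            return False, "matched by exclude filter %s" % entry["id"]
    return True, "forwarded"


def forwarded_logids(raw_lines, top_level, free_style):
    """Return the logids of the lines that would be forwarded, in input order."""
    return [parse_raw_log(line)["logid"] for line in raw_lines
            if would_forward(parse_raw_log(line), top_level, free_style)[0]]


# Constructed sample raw logs (not captured from a device); layout follows the usual FortiOS key=value format.
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:01 logid="0100032001" type="event" subtype="system" level="information" user="admin" ui="https(10.0.0.5)" action="login" status="success" logdesc="Admin login successful"',
    'date=2024-05-01 time=10:00:07 logid="0100032002" type="event" subtype="system" level="alert" user="admin" ui="https(10.0.0.9)" action="login" status="failed" logdesc="Admin login failed"',
    'date=2024-05-01 time=10:00:30 logid="0100032003" type="event" subtype="system" level="information" user="admin" ui="https(10.0.0.5)" action="logout" status="success" logdesc="Admin logout successful"',
    'date=2024-05-01 time=10:00:31 logid="0000000013" type="traffic" subtype="forward" srcip=10.0.0.5 dstip=93.184.216.34 dstport=443 action="accept"',
]

# The FAZ2 filter from this page: one free-style entry on the event category, top level untouched.
FAZ2_TOP_LEVEL = {}
FAZ2_FREE_STYLE = [{"id": 1, "category": "event",
                    "filter": "logid 0100032002 logid 0100032001", "filter-type": "include"}]

# The hierarchy example: forward-traffic disabled at top level, so a traffic free-style include changes nothing.
HIERARCHY_TOP_LEVEL = {"forward-traffic": False}
HIERARCHY_FREE_STYLE = [{"id": 1, "category": "traffic",
                         "filter": "logid 0000000013", "filter-type": "include"}]

if __name__ == "__main__":
    for name, tl, fs in [("FAZ2", FAZ2_TOP_LEVEL, FAZ2_FREE_STYLE),
                         ("hierarchy", HIERARCHY_TOP_LEVEL, HIERARCHY_FREE_STYLE)]:
        print(name)
        for line in SAMPLE_LOGS:
            log = parse_raw_log(line)
            print("  %s %-8s %s" % (log["logid"], log["type"], would_forward(log, tl, fs)[1]))
```

Run it over a file of raw logs pulled from the FortiGate (one line per log) with the same top-level and free-style dicts you intend to configure, and compare the forwarded logids with what you expect FAZ2 to receive. The point of modelling the top-level switch separately is exactly the trap from the "Some Facts" section: a free-style include for the traffic category under a disabled forward-traffic option forwards nothing, and this dry-run shows that before the change goes live.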