Fortigate - set filters on logs exported to Fortianalyzer or Syslog
Some Facts

- Free-style filtering is per category, so any filter you configure applies to a single category of logs only, e.g. Events, UTM.
- You can filter on ANY field in the raw log.
- The filter value allows the wildcard `*`, which matches anything.
- Behavior and syntax changed starting with FortiOS 7.0; all examples below were tested on a Fortigate running 7.4.3.
- There are 2 types of filters by action: `include` and `exclude`. For `include`, the matched logs are included and sent to the remote server; for `exclude` it is the reverse, i.e. the matched logs are dropped.
- Filters have a 2-level hierarchy: the top-level filter and, below it, the free-style filter. This means that the free-style filter can only see and filter logs that the top-level filter passes down to it. E.g.:

```
config log fortianalyzer filter
    set forward-traffic disable          (1)
    config free-style
        edit 1
            set category event
            set filter "logid 0100032002 logid 0100032001"
        next
    end
end
```

- (1) The forward-traffic logs are disabled at the top-level filter, so no matter what we configure at the free-style filter level for forward traffic, it will have no effect, as such logs are not sent at all.
Why
Fortigate produces a lot of logs, both traffic and event based. When exporting these logs to outside log servers, like Fortianalyzer or Syslog, you may want to separate which logs are sent to which FAZ/Syslog. A common reason is to send the logs of highest importance to a log server dedicated to that severity.

For example, you may want to send only (un)successful administrator logins to a dedicated FAZ.

Here is how to do it:

- First, we need to identify, either from the logs themselves or from the FortiOS Log Reference, the `logid` of the logs we want to single out. In this case these are `0100032001` for the success and `0100032002` for the failure.
- Next, we configure what is called a free-style filter for the destination FAZ. If it is the 2nd FAZ, we set it under `fortianalyzer2`:

```
config log fortianalyzer2 setting
    set status enable
    set server "10.100.104.177"
    set serial "FAZAWSTA230023333"
    set upload-option realtime
end
config log fortianalyzer2 filter
    config free-style
        edit 1
            set category event                               <-- TYPE OF LOGS, EVENT vs TRAFFIC
            set filter "logid 0100032002 logid 0100032001"   <-- MSGS TO INCLUDE
            set filter-type include                          <-- THIS IS THE DEFAULT, SO IT WILL NOT APPEAR IN THE CONFIG AFTERWARDS
        next
    end
end
```

Now FAZ2 will ONLY get the "admin login successful" and "admin login failed" events, while still receiving ALL traffic logs. The other FAZes configured are not affected, as the filter is per destination server.
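To make the 2-level hierarchy, the include/exclude actions and the `*` wildcard concrete, here is an added Python model of the filtering logic described above; it is not FortiOS code and does not reproduce the real filter grammar. It assumes raw logs in key=value form, that a filter string pairs up as `field value` terms of which any one may match, that an exclude filter wins over an include filter, and that the top-level switch for a log is named after its `type`/`subtype` (e.g. `forward-traffic`, `event`); the sample log lines are constructed.

```python
import re

# Constructed sample Fortigate-style key=value log lines (not captured from a real device).
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:00 logid="0100032001" type="event" subtype="system" user="admin" action="login" status="success"',
    'date=2024-05-01 time=10:00:05 logid="0100032002" type="event" subtype="system" user="admin" action="login" status="failure"',
    'date=2024-05-01 time=10:00:09 logid="0100032003" type="event" subtype="system" user="admin" action="logout"',
    'date=2024-05-01 time=10:01:00 logid="0000000013" type="traffic" subtype="forward" srcip=10.1.1.5 dstip=8.8.8.8',
]

def parse_log(line):
    """Split a raw key=value log line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def term_matches(log, field, pattern):
    """Match one 'field value' term; '*' in the value is a wildcard matching anything."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return field in log and re.fullmatch(regex, log[field]) is not None

def filter_matches(log, filter_expr):
    """Evaluate a free-style filter such as 'logid 0100032002 logid 0100032001'.
    Simplified model (assumption): tokens pair up as 'field value' and any matching pair is enough."""
    tokens = filter_expr.split()
    return any(term_matches(log, f, v) for f, v in zip(tokens[::2], tokens[1::2]))

def top_level_key(log):
    """Map a log to the top-level switch governing it (assumed naming: 'forward-traffic', 'event')."""
    return f"{log.get('subtype')}-traffic" if log.get("type") == "traffic" else log.get("type")

def forwarded_logs(logs, top_level, free_style):
    """Apply the 2-level hierarchy: the top-level switch decides whether a log reaches the
    free-style stage at all; free-style filters then act only on their own category.
    top_level: {'event': True, 'forward-traffic': False}
    free_style: [(category, filter_expr, 'include' | 'exclude')]
    Assumption: a matching exclude drops the log; if include filters exist, one must match."""
    kept = []
    for line in logs:
        log = parse_log(line)
        if not top_level.get(top_level_key(log), False):
            continue  # disabled above: nothing at the free-style level can bring it back
        applicable = [(e, t) for c, e, t in free_style if c == log.get("type")]
        if any(t == "exclude" and filter_matches(log, e) for e, t in applicable):
            continue
        includes = [e for e, t in applicable if t == "include"]
        if includes and not any(filter_matches(log, e) for e in includes):
            continue
        kept.append(log["logid"])
    return kept

if __name__ == "__main__":
    # The page's example: forward traffic off at the top level, admin login events singled out.
    print(forwarded_logs(SAMPLE_LOGS, {"event": True, "forward-traffic": False},
                         [("event", "logid 0100032002 logid 0100032001", "include")]))
```

Running it shows that the traffic log never reaches the free-style stage once `forward-traffic` is disabled, while the same include filter with the top-level switch enabled passes the traffic log untouched because the filter belongs to the event category only.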