Some Facts

Free-style filtering is per category, so any filter you configure is for a specific category of logs only, e.g. Events, UTM.

You can filter on ANY field present in the raw log.

The filter value allows the wildcard *, which matches anything.

Behavior and syntax changed starting with FortiOS 7.0; all examples below were tested on a Fortigate running 7.4.3.

There are 2 types of filters by action: include and exclude. With include, only the matched logs are sent to the remote server; with exclude, the matched logs are dropped and everything else is sent.

Filters have a 2-level hierarchy: the top-level filter and, below it, the free-style filter. This means the free-style filter can only see and filter the logs that the top-level filter passes down to it. E.g.:

config log fortianalyzer filter
    set forward-traffic disable (1)
    config free-style
        edit 1
            set category event
            set filter "logid 0100032002 logid 0100032001"
        next
    end
end

(1) Forward Traffic logs are disabled at the top-level filter, so whatever we configure at the free-style level for Forward Traffic will have no effect: such logs are not sent at all, so the free-style filter never sees them.

Why

A Fortigate produces a lot of logs, both traffic and event based. When exporting these logs to outside log servers, like Fortianalyzer or Syslog, you may want to control which logs are sent to which FAZ/Syslog. A common case is sending only the logs of highest importance to a log server dedicated to that severity.

For example, you may want to send only (un)successful administrator logins to the dedicated FAZ.

Here is how to do it:

First, we need to identify, either from the logs themselves or from the FortiOS Log Reference, the logid of the logs we want to single out. In this case these are 0100032001 for a successful admin login and 0100032002 for a failed one.

Next, we configure what is called a free-style filter for the destination FAZ. If it is the 2nd FAZ, we set it under fortianalyzer2:

config log fortianalyzer2 setting
    set status enable
    set server "10.100.104.177"
    set serial "FAZAWSTA230023333"
    set upload-option realtime
end

config log fortianalyzer2 filter
    config free-style
        edit 1
            set category event                              <-- TYPE OF LOGS, EVENT vs TRAFFIC
            set filter "logid 0100032002 logid 0100032001"  <-- MSGS TO INCLUDE
            set filter-type include                         <-- THIS IS THE DEFAULT, SO IT WILL NOT APPEAR IN THE CONFIG AFTERWARDS
        next
    end
end

Now FAZ2 will ONLY get the events for admin login successful and admin login failed, while still receiving ALL traffic logs, because the free-style filter applies to the event category only. The other FAZes configured will not be affected, as the filter is per destination server.
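To make the two-level filtering model from "Some Facts" and the admin-login example above concrete, here is a small Python model of the decision a destination filter makes for each raw log. It is an added example written for this post, not FortiOS code or Fortinet's documented algorithm. It assumes: raw logs in FortiGate's key=value style with a few constructed sample lines (IPs, times and the logout/traffic logids are made up for the example; only 0100032001 and 0100032002 come from the post); a simplified mapping from type/subtype to the top-level category name; and a free-style matching rule where repeated pairs for the same field are alternatives (as in the post's "logid ... logid ..." filter) while pairs for different fields must all match, the latter being an assumption of this model only.

```python
from collections import defaultdict
from fnmatch import fnmatchcase
import shlex

# Constructed sample raw logs in key=value style. Values are made up for this
# example; 0100032001/0100032002 are the admin login success/failure logids
# from the post, the other logids and addresses are placeholders.
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:01 logid="0100032001" type="event" subtype="system" '
    'level="information" user="admin" ui="ssh(10.0.0.5)" action="login" status="success" '
    'msg="Administrator admin logged in successfully from ssh(10.0.0.5)"',
    'date=2024-05-01 time=10:00:05 logid="0100032002" type="event" subtype="system" '
    'level="alert" user="admin" ui="ssh(10.0.0.9)" action="login" status="failed" '
    'msg="Administrator admin login failed from ssh(10.0.0.9)"',
    'date=2024-05-01 time=10:00:07 logid="0100032003" type="event" subtype="system" '
    'level="information" user="admin" action="logout" msg="Administrator admin logged out"',
    'date=2024-05-01 time=10:00:09 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.0.0.5 dstip=8.8.8.8 action="accept"',
    'date=2024-05-01 time=10:00:11 logid="0001000014" type="traffic" subtype="local" '
    'srcip=10.0.0.5 dstip=10.0.0.1 action="accept"',
]


def parse_raw_log(line):
    """Split a key=value raw log into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def log_category(fields):
    """Simplified mapping (assumed for this example) from a parsed log to the
    top-level filter category: event logs -> 'event', traffic logs ->
    '<subtype>-traffic' such as forward-traffic or local-traffic."""
    if fields.get("type") == "traffic":
        return f"{fields.get('subtype')}-traffic"
    return fields.get("type", "unknown")


def parse_filter(expr):
    """'logid 0100032002 logid 0100032001' -> {'logid': ['0100032002', '0100032001']}."""
    tokens = expr.split()
    if len(tokens) % 2:
        raise ValueError("filter must consist of field/value pairs: " + expr)
    patterns = defaultdict(list)
    for field, value in zip(tokens[::2], tokens[1::2]):
        patterns[field].append(value)
    return patterns


def matches(fields, patterns):
    """Every named field must match one of its patterns; * is a wildcard."""
    return all(
        any(fnmatchcase(fields.get(field, ""), pat) for pat in pats)
        for field, pats in patterns.items()
    )


def logs_sent(raw_logs, top_level, free_style):
    """Return the raw logs that reach one destination.
    top_level: {category: enabled}; categories not listed count as enabled.
    free_style: list of {'category', 'filter', 'filter-type'} entries."""
    sent = []
    for line in raw_logs:
        fields = parse_raw_log(line)
        category = log_category(fields)
        if not top_level.get(category, True):
            continue  # stage 1: disabled at top level, free-style never sees it
        relevant = [f for f in free_style if f["category"] == category]
        includes = [f for f in relevant if f.get("filter-type", "include") == "include"]
        excludes = [f for f in relevant if f.get("filter-type", "include") == "exclude"]
        if any(matches(fields, parse_filter(f["filter"])) for f in excludes):
            continue  # stage 2a: an exclude filter matched
        if includes and not any(matches(fields, parse_filter(f["filter"])) for f in includes):
            continue  # stage 2b: include filters exist for this category and none matched
        sent.append(line)
    return sent


def admin_login_only():
    """The post's FAZ2 example: only admin login success/failure events, all traffic."""
    return logs_sent(SAMPLE_LOGS, top_level={}, free_style=[
        {"category": "event", "filter": "logid 0100032002 logid 0100032001"},
    ])


def forward_traffic_disabled():
    """The 'Some Facts' example: forward-traffic disabled at the top level."""
    return logs_sent(SAMPLE_LOGS, top_level={"forward-traffic": False}, free_style=[
        {"category": "event", "filter": "logid 0100032002 logid 0100032001"},
    ])


if __name__ == "__main__":
    for line in admin_login_only():
        f = parse_raw_log(line)
        print(f["logid"], f["type"], f.get("subtype"))
```

Running it prints the two login events and both traffic logs; the logout event is dropped because the event category has an include filter it does not match. Swapping the filter value for "logid 01000320*" shows the wildcard letting all three event lines through, and setting "filter-type" to "exclude" inverts the selection for that category only.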
