Tech newbie here.

I want to send Fortigate logs to a syslog server. Previously, I was receiving way too many unnecessary firewall logs, 90% of them with a security level of "notice." I have used this solution in the CLI to change the level of logs that I receive (so I'm not getting a bunch of useless logs anymore).

The problem is, I do want to keep the logs that tell me when I've logged into Fortigate/my system, but since that was labeled as "notice," I'm not receiving login session logs anymore. Is there any way for me to configure the security level of login session logs to "warning" so I can receive those (and not the other "notice" logs)? And if so, how?

OR, if there's another workaround to this problem other than changing the security level of the individual login session log, any tips are welcome!

Please speak in simple terms - I have just started playing with this :)

1 Answer

What you can do is set a filter for this login event separately. Look at this:

config log syslogd filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set filter "logid(0100032001,0100032003)"
    set filter-type include
end

You see that you can enable/disable certain sources (which does not include FortiOS itself; the login event is a FortiOS event), which might help in reducing the amount of logs anyway. But, in addition, you would create a filter which allows these events which you would like to see to be sent.

Adding the logID for the event(s) to be included implies all other events are excluded.

You get the logID from "FortiOS Log Message Reference" from docs.fortinet.com. This event is called 'LOG_ID_ADMIN_LOGIN_SUCC'. 32003 is the ID for admin logout.

Lastly, the login/logout events are on level 'information', not 'notice'.
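Added example, not part of the question or the answer above and not Fortinet's code: a small Python model of the receiving side that parses FortiOS-style key=value syslog lines and applies the two filtering rules discussed in the answer (a minimum severity, then an optional logid include/exclude list, assumed here to be applied one after the other). It shows why a severity threshold of "warning" silently drops the admin login/logout events, which are emitted at level "information", and why the logid include filter keeps exactly those two events. The log IDs 0100032001 and 0100032003 come from the answer; every other field, value and log ID in the sample lines is constructed for this example.

```python
import re

# FortiOS syslog severity names, most severe first (matches the syslog levels
# the "set severity" keyword accepts).
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "information", "debug"]

# key=value pairs; values are either quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines in FortiOS key=value layout. Only the two admin
# log IDs are taken from the answer; device names, addresses and the other
# log IDs are invented for this example and are not real FortiOS identifiers.
SAMPLE_LOGS = [
    # Admin login success (logid 0100032001), level "information".
    'date=2024-05-01 time=09:15:02 devname="fw-lab" devid="FGT-LAB-0001" '
    'logid="0100032001" type="event" subtype="system" level="information" '
    'vd="root" logdesc="Admin login successful" user="admin" '
    'ui="https(192.0.2.10)" method="https" srcip=192.0.2.10 action="login" '
    'status="success" msg="Administrator admin logged in successfully from https(192.0.2.10)"',
    # Admin logout (logid 0100032003), level "information".
    'date=2024-05-01 time=09:40:11 devname="fw-lab" devid="FGT-LAB-0001" '
    'logid="0100032003" type="event" subtype="system" level="information" '
    'vd="root" logdesc="Admin logout successful" user="admin" '
    'ui="https(192.0.2.10)" method="https" srcip=192.0.2.10 action="logout" '
    'status="success" msg="Administrator admin logged out from https(192.0.2.10)"',
    # Noisy notice-level traffic log (constructed logid).
    'date=2024-05-01 time=09:16:30 devname="fw-lab" devid="FGT-LAB-0001" '
    'logid="0000099901" type="traffic" subtype="forward" level="notice" '
    'vd="root" srcip=192.0.2.55 dstip=198.51.100.7 action="accept" policyid=3',
    # Warning-level event that a "warning" severity threshold keeps (constructed logid).
    'date=2024-05-01 time=09:18:45 devname="fw-lab" devid="FGT-LAB-0001" '
    'logid="0100099902" type="event" subtype="system" level="warning" '
    'vd="root" logdesc="Constructed warning event" msg="constructed sample"',
]


def parse_fortios_line(line):
    """Parse one FortiOS key=value line into a dict, stripping value quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def severity_passes(level, threshold):
    """True if `level` is at least as severe as `threshold` (lower index = more severe)."""
    if level not in SEVERITY_ORDER or threshold not in SEVERITY_ORDER:
        return False  # unknown level names are treated as filtered out
    return SEVERITY_ORDER.index(level) <= SEVERITY_ORDER.index(threshold)


def logid_filter_passes(fields, logids, filter_type):
    """Model of 'set filter logid(...)' with 'set filter-type include|exclude'."""
    matched = fields.get("logid") in logids
    return matched if filter_type == "include" else not matched


def apply_filter(lines, severity, logids=None, filter_type="include"):
    """Return the parsed events that survive the severity gate and the logid filter."""
    kept = []
    for line in lines:
        fields = parse_fortios_line(line)
        if "level" not in fields or "logid" not in fields:
            continue  # not a FortiOS event line; skip it
        if not severity_passes(fields["level"], severity):
            continue
        if logids is not None and not logid_filter_passes(fields, logids, filter_type):
            continue
        kept.append(fields)
    return kept


def kept_logids(lines, severity, logids=None, filter_type="include"):
    """Convenience wrapper: just the log IDs of the surviving events, in input order."""
    return [f["logid"] for f in apply_filter(lines, severity, logids, filter_type)]


if __name__ == "__main__":
    # The asker's situation: severity raised to "warning" drops the admin events.
    print("severity=warning only:", kept_logids(SAMPLE_LOGS, "warning"))
    # The answer's configuration: severity "information" plus a logid include list.
    admin_ids = {"0100032001", "0100032003"}
    print("severity=information + logid include:",
          kept_logids(SAMPLE_LOGS, "information", admin_ids))
```

Running it prints `['0100099902']` for the severity-only configuration (both admin events are gone) and `['0100032001', '0100032003']` for the answer's configuration. The same parser can be pointed at a real syslog capture to confirm the login and logout events actually arrive after the change.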
