Yuri Slobodyanyuk Blog on Information Security 23 July 2024
Fortigate - set filters on logs exported to Fortianalyzer or Syslog
This article explains in detail how to configure log filtering on a Fortigate, including how to filter on specific log categories and how to set include and exclude filters so that important logs are sent to a remote server. It also explains why the large volume of logs a Fortigate produces needs to be exported by category, and how to filter admin login success or failure logs by log ID.

📌 Fortigate log filter configuration lets you filter per log category, such as events or traffic. By configuring free-style filters you can match on any raw log field, and the wildcard * matches anything.

📌 Filter behavior and syntax changed starting with FortiOS 7.0; all examples in this article were tested on Fortigate 7.4.3. Filters have two actions, include and exclude: include sends the matched logs to the remote server, exclude does the opposite.

📌 Filters have a two-level hierarchy: the top-level filter and the free-style filter beneath it. This means the free-style filter can only see and filter the logs the top-level filter passes to it. For example, if the top-level filter disables forward-traffic logs, no free-style filter configuration for them has any effect.

📌 A Fortigate produces a large volume of logs, both traffic-based and event-based. To send logs of differing importance to different log servers, such as Fortianalyzer or Syslog, filtering must be configured. Usually the highest-importance logs are sent to a dedicated log server.

📌 By identifying the log ID, a free-style filter can be configured to single out specific logs, such as admin login success or failure. The configuration specifies the log category, the messages to include and the filter type. Each Fortianalyzer server's filter configuration is independent and does not affect the other servers.

Some Facts

    Free-style filtering is per category, so any filter you configure is for a specific category of logs only, e.g. Events, UTM.

    You can filter on ANY field in the raw log

    Value for the filter allows wildcard * which matches anything.

    Behavior and syntax changed starting with FortiOS 7.0 and up, all examples below were tested on Fortigate 7.4.3.

    We have 2 types of filters by action: include and exclude. For include the matched logs are included and sent to the remote server. For the exclude it is vice versa.

    Filters have a 2-level hierarchy: the top-level filter and below it the free-style filter. This means the free-style filter can only see and filter logs that the top-level filter sends to it. E.g.:

    config log fortianalyzer filter
        set forward-traffic disable    (1)
        config free-style
            edit 1
                set category event
                set filter "logid 0100032002 logid 0100032001"
            next
        end
    end

    (1) Forward-traffic logs are disabled at the top-level filter, so whatever we configure at the free-style filter level for forward traffic has no effect: such logs are never sent at all.

Why

Fortigate produces a lot of logs, both traffic- and event-based. When exporting these logs to outside log servers, like Fortianalyzer or Syslog, you may want to separate which logs are sent to which FAZ/Syslog. Usually the aim is to send the logs of highest importance to a log server dedicated to that severity.

For example, you may want to send only (un)successful administrator logins to the dedicated FAZ.

Here is how to do it:

    First, we need to identify, either from the logs or from the FortiOS Log Reference, the logid of the logs we want to single out. In this case these are 0100032001 for success and 0100032002 for failure.

    Next, we configure what is called a free-style filter for the destination FAZ. If it is the 2nd FAZ, we set it under fortianalyzer2:

    config log fortianalyzer2 setting
        set status enable
        set server "10.100.104.177"
        set serial "FAZAWSTA230023333"
        set upload-option realtime
    end
    config log fortianalyzer2 filter
        config free-style
            edit 1
                set category event                                <-- TYPE OF LOGS, EVENT vs TRAFFIC
                set filter "logid 0100032002 logid 0100032001"   <-- MSGS TO INCLUDE
                set filter-type include                           <-- THIS IS THE DEFAULT, SO IT WILL NOT APPEAR AFTERWARDS
            next
        end
    end

Now FAZ2 will ONLY get the events for admin login successful and admin login failed, while still receiving ALL traffic logs. The other FAZes configured will not be affected, as the filter is per destination server.
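To check what a given filter set would actually forward before pointing it at a production FAZ, it helps to model the two-stage behavior described above (top-level filter first, then the per-category free-style include/exclude filters) against a handful of raw log lines. The following Python script is an added example, not code from the original post or from Fortinet. The sample log lines are constructed; apart from the two admin-login logids taken from the post, the logids in them are placeholders. The matching semantics it assumes (repeated values for the same field are OR'd, different fields are AND'd, `*` is a wildcard, and the mapping from a traffic log's subtype to its top-level option such as forward-traffic) are the author's model of the post's description, not verified FortiOS behavior. It reproduces both configurations from the post: the first, where forward-traffic is disabled at the top level, and the fortianalyzer2 one, where only the free-style filter applies.

```python
"""Model of FortiOS two-level log filtering: top-level filter, then free-style filters."""
import fnmatch
import shlex
from collections import defaultdict

# Constructed sample raw log lines in FortiOS key=value style; not captured from a device.
# Only 0100032001 / 0100032002 are real logids (from the post); the others are placeholders.
SAMPLE_LOGS = [
    'date=2024-07-23 type=event subtype=system logid=0100032001 user="admin" action=login status=success',
    'date=2024-07-23 type=event subtype=system logid=0100032002 user="admin" action=login status=failed',
    'date=2024-07-23 type=event subtype=system logid=0100099999 user="admin" action=Edit',
    'date=2024-07-23 type=traffic subtype=forward logid=0000099998 srcip=10.0.0.5 dstip=10.0.0.9 action=accept',
    'date=2024-07-23 type=traffic subtype=local logid=0001099997 srcip=10.0.0.5 action=deny',
]

# Assumed mapping from a traffic log's subtype to the top-level filter option that gates it.
TOP_LEVEL_OPTION = {"forward": "forward-traffic", "local": "local-traffic", "multicast": "multicast-traffic"}


def parse_log(line):
    """Parse one raw log line into a dict of field -> value; shlex strips the quotes around values."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def parse_filter(expr):
    """Turn 'logid 0100032002 logid 0100032001' into {'logid': ['0100032002', '0100032001']}."""
    tokens = expr.split()
    if len(tokens) % 2:
        raise ValueError("filter expression must be field/value pairs: %r" % expr)
    wanted = defaultdict(list)
    for field, pattern in zip(tokens[::2], tokens[1::2]):
        wanted[field].append(pattern)
    return dict(wanted)


def matches(fields, wanted):
    """Assumed semantics: patterns for one field are OR'd, distinct fields are AND'd, '*' is a wildcard."""
    return all(
        any(fnmatch.fnmatchcase(fields.get(field, ""), p) for p in patterns)
        for field, patterns in wanted.items()
    )


def forwarded_logs(lines, top_level, free_style):
    """Return the logids this model would send to one log destination.

    top_level:  dict of top-level option -> enabled (missing options count as enabled).
    free_style: list of dicts with 'category', 'filter' and optional 'filter-type' (default include).
    """
    sent = []
    for line in lines:
        fields = parse_log(line)
        category = "event" if fields.get("type") == "event" else "traffic"
        # Stage 1: top-level filter. A disabled option drops the log before free-style ever sees it.
        option = TOP_LEVEL_OPTION.get(fields.get("subtype")) if category == "traffic" else None
        if option and not top_level.get(option, True):
            continue
        # Stage 2: free-style filters, which only apply to their own category.
        mine = [f for f in free_style if f["category"] == category]
        includes = [f for f in mine if f.get("filter-type", "include") == "include"]
        excludes = [f for f in mine if f.get("filter-type", "include") == "exclude"]
        if includes and not any(matches(fields, parse_filter(f["filter"])) for f in includes):
            continue
        if any(matches(fields, parse_filter(f["filter"])) for f in excludes):
            continue
        sent.append(fields["logid"])
    return sent


# The post's first config: forward-traffic disabled at the top level, admin-login logids included.
FAZ1_TOP = {"forward-traffic": False}
FAZ1_FREE = [{"category": "event", "filter": "logid 0100032002 logid 0100032001"}]

# The post's fortianalyzer2 config: no top-level restriction, same free-style include filter.
FAZ2_TOP = {}
FAZ2_FREE = [{"category": "event", "filter": "logid 0100032002 logid 0100032001", "filter-type": "include"}]

if __name__ == "__main__":
    print("FAZ1 receives:", forwarded_logs(SAMPLE_LOGS, FAZ1_TOP, FAZ1_FREE))
    print("FAZ2 receives:", forwarded_logs(SAMPLE_LOGS, FAZ2_TOP, FAZ2_FREE))
```

With the first configuration the forward-traffic line never reaches the free-style stage, the local-traffic line passes because no traffic filter exists, and only the two admin-login events survive the event include filter. With the fortianalyzer2 configuration every traffic line is forwarded as well, which is exactly the "only these events, but ALL traffic logs" outcome the post describes. Swapping the filter for `logid 01000320*` or setting `filter-type` to `exclude` shows the wildcard and the inverse action in the same model.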
