GLOBALSAT
New Contributor

Fortigate 60F Sending Wrong LOGS to Syslog Server - Filter

Hi everyone

 

I've been struggling to set up my FortiGate 60F (7.2.7 build 1577, Mature) to send the correct log messages to my rsyslog server on my local network.

At the moment, with the config below, the filter does not seem to work properly and my syslog server receives all logs based on severity and not by event type. E.g., I've tried to disable VPN logs but I keep receiving them. See an example below (I've hidden my 60F info):

 

2024-03-08T14:22:16.215750+00:00 _gateway date=2024-03-08 time=11:22:16 devname="HIDE" devid="HIDE" eventtime=1709907736095925120 tz="-0300" logid="0101037124" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action="negotiate" remip=HIDE locip=HIDE remport=500 locport=500 outintf="ppp2" cookies="63d0bea85e9c0400/0000000000000000" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="negotiate_error" reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE" advpnsc=0

2024-03-08T14:22:16.215750+00:00 _gateway date=2024-03-08 time=11:22:16 devname="HIDE" devid="HIDE" eventtime=1709907736095963740 tz="-0300" logid="0101037128" type="event" subtype="vpn" level="error" vd="root" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=HIDE locip=HIDE remport=500 locport=500 outintf="ppp2" cookies="63d0bea85e9c0400/0000000000000000" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="failure" init="remote" mode="main" dir="inbound" stage=1 role="responder" result="ERROR" advpnsc=0

 

 

config log syslogd setting
    set status enable
    set server "172.31.254.5"
    set mode udp
    set port 514
    set facility user
    set source-ip "172.31.254.1"
    set format default
    set priority default
    set max-log-rate 0
    set interface-select-method auto
end

config log syslogd filter
    set severity warning
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set ztna-traffic disable
    set anomaly disable
    set voip disable
end

config log eventfilter
    set event enable
    set system enable
    set vpn disable
    set user enable
    set router disable
    set wireless-activity disable
    set wan-opt disable
    set endpoint disable
    set ha disable
    set security-rating disable
    set fortiextender disable
    set connector disable
    set sdwan disable
    set cifs disable
    set switch-controller disable
    set webproxy disable
end

 

My desire is to receive logs based on the following event types: system activity events and user activity events

 

Has anyone gone through this problem before? Does anyone know what could possibly be wrong in this setup?

 

Kind Regards
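As an added example (not from the post above and not Fortinet code), here is a small Python script that does the collector-side check for this situation: it parses the key=value body that FortiOS writes in `set format default`, applies the filter the post is aiming for (type=event, subtype system or user, severity warning or more severe) to what the rsyslog server actually received, and tallies the (type, subtype) pairs that are arriving. Run over a capture of the syslog input, the tally shows directly whether the FortiGate-side filter is in effect, and the "should not have been forwarded" list points at the records to chase. The two VPN records are abridged from the post; the system and user records are constructed for this example and their field values are illustrative only.

```python
"""Collector-side check of a FortiGate syslog feed against an intended filter.

Added example, not from the original post or from Fortinet. Parses the
key=value records FortiOS emits with 'set format default' and reports
which ones match "type=event, subtype in {system, user}, severity >= warning".
"""
import re
from collections import Counter

# FortiOS severity order: emergency is most severe (0), debug least (7).
# The CLI option is 'notification'; the level= field in records reads 'notice'.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notification": 5, "notice": 5,
            "information": 6, "debug": 7}

# One key=value pair: the value is either "quoted, may contain spaces" or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line: str) -> dict:
    """Return the key=value fields of one record. The syslog header
    (timestamp, hostname) contains no '=' and is skipped by the regex."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def wanted(fields: dict, subtypes=frozenset({"system", "user"}),
           min_severity: str = "warning") -> bool:
    """True if the record matches the poster's intent: an event log of an
    allowed subtype at the configured severity or more severe."""
    if fields.get("type") != "event" or fields.get("subtype") not in subtypes:
        return False
    return SEVERITY.get(fields.get("level", "debug"), 7) <= SEVERITY[min_severity]


def audit(lines):
    """Tally (type, subtype) of every record received and list the ones that
    should not have been forwarded, as (logid, subtype, level, logdesc)."""
    seen = Counter()
    unexpected = []
    for line in lines:
        f = parse_fortigate_line(line)
        if not f:  # empty line or not a FortiGate record
            continue
        seen[(f.get("type"), f.get("subtype"))] += 1
        if not wanted(f):
            unexpected.append((f.get("logid"), f.get("subtype"),
                               f.get("level"), f.get("logdesc")))
    return seen, unexpected


# Sample input. Records 1 and 2 are abridged from the post; records 3 and 4
# are constructed for this example and their field values are illustrative.
SAMPLE_LINES = [
    '2024-03-08T14:22:16.215750+00:00 _gateway date=2024-03-08 time=11:22:16 devname="HIDE" '
    'devid="HIDE" eventtime=1709907736095925120 tz="-0300" logid="0101037124" type="event" '
    'subtype="vpn" level="error" vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" '
    'action="negotiate" remip=HIDE locip=HIDE remport=500 locport=500 outintf="ppp2" '
    'status="negotiate_error" reason="peer SA proposal not match local policy" advpnsc=0',
    '2024-03-08T14:22:16.215750+00:00 _gateway date=2024-03-08 time=11:22:16 devname="HIDE" '
    'devid="HIDE" eventtime=1709907736095963740 tz="-0300" logid="0101037128" type="event" '
    'subtype="vpn" level="error" vd="root" logdesc="Progress IPsec phase 1" '
    'msg="progress IPsec phase 1" action="negotiate" status="failure" result="ERROR" advpnsc=0',
    # constructed: a system event at severity alert, which the filter should pass
    '2024-03-08T14:25:00.000000+00:00 _gateway date=2024-03-08 time=11:25:00 devname="HIDE" '
    'devid="HIDE" tz="-0300" logid="0100032002" type="event" subtype="system" level="alert" '
    'vd="root" logdesc="Admin login failed" user="admin" action="login" status="failed"',
    # constructed: a user event at severity information, below the warning threshold
    '2024-03-08T14:26:00.000000+00:00 _gateway date=2024-03-08 time=11:26:00 devname="HIDE" '
    'devid="HIDE" tz="-0300" logid="0102043008" type="event" subtype="user" level="information" '
    'vd="root" logdesc="Authentication success" user="jdoe" action="authentication"',
]

if __name__ == "__main__":
    seen, unexpected = audit(SAMPLE_LINES)
    for (typ, sub), n in sorted(seen.items()):
        print(f"received {typ}/{sub}: {n}")
    for rec in unexpected:
        print("should not have been forwarded:", rec)
```

Pointing `audit()` at the lines rsyslog wrote for the 172.31.254.1 source gives a per-subtype count; any subtype other than system or user appearing in that count means the device-side filter is not taking effect, regardless of what the CLI shows. The severity check is there because `set severity warning` is applied to the records that remain, so a user-activity event logged at information level is dropped too, which is easy to mistake for the subtype filter working.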

Raghu_Kumar
Staff

Hello,

 

According to the documentation it should be possible:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD40645 "Technical Note: Using Syslog Filters on FortiGate to send only specific logs to Syslog Server"

Navigate to Log & Report > Log Settings > Event Logging, choose Customize, and then select System activity events.



Regards,

Raghuram Kumar