firewall.fortinet
The tags beginning with firewall.fortinet identify log events generated by the following Fortinet technologies:
Fortinet FortiGate
Fortinet Unified Threat Management (UTM)
There are a large number of firewall.fortinet tags to accommodate the wide range of log types possible.
Tag structure
The full tag must have at least two levels, although most tags require three or four levels. The first two are fixed as firewall.fortinet. The third level identifies the technology type and must be one of event, traffic, ips, utm, or anomaly. The fourth level is not always required but is usually fixed and may be automatically generated by the Devo relay rule.
Technology | Brand | Type | Subtype |
---|---|---|---|
firewall | fortinet | event, traffic, ips, utm, or anomaly | may be fixed and required |
Here's a complete list of valid tags:
firewall.fortinet
firewall.fortinet.anomaly.anomaly
firewall.fortinet.event
firewall.fortinet.event.admin
firewall.fortinet.event.config
firewall.fortinet.event.dhcp
firewall.fortinet.event.dns
firewall.fortinet.event.ha
firewall.fortinet.event.his-performance
firewall.fortinet.event.ipsec
firewall.fortinet.event.pattern
firewall.fortinet.event.perf-historical
firewall.fortinet.event.sslvpn-session
firewall.fortinet.event.sslvpn-user
firewall.fortinet.event.system
firewall.fortinet.event.user
firewall.fortinet.event.vpn
firewall.fortinet.event.wireless
firewall.fortinet.ips.anomaly
firewall.fortinet.traffic
firewall.fortinet.traffic.forward
firewall.fortinet.traffic.local
firewall.fortinet.traffic.multicast
firewall.fortinet.traffic.other
firewall.fortinet.traffic.violation
firewall.fortinet.utm.app-ctrl
firewall.fortinet.utm.dns
firewall.fortinet.utm.emailfilter
firewall.fortinet.utm.ips
firewall.fortinet.utm.virus
firewall.fortinet.utm.webfilter
For more information, see the Devo documentation on tags.
Set up the Devo relay rule
You will need to define a relay rule that can correctly identify the event type and apply the corresponding tag. Events are identified by the source port on which they are received and by matching a format defined by a regular expression.
The relay rule differs depending on whether you are using FortiAnalyzer to manage the logs or only FortiGate.
If you are using FortiAnalyzer
When the source conditions are met, the relay will apply a tag that begins with firewall.fortinet. A regular expression in the Source Data field describes the format of the event data, and the target tag definition uses capturing groups to form the third and fourth levels of the tag.
Source Port → 13003
Source Data → type=\"{0,1}([^\s^\"]+)\"{0,1}\ssubtype=\"{0,1}([^\s^\"]+)\"{0,1}
Target Tag → firewall.fortinet.\\D1.\\D2.noncsv
Check the Sent without syslog tag and Stop processing checkboxes
If you are using just FortiGate
When the source conditions are met, the relay will apply a tag that begins with firewall.fortinet. A regular expression in the Source Data field describes the format of the event data; which expression you enter depends on the format in which your version of FortiGate sends events:
Events are received in CSV format without quotes → ,type=([^,]+),subtype=([^,]+)(,|$)
Events are received in CSV format with double quotes → ,type=\"([^,]+)\",subtype=\"([^,]+)\"(,|$)
Data is then extracted from the event and used to create the third and fourth levels of the tag as needed. In the example below the rule is defined with the following settings:
Source Port → 13003
Source Data → ,type=([^,]+),subtype=([^,]+)(,|$) (this regular expression is based on receiving events in CSV format without quotes, as explained above)
Target Tag → firewall.fortinet.\\D1.\\D2
Check the Sent without syslog tag and Stop processing checkboxes
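As an added example that is not part of the Devo documentation or relay code, the following Python emulates how the three relay rules above turn the Source Data capturing groups into the third and fourth tag levels, for the FortiAnalyzer format and both FortiGate CSV formats, and checks a resulting tag against the list of valid tags on this page. The sample events are constructed and the rule names are labels chosen here.

```python
import re

# Emulation of the relay rules on this page (added example, not Devo's relay
# code). Each rule pairs the Source Data regex with the Target Tag template,
# whose \\D1 and \\D2 are replaced by the first two capturing groups.
RELAY_RULES = {
    # FortiAnalyzer: key=value syslog, values optionally double-quoted
    "fortianalyzer": (
        r'type=\"{0,1}([^\s^\"]+)\"{0,1}\ssubtype=\"{0,1}([^\s^\"]+)\"{0,1}',
        r"firewall.fortinet.\\D1.\\D2.noncsv",
    ),
    # FortiGate with CSV logging: without quotes, then with double quotes
    "fortigate_csv": (r",type=([^,]+),subtype=([^,]+)(,|$)", r"firewall.fortinet.\\D1.\\D2"),
    "fortigate_csv_quoted": (r',type=\"([^,]+)\",subtype=\"([^,]+)\"(,|$)', r"firewall.fortinet.\\D1.\\D2"),
}
# The complete list of valid firewall.fortinet tags, as given on this page.
VALID_TAGS = {"firewall.fortinet"} | {"firewall.fortinet." + s for s in """
anomaly.anomaly event event.admin event.config event.dhcp event.dns event.ha
event.his-performance event.ipsec event.pattern event.perf-historical
event.sslvpn-session event.sslvpn-user event.system event.user event.vpn
event.wireless ips.anomaly traffic traffic.forward traffic.local
traffic.multicast traffic.other traffic.violation utm.app-ctrl utm.dns
utm.emailfilter utm.ips utm.virus utm.webfilter""".split()}

def apply_rule(rule_name, event):
    """Tag the relay rule would assign, or None when Source Data does not match."""
    pattern, template = RELAY_RULES[rule_name]
    match = re.search(pattern, event)
    if match is None:
        return None  # unmatched events fall through to other relay rules untagged
    tag = template
    for i, group in enumerate(match.groups()[:2], start=1):
        tag = tag.replace(r"\\D%d" % i, group)
    return tag

def is_valid_tag(tag):
    """True if tag is one of the firewall.fortinet tags listed on this page."""
    return tag in VALID_TAGS

if __name__ == "__main__":
    # Constructed sample events, one per forwarding format described above,
    # plus a space-separated event sent to the CSV rule, which gets no tag.
    samples = [
        ("fortigate_csv", "date=2024-01-01,time=12:00:00,type=traffic,subtype=forward,action=accept"),
        ("fortigate_csv_quoted", 'date="2024-01-01",time="12:00:00",type="utm",subtype="webfilter"'),
        ("fortianalyzer", 'date=2024-01-01 time=12:00:00 type="event" subtype="system"'),
        ("fortigate_csv", "date=2024-01-01 time=12:00:00 type=event subtype=system"),
    ]
    for rule, event in samples:
        print(rule, "->", apply_rule(rule, event))
```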
Configure the forwarding of Fortinet logs
Using FortiAnalyzer
For deployments that aggregate FortiGate log data using FortiAnalyzer, follow the vendor instructions to configure the Devo relay as a remote syslog server using either the admin console or the FortiAnalyzer CLI. In both cases, you only need to enter the IP address of the Devo relay and specify the port on which you created the relay rule.
Using FortiGate/FortiOS
You need to have the Devo relay IP address and the listening port number on hand when you configure your FortiGate product. In this example, as in the relay rule above, FortiGate log events are sent to the relay in CSV format.
Using the FortiGate GUI, go to Log & Report → Log Settings and select Remote Logging and Archiving to configure the Devo relay as a remote syslog server.
Using the FortiGate CLI, enter the following commands setting the server to the Devo relay IP address and the port to the relay port on which you created the rule.
Configuring syslog server in FortiGate CLI
```
config log syslogd setting
    set status enable
    set csv enable
    set reliable enable
    set facility local7
    set server <relay_ip>
    set port <relay_port>
end
```
For more details about FortiGate logging, see the vendor documentation.