The tags beginning with firewall.fortinet identify log events generated by the following Fortinet technologies:
- Fortinet FortiGate
- Fortinet Unified Threat Management (UTM)
There are a large number of firewall.fortinet tags to accommodate the wide range of log types possible.
The full tag must have at least two levels, although most tags require three or four. The first two levels are fixed as firewall.fortinet. The third level identifies the technology type and must be one of event, traffic, ips, utm, or anomaly. The fourth level is not always required, and you are free to define it as you like.
Here's a complete list of valid tags:
For more information, read more about Devo tags.
Devo Relay rule
You will need to define a relay rule that can correctly identify the event type and apply the corresponding tag. The events are identified by the source port that they are received on and by matching a format defined by a regular expression.
When the source conditions are met, the relay applies a tag that begins with firewall.fortinet. A regular expression in the Source Data field describes the format of the event data. Values captured from the event are used to build the third and fourth tag levels as needed.
In the example below the rule is defined with the following settings:
- Source Port → 13003
- Source Data → ,type=([^,]+),subtype=([^,]+)(,|$)
- Target Tag → firewall.fortinet.\D1.\D2
- Target Message → \D0
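The following is an added example, not part of the Devo documentation or the relay itself: a small Python simulation of the rule above, run over constructed FortiGate CSV lines. It applies the Source Port check and the Source Data regular expression, expands the \D placeholders into the Target Tag and Target Message (this example assumes \D0 stands for the whole event and \Dn for capture group n), and additionally flags tags whose third level is not one of the five values the text lists, so you can spot events that would land under an unexpected tag. The sample events, the device name and the `VALID_TYPES` check are constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample FortiGate events in CSV format (key=value pairs separated by
# commas). They are invented for this example, not captured production logs.
SAMPLE_EVENTS = [
    "date=2024-01-15,time=10:21:33,devname=fg-edge,type=traffic,subtype=forward,action=accept",
    "date=2024-01-15,time=10:21:34,devname=fg-edge,type=utm,subtype=virus,action=blocked",
    "date=2024-01-15,time=10:21:35,devname=fg-edge,type=event,subtype=system",
    "date=2024-01-15,time=10:21:36,devname=fg-edge,type=unknownkind,subtype=x,action=accept",
    "date=2024-01-15,time=10:21:37,devname=fg-edge,msg=no type field in this line",
]

# Relay rule settings taken from the text above.
SOURCE_PORT = 13003
SOURCE_DATA = re.compile(r",type=([^,]+),subtype=([^,]+)(,|$)")
TARGET_TAG = r"firewall.fortinet.\D1.\D2"
TARGET_MESSAGE = r"\D0"

# Third-level values the page lists as valid for firewall.fortinet tags.
VALID_TYPES = {"event", "traffic", "ips", "utm", "anomaly"}


def expand(template: str, event: str, match: re.Match) -> str:
    """Expand \\Dn placeholders. Assumption: \\D0 is the whole event, \\Dn is capture group n."""
    def repl(m: re.Match) -> str:
        n = int(m.group(1))
        return event if n == 0 else match.group(n)
    return re.sub(r"\\D(\d+)", repl, template)


def apply_rule(event: str, port: int) -> Optional[dict]:
    """Return the tag/message the rule would produce, or None if the rule does not fire."""
    if port != SOURCE_PORT:
        return None                      # Source Port condition not met
    m = SOURCE_DATA.search(event)
    if m is None:
        return None                      # no type=/subtype= pair: event stays untagged
    tag = expand(TARGET_TAG, event, m)
    return {
        "tag": tag,
        "message": expand(TARGET_MESSAGE, event, m),
        # constructed check: third level must be one of the documented technology types
        "valid": tag.split(".")[2] in VALID_TYPES,
    }


def route(events, port: int = SOURCE_PORT):
    """Apply the rule to each event and sort results into tagged, invalid-type and untagged."""
    tagged, invalid, untagged = [], [], []
    for ev in events:
        result = apply_rule(ev, port)
        if result is None:
            untagged.append(ev)
        elif not result["valid"]:
            invalid.append(result["tag"])
        else:
            tagged.append(result["tag"])
    return tagged, invalid, untagged


if __name__ == "__main__":
    tagged, invalid, untagged = route(SAMPLE_EVENTS)
    print("tagged:  ", tagged)
    print("invalid: ", invalid)
    print("untagged:", len(untagged), "event(s)")
```

Two points worth checking against your own relay: the `(,|$)` alternation lets the rule fire when `subtype=` is the last field on the line (the third sample), and the leading comma in `,type=` means an event that starts with `type=` would not match; FortiGate CSV lines begin with `date=`, so this is fine for the format configured below, but it is the first thing to verify if events arrive untagged.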
You need to have the Devo Relay IP address and the listening port number on hand when you configure your FortiGate product.
- Using the FortiGate GUI, go to Log & Report → Log settings to configure the Devo Relay as a remote syslog server.
- Using the FortiGate CLI, enter the following commands, replacing xx.xx.xx.xx with the In-House Relay IP address:

```
config log syslog settings
    set status enable
    set csv enable
    set reliable disable
    set facility local7
    set server xx.xx.xx.xx
    set port 13003
end
```
For more details about FortiGate logging, see the vendor documentation.