The tags beginning with firewall.fortinet identify log events generated by the following Fortinet technologies:
- Fortinet FortiGate
- Fortinet Unified Threat Management (UTM)
There are a large number of firewall.fortinet tags to accommodate the wide range of log types possible.
The full tag must have at least two levels, although most tags require three or four. The first two levels are fixed as firewall.fortinet. The third level identifies the technology type and must be one of event, traffic, ips, utm, or anomaly. The fourth level is not always required, but when present it is usually fixed and may be generated automatically by the Devo relay rule.
|Level 1|Level 2|Level 3|Level 4|
|---|---|---|---|
|firewall|fortinet|event, traffic, ips, utm or anomaly|may be fixed and required|
Here's a complete list of valid tags:
For more information, read more about Devo tags.
Devo Relay rule
You will need to define a relay rule that can correctly identify the event type and apply the corresponding tag. The events are identified by the source port that they are received on and by matching a format defined by a regular expression.
When the source conditions are met, the relay will apply a tag that begins with firewall.fortinet. A regular expression in the Source Data field describes the format of the event data.
Depending on the format of the sent event data, you must enter a different regular expression in the Source Data field:
- Regular expression to use when events are received in CSV format without quotes → ,type=([^,]+),subtype=([^,]+)(,|$)
- Regular expression to use when events are received in CSV format with double quotes → ,type=\"([^,]+)\",subtype=\"([^,]+)\"(,|$)
Data is then extracted from the event and used to create the third and fourth levels of the tag as needed. In the example below the rule is defined with the following settings:
- Source Port → 13003
- Source Data → ,type=([^,]+),subtype=([^,]+)(,|$) (this regular expression is based on receiving events in CSV format without quotes, as explained above)
- Target Tag → firewall.fortinet.\D1.\D2
- Target Message → \D0
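To see what the relay rule above actually produces, the following Python snippet emulates it: it checks the source port, runs the Source Data regular expression over the event, and builds the Target Tag from the two capture groups (\D1 and \D2) with the whole event as the Target Message (\D0). It also shows the failure mode the two regular expressions exist to avoid: applying the unquoted-CSV pattern to double-quoted CSV yields a tag whose third level is "traffic" (quotes included), which is not one of the five valid technology types. This is an added example written for this page, not Devo or Fortinet code; the sample log lines are constructed, the device id is a placeholder, and the assumption that \D0 means the entire received event is noted in the code.

```python
import re

TAG_PREFIX = "firewall.fortinet"
# Third tag level must be one of these (from the page).
VALID_TYPES = {"event", "traffic", "ips", "utm", "anomaly"}

# The two Source Data regular expressions quoted on the page.
RE_CSV_UNQUOTED = re.compile(r',type=([^,]+),subtype=([^,]+)(,|$)')
RE_CSV_QUOTED = re.compile(r',type=\"([^,]+)\",subtype=\"([^,]+)\"(,|$)')

# Constructed sample events in FortiGate CSV form (device id is a placeholder).
UNQUOTED_EVENT = ('date=2024-01-15,time=10:21:03,devname=fgt-lab,devid=FGT-PLACEHOLDER,'
                  'logid=0000000013,type=traffic,subtype=forward,level=notice,vd=root,'
                  'srcip=10.0.0.5,dstip=10.0.1.7,action=accept')
QUOTED_EVENT = ('date="2024-01-15",time="10:21:03",devname="fgt-lab",devid="FGT-PLACEHOLDER",'
                'logid="0000000013",type="traffic",subtype="forward",level="notice",vd="root",'
                'srcip="10.0.0.5",dstip="10.0.1.7",action="accept"')


def apply_relay_rule(raw_event, source_port, source_data, listen_port=13003):
    """Emulate one Devo relay rule.

    Fires only when the event arrived on the configured Source Port and the
    Source Data regex matches. Returns (target_tag, target_message) or None.
    Assumption: \\D0 is the whole received event, \\D1/\\D2 the capture groups.
    """
    if source_port != listen_port:
        return None
    m = source_data.search(raw_event)
    if m is None:
        return None
    d1, d2 = m.group(1), m.group(2)             # \D1 = type, \D2 = subtype
    target_tag = f"{TAG_PREFIX}.{d1}.{d2}"      # firewall.fortinet.\D1.\D2
    return target_tag, raw_event                # Target Message = \D0


def tag_is_valid(tag):
    """Check the tag against the page's rules: prefix firewall.fortinet and a
    third level that is one of the allowed technology types."""
    levels = tag.split(".")
    return (len(levels) >= 3
            and levels[0] == "firewall"
            and levels[1] == "fortinet"
            and levels[2] in VALID_TYPES)


if __name__ == "__main__":
    for name, event, rx in (("unquoted", UNQUOTED_EVENT, RE_CSV_UNQUOTED),
                            ("quoted", QUOTED_EVENT, RE_CSV_QUOTED),
                            ("quoted data, unquoted rule", QUOTED_EVENT, RE_CSV_UNQUOTED)):
        result = apply_relay_rule(event, 13003, rx)
        tag = result[0] if result else None
        print(f"{name:28s} -> {tag}  valid={tag is not None and tag_is_valid(tag)}")
```

Running the block shows the first two cases tagged firewall.fortinet.traffic.forward and the mismatched case tagged firewall.fortinet."traffic"."forward", which tag_is_valid rejects. A quick check of this kind against a few real events is worth doing before pointing the FortiGate at the relay, since an event that matches neither pattern is simply not tagged and will not reach the expected Devo table.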
You need to have the Devo Relay IP address and the listening port number on hand when you configure your FortiGate product. In our example, here and in the relay rule above, we are sending FortiGate log events to the relay in CSV format.
- Using the FortiGate GUI, go to Log & Report → Log settings to configure the Devo Relay as a remote syslog server.
- Using the FortiGate CLI, enter the following commands, where set server sets the Devo Relay IP address and set port the port the relay rule listens on:
config log syslogd setting
    set status enable
    set csv enable
    set reliable disable
    set facility local7
    set server xx.xx.xx.xx
    set port 13003
end
For more details about FortiGate logging, see the vendor documentation.