Friday, June 27, 2025

FortiGate firewall configures the Syslog filter

Reference URL:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-syslog-free-style-filters/ta-p/204606


Test
Log Example:

ssh login

Jun 28 14:06:00 192.168.100.254 date=2025-06-28 time=14:06:00 devname="Test-FW" devid="FGVMEXXXXXXXXXXX" eventtime=1751090760672765479 tz="+0800" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1751090760" user="admin" ui="ssh(192.168.100.112)" method="ssh" srcip=192.168.100.112 dstip=192.168.100.254 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from ssh(192.168.100.112)"


web login 


Jun 28 14:07:10 192.168.100.254 date=2025-06-28 time=14:07:09 devname="Test-FW" devid="FGVMEXXXXXXXXXXX" eventtime=1751090829377377416 tz="+0800" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1751090829" user="admin" ui="http(192.168.100.112)" method="http" srcip=192.168.100.112 dstip=192.168.100.254 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from http(192.168.100.112)"


=======================================================

ssh config 

Jun 28 13:48:30 192.168.100.254 date=2025-06-28 time=13:48:30 devname="Test-FW01" devid="FGVMEXXXXXXXXXXX" eventtime=1751089710571156282 tz="+0800" logid="0100032102" type="event" subtype="system" level="alert" vd="root" logdesc="Configuration changed" user="admin" ui="ssh(192.168.100.112)" msg="Configuration is changed in the admin session"

web config 

Jun 28 13:58:07 192.168.100.254 date=2025-06-28 time=13:58:07 devname="Test-FW" devid="FGVMEXXXXXXXXXXX" eventtime=1751090286557611095 tz="+0800" logid="0100032222" type="event" subtype="system" level="notice" vd="root" logdesc="Global setting changed" user="admin" ui="GUI(192.168.100.112)" field="hostname" old_value="Test-FW01" new_value="Test-FW" msg="User admin changed hostname global setting to Test-FW from GUI(192.168.100.112)"


==================================================

FTG Config 

Test-FW # config log syslogd filter

Test-FW (filter) # show
config log syslogd filter
    config free-style
        edit 1
            set category event
            set filter "logid 0100032001 0100032102 0100032222"
        next
        edit 2
            set category traffic
            set filter "srcintf port1"
        next
    end
end

Test-FW (filter) # get
severity            : information
forward-traffic     : enable
local-traffic       : enable
multicast-traffic   : enable
sniffer-traffic     : enable
ztna-traffic        : enable
anomaly             : enable
voip                : enable
gtp                 : enable
free-style:
    == [ 1 ]
    id:     1       category: event
    == [ 2 ]
    id:     2       category: traffic

Test-FW (filter) #
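As an added example (not part of the original post, and not Fortinet's code), the following Python parses FortiGate key=value syslog records like the ones above and simulates the two free-style entries from the `config log syslogd filter` block, so the selection can be checked offline against sample records before the forwarding is relied on. It assumes that the space-separated values after a field name in a free-style filter are alternatives (any one of them matching lets the record through) and that an entry's `category` corresponds to the record's `type` field. The first two sample records are shortened copies of the page's logs; the remaining records, including the placeholder logid 0100099999, are constructed for the test.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# FortiGate syslog records are space-separated key=value pairs. Values may be
# bare (srcip=192.168.100.112) or double-quoted, and quoted values may contain
# spaces and parentheses (msg="... from ssh(192.168.100.112)").
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate(line: str) -> Dict[str, str]:
    """Return the key=value fields of one FortiGate syslog line as a dict.

    The RFC 3164 prefix (timestamp and relay address) carries no '=' and is skipped.
    """
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_free_style(filter_str: str) -> Tuple[str, Set[str]]:
    """Split a free-style filter such as 'logid 0100032001 0100032102' into
    (field, {values}). Assumption: the listed values are alternatives (OR)."""
    parts = filter_str.split()
    if len(parts) < 2:
        raise ValueError(f"filter needs a field and at least one value: {filter_str!r}")
    return parts[0], set(parts[1:])


def passes_filter(record: Dict[str, str], category: str, filter_str: str) -> bool:
    """True when the record's type equals the entry's category and the filter
    field holds one of the listed values (assumed semantics, see lead-in)."""
    if record.get("type") != category:
        return False
    field, values = parse_free_style(filter_str)
    return record.get(field) in values


# The two free-style entries from the page's `config log syslogd filter` block.
FILTERS = [
    ("event", "logid 0100032001 0100032102 0100032222"),
    ("traffic", "srcintf port1"),
]


def forwarded_logids(lines: Iterable[str], filters=FILTERS) -> List[str]:
    """Return the logid of every record that at least one entry would forward."""
    out: List[str] = []
    for line in lines:
        rec = parse_fortigate(line)
        if any(passes_filter(rec, cat, flt) for cat, flt in filters):
            out.append(rec.get("logid", "?"))
    return out


# Constructed samples: the first two are shortened versions of the page's
# records; the rest are made up for the test (logid 0100099999 is a placeholder).
SAMPLE_LOGS = [
    'Jun 28 14:06:00 192.168.100.254 date=2025-06-28 time=14:06:00 devname="Test-FW" '
    'logid="0100032001" type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="ssh(192.168.100.112)" method="ssh" '
    'srcip=192.168.100.112 dstip=192.168.100.254 action="login" status="success" '
    'msg="Administrator admin logged in successfully from ssh(192.168.100.112)"',
    'Jun 28 13:48:30 192.168.100.254 date=2025-06-28 time=13:48:30 devname="Test-FW01" '
    'logid="0100032102" type="event" subtype="system" level="alert" vd="root" '
    'logdesc="Configuration changed" user="admin" ui="ssh(192.168.100.112)" '
    'msg="Configuration is changed in the admin session"',
    'Jun 28 14:09:00 192.168.100.254 date=2025-06-28 time=14:09:00 devname="Test-FW" '
    'logid="0100099999" type="event" subtype="system" level="notice" vd="root" '
    'msg="constructed event record that the filter should not forward"',
    'Jun 28 14:10:00 192.168.100.254 date=2025-06-28 time=14:10:00 devname="Test-FW" '
    'logid="0000000013" type="traffic" subtype="forward" srcintf="port1" dstintf="port2" '
    'srcip=192.168.100.112 dstip=192.0.2.10 action="accept"',
    'Jun 28 14:10:01 192.168.100.254 date=2025-06-28 time=14:10:01 devname="Test-FW" '
    'logid="0000000013" type="traffic" subtype="forward" srcintf="port2" dstintf="port1" '
    'srcip=192.0.2.10 dstip=192.168.100.112 action="accept"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = parse_fortigate(line)
        verdict = "forward" if any(passes_filter(rec, c, f) for c, f in FILTERS) else "drop"
        print(f'{verdict:7} logid={rec["logid"]} type={rec["type"]} '
              f'{rec.get("logdesc") or rec.get("msg")}')
```

Running the block prints a forward/drop verdict per sample: the two admin records and the port1 traffic record pass, the placeholder event and the port2 traffic record do not. Feeding real exported logs through `forwarded_logids` is a quick way to confirm a filter does what the `show` output suggests before the syslog server starts depending on it.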

Friday, June 13, 2025

Rsyslog: triggering an action when a specific message is received

I have long been in the habit of using the Rsyslog + logfmon combination to build small, simple network-management functions.

But logfmon, useful as it is, has not been updated for a long time, so I want to change approach and replace this combination.

https://xrcd2.blogspot.com/2016/11/logfmon.html

Use rsyslog alone to do it: trigger an action when a specific message is received.

I am not sure, though, whether this setup can pass a high-load test.

Previously Rsyslog was only responsible for writing the logs received from specific IPs to a designated location,
and logfmon did the analysis of specific messages and triggered the actions.

I will follow up after it has run in production. To be tracked.

The relevant settings are recorded below:



Enable the omprog module by adding module(load="omprog") to rsyslog.conf

and add the related settings, such as:


if ($msg contains "Login failed" or $msg contains "Configured" or  $msg contains "LINEPROTO-5-UPDOWN" or  $msg contains "Critical") then {
    action(type="omprog" binary="/usr/local/sbin/XXX.sh")
    stop
}

=========================================

XXX.sh

#!/bin/bash
# omprog feeds each matching message to this script on stdin, one per line.
# IFS= and -r keep leading whitespace and backslashes in the message intact.
while IFS= read -r line; do
  echo "收到特定訊息:$line" >> /var/log/trigger.log
  # Replace this with the action you want, for example:
  # echo "$line" | mail -s "特定訊息通知" you@example.com
done

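As an added example (not part of the original post), here is a Python handler that could be given to omprog in place of XXX.sh. Besides writing matches to /var/log/trigger.log, it addresses the load concern raised above: each keyword fires at most once per suppression window, and the number of messages skipped in between is reported with the next action, so a flood of identical messages does not turn into a flood of mails or scripts. The trigger keywords are the ones from the rsyslog condition; the 60-second window, the record format and the sample lines are my assumptions and constructed data, not anything from the post.

```python
#!/usr/bin/env python3
"""omprog handler with per-keyword suppression (added example, see lead-in)."""
import sys
import time
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, TextIO

# Keywords mirroring the page's rsyslog `contains` conditions.
TRIGGERS = ("Login failed", "Configured", "LINEPROTO-5-UPDOWN", "Critical")
TRIGGER_LOG = "/var/log/trigger.log"  # same destination as the page's script


def match_trigger(line: str, triggers=TRIGGERS) -> Optional[str]:
    """Return the first trigger keyword present in the line, or None."""
    for keyword in triggers:
        if keyword in line:
            return keyword
    return None


class TriggerHandler:
    """Decide whether a matching line should fire an action.

    Each keyword fires at most once per `window` seconds (assumed default 60);
    lines that arrive inside the window are counted and reported with the next
    action, so a burst of identical events cannot become thousands of actions.
    The clock is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, triggers=TRIGGERS, window: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.triggers = triggers
        self.window = window
        self.clock = clock
        self.last_fired: Dict[str, float] = {}
        self.suppressed: Counter = Counter()

    def process(self, line: str) -> Optional[str]:
        """Return the record to write for this line, or None (no match / suppressed)."""
        keyword = match_trigger(line, self.triggers)
        if keyword is None:
            return None
        now = self.clock()
        last = self.last_fired.get(keyword)
        if last is not None and now - last < self.window:
            self.suppressed[keyword] += 1
            return None
        self.last_fired[keyword] = now
        skipped = self.suppressed.pop(keyword, 0)
        return f"matched [{keyword}] (suppressed {skipped} earlier): {line}"


def handle_stream(lines: Iterable[str], handler: TriggerHandler,
                  out: Optional[TextIO] = None) -> List[str]:
    """Consume lines as omprog delivers them (one message per line).

    Each record is flushed immediately so nothing sits in a buffer when rsyslog
    stops the child. The records written are also returned for testing.
    """
    written: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        record = handler.process(line)
        if record is None:
            continue
        if out is not None:
            out.write(record + "\n")
            out.flush()
        written.append(record)
    return written


if __name__ == "__main__":
    with open(TRIGGER_LOG, "a", encoding="utf-8") as fh:
        handle_stream(sys.stdin, TriggerHandler(), fh)
```

To use it, point the omprog action's `binary` at this file instead of XXX.sh and make it executable; rsyslog still does the first-stage selection with `contains`, and the handler only decides how often a given keyword is allowed to trigger the downstream action.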
To use Windows NPS (RADIUS) with a Cisco device

Authenticating Cisco device logins through the Windows NPS service

I have long used Linux + FreeRADIUS to handle login authentication (OTP).

https://xrcd2.blogspot.com/2016/01/cisco-radius-otp.html

This time I switched to Windows NPS; screenshots of the experiment follow: