Log Filtering

So I have this rule over here

rule blocked_inbound_traffic_on_firewall {

  meta:
    author = "Author"

  events:
    $e.metadata.product_name = "Fortigate"
    $e.metadata.event_type = "NETWORK_CONNECTION" or ($e.metadata.event_type = "NETWORK_HTTP")
    $e.security_result.action_details = "deny"
    $e.principal.ip = $ip
    not $e.principal.ip in cidr %internal_ip_ranges

  match:
    $ip over 10m

  outcome:
    $risk_score = 20
  condition:
    $e
}

Now, I want to edit the forwarder configuration from here using regex so as to filter out the logs based on this rule, i.e. I don't want to get the logs of the communication which was denied.


How exactly am I supposed to do this?



The logs I am getting from this rule are something like this:
srccountry="Netherlands" dstcountry="India" sessionid=587691246 proto=6 action="deny" policyid=0 policytype="local-in-policy"

Can anyone guide me on this?
@AymanC @jstoner @malvarez 

1 REPLY

- syslog:
    common:
      regex_filters:
        block_filter:
          regexp: ^.*action="deny".*$
          behavior_on_match: block
      enabled: true
      data_type: FORTINET_FIREWALL
      batch_n_seconds: 10
      batch_n_bytes: 1048576
      metadata:
        labels:
          LAB: LAB_FORTINET_FIREWALL
        namespace: LAB_FORTINET_FIREWALL
    udp_address: 0.0.0.0:10503
    udp_buffer_size: 8192


I have written this in the config file. Will this satisfy my requirements?

@jstoner @AymanC ?
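As an added example (not from the post and not the forwarder's own code), a small Python simulation of what the `block_filter` regex above does to constructed Fortigate lines, next to a check that mirrors the rule's actual scope: the rule only fires when the source IP is outside `%internal_ip_ranges`, which a plain substring regex cannot express. It assumes the standard Fortigate `srcip=` field and uses the RFC 1918 ranges as a stand-in for the reference list.

```python
import ipaddress
import re

# Constructed sample Fortigate syslog lines (not taken from the original post).
SAMPLE_LINES = [
    'srcip=203.0.113.7 dstip=198.51.100.4 srccountry="Netherlands" dstcountry="India" '
    'sessionid=587691246 proto=6 action="deny" policyid=0 policytype="local-in-policy"',
    'srcip=10.0.0.5 dstip=10.0.0.9 srccountry="Reserved" dstcountry="Reserved" '
    'sessionid=587691247 proto=6 action="deny" policyid=12 policytype="policy"',
    'srcip=203.0.113.8 dstip=198.51.100.4 srccountry="Germany" dstcountry="India" '
    'sessionid=587691248 proto=6 action="accept" policyid=3 policytype="policy"',
]

# The filter exactly as written in the forwarder config in the reply.
BLOCK_FILTER_REGEXP = r'^.*action="deny".*$'

# Stand-in for %internal_ip_ranges (assumption: RFC 1918 space).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def forwarder_decision(line: str) -> str:
    """Mimic behavior_on_match: block -> 'block' on a regex hit, otherwise the line is forwarded."""
    return "block" if re.search(BLOCK_FILTER_REGEXP, line) else "forward"


def rule_scoped_decision(line: str) -> str:
    """Block only what the detection rule would match: a denied connection
    whose source IP is NOT inside the internal ranges.  Everything else is forwarded,
    so internal-to-internal denies keep reaching the SIEM."""
    if not re.search(r'\baction="deny"', line):
        return "forward"
    m = re.search(r"\bsrcip=(\S+)", line)
    if not m:
        return "forward"  # no source IP to evaluate, keep the line
    src = ipaddress.ip_address(m.group(1))
    if any(src in net for net in INTERNAL_RANGES):
        return "forward"
    return "block"


def compare(lines):
    """Return (forwarder_decision, rule_scoped_decision) per line so the gap is visible."""
    return [(forwarder_decision(l), rule_scoped_decision(l)) for l in lines]


if __name__ == "__main__":
    for line, (fw, rule) in zip(SAMPLE_LINES, compare(SAMPLE_LINES)):
        print(f"forwarder={fw:7} rule_scope={rule:7}  {line[:60]}...")
```

The second sample line is the one that differs: the config's regex drops every `action="deny"` event, while the rule would never have matched a deny whose source is internal.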