Skip to main content

So I have this rule over here

rule blocked_inbound_traffic_on_firewall {

  meta:
    author = "Author"

  events:
    $e.metadata.product_name = "Fortigate"
    $e.metadata.event_type = "NETWORK_CONNECTION" or ($e.metadata.event_type = "NETWORK_HTTP")
    $e.security_result.action_details = "deny"
    $e.principal.ip = $ip
    not $e.principal.ip in cidr %internal_ip_ranges

  match:
    $ip over 10m

  outcome:
    $risk_score = 20
  condition:
    $e
}

Now, 
I want to edit the forwarder configuration from here using regex so as to filter out the logs based on this this rule. i.e I don't want to get the logs of the communication which was denied.

 

How exactly am I supposed to do this?



The logs I am getting from this rule are somewhat like this :
srccountry="Netherlands" dstcountry="India" sessionid=587691246 proto=6 action="deny" policyid=0 policytype="local-in-policy"

Can anyone guide me on this?
@AymanC @jstoner @malvarez12 

- syslog:
    common:
      regex_filters:
        block_filter :
          regexp: ^.*action="deny".*$
          behavior_on_match: block
      enabled: true
      data_type: FORTINET_FIREWALL
      batch_n_seconds: 10
      batch_n_bytes: 1048576
      metadata:
        labels:
          LAB: LAB_FORTINET_FIREWALL
        namespace: LAB_FORTINET_FIREWALL
    udp_address: 0.0.0.0:10503
    udp_buffer_size: 8192


I have written this in the config file. will this suffice my requirements?

@jstoner @AymanC ?
Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.