You can apply filters to the message list. Filters are not case-sensitive by default. If available, select Tools > Case Sensitive Search to create case-sensitive filters.
Filtering messages using filters in the toolbar
- Go to the view you want.
- Click Add Filter, select a filter from the dropdown list, then type a value. Only displayed columns are available in the dropdown list. You can use search operators in regular search.
Switching between regular search and advanced search
At the right end of the Add Filter box, click the Switch to Advanced Search icon or the Switch to Regular Search icon.
In Advanced Search mode, enter the search criteria (log field names and values).
Search operators and syntax
If available, click the icon at the right end of the Add Filter box to view the search operators and syntax. See also Filter search operators and syntax.
CLI string “freestyle” search
Searches the string within the indexed fields configured using the CLI. For example, if the indexed fields have been configured using these CLI commands:
    config system sql
        set value "app,dstip,proto,service,srcip,user,utmaction"
Then if you type “Skype” in the Add Filter box, FortiAnalyzer searches for “Skype” within those indexed fields (app, dstip, proto, service, srcip, user and utmaction).
You can combine freestyle search with other search methods, for example:
- In the toolbar, make other selections such as devices, time period, which columns to display, etc.
Filtering messages using the right-click menu
In a log message list, right-click an entry and select a filter criterion. One of the offered criteria returns entries matching the filter value, while the other returns entries that do not match it.
Depending on the column in which your cursor is placed when you right-click, Log View uses that column's value as the filter criterion. This context-sensitive filter is only available for certain columns.
To see the log field name behind a filter or column, right-click the column of a log entry and select a context-sensitive filter. The Add Filter box then shows the log field name.
Context-sensitive filters are available for each log field in the log details pane. See Viewing message details.
Filtering messages using smart action filters
For Log View windows that have an Action column, the Action column displays a smart result derived from the policy action (log field action) and the UTM profile action (log field utmaction).
The Action column displays a green checkmark Accept icon when both policy and UTM profile allow the traffic to pass through, that is, both the log field action and UTM profile action specify allow to this traffic.
The Action column displays a red X Deny icon and the reason when either the log field action or UTM profile action deny the traffic.
If the traffic is denied due to policy, the deny reason is based on the policy log field action.
If the traffic is denied due to the UTM profile, the deny reason is based on the threat type recorded in craction, which shows which type of threat triggered the UTM action. The craction and crscore fields are configured on the FortiGate under Log & Report. For more information, see the FortiOS - Log Message Reference in the Fortinet Document Library.
A filter applied to the Action column is always a smart action filter.
The smart action filter uses the FortiGate UTM profile to determine what the Action column displays. If the FortiGate UTM profile has set an action to allow, then the Action column will display that line with a green Accept icon, even if the
In the scenario where the
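As an added illustration (not FortiAnalyzer or FortiOS code), the Python below applies the Accept/Deny rule described above to a few constructed traffic-log records: the column shows Accept only when neither the policy action nor the UTM profile action denies the traffic, and the deny reason is drawn from whichever one did. Treating action=deny and utmaction=block as the two deny conditions, and carrying craction as a plain label rather than the FortiOS encoding, are assumptions of this example.

```python
# Constructed sample FortiGate traffic-log records (not real device output).
# 'action' is the policy result, 'utmaction' the UTM profile result, and
# 'craction' the threat type that triggered the UTM action. The craction
# labels are illustrative; the FortiOS encoding is not modelled here.
SAMPLE_LOGS = [
    {"logid": 1, "policyid": 1, "action": "accept", "utmaction": "allow"},
    {"logid": 2, "policyid": 7, "action": "deny"},
    {"logid": 3, "policyid": 1, "action": "accept", "utmaction": "block", "craction": "malware"},
    {"logid": 4, "policyid": 1, "action": "accept", "utmaction": "block"},
]

# Assumed deny conditions: a policy log field action of 'deny' and a UTM
# profile action of 'block'. Any other combination is treated as allow.
POLICY_DENY = "deny"
UTM_DENY = "block"


def smart_action(rec):
    """Compute what the smart Action column shows for one record.

    Returns ("Accept", None) when both policy and UTM profile let the traffic
    through, otherwise ("Deny", reason): the reason comes from the policy
    action if the policy denied the traffic, or from the UTM threat type
    (craction) if the UTM profile denied it.
    """
    policy_action = str(rec.get("action", "")).lower()
    utm_action = str(rec.get("utmaction", "")).lower()
    if policy_action == POLICY_DENY:
        return "Deny", "policy: action=%s policyid=%s" % (policy_action, rec.get("policyid"))
    if utm_action == UTM_DENY:
        return "Deny", "UTM profile: utmaction=%s craction=%s" % (
            utm_action, rec.get("craction", "unspecified"))
    return "Accept", None


def smart_action_filter(logs, wanted):
    """A filter on the Action column is a smart action filter: it selects
    records by the computed Accept/Deny value, not by the raw 'action' field."""
    return [rec for rec in logs if smart_action(rec)[0] == wanted]


if __name__ == "__main__":
    for rec in SAMPLE_LOGS:
        print(rec["logid"], smart_action(rec))
    # Raw action=accept keeps logs 1, 3 and 4; the smart Action=Accept keeps only log 1,
    # because the UTM profile blocked 3 and 4.
    print("raw action=accept:", [r["logid"] for r in SAMPLE_LOGS if r["action"] == "accept"])
    print("smart Action=Accept:", [r["logid"] for r in smart_action_filter(SAMPLE_LOGS, "Accept")])
```

The last two lines of the script make the practical point: filtering on the raw action field and filtering on the Action column give different result sets whenever a UTM profile blocked traffic that the policy had accepted.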
Operators or symbols
- A space character or “and”: find log entries containing all the search terms.
- “or” or a comma “,”: find log entries containing any of the search terms.
- “-” before the field name: find log entries that do NOT contain the search terms.
- Greater than, less than, or a range: find log entries greater than or less than a value, or within a range. This operator only applies to integer fields.
- IP subnet/range search: find log entries within a certain IP subnet or range.
- Wildcards: you can use wildcard searches for all field types.
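The Python script below is an added example, not FortiAnalyzer code: it evaluates queries written in the operator syntax described above against a few constructed traffic-log records, so the and/or/negation, integer comparison and range, IP subnet and range, wildcard and case-insensitive behaviour can be tried offline. Where the page does not spell out the syntax (the low-high form for ranges, a comma as "any of" inside a single field=value term, freestyle terms being checked only against the indexed fields from the CLI section), the choices are assumptions of this example. It also exercises the fct_devid=* wildcard filter used in the FortiClient procedure below.

```python
import fnmatch
import ipaddress
import re

# Constructed sample traffic-log records (not real FortiAnalyzer output).
# Field names follow the FortiOS traffic-log fields referenced on this page.
LOGS = [
    {"srcip": "10.0.1.15", "dstip": "8.8.8.8", "dstport": 53, "app": "DNS",
     "user": "alice", "utmaction": "allow"},
    {"srcip": "10.0.1.22", "dstip": "203.0.113.7", "dstport": 443, "app": "Skype",
     "user": "Bob", "utmaction": "block", "fct_devid": "FCTEMS0000123456"},
    {"srcip": "192.168.5.9", "dstip": "198.51.100.3", "dstport": 8080, "app": "HTTP",
     "user": "carol", "utmaction": "allow"},
]

# Freestyle (unqualified) terms are matched only against these indexed fields,
# mirroring the 'config system sql / set value' list on this page (assumption).
INDEXED_FIELDS = ["app", "dstip", "proto", "service", "srcip", "user", "utmaction"]

_CIDR = re.compile(r"^\d+\.\d+\.\d+\.\d+/\d+$")
_IPRANGE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$")
_INTRANGE = re.compile(r"^(\d+)-(\d+)$")
_TERM = re.compile(r"^(\w+)(>=|<=|>|<|=)(.+)$")


def _match_value(actual, wanted, case_sensitive):
    """Match one field value against one search value: subnet, IP range,
    integer range, wildcard, or exact (case-insensitive by default)."""
    s = str(actual)
    try:
        if _CIDR.match(wanted):                      # a.b.c.d/n subnet search
            return ipaddress.ip_address(s) in ipaddress.ip_network(wanted, strict=False)
        m = _IPRANGE.match(wanted)                   # a.b.c.d-e.f.g.h range search
        if m:
            lo, hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            return lo <= ipaddress.ip_address(s) <= hi
    except ValueError:                               # the field value is not an IP address
        return False
    m = _INTRANGE.match(wanted)                      # low-high, integer fields only
    if m and isinstance(actual, int):
        return int(m.group(1)) <= actual <= int(m.group(2))
    if not case_sensitive:                           # filters are case-insensitive by default
        s, wanted = s.lower(), wanted.lower()
    if "*" in wanted or "?" in wanted:               # wildcards work for every field type
        return fnmatch.fnmatchcase(s, wanted)
    return s == wanted


def _eval_term(term, rec, case_sensitive):
    """Evaluate one term: field=value, field>n, field<n, -field=value (negation),
    or a freestyle string searched in the indexed fields."""
    negate = term.startswith("-")
    if negate:
        term = term[1:]
    m = _TERM.match(term)
    if m is None:                                    # freestyle search
        hit = any(_match_value(rec[f], term, case_sensitive)
                  for f in INDEXED_FIELDS if f in rec)
    else:
        field, op, value = m.groups()
        actual = rec.get(field)
        if actual is None:
            hit = False
        elif op == "=":                              # comma inside a value: any of them
            hit = any(_match_value(actual, v, case_sensitive) for v in value.split(","))
        elif not isinstance(actual, int):            # > and < only apply to integer fields
            hit = False
        else:
            n = int(value)
            hit = {">": actual > n, ">=": actual >= n, "<": actual < n, "<=": actual <= n}[op]
    return hit != negate


def parse_query(query):
    """Split a query into OR-groups of AND-terms: a space or 'and' joins terms,
    'or' separates groups."""
    groups, current = [], []
    for tok in query.split():
        if tok.lower() == "and":
            continue
        if tok.lower() == "or":
            groups.append(current)
            current = []
        else:
            current.append(tok)
    groups.append(current)
    return [g for g in groups if g]


def search(logs, query, case_sensitive=False):
    """Return the records matching the query (Tools > Case Sensitive Search
    corresponds to case_sensitive=True)."""
    groups = parse_query(query)
    return [rec for rec in logs
            if any(all(_eval_term(t, rec, case_sensitive) for t in g) for g in groups)]


def users(results):
    """Reader helper: the user field of each matching record."""
    return [rec["user"] for rec in results]


if __name__ == "__main__":
    for q in ("skype", "user=alice or user=bob", "-utmaction=allow", "dstport>100",
              "srcip=10.0.1.0/24", "srcip=10.0.1.20-10.0.1.30", "app=H*", "fct_devid=*"):
        print("%-28s -> %s" % (q, users(search(LOGS, q))))
```

Note that a freestyle term only finds a value that sits in one of the indexed fields; a string that appears only in a non-indexed field must be searched with an explicit field=value term.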
Filtering FortiClient log messages in FortiGate traffic logs
For FortiClient endpoints registered to FortiGate devices, you can filter log messages in FortiGate traffic log files that are triggered by FortiClient.
To filter FortiClient log messages:
- Go to Log View > Traffic.
- In the Add Filter box, type fct_devid=*. A list of FortiGate traffic logs triggered by FortiClient is displayed.
- In the message log list, select a FortiGate traffic log to view the details in the bottom pane.
- Click the FortiClient tab, and double-click a FortiClient traffic log to see details.
The FortiClient tab is available only when the FortiGate traffic logs reference FortiClient traffic logs.