Event Dropping
Some devices and applications generate a large number of logs that are very verbose, contain little valuable information, and consume storage resources. You can configure Event Dropping rules that drop events immediately after FortiSIEM receives them, so these event logs are never collected or processed. Implementing these rules takes some thought, for example to accurately set the event type, reporting device, and event regular expression match. Dropped events do not count towards licensed Events per Second (EPS) and are not stored in the Event database; they also do not appear in reports and do not trigger rules. You can also specify that events should be stored but not used to trigger rules, so the event information is available for searches and reports without triggering any rule. An example of an event type that you might want to store but not have trigger any rules is an IPS event that is a known false positive.
- Go to Admin > Settings > Event Pipeline > Dropping tab.
- Click +.
- At the Reporting Device row, deselect All, then click the drop-down and browse the folders to select the device group or individual devices for which you must create a rule.
- Click Save.
- At the Event Type row, deselect All, then click the drop-down and browse the folders to find the group of event types, or a specific event type for which you must create a rule.
- Click Save.
- Enter the Source IP or Destination IP that you want to filter on. The value can be an IP range.
- From the available options, select the Action to take when the event dropping rule is triggered:
- Drop event - Event is dropped and not counted towards licensed EPS.
- Store event - Event is stored and counted towards licensed EPS.
- Do not trigger rules - This means that FortiSIEM will store events, but will not trigger rules. Events are available for reporting.
- Drop attributes - To select the attributes to drop, click the edit icon. In the Event Dropping Rule > Drop Attribute window, from the left pane, select the attribute(s) you want dropped and click the > icon. Dropped attributes appear in the Selected Attributes column. When done, click Save. Only attributes in the left pane are stored. Stored event attributes are available for reporting.
Note: You can move dropped attributes so they are stored attributes by selecting them from the Selected Attributes column and clicking the < icon. When done, click Save.
- For Regex Filter, enter any regular expressions you want to use to filter the log files. If any match is made against your regular expression, then the event will be dropped.
- Enter any Description for the rule.
- Click Save.
Notes:
- All matching rules are implemented by FortiSIEM, and inter-rule order is not important. If you create a duplicate of an event dropping rule, the first rule is in effect.
- If you leave a rule definition field blank, then that field is not evaluated. For example, leaving Event Type blank is the same as selecting All Event Types.
- FortiSIEM drops the event at the first entry point. If your deployment uses Collectors, events are dropped by the Collectors. If your deployment doesn't use Collectors, then the event will be dropped by the Worker or Supervisor where the event is received.
- You can use the report System Event Processing Statistics to view the statistics for dropped events. When you run the report, select AVG(Policy Dropped Event Rate (/sec)) as one of the dimensions for Chart to see the rate of events dropped by this policy.
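The rule semantics described in the procedure and notes above (blank fields are not evaluated, the first matching rule wins, and each Action decides whether the event is stored, counted towards EPS, or allowed to trigger rules), as an added, constructed model. This is not FortiSIEM code: the attribute names (reptDevName, eventType, srcIpAddr, destIpAddr, rawLog), the action labels and the result tuple are assumptions made for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the event-dropping semantics described in this page.
# Not FortiSIEM code: attribute names, action labels and the result tuple are assumptions.
@dataclass
class DropRule:
    action: str                         # "drop", "store", "no_rules" or "drop_attributes"
    devices: Optional[set] = None       # None means "All": the field is not evaluated
    event_types: Optional[set] = None
    src_ip: Optional[str] = None        # single IP or CIDR range
    dst_ip: Optional[str] = None
    regex: Optional[str] = None         # searched in the raw log
    drop_attrs: set = field(default_factory=set)

    def matches(self, ev: dict) -> bool:
        def in_range(ip, rng):
            return ipaddress.ip_address(ip) in ipaddress.ip_network(rng, strict=False)
        return (
            (self.devices is None or ev["reptDevName"] in self.devices)
            and (self.event_types is None or ev["eventType"] in self.event_types)
            and (self.src_ip is None or in_range(ev["srcIpAddr"], self.src_ip))
            and (self.dst_ip is None or in_range(ev["destIpAddr"], self.dst_ip))
            and (self.regex is None or re.search(self.regex, ev["rawLog"]) is not None)
        )

def apply_rules(ev: dict, rules: list) -> tuple:
    """Return (stored, counts_toward_eps, triggers_rules, event_as_stored); first match wins."""
    for rule in rules:
        if not rule.matches(ev):
            continue
        if rule.action == "drop":               # not stored, not counted toward licensed EPS
            return (False, False, False, None)
        if rule.action == "store":              # stored and counted; assumed rules still run
            return (True, True, True, ev)
        if rule.action == "no_rules":           # stored for reports, never triggers rules
            return (True, True, False, ev)
        if rule.action == "drop_attributes":    # keep only attributes outside the Selected list
            return (True, True, True, {k: v for k, v in ev.items() if k not in rule.drop_attrs})
    return (True, True, True, ev)               # no rule matched: normal processing

# Constructed sample rules: firewall debug noise, a known IPS false positive, a verbose raw log.
RULES = [
    DropRule("drop", devices={"fw-edge-1"}, regex=r"\bdebug\b"),
    DropRule("no_rules", event_types={"IPS-False-Positive"}, src_ip="10.1.0.0/16"),
    DropRule("drop_attributes", event_types={"Win-Logon-Success"}, drop_attrs={"rawLog"}),
]
```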