Fortinet Fortigate¶
Description¶
Constructor : Fortinet
Product : Fortigate
Device : Forti OS
Log format : Version 4¶
Log sample¶
1 | devname=FGT-602803031507 device_id=FGT-602803031507 log_id=0022013001 type=traffic subtype=violation pri=warning vd=root SN=173817 duration=0 user=N/A group=N/A rule=7 policyid=7 proto=6 service=21/tcp app_type=N/A status=deny src=10.60.0.247 srcname=10.60.0.247 dst=10.60.0.101 dstname=10.60.0.101 src_int="dmz" dst_int="internal" sent=0 rcvd=0 src_port=53861 dst_port=21 vpn="N/A" tran_ip=0.0.0.0 tran_port=0 |
1 | devname=FGT80C3909620315 device_id=FGT80C3909620315 log_id=0021000002 type=traffic subtype=allowed pri=notice fwver=040001 status=accept vd="root" dir_disp=org tran_disp=noop src=10.60.0.247 srcname=10.60.0.247 src_port=37655 dst=76.96.34.197 dstname=76.96.34.197 dst_port=80 tran_ip=N/A tran_port=0 service=80/tcp proto=6 app_type=N/A duration=120 rule=4 policyid=4 sent=765 rcvd=760 sent_pkt=6 rcvd_pkt=5 vpn="N/A" src_int="internal" dst_int="dmz" SN=52 user="N/A" group="N/A" carrier_ep="N/A" |
1 | devname=FGT-602803031507 device_id=FGT-602803031507 log_id=0213066000 type=virus subtype=oversize pri=notice vd=root policyid=7 serial=1117 user="N/A" group="N/A" src=192.168.101.100 sport=2693 src_int="wan1" dst=68.142.229.15 dport=80 dst_int="internal" service="http" status=passthrough file="uploaded" url="http://attach.mail.vip.re2.yahoo.com/us.f540.mail.yahoo.com/ya/upload?resulturl=http%3A%2F%2Fus.mg2.mail.yahoo.com%2Fdc% 2Fattach.html%" ref="n/a" msg="File exceeds size limit." |
1 | devname= device_id=log_id=0508020488 type=emailfilter subtype=smtp pri= notice fwver=040004 policyid=12345 serial=312 user="user" group="group" vd="root" src=1.1.1.1 sport=2560 src_port=2560 src_int="lo" dst=2.2.2.2 dport=5120 dst_port=5120 dst_int="eth0" service=mm7 carrier_ep="EndPoint" profile="profile" profilegroup=" " rofiletype=" "status=detected from="from@xxx.com" to="to@xxx.com" tracker="Tracker" agent=N/A msg="SpamEmail" |
Normalized fields¶
| Constructor field | LMC field |
|---|---|
| [type] | [type] |
| [severity] | [alarm][sev] |
| [pri] | [alarm][sev] |
| [status] | [action] |
| [proto] | [app][proto][num] |
| [service] | [app][proto][name] |
| [fwver] | [app][version] |
| [rule] | [rule][uid] |
| [devname] | [init][host][name] |
| [device_id] | [init][host][asn] |
| [src] | [init][host][ip] |
| [src_port] | [init][host][port] |
| [sport] | [init][host][port] |
| [srcname] | [init][usr][name] |
| [dst] | [target][host][ip] |
| [dport] | [target][host][port] |
| [dst_port] | [target][host][port] |
| [dstname] | [target][usr][name] |
| [src_int] | [init][host][net] |
| [dst_int] | [target][host][net] |
| [src_country] | [init][usr][loc][cty] |
| [dst_country] | [target][usr][loc][cty] |
| [url] | [init][uri][full] |
| [tran_ip] | [target][host][nat][ip] |
| [tran_port] | [target][host][nat][port] |
| [trans_ip] | [init][host][nat][ip] |
| [trans_port] | [init][host][nat][port] |
| [sessionid] | [session][id] |
| [rcvd_pkt] | [session][in][packet] |
| [rcvd] | [session][in][byte] |
| [sent_pkt] | [session][out][packet] |
| [sent] | [session][out][byte] |
| [duration] | [session][duration] |
| [rulename] | [rule][name] |
| [vpn] | [fortigate][vpn] |
| [src_mac] | [init][host][mac] |
| [dst_mac] | [target][host][mac] |
| [user] | [init][usr][name] |
| [hostname] | [target][usr][name] |
| [group] | [init][group][name] |
| [from] | [init][usr][mail] |
| [to] | [target][usr][mail] |
| [vd] | [init][usr][domain] |
| [severity] | [alarm][sev] |
Log format : Version 5¶
Log sample¶
1 | devname=DEMO_DEVICE devid=FWF60D9999999999 logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=11.22.12.240 srcintf="LAN" dstip=11.22.12.XX dstintf="root" sessionid=7958750 status=accept policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service=PING proto=1 app=PING duration=60 sentbyte=0 rcvdbyte=84 sentpkt=0 rcvdpkt=1 |
1 | devname=FG100D devid=FG100D3G12812498 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=10.10.10.10 srcport=60242 srcintf="internal" dstip=10.10.10.10 dstport=80 dstintf="wan2" sessionid=8770388 status=close user="JOHNDOE" group="UnRestricted" policyid=8 dstcountry="Reserved" srccountry="Reserved" trandisp=snat transip=10.1.10.10 transport=60242 service=HTTP proto=6 applist="block-p2p-bot-games" duration=147 sentbyte=372 rcvdbyte=31842 sentpkt=7 rcvdpkt=27 identidx=1 devtype="Windows PC" osname="Windows" osversion="7" mastersrcmac=e0:69:95:2e:3f:9d srcmac=e0:69:95:2e:3f:9d |
1 | devname=FG100D devid=FG100D3G12812498 logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=10.10.10.10 srcname=APCNAME srcport=59704 srcintf="internal" dstip=10.10.10.10 dstport=8010 dstintf="root" sessionid=8774171 status=close policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service=8010/tcp proto=6 app=8010/tcp duration=11 sentbyte=1846 rcvdbyte=555 sentpkt=6 rcvdpkt=8 devtype="Windows PC" osname="Windows" osversion="7 Service Pack 1" mastersrcmac=9c:4e:36:c5:bf:c5 srcmac=3c:97:0e:b0:49:2a |
Normalized fields¶
| Constructor field | LMC field |
|---|---|
| [type] | [type] |
| [severity] | [alarm][sev] |
| [pri] | [alarm][sev] |
| [status] | [action] |
| [proto] | [app][proto][num] |
| [service] | [app][proto][name] |
| [fwver] | [app][version] |
| [rule] | [rule][uid] |
| [devname] | [init][host][name] |
| [devid] | [init][host][asn] |
| [src] | [init][host][ip] |
| [srcport] | [init][host][port] |
| [sport] | [init][host][port] |
| [srcname] | [init][usr][name] |
| [dst] | [target][host][ip] |
| [dport] | [target][host][port] |
| [dstport] | [target][host][port] |
| [dstname] | [target][usr][name] |
| [srcintf] | [init][host][net] |
| [dstintf] | [target][host][net] |
| [srccountry] | [init][usr][loc][cty] |
| [url] | [init][uri][full] |
| [tranip] | [target][host][nat][ip] |
| [tranport] | [target][host][nat][port] |
| [transip] | [init][host][nat][ip] |
| [transport] | [init][host][nat][port] |
| [sessionid] | [session][id] |
| [rcvdpkt] | [session][in][packet] |
| [rcvdbyte] | [session][in][byte] |
| [sentpkt] | [session][out][packet] |
| [sentbyte] | [session][out][byte] |
| [duration] | [session][duration] |
| [rulename] | [rule][name] |
| [vpn] | [fortigate][vpn] |
| [srcmac] | [init][host][mac] |
| [dstmac] | [target][host][mac] |
| [user] | [init][usr][name] |
| [hostname] | [target][usr][name] |
| [group] | [init][group][name] |
| [from] | [init][usr][mail] |
| [to] | [target][usr][mail] |
| [vd] | [init][usr][domain] |
| [severity] | [alarm][sev] |