
Fortinet Fortigate

Description

Constructor : Fortinet

Product : Fortigate

Device : FortiOS

Log format : Version 4

Log samples

devname=FGT-602803031507 device_id=FGT-602803031507 log_id=0022013001 type=traffic subtype=violation pri=warning vd=root SN=173817 duration=0 user=N/A group=N/A rule=7 policyid=7 proto=6 service=21/tcp app_type=N/A status=deny src=10.60.0.247 srcname=10.60.0.247 dst=10.60.0.101 dstname=10.60.0.101 src_int="dmz" dst_int="internal" sent=0 rcvd=0 src_port=53861 dst_port=21 vpn="N/A" tran_ip=0.0.0.0 tran_port=0 
devname=FGT80C3909620315 device_id=FGT80C3909620315 log_id=0021000002 type=traffic subtype=allowed pri=notice fwver=040001 status=accept vd="root" dir_disp=org tran_disp=noop src=10.60.0.247 srcname=10.60.0.247 src_port=37655 dst=76.96.34.197 dstname=76.96.34.197 dst_port=80 tran_ip=N/A tran_port=0 service=80/tcp proto=6 app_type=N/A duration=120 rule=4 policyid=4 sent=765 rcvd=760 sent_pkt=6 rcvd_pkt=5 vpn="N/A" src_int="internal" dst_int="dmz" SN=52 user="N/A" group="N/A" carrier_ep="N/A"
devname=FGT-602803031507 device_id=FGT-602803031507 log_id=0213066000 type=virus subtype=oversize pri=notice vd=root policyid=7 serial=1117 user="N/A" group="N/A" src=192.168.101.100 sport=2693 src_int="wan1" dst=68.142.229.15 dport=80 dst_int="internal" service="http" status=passthrough file="uploaded" url="http://attach.mail.vip.re2.yahoo.com/us.f540.mail.yahoo.com/ya/upload?resulturl=http%3A%2F%2Fus.mg2.mail.yahoo.com%2Fdc% 2Fattach.html%" ref="n/a" msg="File exceeds size limit." 
devname= device_id=log_id=0508020488 type=emailfilter subtype=smtp pri= notice fwver=040004 policyid=12345 serial=312 user="user" group="group" vd="root" src=1.1.1.1 sport=2560 src_port=2560 src_int="lo" dst=2.2.2.2 dport=5120 dst_port=5120 dst_int="eth0" service=mm7 carrier_ep="EndPoint" profile="profile" profilegroup=" " rofiletype=" "status=detected from="from@xxx.com" to="to@xxx.com" tracker="Tracker" agent=N/A msg="SpamEmail"

Normalized fields (Fortigate log key on the left, LMC normalized field on the right)

Constructor field → LMC field
[type] [type]
[severity] [alarm][sev]
[pri] [alarm][sev]
[status] [action]
[proto] [app][proto][num]
[service] [app][proto][name]
[fwver] [app][version]
[rule] [rule][uid]
[devname] [init][host][name]
[device_id] [init][host][asn]
[src] [init][host][ip]
[src_port] [init][host][port]
[sport] [init][host][port]
[srcname] [init][usr][name]
[dst] [target][host][ip]
[dport] [target][host][port]
[dst_port] [target][host][port]
[dstname] [target][usr][name]
[src_int] [init][host][net]
[dst_int] [target][host][net]
[src_country] [init][usr][loc][cty]
[dst_country] [target][usr][loc][cty]
[url] [init][uri][full]
[tran_ip] [target][host][nat][ip]
[tran_port] [target][host][nat][port]
[trans_ip] [init][host][nat][ip]
[trans_port] [init][host][nat][port]
[sessionid] [session][id]
[rcvd_pkt] [session][in][packet]
[rcvd] [session][in][byte]
[sent_pkt] [session][out][packet]
[sent] [session][out][byte]
[duration] [session][duration]
[rulename] [rule][name]
[vpn] [fortigate][vpn]
[src_mac] [init][host][mac]
[dst_mac] [target][host][mac]
[user] [init][usr][name]
[hostname] [target][usr][name]
[group] [init][group][name]
[from] [init][usr][mail]
[to] [target][usr][mail]
[vd] [init][usr][domain]
[severity] [alarm][sev]

Log format : Version 5

Log samples

devname=DEMO_DEVICE devid=FWF60D9999999999 logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=11.22.12.240 srcintf="LAN" dstip=11.22.12.XX dstintf="root" sessionid=7958750 status=accept policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service=PING proto=1 app=PING duration=60 sentbyte=0 rcvdbyte=84 sentpkt=0 rcvdpkt=1
devname=FG100D devid=FG100D3G12812498 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=10.10.10.10 srcport=60242 srcintf="internal" dstip=10.10.10.10 dstport=80 dstintf="wan2" sessionid=8770388 status=close user="JOHNDOE" group="UnRestricted" policyid=8 dstcountry="Reserved" srccountry="Reserved" trandisp=snat transip=10.1.10.10 transport=60242 service=HTTP proto=6 applist="block-p2p-bot-games" duration=147 sentbyte=372 rcvdbyte=31842 sentpkt=7 rcvdpkt=27 identidx=1 devtype="Windows PC" osname="Windows" osversion="7" mastersrcmac=e0:69:95:2e:3f:9d srcmac=e0:69:95:2e:3f:9d
devname=FG100D devid=FG100D3G12812498 logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=10.10.10.10 srcname=APCNAME srcport=59704 srcintf="internal" dstip=10.10.10.10 dstport=8010 dstintf="root" sessionid=8774171 status=close policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service=8010/tcp proto=6 app=8010/tcp duration=11 sentbyte=1846 rcvdbyte=555 sentpkt=6 rcvdpkt=8 devtype="Windows PC" osname="Windows" osversion="7 Service Pack 1" mastersrcmac=9c:4e:36:c5:bf:c5 srcmac=3c:97:0e:b0:49:2a

Normalized fields (Fortigate log key on the left, LMC normalized field on the right)

Constructor field → LMC field
[type] [type]
[severity] [alarm][sev]
[pri] [alarm][sev]
[status] [action]
[proto] [app][proto][num]
[service] [app][proto][name]
[fwver] [app][version]
[rule] [rule][uid]
[devname] [init][host][name]
[devid] [init][host][asn]
[src] [init][host][ip]
[srcport] [init][host][port]
[sport] [init][host][port]
[srcname] [init][usr][name]
[dst] [target][host][ip]
[dport] [target][host][port]
[dstport] [target][host][port]
[dstname] [target][usr][name]
[srcintf] [init][host][net]
[dstintf] [target][host][net]
[srccountry] [init][usr][loc][cty]
[url] [init][uri][full]
[tranip] [target][host][nat][ip]
[tranport] [target][host][nat][port]
[transip] [init][host][nat][ip]
[transport] [init][host][nat][port]
[sessionid] [session][id]
[rcvdpkt] [session][in][packet]
[rcvdbyte] [session][in][byte]
[sentpkt] [session][out][packet]
[sentbyte] [session][out][byte]
[duration] [session][duration]
[rulename] [rule][name]
[vpn] [fortigate][vpn]
[srcmac] [init][host][mac]
[dstmac] [target][host][mac]
[user] [init][usr][name]
[hostname] [target][usr][name]
[group] [init][group][name]
[from] [init][usr][mail]
[to] [target][usr][mail]
[vd] [init][usr][domain]
[severity] [alarm][sev]