ADC Security Logs
Vendor Documentation
https://docs.fortinet.com/document/fortiadc/5.3.1/log-reference/378226/anatomy-of-a-log-message
https://docs.fortinet.com/document/fortiadc/7.2.0/handbook/536260/using-the-traffic-log
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| ADC Security Logs | Base Rule | General Security Information | Information |
| Security: IP Reputation Events | Sub Rule | IP Reputation | Information |
| Security: Geo Logs | Sub Rule | General Security Alert | Warning |
| Web Application Firewall Events | Sub Rule | General Security Alert | Warning |
| Security: DDOS Synflood Attacks | Sub Rule | General Attack Activity | Attack |
| Security: Anti-virus Module | Sub Rule | General Antivirus Warning | Warning |
| Security: Intrusion Prevention System Module | Sub Rule | Intrusion Prevention System Alert | Information |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| date | N/A | N/A | Log date |
| time | N/A | N/A | Log time |
| log_id | <vmid> | Number | Log ID |
| type | <vendorinfo> | Text/String | Major log type |
| subtype | <tag1> | Text/String | Log subtype |
| pri | N/A | N/A | Log level |
| vd | <account> | Text/String | Virtual domain |
| msg_id | N/A | N/A | Message ID |
| count | N/A | N/A | Rule match count. The Count column is only available for security logs related to DoS Protection, Geo IP Blocklist, and IP Reputation. |
| severity | <severity> | Text/String | Specifies the security level. The Severity column is only available for security logs related to Anti Virus, Geo IP Blocklist, IPS and WAF. |
| proto | <protnum> | Number | Protocol number |
| service | <protname> | Text/String | Specifies the service type. The Service column is only available for security logs related to Anti Virus and IPS. |
| src | <sip> | IP Address | Source IP address in traffic received by FortiADC |
| src_port | <sport> | Number | Source port |
| dst | <dip> | IP Address | Destination IP address in traffic received by FortiADC (IP address of the virtual server) |
| dst_port | <dport> | Number | Destination port |
| policy | <policy> | Text/String | Virtual server name |
| action | <action> | Text/String | Action taken as a result of the event |
| srccountry | N/A | N/A | Location of the source IP address |
| dstcountry | N/A | N/A | Location of the destination IP address |
| WAF Subcategory | <objecttype> | Text/String | Specifies the Web Application Firewall subcategory. The WAF Subcategory column is only available for security logs related to WAF. |
| Virus Category | <threatname> | Text/String | Specifies the virus category. The Virus Category column is only available for security logs related to Anti Virus. |
| Rule Name | <policy> | Text/String | Specifies the security rule name. The Rule Name column is only available for security logs related to IPS. Note that it shares <policy> with the policy key (virtual server name), so an IPS log that carries both cannot keep both values in that field. |
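The following is an added example, not LogRhythm or Fortinet code, showing how the mapping table above is applied to a raw FortiADC key=value log line: the parser splits the line (quoted values included), maps each device key to its LogRhythm schema field with the data type the table gives, drops the N/A keys, and picks the sub rule from the subtype. The sample log lines are constructed for illustration; the subtype strings in SUB_RULES and the raw key names assumed for the three display columns (waf_subcategory, virus_category, rule_name) are assumptions, not values taken from the vendor documentation, and should be checked against what your appliance actually emits. It also surfaces the two things the table implies but does not spell out: a non-numeric or non-IP value for a Number or IP Address field, and the policy/Rule Name collision on <policy>.

```python
import ipaddress
import re

# key=value tokens; a value may be double-quoted and then contain spaces.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Device key -> (LogRhythm schema field, data type), from the mapping table.
# Keys absent here (date, time, pri, msg_id, count, srccountry, dstcountry) are N/A.
FIELD_MAP = {
    "log_id": ("vmid", "number"),
    "type": ("vendorinfo", "text"),
    "subtype": ("tag1", "text"),
    "vd": ("account", "text"),
    "severity": ("severity", "text"),
    "proto": ("protnum", "number"),
    "service": ("protname", "text"),
    "src": ("sip", "ip"),
    "src_port": ("sport", "number"),
    "dst": ("dip", "ip"),
    "dst_port": ("dport", "number"),
    "policy": ("policy", "text"),
    "action": ("action", "text"),
    # ASSUMED raw key names for the "WAF Subcategory", "Virus Category" and
    # "Rule Name" display columns; verify against a real log line.
    "waf_subcategory": ("objecttype", "text"),
    "virus_category": ("threatname", "text"),
    "rule_name": ("policy", "text"),
}

# subtype value -> (sub rule name, classification) from the classification table.
# The subtype strings are ASSUMPTIONS for illustration only.
SUB_RULES = {
    "ip_reputation": ("Security: IP Reputation Events", "Information"),
    "geo": ("Security: Geo Logs", "Warning"),
    "waf": ("Web Application Firewall Events", "Warning"),
    "dos": ("Security: DDOS Synflood Attacks", "Attack"),
    "av": ("Security: Anti-virus Module", "Warning"),
    "ips": ("Security: Intrusion Prevention System Module", "Information"),
}
BASE_RULE = ("ADC Security Logs", "Information")


def parse_kv(line):
    """Split a FortiADC log line into a dict of raw key -> value strings."""
    out = {}
    for key, val in _KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1].replace('\\"', '"')
        out[key] = val
    return out


def _coerce(val, kind, key, warnings):
    """Apply the table's data type; record a warning and return None on failure."""
    if kind == "number":
        try:
            return int(val)
        except ValueError:
            warnings.append(f"{key}: expected a number, got {val!r}")
            return None
    if kind == "ip":
        try:
            return str(ipaddress.ip_address(val))
        except ValueError:
            warnings.append(f"{key}: not a valid IP address: {val!r}")
            return None
    return val


def map_log(line):
    """Return the sub rule, classification, mapped schema fields and warnings."""
    raw = parse_kv(line)
    fields, warnings = {}, []
    for key, val in raw.items():
        if key not in FIELD_MAP:
            continue  # N/A in the schema, or a key the table does not list
        target, kind = FIELD_MAP[key]
        coerced = _coerce(val, kind, key, warnings)
        if coerced is None:
            continue
        if target in fields and fields[target] != coerced:
            # e.g. policy and rule_name both map to <policy>; keep the first one
            warnings.append(f"{key}: <{target}> already set to {fields[target]!r}, keeping it")
            continue
        fields[target] = coerced
    rule, classification = SUB_RULES.get(raw.get("subtype", ""), BASE_RULE)
    return {"rule": rule, "classification": classification,
            "fields": fields, "warnings": warnings}


# Constructed sample lines (not real FortiADC output); addresses are RFC 5737 ranges.
SAMPLE_WAF = ('date=2024-01-15 time=10:23:41 log_id=0601000001 type=attack subtype=waf '
              'pri=alert vd=root msg_id=1 severity=high proto=6 service=https '
              'src=203.0.113.7 src_port=51234 dst=198.51.100.10 dst_port=443 '
              'policy=vs_web action=deny waf_subcategory="SQL Injection" '
              'srccountry=Reserved dstcountry=Reserved')
SAMPLE_IPS = ('date=2024-01-15 time=10:24:02 log_id=0602000001 type=attack subtype=ips '
              'severity=medium proto=6 service=http src=203.0.113.9 src_port=abc '
              'dst=198.51.100.10 dst_port=80 policy=vs_web action=alert '
              'rule_name="ips-rule-example"')

if __name__ == "__main__":
    for sample in (SAMPLE_WAF, SAMPLE_IPS):
        print(map_log(sample))
```

Run stand-alone, the WAF sample maps cleanly with no warnings, while the IPS sample produces two: src_port=abc is rejected rather than silently stored in a Number field, and rule_name is reported as colliding with the virtual server name already placed in <policy>. If you need both values on IPS events, one of them has to move to a different schema field than the table assigns.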