ADC Traffic Logs | LogRhythm Documentation

Vendor Documentation

https://docs.fortinet.com/document/fortiadc/5.3.1/log-reference/378226/anatomy-of-a-log-message

https://docs.fortinet.com/document/fortiadc/7.2.0/handbook/536260/using-the-traffic-log

Classification

Rule Name	Rule Type	Common Event	Classification
ADC Traffic Logs	Base Rule	General Traffic Log	Network Traffic
Server Load Balance Layer4	Sub Rule	SLB-4-WARNING	Warning
Server Load Balance HTTP	Sub Rule	General HTTP Information	Information
Server Load Balance TCPS	Sub Rule	General TCP/IP Information	Information
Server Load Balance RADIUS	Sub Rule	RADIUS Information	Information
Global Load Balance	Sub Rule	General Load Balancing Message	Information
Server Load Balance SIP	Sub Rule	VoIP SIP Message	Information
Server Load Balance RDP	Sub Rule	Network Traffic	Network Traffic
Server Load Balance DNS	Sub Rule	General DNS Information	Information
Server Load Balance RTSP	Sub Rule	Network Traffic	Network Traffic
Server Load Balance SMTP	Sub Rule	SMTP Request	Network Traffic
Server Load Balance RTMP	Sub Rule	Network Traffic	Network Traffic
Server Load Balance MySQL	Sub Rule	General MySQL Information	Information
Server Load Balance DIAMETER	Sub Rule	Network Traffic	Network Traffic
Link Load Balance	Sub Rule	Network Traffic	Network Traffic
Server Load Balance FTP	Sub Rule	General FTP Information	Information
Server Load Balance ISO8583	Sub Rule	Network Traffic	Network Traffic
Server Load Balance MSSQL	Sub Rule	General MSSQLSERVER Information	Information

Mapping with LogRhythm Scheme

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
date	N/A	N/A	Log date
time	N/A	N/A	Log time
log_id	<vmid>	Number	Log ID
type	<vendorinfo>	Text/String	Major Log Type
subtype	<tag1>	Text/String	Log Subtype
pri	<severity>	Text/String	Log level
vd	<account>	Text/String	Virtual domain
msg_id	N/A	N/A	Message ID
duration	N/A	N/A	Session duration
ibytes	<bytesin>	Number	Bytes in
obytes	<bytesout>	Number	Bytes out
proto	<protnum>	Number	Protocol
service	<protname>	Text/String	Service
src	<sip>	Ip Address	Source IP address in traffic received by FortiADC
src_port	<sport>	Number	Source port
dst	<dip>	Ip Address	Destination IP address in traffic received by FortiADC (IP address of the virtual server)
dst_port	<dport>	Number	Destination port
trans_src	N/A	N/A	Source IP address in packet sent from FortiADC Address might have been translated
trans_src_port	N/A	N/A	Source port in packet sent from FortiADC
trans_dst	N/A	N/A	Destination IP address in packet sent from FortiADC (IP address of the real server)
trans_dst_port	N/A	N/A	Destination port in packet sent from FortiADC
policy	<policy>	Text/String	Virtual server name
action	<action>	Text/String	For most logs, action=none
http_method	<command>	Text/String	HTTP method
http_host	<dname>	Text/String	Host IP address
http_agent	<useragent>	Text/String	HTTP agent
http_url	<url>	Text/String	Base URL.
http_qry	N/A	N/A	URL parameters after the base URL
http_referer	N/A	N/A
http_cookie	N/A	N/A	Cookie name
http_retcode	<responsecode>	Number	HTTP return code
user	<login>	Text/String	User name
usrgrp	<group>	Text/String	User group
auth_status	<status>	Text/String	Authentication success/failure
srccountry	N/A	N/A	Location of the source IP address
dstcountry	N/A	N/A	Location of the destination IP address
real_server	N/A	N/A	Real server configured name
sip_method	N/A	N/A	Invite sent from
sip_uri	N/A	N/A	SIP server IP address.
sip_from	N/A	N/A	SIP call ID
sip_to	N/A	N/A
sip_callid	N/A	N/A	Reserved
sip_retcode	N/A	N/A	Reserved
fqdn	N/A	N/A	FQDN from client request
resip	N/A	N/A	DNS response IP address
srrcountry	N/A	N/A	Location of the source IP address
gateway	N/A	N/A	Gateway in Link Group