ADC Traffic Logs

Vendor Documentation

| Reference |
| --- |
| https://docs.fortinet.com/document/fortiadc/5.3.1/log-reference/378226/anatomy-of-a-log-message |
| https://docs.fortinet.com/document/fortiadc/7.2.0/handbook/536260/using-the-traffic-log |
Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| ADC Traffic Logs | Base Rule | General Traffic Log | Network Traffic |
| Server Load Balance Layer4 | Sub Rule | SLB-4-WARNING | Warning |
| Server Load Balance HTTP | Sub Rule | General HTTP Information | Information |
| Server Load Balance TCPS | Sub Rule | General TCP/IP Information | Information |
| Server Load Balance RADIUS | Sub Rule | RADIUS Information | Information |
| Global Load Balance | Sub Rule | General Load Balancing Message | Information |
| Server Load Balance SIP | Sub Rule | VoIP SIP Message | Information |
| Server Load Balance RDP | Sub Rule | Network Traffic | Network Traffic |
| Server Load Balance DNS | Sub Rule | General DNS Information | Information |
| Server Load Balance RTSP | Sub Rule | Network Traffic | Network Traffic |
| Server Load Balance SMTP | Sub Rule | SMTP Request | Network Traffic |
| Server Load Balance RTMP | Sub Rule | Network Traffic | Network Traffic |
| Server Load Balance MySQL | Sub Rule | General MySQL Information | Information |
| Server Load Balance DIAMETER | Sub Rule | Network Traffic | Network Traffic |
| Link Load Balance | Sub Rule | Network Traffic | Network Traffic |
| Server Load Balance FTP | Sub Rule | General FTP Information | Information |
| Server Load Balance ISO8583 | Sub Rule | Network Traffic | Network Traffic |
| Server Load Balance MSSQL | Sub Rule | General MSSQLSERVER Information | Information |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| date | N/A | N/A | Log date |
| time | N/A | N/A | Log time |
| log_id | <vmid> | Number | Log ID |
| type | <vendorinfo> | Text/String | Major log type |
| subtype | <tag1> | Text/String | Log subtype |
| pri | <severity> | Text/String | Log level |
| vd | <account> | Text/String | Virtual domain |
| msg_id | N/A | N/A | Message ID |
| duration | N/A | N/A | Session duration |
| ibytes | <bytesin> | Number | Bytes in |
| obytes | <bytesout> | Number | Bytes out |
| proto | <protnum> | Number | Protocol |
| service | <protname> | Text/String | Service |
| src | <sip> | IP Address | Source IP address in traffic received by FortiADC |
| src_port | <sport> | Number | Source port |
| dst | <dip> | IP Address | Destination IP address in traffic received by FortiADC (IP address of the virtual server) |
| dst_port | <dport> | Number | Destination port |
| trans_src | N/A | N/A | Source IP address in packet sent from FortiADC. Address might have been translated |
| trans_src_port | N/A | N/A | Source port in packet sent from FortiADC |
| trans_dst | N/A | N/A | Destination IP address in packet sent from FortiADC (IP address of the real server) |
| trans_dst_port | N/A | N/A | Destination port in packet sent from FortiADC |
| policy | <policy> | Text/String | Virtual server name |
| action | <action> | Text/String | For most logs, action=none |
| http_method | <command> | Text/String | HTTP method |
| http_host | <dname> | Text/String | Host IP address |
| http_agent | <useragent> | Text/String | HTTP agent |
| http_url | <url> | Text/String | Base URL |
| http_qry | N/A | N/A | URL parameters after the base URL |
| http_referer | N/A | N/A | |
| http_cookie | N/A | N/A | Cookie name |
| http_retcode | <responsecode> | Number | HTTP return code |
| user | <login> | Text/String | User name |
| usrgrp | <group> | Text/String | User group |
| auth_status | <status> | Text/String | Authentication success/failure |
| srccountry | N/A | N/A | Location of the source IP address |
| dstcountry | N/A | N/A | Location of the destination IP address |
| real_server | N/A | N/A | Real server configured name |
| sip_method | N/A | N/A | Invite sent from |
| sip_uri | N/A | N/A | SIP server IP address |
| sip_from | N/A | N/A | SIP call ID |
| sip_to | N/A | N/A | |
| sip_callid | N/A | N/A | Reserved |
| sip_retcode | N/A | N/A | Reserved |
| fqdn | N/A | N/A | FQDN from client request |
| resip | N/A | N/A | DNS response IP address |
| srrcountry | N/A | N/A | Location of the source IP address |
| gateway | N/A | N/A | Gateway in Link Group |