Fortinet FortiNAC: Fortinet FortiNAC Events

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Fortinet FortiNAC Events | Base Rule | General Information Log Message | Information |
| Telnet Server Timeout | Sub Rule | Server Timed Out | Information |
| SSH Session Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
| MDM Poll Success | Sub Rule | Successful Activity | Other Audit Success |
| L2 Poll Failed | Sub Rule | General Failed Activity | Failed Activity |
| Entitlement Polling Success | Sub Rule | Successful Activity | Other Audit Success |
| Directory Synchronization Success | Sub Rule | Synchronization Finished | Information |
| Directory User Disabled | Sub Rule | Account Disabled | Access Revoked |
| Disable Host Success | Sub Rule | Host Disabled | Other Audit |
| Synchronize Users With Directory Success | Sub Rule | Synchronization Finished | Information |
| Admin User Timed Out | Sub Rule | User Disconnected Due To Time Out | Information |
| Database Backup Success | Sub Rule | Backup Succeeded | Information |
| Adapter Destroyed | Sub Rule | Host Adapter Information | Information |
| Admin User Login Success | Sub Rule | LOGIN_INFORMATION | Information |
| RADIUS Authentication Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
| Contact Established | Sub Rule | Communication Established | Information |
| Contact Lost | Sub Rule | Cannot Contact Target Host | Warning |
| Device Created | Sub Rule | Device Allocated | Other Audit Success |
| Device Destroyed | Sub Rule | Device De-Allocated | Other Audit Success |
| Device Profiling Automatic Registration | Sub Rule | Device Registered | Other Audit Success |
| Device Rule Confirmation Success | Sub Rule | General Information Log Message | Information |
| DHCP Host Name Changed | Sub Rule | General DHCP | Information |
| Host Destroyed | Sub Rule | Host Not Found | Warning |
| Host Passed Security Test | Sub Rule | General Host Information | Information |
| Invalid Physical Address | Sub Rule | Invalid IP Address | Warning |
| Management Lost | Sub Rule | General Host Information | Information |
| MDM Poll Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
| Port Uplink Configuration Modified | Sub Rule | General Information Log Message | Information |
| Possible MAC Address Spoof | Sub Rule | General Information Log Message | Information |
| RADIUS NAS Client Modified | Sub Rule | General Information Log Message | Information |
| Report Generation Success | Sub Rule | General Information Log Message | Information |
| REST API Failure | Sub Rule | General Information Log Message | Information |
| Security Risk Host | Sub Rule | General Host Warning | Warning |
| Service Restarted - Radius | Sub Rule | Service Start | Startup and Shutdown |
| Service Started - Radius | Sub Rule | Service Start | Startup and Shutdown |
| SNMP Failure | Sub Rule | SNMP Activity | Activity |
| System Fail Over | Sub Rule | System Failure Occurred | Critical |
| User Created | Sub Rule | User Account Created | Account Created |
| VLAN Switch Success | Sub Rule | VLAN Manager Alert | Critical |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Entity ID | N/A | N/A | Entity ID |
| Entity IP address | `<dip>` | IP Address | Entity IP address |
| Entity Name | `<dname>` | Text/String | Entity Name |
| Entity physical address | `<dmac>` | Text/String | Entity physical address |
| Event Name | `<vendorinfo>` `<tag1>` | Text/String | Name of the event that generated the syslog message. |
| Header | N/A | N/A | Syslog category: this is the defined facility and the severity. Default Facility = 4 (Security message); Severity = 5 (Notice). Note: This value can be optional and it can be the Syslog header. |
| ID | `<object>` | Number | Database ID, AlarmID or ElementID |
| Log Message | `<subject>` | Text/String | Log Message |
| Log Time | N/A | N/A | Log time. |
| Log Type | `<vmid>` | Number | Log type: 1 = Event; 2 = Alarm; 3 = Security Alarm |
| Severity | `<severity>` | Number | Severity: 0 = Normal; 1 = Minor; 2 = Major; 3 = Critical |
| Syslog Time | N/A | N/A | Time of the syslog generation. |
| user ID | `<account>` | Text/String | Unique Identifier (user ID) |
