
LSO FortiGate - Event : System

Vendor Documentation

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Header: Severity | `<severity>` | N/A |
| date | N/A | N/A |
| time | N/A | N/A |
| devname | `<objecttype>` | N/A |
| logid | `<vmid>`, `<tag1>` | `<vmid>` |
| type | N/A | `<vendorinfo>` |
| subtype | `<object>` | N/A |
| level | N/A | `<severity>` |
| vd | N/A | `<sessiontype>` |
| eventtime | N/A | N/A |
| logdesc | `<vendorinfo>` | N/A |
| sn | `<serialnumber>` | `<serialnumber>` |
| user | `<login>` | `<login>` |
| group | `<account>` | N/A |
| ui | `<sip>` | N/A |
| method | `<sessiontype>` | N/A |
| srcip | `<sip>` | `<sip>` |
| dstip | `<dip>` | `<dip>` |
| src_int | `<sinterface>` | N/A |
| dst_int | `<dinterface>` | N/A |
| srcport | `<sport>` | N/A |
| dstport | `<dport>` | N/A |
| proto | `<protnum>` | N/A |
| action | `<action>` | `<action>` |
| version | `<version>` | N/A |
| status | `<status>` | `<status>` |
| reason | `<reason>` | `<reason>` |
| profile | N/A | N/A |
| msg | `<subject>` | `<subject>` |
| cfgattr | `<result>` | `<result>` |
| banned_rule | `<threatname>` | N/A |
| sensor | `<policy>` | N/A |
| interface | `<sinterface>` | N/A |
| ip | `<sip>` | N/A |

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1010178 | Event: System | Base Rule | General Event Log Information | Information |
| | Event Mail Sent Fail | Sub Rule | General Failed Activity | Failed Activity |
| | Event Reported Report Success | Sub Rule | Report Generation | Information |
| | Event Reported Report Success | Sub Rule | Report Deleted | Information |
| | Event Session Clash | Sub Rule | Possible Address Conflict | Information |
| | Event VWL Volume Status | Sub Rule | VLAN Manager Info Msg | Information |
| | Event DHCP Ack | Sub Rule | DHCP ACK | Network Traffic |
| | Event DHCP Stat | Sub Rule | General DHCPServer Information | Information |
| | Event DHCP Client Lease | Sub Rule | DHCP Lease Obtained | Information |
| | Event Auth Snmp Query Failed | Sub Rule | Error: SNMP_GET_ERROR1 | Error |
| | Event Admin Login Succ | Sub Rule | Authentication Activity | Authentication Success |
| | Event Admin Login Fail | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | Event Admin Login Logout | Sub Rule | Logout Request | Information |
| | Event Log Roll | Sub Rule | General Disk Information | Information |
| | Event Admin Login Disable | Sub Rule | Account Disabled | Access Revoked |
| | Event Log Del Dir | Sub Rule | Object Deleted/Removed | Access Success |
| | Event Log Del File | Sub Rule | Object Deleted/Removed | Access Success |
| | Event Log Roll Forticron | Sub Rule | Rotation Information | Information |
| | Event Report Deleted | Sub Rule | Object Deleted/Removed | Access Success |
| | Event Report Deleted GUI | Sub Rule | Object Deleted/Removed | Access Success |
| | Event Backup Conf By Scp | Sub Rule | Backup Completed | Information |
| | Event Conf Chg | Sub Rule | Configuration Modified: System | Configuration |
| | Event Sys Perf | Sub Rule | General Performance Statistics | Information |
| | Event Upd Fgt Succ | Sub Rule | Operation Succeeded | Information |
| | Event Upd Fsa Virdb | Sub Rule | Database Update Event | Information |
| | Event Nac Quarantine | Sub Rule | Quarantine | Activity |
| | Event Delete Object | Sub Rule | Object Deleted/Removed | Access Success |
| | Event Config Attr | Sub Rule | Object Added | Access Success |
| | Event Add Object Attribute | Sub Rule | Object Added | Access Success |
| | Event DSSCC Exec | Sub Rule | General Policy Compliance Information | Other Audit |
| | Event Ext Remote | Sub Rule | General Remote Access Information | Information |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1013168 | V 2.0: Event: System | Base Rule | General System Message | Information |
| | V 2.0: Event Mail Sent Fail | Sub Rule | General Failed Activity | Failed Activity |
| | V 2.0: Event Reportd Report Success | Sub Rule | Report Generation | Information |
| | V 2.0: Event Reportd Report Failure | Sub Rule | Report Deleted | Information |
| | V 2.0: Event Session Clash | Sub Rule | Session Information | Information |
| | V 2.0: Event VWL Volume Status | Sub Rule | WAN Module Info Msg | Information |
| | V 2.0: Event DHCP Ack | Sub Rule | DHCP ACK | Network Traffic |
| | V 2.0: Event DHCP Stat | Sub Rule | General DHCPServer Information | Information |
| | V 2.0: Event DHCP Client Lease | Sub Rule | DHCP Lease Obtained | Information |
| | V 2.0: Event Auth Snmp Query Failed | Sub Rule | General Failed Activity | Failed Activity |
| | V 2.0: Event Admin Login Succ | Sub Rule | User Logon | Authentication Success |
| | V 2.0: Event Admin Login Fail | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Event Admin Login Logout | Sub Rule | Logout Request | Information |
| | V 2.0: Event Log Roll | Sub Rule | General Disk Information | Information |
| | V 2.0: Event Admin Login Disable | Sub Rule | Account Disabled | Access Revoked |
| | V 2.0: Event Log Del Dir | Sub Rule | Object Deleted/Removed | Access Success |
| | V 2.0: Event Log Del File | Sub Rule | Object Deleted/Removed | Access Success |
| | V 2.0: Event Log Roll Forticron | Sub Rule | Rotation Information | Information |
| | V 2.0: Event Report Deleted | Sub Rule | Object Deleted/Removed | Access Success |
| | V 2.0: Event Report Deleted GUI | Sub Rule | Object Deleted/Removed | Access Success |
| | V 2.0: Event Backup Conf By Scp | Sub Rule | Backup Completed | Information |
| | V 2.0: Event Conf Chg | Sub Rule | Configuration Modified: System | Configuration |
| | V 2.0: Event Sys Perf | Sub Rule | General Performance Statistics | Information |
| | V 2.0: Event Upd Fgt Succ | Sub Rule | Update Successful | Information |
| | V 2.0: Event Upd Fsa Virdb | Sub Rule | Database Update Event | Information |
| | V 2.0: Event Nac Quarantine | Sub Rule | Quarantine | Activity |
| | V 2.0: Event Delete Object | Sub Rule | Object Deleted/Removed | Access Success |
| | V 2.0: Event Config Attr | Sub Rule | Object Added | Access Success |
| | V 2.0: Event Add Object Attribute | Sub Rule | Object Modified | Access Success |
| | V 2.0: Event DSSCC Exec | Sub Rule | General Policy Compliance Information | Other Audit |
| | V 2.0: Event Ext Remote | Sub Rule | General Error | Error |
