LSO FortiGate - Event : VPN
Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
Header: Severity | <severity> | N/A |
date | N/A | N/A |
time | N/A | N/A |
devname | <objecttype> | N/A |
logid | <vmid> | <vmid> |
type | N/A | <vendorinfo> |
subtype | N/A | N/A |
level | N/A | <severity> |
vd | N/A | N/A |
eventtime | N/A | N/A |
logdesc | <status> | N/A |
msg | <subject> | <subject> |
action | <action> | <action> |
tunnelid | <session> | N/A |
remip | <sip> | <sip> |
tunnelip | <snatip> | N/A |
locip | <dip> | <dip> |
remport | <sport> | <sport> |
locport | <dport> | <dport> |
outintf | <sinterface> | N/A |
cookies | N/A | N/A |
user | <login> | <login> |
group | <group> | <group> |
xauthuser | <objectname> | N/A |
xauthgroup | <useragent> | N/A |
assignip | N/A | N/A |
vpntunnel | N/A | N/A |
status | <status> | <status> |
init | N/A | N/A |
mode | N/A | N/A |
dir | N/A | N/A |
stage | N/A | N/A |
role | N/A | N/A |
result | <result> | <result> |
tunneltype | N/A | <objecttype> |
dst_host | <dname> | <dname> |
reason | <reason> | <reason> |
duration | <seconds> | <seconds> |
sentbyte | <bytesout> | N/A |
rcvdbyte | <bytesin> | <bytesin> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
1010177 | Event : VPN | Base Rule | General VPN Traffic Event | Network Traffic |
VPN Neg I P1 Error | Sub Rule | General IPSec Error | Error | |
VPN Neg Progress P1 Error | Sub Rule | IPSec Progress Error | Error | |
VPN Neg Progress P2 Error | Sub Rule | IPSec Progress Error | Error | |
VPN Conn Stats | Sub Rule | General IPSec Information | Information | |
VPN Neg Generic P2 Notif IKEV2 | Sub Rule | IPSec Negotiation | Network Traffic | |
VPN Neg I P1 Error IKEV2 | Sub Rule | IPSec Negotiation Error | Error | |
VPN Neg Progress P1 Notif IKEV2 | Sub Rule | IPSec Information Message | Information | |
VPN Neg Progress P1 Error IKEV2 | Sub Rule | IPSec Progress Error | Error | |
VPN Neg Progress P2 Notif IKEV2 | Sub Rule | IPSec Information Message | Information | |
VPN Install SA IKEV2 | Sub Rule | Installed IPSec Security Association | Information | |
VPN Conn Stats IKEV2 | Sub Rule | IPSec Information Message | Information | |
VPN Event SSL VPN User Tunnel UP | Sub Rule | VPN Session Started | Other Audit Success | |
VPN Event SSL VPN User Tunnel DOWN | Sub Rule | VPN Connection Closed | Other Audit Success | |
VPN Event SSL VPN User SSL Login Fail | Sub Rule | Connection Authentication Failed | Authentication Failure | |
VPN Event SSL VPN Session Cert Ok | Sub Rule | Certificate Valid | Information | |
VPN Event SSL VPN Session New Con | Sub Rule | VPN Session Started | Network Traffic | |
VPN Event SSL VPN Session Tunnel Up | Sub Rule | VPN Session Started | Network Traffic | |
VPN Event SSL VPN Session Tunnel Down | Sub Rule | VPN Session Terminated | Network Traffic | |
VPN Event SSL VPN Session Tunnel Stats | Sub Rule | VPN Session Information | Information | |
VPN Event VPN Cert Regen | Sub Rule | Certificate Renewal Request | Activity |
LogRhythm Default v2.0
Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
1013170 | V 2.0 : Event : VPN | Base Rule | VPN Session Information | Information |
V 2.0 : VPN Neg I P1 Error | Sub Rule | General IPSec Error | Error | |
V 2.0 : VPN Neg Progress P1 Error | Sub Rule | IPSec Progress Error | Error | |
V 2.0 : VPN Neg Progress P2 Error | Sub Rule | IPSec Progress Error | Error | |
V 2.0 : VPN Conn Stats | Sub Rule | General IPSec Information | Information | |
V 2.0 : VPN Neg Generic P2 Notif IKEV2 | Sub Rule | Notification Of An IPSec Negotiation | Information | |
V 2.0 : VPN Neg I P1 Error IKEV2 | Sub Rule | IPSec Negotiation Error | Error | |
V 2.0 : VPN Neg Progress P1 Notif IKEV2 | Sub Rule | IPSec Information Message | Information | |
V 2.0 : VPN Neg Progress P1 Error IKEV2 | Sub Rule | IPSec Progress Error | Error | |
V 2.0 : VPN Neg Progress P2 Notif IKEV2 | Sub Rule | IPSec Information Message | Information | |
V 2.0 : VPN Install SA IKEV2 | Sub Rule | Installed IPSec Security Association | Information | |
V 2.0 : VPN Conn Stats IKEV2 | Sub Rule | IPSec Information Message | Information | |
V 2.0 : VPN Event SSL VPN User Tunnel UP | Sub Rule | General TUNNEL Message | Information | |
V 2.0 : VPN Event SSL VPN User Tunnel DOWN | Sub Rule | VPN Tunnel Failure | Warning | |
V 2.0 : VPN Event SSL VPN User SSL Login Fail | Sub Rule | Authentication Failure Activity | Authentication Failure | |
V 2.0 : VPN Event SSL VPN Session Cert Ok | Sub Rule | Certificate Valid | Information | |
V 2.0 : VPN Event SSL VPN Session New Con | Sub Rule | VPN Session Started | Network Traffic | |
V 2.0 : VPN Event SSL VPN Session Tunnel Up | Sub Rule | VPN Session Started | Network Traffic | |
V 2.0 : VPN Event SSL VPN Session Tunnel Down | Sub Rule | VPN Tunnel Failure | Warning | |
V 2.0 : VPN Event SSL VPN Session Tunnel Stats | Sub Rule | VPN Session Information | Information | |
V 2.0 : VPN Event VPN Cert Regen | Sub Rule | Certificate Renewal Request | Activity |