
LSO FortiGate - UTM : App

Vendor Documentation

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log Field           LogRhythm Default       LogRhythm Default v2.0
Header: Severity    <severity>              N/A
date                N/A                     N/A
time                N/A                     N/A
logid               <vmid>, <tag1>          <vmid>
type                N/A                     <vendorinfo>
subtype             N/A                     N/A
eventtype           N/A                     N/A
level               N/A                     <severity>
vd                  N/A                     N/A
eventtime           N/A                     N/A
appid               <processid>             <object>
user                <account>               <login>
group               <group>                 N/A
srcip               <sip>                   <sip>
dstip               <dip>                   <dip>
srcport             <sport>                 <sport>
dstport             <dport>                 <dport>
srcintf             <sinterface>            <sinterface>
srcintfrole         N/A                     N/A
dstintf             <dinterface>            <dinterface>
dstintfrole         N/A                     N/A
proto               <protnum>               <protnum>
service             N/A                     <protname>
direction           N/A                     N/A
policyid            <policy>                <policy>
policytype          <process>               N/A
sessionid           <session>               <session>
applist             N/A                     N/A
appcat              <objectname>            <objecttype>
app                 <object>                <objectname>
action              <action>                <action>
hostname            <dname>                 <dname>
incidentserialno    N/A                     <serialnumber>
url                 <url>                   <url>
agent               <useragent>             N/A
msg                 N/A                     <subject>
apprisk             <severity>              N/A
scertcname          <parentprocessname>     N/A
scertissuer         <objecttype>            N/A

Note that the Default policy takes <severity> from the syslog header priority (and also from apprisk), while v2.0 takes it from the FortiGate level field; appcat and app swap between <objectname>/<object> in Default and <objecttype>/<objectname> in v2.0. Any saved search, AIE rule or report keyed on those fields needs updating when a deployment moves from one policy to the other.

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex ID   Rule Name                               Rule Type   Common Event                              Classification
1010161    UTM : App                               Base Rule   General Application Control Message       Information
           UTM App Ctrl IPS Pass                   Sub Rule    Traffic Allowed by IDS/IPS                Network Allow
           UTM App Ctrl IPS Block                  Sub Rule    Traffic Denied by IDS/IPS                 Network Deny
           UTM App Ctrl IPS Reset                  Sub Rule    General IPS Message                       Information
           LOGID_APP_CTRL_IM_BASIC                 Sub Rule    General VDS Basic Provider 1.0 Information  Information
           LOGID_APP_CTRL_IM_BASIC_WITH_STATUS     Sub Rule    Task Status                               Information
           LOGID_APP_CTRL_IM_BASIC_WITH_COUNT      Sub Rule    IM Activity                               Activity
           LOGID_APP_CTRL_IM_FILE                  Sub Rule    Application Control IM Message            Information
           LOGID_APP_CTRL_IM_CHAT                  Sub Rule    Application Control IM Message            Information
           LOGID_APP_CTRL_IM_CHAT_BLOCK            Sub Rule    Failed IM/Chat Activity                   Failed Misuse
           LOGID_APP_CTRL_IM_BLOCK                 Sub Rule    IM/Chat Activity                          Misuse
           LOGID_APP_CTRL_SSH_PASS                 Sub Rule    SSH Session Opened                        Network Traffic
           LOGID_APP_CTRL_SSH_BLOCK                Sub Rule    Denied SSH Session                        Warning

LogRhythm Default v2.0

Regex ID   Rule Name                                      Rule Type   Common Event                              Classification
1013190    V 2.0 : UTM : App-Ctrl                         Base Rule   General Application Control Message       Information
           V 2.0 : UTM App Ctrl IPS Pass                  Sub Rule    Traffic Allowed by IDS/IPS                Network Allow
           V 2.0 : UTM App Ctrl IPS Block                 Sub Rule    Traffic Denied by IDS/IPS                 Network Deny
           V 2.0 : UTM App Ctrl IPS Reset                 Sub Rule    General IPS Message                       Information
           V 2.0 : Logid_App_Ctrl_Im_Basic                Sub Rule    Application Control IM Message            Information
           V 2.0 : Logid_App_Ctrl_Im_Basic_With_Status    Sub Rule    Application Control IM Message            Information
           V 2.0 : Logid_App_Ctrl_Im_Basic_With_Count     Sub Rule    Application Control IM Message            Information
           V 2.0 : Logid_App_Ctrl_Im_File                 Sub Rule    Application Control IM Message            Information
           V 2.0 : Logid_App_Ctrl_Im_Chat                 Sub Rule    Application Control IM Message            Information
           V 2.0 : Logid_App_Ctrl_Im_Chat_Block           Sub Rule    Application Control IM Message            Information
           V 2.0 : Logid_App_Ctrl_Im_Block                Sub Rule    Application Control IM Message            Information
           V 2.0 : Logid_App_Ctrl_Ssh_Pass                Sub Rule    SSH Session Opened                        Network Traffic
           V 2.0 : Logid_App_Ctrl_Ssh_Block               Sub Rule    Denied SSH Session                        Warning

In v2.0 the IM sub-rules all collapse to the single common event Application Control IM Message with classification Information, so the Default policy's Misuse and Failed Misuse classifications for blocked IM/chat traffic are no longer produced by those rules. Anything that alerted on those classifications must instead key on the action field (block) or on the IPS Block sub-rule's Network Deny classification.
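The following is an added worked example and not LogRhythm's or Fortinet's own code. It applies the field table and the v2.0 rule table above to raw FortiGate syslog lines: it tokenises the key="value" format, projects the keys the v2.0 policy parses onto their LogRhythm metadata names (dropping the ones listed as N/A), and picks the IPS Pass/Block/Reset sub-rule. Selecting the sub-rule from the action value is an assumption, since the page lists the sub-rules but not the conditions LogRhythm uses to choose them; the sample log lines, logids and device name are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# FortiGate app-ctrl key -> LogRhythm Default v2.0 metadata field, copied from the
# field table on this page. Keys the v2.0 policy parses as N/A are left out.
V2_FIELD_MAP: Dict[str, str] = {
    "logid": "vmid", "type": "vendorinfo", "level": "severity",
    "appid": "object", "user": "login", "srcip": "sip", "dstip": "dip",
    "srcport": "sport", "dstport": "dport", "srcintf": "sinterface",
    "dstintf": "dinterface", "proto": "protnum", "service": "protname",
    "policyid": "policy", "sessionid": "session", "appcat": "objecttype",
    "app": "objectname", "action": "action", "hostname": "dname",
    "incidentserialno": "serialnumber", "url": "url", "msg": "subject",
}

# (rule name, common event, classification) for the three IPS sub-rules in the
# v2.0 rule table. Keying them on `action` is an assumption made for this example.
V2_ACTION_RULES: Dict[str, Tuple[str, str, str]] = {
    "pass": ("V 2.0 : UTM App Ctrl IPS Pass", "Traffic Allowed by IDS/IPS", "Network Allow"),
    "block": ("V 2.0 : UTM App Ctrl IPS Block", "Traffic Denied by IDS/IPS", "Network Deny"),
    "reset": ("V 2.0 : UTM App Ctrl IPS Reset", "General IPS Message", "Information"),
}
V2_BASE_RULE = ("V 2.0 : UTM : App-Ctrl", "General Application Control Message", "Information")

# FortiGate emits space-separated key=value pairs: string values are double-quoted
# and may contain spaces, '=' or escaped quotes; numeric values are bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_kv(line: str) -> Dict[str, str]:
    """Tokenise one FortiGate syslog line into raw key -> value (quotes stripped)."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def map_to_v2(fields: Dict[str, str]) -> Dict[str, str]:
    """Project raw FortiGate keys onto LogRhythm Default v2.0 metadata names."""
    return {V2_FIELD_MAP[k]: v for k, v in fields.items() if k in V2_FIELD_MAP}


def select_v2_rule(fields: Dict[str, str]) -> Optional[Tuple[str, str, str]]:
    """Return (rule name, common event, classification), or None when the line is
    not a utm/app-ctrl log and therefore should not hit this base rule at all."""
    if fields.get("type") != "utm" or fields.get("subtype") != "app-ctrl":
        return None
    return V2_ACTION_RULES.get(fields.get("action", "").lower(), V2_BASE_RULE)


def process_line(line: str) -> Optional[Dict[str, object]]:
    """Parse, map and classify one line; None for lines outside this rule's scope."""
    fields = parse_fortigate_kv(line)
    rule = select_v2_rule(fields)
    if rule is None:
        return None
    return {"metadata": map_to_v2(fields), "rule": rule[0],
            "common_event": rule[1], "classification": rule[2]}


# Constructed sample lines (not real device output); logids, device name and
# addresses are placeholders chosen to resemble FortiGate app-ctrl logs.
SAMPLE_LOGS = [
    '<189>date=2024-03-05 time=14:02:11 devname="fw-edge-01" logid="1059028704" '
    'type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" '
    'vd="root" appid=16203 user="jsmith" srcip=10.20.1.45 dstip=203.0.113.40 '
    'srcport=52144 dstport=443 srcintf="port2" dstintf="wan1" proto=6 '
    'service="HTTPS" policyid=12 sessionid=884213 appcat="Collaboration" '
    'app="Slack" action="pass" hostname="slack.com" incidentserialno=184001 '
    'url="/" msg="Collaboration: Slack" apprisk="elevated"',
    '<189>date=2024-03-05 time=14:03:40 devname="fw-edge-01" logid="1059028705" '
    'type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="warning" '
    'vd="root" appid=40568 user="jsmith" srcip=10.20.1.45 dstip=198.51.100.9 '
    'srcport=52201 dstport=443 srcintf="port2" dstintf="wan1" proto=6 '
    'service="HTTPS" policyid=12 sessionid=884377 appcat="Proxy" '
    'app="Tor" action="block" hostname="198.51.100.9" incidentserialno=184002 '
    'url="/" msg="Proxy: Tor, blocked by \\"Corp-AppCtrl\\"" apprisk="critical"',
    # A traffic log from the same device must not be classified by this rule.
    '<189>date=2024-03-05 time=14:04:02 devname="fw-edge-01" logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" srcip=10.20.1.45 '
    'dstip=203.0.113.40 action="accept"',
]


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        result = process_line(line)
        print(result["rule"] if result else "not app-ctrl", "|", line[:60])
```

The type/subtype guard matters in practice: a FortiGate sends traffic, event and other UTM subtypes to the same syslog destination, and a parser that keys only on action="block" will mis-classify firewall policy denies as application-control blocks. The quoted-value regex also keeps a msg value containing spaces or an embedded "=" from being split into bogus keys.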
