LSO FortiGate - UTM : WebFilter
Vendor Documentation
Log Fields and Parsing
This section lists the log fields carried by this log message type and the LogRhythm metadata field each one is parsed into under the LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that the policy does not parse that log field into any metadata field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
---|---|---|
Header: Severity | <severity> | N/A |
date | N/A | N/A |
time | N/A | N/A |
logid | <vmid> | <vmid> |
type | N/A | <vendorinfo> |
subtype | N/A | N/A |
eventtype | N/A | N/A |
level | N/A | <severity> |
vd | N/A | <sessiontype> |
eventtime | N/A | N/A |
policyid | <policy> | <policy> |
sessionid | <session> | <session> |
user | <login> | <login> |
group | <group> | N/A |
srcip | <sip> | <sip> |
srcport | <sport> | <sport> |
srcintf | <sinterface> | <sinterface> |
srcintfrole | N/A | N/A |
dstip | <dip> | <dip> |
dstport | <dport> | <dport> |
dstintf | <dinterface> | <dinterface> |
dstintfrole | N/A | N/A |
proto | <protnum> | <protnum> |
service | <sessiontype> | <protname> |
hostname | <dname> | <dname> |
profile | N/A | <account> |
action | <action> | <action> |
reqtype | <reason> | <objecttype> |
url | <url> | <url> |
sentbyte | <bytesout> | <bytesout> |
rcvdbyte | <bytesin> | <bytesin> |
keyword | <object> | N/A |
direction | N/A | N/A |
msg | <subject> | <subject> |
method | N/A | <command> |
cat | <size> | N/A |
catdesc | <group> | <threatname> |
User-Agent | <useragent> | N/A |
crscore | N/A | <threatid> |
craction | N/A | N/A |
crlevel | N/A | N/A |
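The following Python script is an added example, not LogRhythm or Fortinet code. It parses a FortiGate key=value log line (quoted values such as msg and catdesc may contain spaces), applies the two field mappings transcribed from the table above, and reports source fields that share one LogRhythm target: under LogRhythm Default both group and catdesc map to <group>, so only one of the two values can survive when both are present. The sample log line, its logid and category values, and the set of targets treated as numeric are constructed assumptions for illustration.

```python
"""Parse FortiGate UTM WebFilter key=value log lines and map their fields to
LogRhythm metadata per the LogRhythm Default and Default v2.0 tables.

Added example; not LogRhythm or Fortinet code. The sample line below is
constructed for illustration, not captured from a device."""
import re
from collections import defaultdict

# Source field -> LogRhythm metadata field, transcribed from the table above.
# "Header: Severity" is the syslog header, not a key=value field, so it is omitted.
DEFAULT_V1 = {
    "logid": "vmid", "policyid": "policy", "sessionid": "session", "user": "login",
    "group": "group", "srcip": "sip", "srcport": "sport", "srcintf": "sinterface",
    "dstip": "dip", "dstport": "dport", "dstintf": "dinterface", "proto": "protnum",
    "service": "sessiontype", "hostname": "dname", "action": "action",
    "reqtype": "reason", "url": "url", "sentbyte": "bytesout", "rcvdbyte": "bytesin",
    "keyword": "object", "msg": "subject", "cat": "size", "catdesc": "group",
    "User-Agent": "useragent",
}
DEFAULT_V2 = {
    "logid": "vmid", "type": "vendorinfo", "level": "severity", "vd": "sessiontype",
    "policyid": "policy", "sessionid": "session", "user": "login", "srcip": "sip",
    "srcport": "sport", "srcintf": "sinterface", "dstip": "dip", "dstport": "dport",
    "dstintf": "dinterface", "proto": "protnum", "service": "protname",
    "hostname": "dname", "profile": "account", "action": "action",
    "reqtype": "objecttype", "url": "url", "sentbyte": "bytesout",
    "rcvdbyte": "bytesin", "msg": "subject", "method": "command",
    "catdesc": "threatname", "crscore": "threatid",
}
# Assumption: these LogRhythm targets are treated as integers in this example.
NUMERIC = {"sport", "dport", "protnum", "bytesout", "bytesin", "size", "threatid"}

# key=value pairs: the value is either double-quoted (may contain spaces and
# \" escapes) or an unquoted run of non-space characters. Keys may contain '-'.
_KV = re.compile(r'([A-Za-z][\w-]*)=("(?:[^"\\]|\\.)*"|[^\s"]*)')


def parse_fortigate(line: str) -> dict:
    """Return the raw key=value fields of one FortiGate log line."""
    fields = {}
    for key, raw in _KV.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def map_fields(fields: dict, policy: dict) -> dict:
    """Project parsed fields onto LogRhythm metadata using one policy mapping.
    Fields marked N/A in the table are absent from the mapping and are skipped.
    Numeric targets are converted when the value is an integer; otherwise the
    string is kept so a malformed log does not silently lose the field."""
    out = {}
    for key, value in fields.items():
        target = policy.get(key)
        if target is None:
            continue
        if target in NUMERIC and value.lstrip("-").isdigit():
            value = int(value)
        out[target] = value  # later source fields overwrite earlier ones
    return out


def mapping_collisions(policy: dict) -> dict:
    """Source fields that share one LogRhythm target; if both appear in a log,
    only one value can land in that metadata field."""
    by_target = defaultdict(list)
    for src, dst in policy.items():
        by_target[dst].append(src)
    return {dst: srcs for dst, srcs in by_target.items() if len(srcs) > 1}


# Constructed sample: a FortiGuard category block, for illustration only.
SAMPLE = (
    'date=2024-01-15 time=10:23:45 logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="root" eventtime=1705314225 policyid=5 '
    'sessionid=123456 user="jdoe" group="staff" srcip=10.1.1.25 srcport=51234 '
    'srcintf="port2" srcintfrole="lan" dstip=203.0.113.10 dstport=443 dstintf="port1" '
    'dstintfrole="wan" proto=6 service="HTTPS" hostname="bad.example" profile="default" '
    'action="blocked" reqtype="direct" url="/" sentbyte=0 rcvdbyte=0 direction="outgoing" '
    'msg="URL belongs to a denied category in policy" method="domain" cat=26 '
    'catdesc="Malicious Websites" crscore=30 craction=4194304 crlevel="high"'
)

if __name__ == "__main__":
    raw = parse_fortigate(SAMPLE)
    for name, policy in (("LogRhythm Default", DEFAULT_V1),
                         ("LogRhythm Default v2.0", DEFAULT_V2)):
        print(name, map_fields(raw, policy))
        print("  shared targets:", mapping_collisions(policy))
```

Running the script shows the same FortiGate line landing in different metadata fields under each policy (service becomes <sessiontype> in Default but <protname> in v2.0; catdesc becomes <group> in Default but <threatname> in v2.0), which is what to check before reusing a Default-era AIE rule or report against logs processed by the v2.0 policy.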
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
Regex ID | Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|---|
1010170 | UTM: WebFilter | Base Rule | General WebFilter Event | Information |
| | Webfilter Url Filter Block | Sub Rule | General WebFilter URLFilter Warning | Warning |
| | Webfilter Url Filter Exempt | Sub Rule | General WebFilter URLFilter Information | Information |
| | Webfilter Url Filter Allow | Sub Rule | General WebFilter URLFilter | Information |
| | Webfilter Url Filter Srv Cert Err Blk | Sub Rule | General WebFilter URLFilter | Information |
| | Webfilter Url Filter Srv Cert Err Pass | Sub Rule | General WebFilter URLFilter | Information |
| | Webfilter Web Ftgd Warning | Sub Rule | General WebFilter URLFilter | Information |
| | Webfilter Web Ftgd Cat Blk | Sub Rule | General WebFilter URLFilter | Information |
| | Webfilter Web Ftgd Cat Warn | Sub Rule | General WebFilter URLFilter | Information |
| | Webfilter Web Ftgd Cat Allow | Sub Rule | General WebFilter URLFilter | Information |
| | Webfilter Web Url | Sub Rule | General WebFilter URLFilter | Information |
| | Webfilter Web Scriptfilter ActiveX | Sub Rule | General WebFilter URLFilter | Information |
| | Web Content Banned Word Found | Sub Rule | Banned Word Notice | Information |
| | Web Content MMS Banned Word Found | Sub Rule | Blocked Message Banned Attachment | Failed Activity |
| | Web Content Exempt Word Found | Sub Rule | Web Content MMS Exempt Word | Activity |
| | Web Content MMS Exempt Word Found | Sub Rule | Web Content MMS Exempt Word | Activity |
| | Message Contained A KeyWord In The Profile List | Sub Rule | General WEB Information | Information |
| | Search Phrase Detected | Sub Rule | General WebFilter URLFilter | Information |
| | Web Content MMS Banned Word | Sub Rule | Banned File Written | Warning |
| | The Request Contained An Invalid Domain Name | Sub Rule | Connection Or Ports Invalid | Error |
| | HTTP Cert Request Contained An Invalid Domain | Sub Rule | SSL Certificate Invalid | Information |
| | HTTP Certificate Request Contained An Invalid Name | Sub Rule | SSL Certificate Signature Invalid | Information |
| | HTTPS Certificate Request Contained An Invalid Nam | Sub Rule | SSL Certificate Signature Invalid | Information |
| | Insufficient Resources | Sub Rule | Insufficient Resources | Critical |
| | Getting The Host Name Failed | Sub Rule | Hostname Not Found | Warning |
| | Server Certificate Validation Failed | Sub Rule | Certificate Verification Failure | Error |
| | SSL Session Blocked | Sub Rule | Session Invalidated | Warning |
| | Service Not Active | Sub Rule | User Session Timeout | Information |
| | Rating Error Occurred | Sub Rule | Rating Error | Error |
| | URL Passed | Sub Rule | Test Point Passed | Information |
| | URL Blocked By Websense Service | Sub Rule | Web Site Blocked - Category | Failed Activity |
| | URL Blocked By Websense Service | Sub Rule | Web Site Blocked - Category | Failed Activity |
| | URL Allowed By Websense Service | Sub Rule | Web Site Blocked - Category | Failed Activity |
| | URL Address Exempted | Sub Rule | General Traffic Allowed Information | Information |
| | Rating Error Occurred | Sub Rule | Rating Error | Error |
| | Daily FortiGuard Quota Status | Sub Rule | General DiskQuota Information | Information |
| | URL Belongs To An Override Rule | Sub Rule | URL Exempted | Activity |
| | URL Belongs To An Override Rule | Sub Rule | URL Exempted | Activity |
| | FortiGuard Web Filter Category Quota Counting Log | Sub Rule | General DiskQuota Information | Information |
| | FortiGuard Web Filter Category Quota ExpiredLogMsg | Sub Rule | General DiskQuota Information | Information |
| | Cookie Removed | Sub Rule | Cookie Removed | Information |
| | Java Applet Removed | Sub Rule | Java Applet Removed | Information |
| | Script Entity Removed | Sub Rule | ActiveX Script Removed | Information |
| | Cookie Removed Entirely | Sub Rule | Cookie Removed | Information |
| | Referrer Removed From Request | Sub Rule | Object Modified | Access Success |
| | Command Blocked | Sub Rule | Process Blocked | Failed Activity |
| | Blocked By HTTP Header Content Type | Sub Rule | General WebFilter URLFilter | Information |
| | Depends On Info In Msg Field | Sub Rule | General WebFilter URLFilter | Information |
| | Depends On Info In Msg Field | Sub Rule | General WebFilter URLFilter | Information |
LogRhythm Default v2.0
Regex ID | Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|---|
1013188 | V 2.0: UTM: Web-Filter | Base Rule | General Web Filter Message | Information |
| | V 2.0: Webfilter Url Filter Block | Sub Rule | Web Activity Blocked | Failed Activity |
| | V 2.0: Webfilter Url Filter Exempt | Sub Rule | URL Exempted | Activity |
| | V 2.0: Webfilter Url Filter Allow | Sub Rule | General WebFilter URLFilter | Information |
| | V 2.0: Webfilter Url Filter Srv Cert Err Blk | Sub Rule | Session Information | Information |
| | V 2.0: Webfilter Url Filter Srv Cert Err Pass | Sub Rule | Session Information | Information |
| | V 2.0: Webfilter Web Ftgd Warning | Sub Rule | Rating Error | Error |
| | V 2.0: Webfilter Web Ftgd Cat Blk | Sub Rule | Blocked Message | Failed Activity |
| | V 2.0: Webfilter Web Ftgd Cat Warn | Sub Rule | General Warning | Warning |
| | V 2.0: Webfilter Web Ftgd Cat Allow | Sub Rule | URL Information | Information |
| | V 2.0: Webfilter Web Url | Sub Rule | URL Information | Information |
| | V 2.0: Webfilter Web Scriptfilter ActiveX | Sub Rule | ActiveX Script Removed | Information |
| | V 2.0: Web Content Banned Word Found | Sub Rule | Banned Word Notice | Information |
| | V 2.0: Web Content MMS Banned Word Found | Sub Rule | Blocked Message Banned Attachment | Failed Activity |
| | V 2.0: Web Content Exempt Word Found | Sub Rule | Web Content MMS Exempt Word | Activity |
| | V 2.0: Web Content MMS Exempt Word Found | Sub Rule | Web Content MMS Exempt Word | Activity |
| | V 2.0: Message Contain A KeyWord In Profile List | Sub Rule | General WEB Information | Information |
| | V 2.0: Search Phrase Detected | Sub Rule | Search | Information |
| | V 2.0: Web Content MMS Banned Word | Sub Rule | Banned Word Notice | Information |
| | V 2.0: Request Contained An Invalid Domain Name | Sub Rule | Invalid Domain Name | Information |
| | V 2.0: HTTP Cert Request Contain Invalid Domain | Sub Rule | Invalid Domain Name | Information |
| | V 2.0: HTTP Certi Req Contained An Invalid Name | Sub Rule | Invalid Name | Warning |
| | V 2.0: HTTP Certi Req Contained An Invalid Name | Sub Rule | Invalid Name | Warning |
| | V 2.0: Insufficient Resources | Sub Rule | Insufficient Resources | Critical |
| | V 2.0: Getting The Host Name Failed | Sub Rule | Hostname Not Found | Warning |
| | V 2.0: Server Certificate Validation Failed | Sub Rule | Certificate Verification Failure | Error |
| | V 2.0: SSL Session Blocked | Sub Rule | Session Invalidated | Warning |
| | V 2.0: Service Not Active | Sub Rule | FortiGuard Service Not Enabled | Critical |
| | V 2.0: Rating Error Occurred | Sub Rule | Rating Error | Error |
| | V 2.0: URL Passed | Sub Rule | URL Information | Information |
| | V 2.0: URL Blocked By Websense Service | Sub Rule | Web Site Blocked - Category | Failed Activity |
| | V 2.0: URL Blocked With Redirect Msg By Websense | Sub Rule | Web Site Blocked - Category | Failed Activity |
| | V 2.0: URL Allowed By Websense Service | Sub Rule | URL Information | Information |
| | V 2.0: URL Address Exempted | Sub Rule | URL Exempted | Activity |
| | V 2.0: Rating Error Occurred | Sub Rule | Rating Error | Error |
| | V 2.0: Daily FortiGuard Quota Status | Sub Rule | URL Access Statistics | Information |
| | V 2.0: URL Belongs To An Override Rule | Sub Rule | URL Information | Information |
| | V 2.0: URL Belongs To An Override Rule | Sub Rule | URL Information | Information |
| | V 2.0: FortiGuard Web Filter Category Quota Expir | Sub Rule | URL Access Statistics | Information |
| | V 2.0: Cookie Removed | Sub Rule | Cookie Removed | Information |
| | V 2.0: Java Applet Removed | Sub Rule | Java Applet Removed | Information |
| | V 2.0: Script Entity Removed | Sub Rule | ActiveX Script Removed | Information |
| | V 2.0: Cookie Removed Entirely | Sub Rule | Cookie Removed | Information |
| | V 2.0: Referrer Removed From Request | Sub Rule | Object Modified | Access Success |
| | V 2.0: Command Blocked | Sub Rule | Process Blocked | Failed Activity |
| | V 2.0: Blocked By HTTP Header Content Type | Sub Rule | Blocked Message | Failed Activity |
| | V 2.0: Depends On Info In Msg Field | Sub Rule | General WEB Information | Information |
| | V 2.0: Depends On Info In Msg Field | Sub Rule | General WEB Information | Information |
| | V 2.0: FortiGuard WebFilter Cate Quota Count Log | Sub Rule | URL Access Statistics | Information |
| | V 2.0: CONTENT_TYPE_EXEMPT | Sub Rule | URL Exempted | Activity |
| | V 2.0: ANTIPHISH_MATCH_URL_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | V 2.0: ANTIPHISH_MATCH_FTGD_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | V 2.0: ANTIPHISH_MATCH_DEFAULT_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | V 2.0: ANTIPHISH_MATCH_URL_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| | V 2.0: ANTIPHISH_MATCH_FTGD_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| | V 2.0: ANTIPHISH_MATCH_DEFAULT_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| | V 2.0: VIDEOFILTER_CATEGORY_BLOCK | Sub Rule | Blocked Message | Failed Activity |
| | V 2.0: VIDEOFILTER_CATEGORY_MONITOR | Sub Rule | General MONITOR Message | Information |
| | V 2.0: VIDEOFILTER_CATEGORY_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | V 2.0: VIDEOFILTER_CHANNEL_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| | V 2.0: VIDEOFILTER_CHANNEL_MONITOR | Sub Rule | General MONITOR Message | Information |
| | V 2.0: VIDEOFILTER_CHANNEL_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | V 2.0: UNKNOWN_CE_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| | V 2.0: UNKNOWN_CE_BYPASS | Sub Rule | Traffic Redirected | Network Traffic |
| | V 2.0: VIDEOFILTER_TITLE_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| | V 2.0: VIDEOFILTER_TITLE_MONITOR | Sub Rule | General MONITOR Message | Information |
| | V 2.0: VIDEOFILTER_TITLE_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | V 2.0: VIDEOFILTER_DESCRIPTION_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| | V 2.0: VIDEOFILTER_DESCRIPTION_MONITOR | Sub Rule | General MONITOR Message | Information |
| | V 2.0: VIDEOFILTER_DESCRIPTION_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |