Breadcrumbs

Syslog - Fortinet FortiGate (Log Source Optimization)

Device Details

Device Name

Syslog - Fortinet FortiGate

Vendor

Fortinet

Device Type

FortiGate Firewall

Supported Model Name/Number

N/A

Supported Software Version

N/A

Collection Method

Syslog

Configurable Log Output

N/A

Log Source Type

Syslog - Fortinet FortiGate

Log Processing Policy

LogRhythm Default V 2.0

Exceptions

N/A

Valid Log Format For Parser

The Syslog - Fortinet FortiGate Log Source Type supports log samples where key-value pairs are formatted with the values enclosed inside double quotation marks ("). For an example of the supported format, see the Traffic Logs > Forward Traffic sample log in the link below.

https://docs.fortinet.com/document/fortigate/7.0.12/administration-guide/986892/sample-logs-by-log-type

Users should contact the Fortinet support team for assistance if there is any other format for the values appearing in logs.

Additional Information

N/A

Supported Log Messages

(List of LR tags used to parse the log information for each message type)

Type

Product Version

Supported Schema Fields

V 2.0: Catch-All

N/A

<severity>, <tag1>

V 2.0: Event Connector

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <object>, <action>, <tag1>, <sip>, <subject>

V 2.0: Event Endpoint

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <action>, <tag1>, <status>, <objecttype>, <quantity>, <login>, <sip>, <objectname>, <object>, <subject>

V 2.0: Event FortiExtender

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <serialnumber>, <sip>, <action>, <reason>, <parentprocessname>, <bytesin>, <bytesout>, <subject>

V 2.0: Event HA

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <subject>, <group>, <serialnumber>

V 2.0: Event Rest-API

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <login>, <sinterface>, <command>, <status>, <url>

V 2.0: Event Router

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <parentprocessname>, <action>, <dmac>, <sinterface>, <subject>, <objecttype>, <sip>, <status>

V 2.0: Event SDWAN

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <objecttype>, <object>, <dinterface>, <status>, <subject>

V 2.0: Event Security Rating

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <subject>, <result>

V 2.0: Event Switch-Controller

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <login>, <sinterface>, <serialnumber>, <subject>

V 2.0: Event System

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <serialnumber>, <login>, <sip>, <dip>, <action>, <status>, <reason>, <result>, <subject>

V 2.0: Event User

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <sip>, <dip>, <sinterface>, <login>, <group>, <action>, <status>, <reason>, <subject>

V 2.0: Event VPN

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <subject>, <action>, <dip>, <sip>, <dport>, <sport>, <login>, <group>, <status>, <result>, <objecttype>, <dname>, <seconds>, <bytesin>, <reason>, <object>

V 2.0: Event WAD

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <session>, <policy>, <sip>, <sport>, <dip>, <dport>, <action>, <threatid>, <threatname>, <subject>

V 2.0: Event Wireless

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <action>, <object>, <objectname>, <objecttype>, <smac>, <quantity>, <status>, <login>, <domainorigin>, <sip>, <reason>, <subject>

V 2.0: System event Endpoint

N/A

<version>, <vendorinfo>, <severity>, <sessiontype>, <sname>, <domainorigin>, <sip>, <smac>, <policy>, <objecttype>, <login>, <action>, <status>

V 2.0: Systemevent System

N/A

<version>, <vendorinfo>, <severity>, <sessiontype>, <sname>, <domainorigin>, <sip>, <smac>, <policy>, <objecttype>, <login>, <action>

V 2.0: Traffic Forward

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <sip>, <sname>, <sport>, <sinterface>, <dip>, <dport>, <dinterface>, <session>, <protnum>, <action>, <tag1>, <policy>, <parentprocessname>, <snatip>, <snatport>, <object>, <objectname>, <objecttype>, <threatname>, <seconds>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <status>, <tag2>, <quantity>, <smac>, <login>, <domainorigin>, <account>

V 2.0: Traffic Forward VMID13

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <sip>, <sname>, <sport>, <sinterface>, <dip>, <dport>, <dinterface>, <session>, <protnum>, <action>, <tag1>, <policy>, <parentprocessname>, <snatip>, <snatport>, <object>, <objectname>, <objecttype>, <threatname>, <seconds>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <status>, <tag2>, <quantity>, <smac>, <dmac>, <login>, <domainorigin>, <account>

V 2.0: Traffic HTTPS

N/A

<version>, <vmid>, <vendorinfo>, <severity>, <sessiontype>, <protname>, <parentprocessname>, <status>, <reason>, <policy>, <sip>, <sport>, <dip>, <dport>, <bytesout>, <bytesin>, <objecttype>, <url>, <useragent>, <responsecode>, <subject>, <group>, <sname>, <login>

V 2.0: Traffic Local

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <sip>, <sport>, <dip>, <dport>, <protnum>, <action>, <tag1>, <policy>, <parentprocessname>, <seconds>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <object>, <objecttype>

V 2.0: Traffic Multicast

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <sip>, <sport>, <dip>, <dport>, <protnum>, <action>, <tag1>, <policy>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <object>, <parentprocessname>

V 2.0: Traffic Sniffer

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <sip>, <sport>, <dip>, <dport>, <session>, <action>, <tag1>, <policy>, <snatip>, <snatport>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <object>, <parentprocessname>, <status>, <tag2>, <amount>

V 2.0: Traffic System

N/A

<version>, <vendorinfo>, <severity>, <sessiontype>, <sname>, <domainorigin>, <smac>, <policy>, <objecttype>, <login>, <subject>, <session>, <process>, <sip>, <sport>, <dip>, <dname>, <dport>, <protnum>, <bytesin>, <bytesout>, <action>, <threatname>, <parentprocessname>, <url>

V 2.0: UTM Anamoly

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <sip>, <dip>, <sinterface>, <session>, <action>, <protnum>, <parentprocessname>, <quantity>, <threatname>, <threatid>, <policy>, <url>, <subject>

V 2.0: UTM Antivirus

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <subject>, <action>, <parentprocessname>, <session>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <policy>, <protnum>, <object>, <result>, <status>, <threatname>, <threatid>, <url>, <useragent>, <sender>, <recipient>

V 2.0: UTM App-Ctrl

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <object>, <login>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <parentprocessname>, <policy>, <session>, <objecttype>, <objectname>, <action>, <dname>, <serialnumber>, <url>, <subject>, <snatip>

V 2.0: UTM DLP

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <policy>, <session>, <sip>, <sport>, <sinterface>, <dip>, <dport>, <dinterface>, <protnum>, <parentprocessname>, <objecttype>, <action>, <sname>, <url>, <useragent>, <object>

V 2.0: UTM DNS

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <policy>, <session>, <sip>, <sport>, <sinterface>, <dip>, <dport>, <dinterface>, <protnum>, <domainimpacted>, <smac>, <subject>, <action>, <object>, <objectname>

V 2.0: UTM Emailfilter

N/A

<version>, <vmid>, <vendorinfo>, <severity>, <sessiontype>, <policy>, <session>, <sip>, <sport>, <sinterface>, <dip>, <dport>, <dinterface>, <protnum>, <parentprocessname>, <action>, <sender>, <recipient>, <subject>, <size>

V 2.0: UTM File-Filter

N/A

<vmid>, <vendorinfo>, <severity>, <sessiontype>, <policy>, <session>, <group>, <sip>, <sport>, <sinterface>, <dip>, <dport>, <dinterface>, <protnum>, <parentprocessname>, <action>, <url>, <dname>, <useragent>, <object>, <size>, <objecttype>, <subject>

V 2.0: UTM IPS

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <sip>, <dip>, <sinterface>, <dinterface>, <session>, <action>, <protnum>, <parentprocessname>, <policy>, <threatname>, <sport>, <dport>, <dname>, <url>, <threatid>, <subject>

V 2.0: UTM SSH

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <policy>, <session>, <sip>, <sport>, <dip>, <dport>, <sinterface>, <dinterface>, <protnum>, <action>, <login>, <object>

V 2.0: UTM SSL

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <action>, <policy>, <session>, <parentprocessname>, <sip>, <sport>, <dip>, <dport>, <sinterface>, <dinterface>, <protnum>, <subject>, <reason>, <dname>, <serialnumber>, <hash>, <size>, <tag1>

V 2.0: UTM VOIP

N/A

<version>, <sname>, <vmid>, <vendorinfo>, <severity>, <sessiontype>, <session>, <sip>, <sport>, <dip>, <dport>, <protnum>, <policy>, <protname>, <action>, <status>, <seconds>, <sender>, <recipient>

V 2.0: UTM WAF

N/A

<sname>, <vmid>, <vendorinfo>, <sessiontype>, <policy>, <session>, <sip>, <sport>, <dip>, <dport>, <sinterface>, <dinterface>, <protnum>, <parentprocessname>, <url>, <severity>, <action>, <useragent>, <subject>

V 2.0: UTM Web-Filter

N/A

<vendorinfo>, <vmid>, <severity>, <sessiontype>, <policy>, <session>, <login>, <sip>, <sport>, <sinterface>, <dip>, <dport>, <dinterface>, <protnum>, <parentprocessname>, <dname>, <account>, <action>, <objecttype>, <url>, <bytesout>, <bytesin>, <subject>, <command>, <threatname>, <threatid>

Revision History

KB Version

Log Type

Change Type

Details

KB 7.1.674.0

Syslog - Fortinet FortiGate

New Log Source Optimization (LSO) policy: LogRhythm Default v2.0

Optimized new log processing policy for Syslog - Fortinet FortiGate.