Syslog - Fortinet FortiGate (Log Source Optimization)
Device Details
Field | Value |
---|---|
Device Name | Syslog - Fortinet FortiGate |
Vendor | Fortinet |
Device Type | FortiGate Firewall |
Supported Model Name/Number | N/A |
Supported Software Version | N/A |
Collection Method | Syslog |
Configurable Log Output | N/A |
Log Source Type | Syslog - Fortinet FortiGate |
Log Processing Policy | LogRhythm Default V 2.0 |
Exceptions | N/A |
Valid Log Format For Parser | The Syslog - Fortinet FortiGate Log Source Type supports logs whose key-value pairs have the values enclosed in double quotation marks ("). For an example of the supported format, see the Traffic Logs > Forward Traffic sample log in the link below. If the values in your logs appear in any other format, contact the Fortinet support team for assistance. |
Additional Information | N/A |
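The format constraint in the Valid Log Format row, checked in code so a feed can be inspected before onboarding. This is an added example, not LogRhythm's or Fortinet's code; it assumes FortiGate `key=value` syntax and that a literal quote inside a value is escaped as `\"`, and the two sample lines are constructed, not device captures.

```python
import re
from typing import Dict, List, Tuple

# One key=value pair: the value is either double-quoted (escaped quotes
# tolerated, assumption about the vendor format) or a bare run of
# non-space characters. Bare values are what the KB does not support.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]*)')


def parse_fortigate_kv(line: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse a FortiGate key-value message body.

    Returns (fields, unquoted): `fields` maps each key to its value with
    the surrounding quotes removed; `unquoted` lists keys whose value was
    not enclosed in double quotes, i.e. pairs outside the supported format.
    """
    fields: Dict[str, str] = {}
    unquoted: List[str] = []
    for key, raw in _KV.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            fields[key] = raw[1:-1].replace('\\"', '"')
        else:
            fields[key] = raw
            unquoted.append(key)
    return fields, unquoted


def is_supported_format(line: str) -> bool:
    """True when every key=value pair on the line has a double-quoted value."""
    fields, unquoted = parse_fortigate_kv(line)
    return bool(fields) and not unquoted


# Constructed sample lines (not captured from a device). The first follows
# the supported format; the second mixes in unquoted values.
GOOD_LINE = ('<189>date="2024-01-15" time="10:22:31" devname="fgt-edge" '
             'logid="0000000013" type="traffic" subtype="forward" '
             'srcip="10.0.0.5" srcport="51234" dstip="203.0.113.9" '
             'dstport="443" action="accept" policyid="7" msg="session close"')
BAD_LINE = ('<189>date=2024-01-15 time=10:22:31 devname="fgt-edge" '
            'type="traffic" srcip=10.0.0.5 dstip="203.0.113.9" action="deny"')

if __name__ == "__main__":
    for name, line in (("good", GOOD_LINE), ("bad", BAD_LINE)):
        fields, unquoted = parse_fortigate_kv(line)
        verdict = "supported" if is_supported_format(line) else \
            "unsupported; unquoted keys: " + ", ".join(unquoted)
        print(name, verdict, fields.get("type"), fields.get("srcip"))
```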
Supported Log Messages
(List of LR tags used to parse the log information for each message type)
Type | Product Version | Supported Schema Fields |
---|---|---|
V 2.0 : Catch All | N/A | <severity>, <tag1> |
V 2.0 : Event : Connector | N/A | <vendorinfo>, <vmid>, <severity>, <object>, <action>, <tag1>, <sip>, <subject> |
V 2.0 : Event : Endpoint | N/A | <vendorinfo>, <vmid>, <severity>, <action>, <tag1>, <status>, <objecttype>, <quantity>, <login>, <sip>, <objectname>, <object>, <subject> |
V 2.0 : Event : FortiExtender | N/A | <vendorinfo>, <vmid>, <severity>, <serialnumber>, <sip>, <action>, <reason>, <protname>, <bytesin>, <bytesout>, <subject> |
V 2.0 : Event : HA | N/A | <vendorinfo>, <vmid>, <severity>, <subject>, <group>, <serialnumber> |
V 2.0 : Event : Rest-Api | N/A | <vendorinfo>, <vmid>, <severity>, <login>, <sinterface>, <command>, <status>, <url> |
V 2.0 : Event : Router | N/A | <vendorinfo>, <vmid>, <severity>, <subject>, <objecttype>, <sip>, <status> |
V 2.0 : Event : SDWAN | N/A | <vendorinfo>, <vmid>, <severity>, <objecttype>, <object>, <dinterface>, <status>, <subject> |
V 2.0 : Event : Security Rating | N/A | <vendorinfo>, <vmid>, <severity>, <subject>, <result> |
V 2.0 : Event : Switch-Controller | N/A | <vendorinfo>, <vmid>, <severity>, <login>, <sinterface>, <serialnumber>, <subject> |
V 2.0 : Event : System | N/A | <vendorinfo>, <vmid>, <severity>, <serialnumber>, <login>, <sip>, <dip>, <action>, <status>, <reason>, <result>, <subject> |
V 2.0 : Event : User | N/A | <vendorinfo>, <vmid>, <severity>, <sip>, <dip>, <sinterface>, <login>, <group>, <action>, <status>, <reason>, <subject> |
V 2.0 : Event : VPN | N/A | <vendorinfo>, <vmid>, <severity>, <subject>, <action>, <dip>, <sip>, <dport>, <sport>, <login>, <group>, <status>, <result>, <objecttype>, <dname>, <seconds>, <bytesin>, <reason> |
V 2.0 : Event : WAD | N/A | <vendorinfo>, <vmid>, <severity>, <session>, <policy>, <sip>, <sport>, <dip>, <dport>, <action>, <threatid>, <threatname>, <subject> |
V 2.0 : Event : Wireless | N/A | <vendorinfo>, <vmid>, <severity>, <action>, <object>, <objectname>, <objecttype>, <smac>, <quantity>, <status>, <login>, <domainorigin>, <sip>, <reason>, <subject> |
V 2.0 : Systemevent : Endpoint | N/A | <version>, <vendorinfo>, <severity>, <sname>, <domainorigin>, <sip>, <smac>, <policy>, <objecttype>, <login>, <action>, <status> |
V 2.0 : Systemevent : System | N/A | <version>, <vendorinfo>, <severity>, <sname>, <domainorigin>, <sip>, <smac>, <policy>, <objecttype>, <login>, <action> |
V 2.0 : Traffic : Forward | N/A | <vendorinfo>, <vmid>, <severity>, <sip>, <sport>, <sinterface>, <dip>, <dport>, <dinterface>, <session>, <protnum>, <action>, <tag1>, <policy>, <protname>, <snatip>, <snatport>, <object>, <objectname>, <objecttype>, <threatname>, <seconds>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <status>, <tag2>, <quantity>, <smac>, <login>, <domainorigin> |
V 2.0 : Traffic : HTTPS | N/A | <version>, <vmid>, <vendorinfo>, <severity>, <protname>, <process>, <status>, <reason>, <policy>, <sip>, <sport>, <dip>, <dport>, <bytesout>, <bytesin>, <objecttype>, <url>, <useragent>, <responsecode>, <subject>, <group>, <sname>, <login> |
V 2.0 : Traffic : Local | N/A | <vendorinfo>, <vmid>, <severity>, <sip>, <sport>, <dip>, <dport>, <protnum>, <action>, <tag1>, <policy>, <seconds>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <object>, <objecttype> |
V 2.0 : Traffic : Multicast | N/A | <vendorinfo>, <vmid>, <severity>, <sip>, <sport>, <dip>, <dport>, <protnum>, <action>, <tag1>, <policy>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <object>, <protname> |
V 2.0 : Traffic : Sniffer | N/A | <vendorinfo>, <vmid>, <severity>, <sip>, <sport>, <dip>, <dport>, <session>, <action>, <tag1>, <policy>, <snatip>, <snatport>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <object>, <protname>, <status>, <tag2>, <amount> |
V 2.0 : Traffic : System | N/A | <version>, <vendorinfo>, <severity>, <sname>, <domainorigin>, <smac>, <policy>, <objecttype>, <login>, <subject>, <session>, <process>, <sip>, <sport>, <dip>, <dname>, <dport>, <protnum>, <bytesin>, <bytesout>, <action>, <threatname>, <protname>, <url> |
V 2.0 : UTM : Anomaly | N/A | <vendorinfo>, <vmid>, <severity>, <sip>, <dip>, <sinterface>, <session>, <action>, <protnum>, <protname>, <quantity>, <threatname>, <threatid>, <policy>, <url>, <subject> |
V 2.0 : UTM : Antivirus | N/A | <vendorinfo>, <vmid>, <severity>, <subject>, <action>, <protname>, <session>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <policy>, <protnum>, <object>, <status>, <threatname>, <threatid>, <url>, <useragent> |
V 2.0 : UTM : App-Ctrl | N/A | <vendorinfo>, <vmid>, <severity>, <object>, <login>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <policy>, <session>, <objecttype>, <objectname>, <action>, <dname>, <serialnumber>, <url>, <subject> |
V 2.0 : UTM : DLP | N/A | <vendorinfo>, <vmid>, <severity>, <policy>, <session>, <sip>, <sport>, <sinterface>, <dip>, <dport>, <dinterface>, <protnum>, <protname>, <objecttype>, <action>, <sname>, <url>, <useragent>, <object> |
V 2.0 : UTM : DNS | N/A | <vendorinfo>, <vmid>, <severity>, <policy>, <session>, <sip>, <sport>, <sinterface>, <dip>, <dport>, <dinterface>, <protnum>, <smac>, <subject>, <action>, <object>, <objectname> |
V 2.0 : UTM : File-Filter | N/A | <vmid>, <vendorinfo>, <severity>, <policy>, <session>, <group>, <sip>, <sport>, <sinterface>, <dip>, <dport>, <dinterface>, <protnum>, <protname>, <action>, <url>, <dname>, <useragent>, <object>, <size>, <objecttype>, <subject> |
V 2.0 : UTM : IPS | N/A | <vendorinfo>, <vmid>, <severity>, <sip>, <dip>, <sinterface>, <dinterface>, <session>, <action>, <protnum>, <protname>, <policy>, <threatname>, <sport>, <dport>, <sname>, <url>, <threatid>, <subject> |
V 2.0 : UTM : SSH | N/A | <vendorinfo>, <vmid>, <severity>, <policy>, <session>, <sip>, <sport>, <dip>, <dport>, <sinterface>, <dinterface>, <protnum>, <action>, <login>, <object> |
V 2.0 : UTM : SSL | N/A | <vendorinfo>, <vmid>, <severity>, <action>, <policy>, <session>, <protname>, <sip>, <sport>, <dip>, <dport>, <sinterface>, <dinterface>, <protnum>, <subject>, <reason>, <dname>, <serialnumber>, <hash>, <size>, <tag1> |
V 2.0 : UTM : Web-Filter | N/A | <vendorinfo>, <vmid>, <severity>, <policy>, <session>, <login>, <sip>, <sport>, <sinterface>, <dip>, <dport>, <dinterface>, <protnum>, <protname>, <dname>, <account>, <action>, <objecttype>, <url>, <bytesout>, <bytesin>, <subject>, <command>, <threatname>, <threatid> |
V 2.0 : UTM : VOIP | N/A | <version>, <sname>, <vmid>, <vendorinfo>, <severity>, <session>, <sip>, <sport>, <dip>, <dport>, <protnum>, <policy>, <protname>, <action>, <status>, <seconds>, <sender>, <recipient> |
V 2.0 : UTM : Emailfilter | N/A | <version>, <vmid>, <vendorinfo>, <severity>, <policy>, <session>, <sip>, <sport>, <sinterface>, <dip>, <dport>, <dinterface>, <protnum>, <protname>, <action>, <sender>, <recipient>, <subject>, <size> |
V 2.0 : UTM : WAF | N/A | <sname>, <vmid>, <vendorinfo>, <policy>, <session>, <sip>, <sport>, <dip>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <url>, <severity>, <action>, <useragent>, <subject> |
Revision History
KB Version | Log Type | Change Type | Details |
---|---|---|---|
KB 7.1.674.0 | Syslog - Fortinet FortiGate | New Log Source Optimization (LSO) policy: LogRhythm Default v2.0 | Optimized new log processing policy for Syslog - Fortinet FortiGate. |