Syslog Fortinet FortiGate - V 2.0 : Event : Endpoint

Rule Name	Rule Type	Common Event	Classification
V 2.0 : Event : Endpoint	Base Rule	General Endpoint Message	Information
V 2.0 : Add Connection	Sub Rule	Network Connection Established	Network Traffic
V 2.0 : Close Connection	Sub Rule	Client Connection Closed	Other Audit Success

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
date	N/A	N/A	The date of the log event.
time	N/A	N/A	The time of the log event.
logid	<vmid>	Number	A unique identifier for the log event.
type	<vendorinfo>	Text/String	The type of log event. In this case, it is an event.
subtype	N/A	N/A	The subtype of the log event. In this case, it is an endpoint event.
level	<severity>	Text/String	The severity level of the log event. In this case, it is an information.
vd	<sessiontype>	Text/String	The vdom in which the log event occurred.
eventtime	N/A	N/A	The time at which the log event occurred.
logdesc	N/A	N/A	The description of the log event.
action	<action> <tag1>	Text/String	The action that was taken. In this case, it was an add.
status	<status>	Text/String	The status of the action. In this case, it was a success.
license_limit	N/A	N/A	The license limit for the FortiClient connection.
used_for_type	N/A	N/A	The type of FortiClient connection. In this case, it is a SSLVPN connection.
connection_type	<objecttype>	Text/String	The type of FortiClient connection.
count	<quantity>	Number	The number of FortiClient connections added.
user	<login>	Text/String	The user who added the FortiClient connection.
ip	<sip>	IP Address	The IP address of the FortiClient connection.
name	<objectname>	Text/String	The name of the FortiClient connection.
fctuid	<object>	Text/String	The FortiClient connection ID.
msg	<subject>	Text/String	The message associated with the log event.

Vendor Documentation