Syslog Fortinet FortiGate - V 2.0 : Event : System

Vendor Documentation

https://docs.fortinet.com/document/fortigate/7.0.12/administration-guide/986892/sample-logs-by-log-type

Classification

Rule Name	Rule Type	Common Event	Classification
V 2.0: Event: System	Base Rule	General System Message	Information
V 2.0: Event Mail Sent Fail	Sub Rule	General Failed Activity	Failed Activity
V 2.0: Event Reportd Report Success	Sub Rule	Report Generation	Information
V 2.0: Event Reportd Report Failure	Sub Rule	Report Deleted	Information
V 2.0: Event Session Clash	Sub Rule	Session Information	Information
V 2.0: Event VWL Volume Status	Sub Rule	WAN Module Info Msg	Information
V 2.0: Event DHCP Ack	Sub Rule	DHCP ACK	Network Traffic
V 2.0: Event DHCP Stat	Sub Rule	General DHCPServer Information	Information
V 2.0: Event DHCP Client Lease	Sub Rule	DHCP Lease Obtained	Information
V 2.0: Event Auth Snmp Query Failed	Sub Rule	General Failed Activity	Failed Activity
V 2.0: Event Admin Login Succ	Sub Rule	User Logon	Authentication Success
V 2.0: Event Admin Login Fail	Sub Rule	Authentication Failure Activity	Authentication Failure
V 2.0: Event Admin Login Logout	Sub Rule	Logout Request	Information
V 2.0: Event Log Roll	Sub Rule	General Disk Information	Information
V 2.0: Event Admin Login Disable	Sub Rule	Account Disabled	Access Revoked
V 2.0: Event Log Del Dir	Sub Rule	Object Deleted/Removed	Access Success
V 2.0: Event Log Del File	Sub Rule	Object Deleted/Removed	Access Success
V 2.0: Event Log Roll Forticron	Sub Rule	Rotation Information	Information
V 2.0: Event Report Deleted	Sub Rule	Object Deleted/Removed	Access Success
V 2.0: Event Report Deleted GUI	Sub Rule	Object Deleted/Removed	Access Success
V 2.0: Event Backup Conf By Scp	Sub Rule	Backup Completed	Information
V 2.0: Event Conf Chg	Sub Rule	Configuration Modified: System	Configuration
V 2.0: Event Sys Perf	Sub Rule	General Performance Statistics	Information
V 2.0: Event Upd Fgt Succ	Sub Rule	Update Successful	Information
V 2.0: Event Upd Fsa Virdb	Sub Rule	Database Update Event	Information
V 2.0: Event Nac Quarantine	Sub Rule	Quarantine	Activity
V 2.0: Event Delete Object	Sub Rule	Object Deleted/Removed	Access Success
V 2.0: Event Config Attr	Sub Rule	Object Added	Access Success
V 2.0: Event Add Object Attribute	Sub Rule	Object Modified	Access Success
V 2.0: Event DSSCC Exec	Sub Rule	General Policy Compliance Information	Other Audit
V 2.0: Event Ext Remote	Sub Rule	General Error	Error

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
date	N/A	N/A	The date of the log event.
time	N/A	N/A	The time of the log event.
logid	<vmid>	Number	A unique identifier for the log event.
type	<vendorinfo>	Text/String	The type of log event. In this case, it is an event.
subtype	N/A	N/A	The subtype of the log event. In this case, it is a system event.
level	<severity>	Text/String	The severity level of the log event. In this case, it is an information.
vd	<sessiontype>	Text/String	The vdom in which the log event occurred.
eventtime	N/A	N/A	The time at which the log event occurred.
logdesc	N/A	N/A	The description of the log event.
sn	<serialnumber>	Number	The serial number of the log event.
user	<login>	Text/String	The user who logged in.
ui	N/A	N/A	The user interface that was used to log in. In this case, it was SSH from the IP address 172.16.200.254.
method	N/A	N/A	The method that was used to log in. In this case, it was SSH.
srcip	<sip>	IP Address	The source IP address of the log event.
dstip	<dip>	IP Address	The destination IP address of the log event.
action	<action>	Text/String	The action that was taken. In this case, it was a login.
status	<status>	Text/String	The status of the log event. In this case, it was a success.
reason	<reason>	Text/String	The reason for the log event. In this case, there was no reason.
profile	N/A	N/A	The profile of the user who logged in. In this case, it was the super_admin profile.
cfgattr	<result>	Text/String	N/A
msg	<subject>	Text/String	The message associated with the log event.