Syslog Fortinet FortiGate - V 2.0 : Event : User
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
V 2.0 : Event : User | Base Rule | General User Information | Information |
V 2.0 : User FSSO SVR Status | Sub Rule | General Active Directory Information | Information |
V 2.0 : User Event Auth Time Out | Sub Rule | Authentication Timeout | Other Audit |
V 2.0 : User Event Auth FSAE Logon | Sub Rule | User Logon | Authentication Success |
V 2.0 : User Event Auth FSAE Logoff | Sub Rule | User Logoff | Authentication Success |
V 2.0 : User Event Auth Logon | Sub Rule | User Logon | Authentication Success |
V 2.0 : User Event Auth Logout | Sub Rule | User Logoff | Authentication Success |
V 2.0 : User Event Auth FGOVRD Success | Sub Rule | Successful Activity | Other Audit Success |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
date | N/A | N/A | The date of the log event. |
time | N/A | N/A | The time of the log event. |
logid | <vmid> | Number | A unique identifier for the log event. |
type | <vendorinfo> | Text/String | The type of log event. In this case, it is an event. |
subtype | N/A | N/A | The subtype of the log event. In this case, it is a user event. |
level | <severity> | Text/String | The severity level of the log event. In this case, it is a notice. |
vd | <sessiontype> | Text/String | The vdom in which the log event occurred. |
eventtime | N/A | N/A | The time at which the log event occurred. |
logdesc | N/A | N/A | The description of the log event. |
srcip | <sip> | IP Address | The source IP address of the log event. |
dstip | <dip> | IP Address | The destination IP address of the log event. |
policyid | N/A | N/A | The policy ID that was used for the authentication. |
interface | <sinterface> | Text/String | The interface that was used for the authentication. |
user | <login> | Text/String | The user who was authenticated. |
group | <group> | Text/String | The group that the user belongs to. |
authproto | N/A | N/A | The authentication protocol that was used. |
action | <action> | Text/String | The action that was taken. In this case, it was an authentication. |
status | <status> | Text/String | The status of the authentication. |
reason | <reason> | Text/String | The reason for the authentication. |
msg | <subject> | Text/String | The message associated with the log event. |