Syslog Fortinet FortiGate - V 2.0 : Event : VPN

Vendor Documentation

https://docs.fortinet.com/document/fortigate/7.0.12/administration-guide/986892/sample-logs-by-log-type

Classification

Rule Name	Rule Type	Common Event	Classification
V 2.0 : Event : VPN	Base Rule	VPN Session Information	Information
V 2.0 : VPN Neg I P1 Error	Sub Rule	General IPSec Error	Error
V 2.0 : VPN Neg Progress P1 Error	Sub Rule	IPSec Progress Error	Error
V 2.0 : VPN Neg Progress P2 Error	Sub Rule	IPSec Progress Error	Error
V 2.0 : VPN Conn Stats	Sub Rule	General IPSec Information	Information
V 2.0 : VPN Neg Generic P2 Notif IKEV2	Sub Rule	Notification Of An IPSec Negotiation	Information
V 2.0 : VPN Neg I P1 Error IKEV2	Sub Rule	IPSec Negotiation Error	Error
V 2.0 : VPN Neg Progress P1 Notif IKEV2	Sub Rule	IPSec Information Message	Information
V 2.0 : VPN Neg Progress P1 Error IKEV2	Sub Rule	IPSec Progress Error	Error
V 2.0 : VPN Neg Progress P2 Notif IKEV2	Sub Rule	IPSec Information Message	Information
V 2.0 : VPN Install SA IKEV2	Sub Rule	Installed IPSec Security Association	Information
V 2.0 : VPN Conn Stats IKEV2	Sub Rule	IPSec Information Message	Information
V 2.0 : VPN Event SSL VPN User Tunnel UP	Sub Rule	General TUNNEL Message	Information
V 2.0 : VPN Event SSL VPN User Tunnel DOWN	Sub Rule	VPN Tunnel Failure	Warning
V 2.0 : VPN Event SSL VPN User SSL Login Fail	Sub Rule	Authentication Failure Activity	Authentication Failure
V 2.0 : VPN Event SSL VPN Session Cert Ok	Sub Rule	Certificate Valid	Information
V 2.0 : VPN Event SSL VPN Session New Con	Sub Rule	VPN Session Started	Network Traffic
V 2.0 : VPN Event SSL VPN Session Tunnel Up	Sub Rule	VPN Session Started	Network Traffic
V 2.0 : VPN Event SSL VPN Session Tunnel Down	Sub Rule	VPN Tunnel Failure	Warning
V 2.0 : VPN Event SSL VPN Session Tunnel Stats	Sub Rule	VPN Session Information	Information
V 2.0 : VPN Event VPN Cert Regen	Sub Rule	Certificate Renewal Request	Activity

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
date	N/A	N/A	The date of the log event.
time	N/A	N/A	The time of the log event.
logid	<vmid>	Number	A unique identifier for the log event.
type	<vendorinfo>	Text/String	The type of log event. In this case, it is an event.
subtype	N/A	N/A	The subtype of the log event. In this case, it is a vpn event.
level	<severity>	Text/String	The severity level of the log event. In this case, it is a notice.
vd	N/A	N/A	The vdom in which the log event occurred.
eventtime	N/A	N/A	The time at which the log event occurred.
logdesc	N/A	N/A	The description of the log event.
msg	<subject>	Text/String	The message associated with the log event.
action	<action>	Text/String	The action that was taken. In this case, it was a negotiate.
remip	<dip>	IP Address	The remote IP address of the VPN tunnel.
locip	<sip>	IP Address	The local IP address of the VPN tunnel.
remport	<dport>	Number	The remote port of the VPN tunnel.
locport	<sport>	Number	The local port of the VPN tunnel.
outintf	N/A	N/A	The outbound interface of the VPN tunnel.
cookies	N/A	N/A	The cookies used for the VPN tunnel.
user	<login>	Text/String	The user associated with the VPN tunnel.
group	<group>	Text/String	The group associated with the VPN tunnel.
xauthuser	N/A	N/A	The xauth user associated with the VPN tunnel.
xauthgroup	N/A	N/A	The xauth group associated with the VPN tunnel.
assignip	N/A	N/A	The assigned IP address for the VPN tunnel.
vpntunnel	N/A	N/A	The name of the VPN tunnel.
status	<status>	Text/String	The status of the VPN tunnel.
init	N/A	N/A	The initiator of the VPN tunnel.
mode	N/A	N/A	The mode of the VPN tunnel.
dir	N/A	N/A	The direction of the VPN tunnel.
stage	N/A	N/A	The stage of the VPN tunnel.
role	N/A	N/A	The role of the VPN tunnel.
result	<result>	Text/String	The result of the VPN tunnel.