Syslog Fortinet FortiGate - V 2.0 : Event : Wireless

Vendor Documentation

https://docs.fortinet.com/document/fortigate/7.0.12/administration-guide/986892/sample-logs-by-log-type

Classification

Rule Name	Rule Type	Common Event	Classification
V 2.0 : Event : Wireless	Base Rule	Wireless Activity	Other Operations
V 2.0 : Wireless STA Locate	Sub Rule	Interference Detected For Wireless Station	Warning
V 2.0 : Wireless Rogue Detect	Sub Rule	General Wireless Channel Warning	Warning
V 2.0 : Wireless Rogue Offair	Sub Rule	Wireless Disassociation	Other Audit Success
V 2.0 : Wireless Rogue Detect Chg	Sub Rule	General Wireless Channel Warning	Warning
V 2.0 : Wireless STA Auth	Sub Rule	Authentication Activity	Authentication Success
V 2.0 : Wireless STA Idle	Sub Rule	Idle Timeout	Information
V 2.0 : Wireless STA IP	Sub Rule	IP Address Assigned	Information
V 2.0 : Wireless STA Leave WTP	Sub Rule	Received Disconnect	Other Operations
V 2.0 : Wireless WTPR DARRP Chan	Sub Rule	Wireless Physical AP Activity	Information
V 2.0 : Wireless WTPR OPER Chan	Sub Rule	Wireless Physical AP Activity	Information
V 2.0 : Wireless WTPR Cfg Txpower	Sub Rule	Wireless Physical AP Activity	Information
V 2.0 : Wireless WTPR OPER Txpower	Sub Rule	Wireless Physical AP Activity	Information
V 2.0 : Wireless CLB Deny	Sub Rule	General Load Balancing Message	Information
V 2.0 : Wireless CLB Retry	Sub Rule	General Load Balancing Message	Information
V 2.0 : Wireless Sys AC DARRP Start	Sub Rule	Wireless Activity	Information
V 2.0 : Wireless Sys AC DARRP Stop	Sub Rule	Wireless Activity	Information
V 2.0 : Wireless Sys AC CFG Loaded	Sub Rule	Configuration Information	Information

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
date	N/A	N/A	The date of the log event.
time	N/A	N/A	The time of the log event.
logid	<vmid>	Number	A unique identifier for the log event.
type	<vendorinfo>	Text/String	The type of log event. In this case, it is an event.
subtype	N/A	N/A	The subtype of the log event. In this case, it is a wireless event.
level	<severity>	Text/String	The severity level of the log event. In this case, it is a warning.
vd	<sessiontype>	Text/String	The vdom in which the log event occurred.
eventtime	N/A	N/A	The time at which the log event occurred.
logdesc	N/A	N/A	The description of the log event.
ssid	N/A	N/A	The SSID of the fake AP.
bssid	N/A	N/A	The BSSID of the fake AP.
aptype	N/A	N/A	The AP type of the fake AP.
rate	N/A	N/A	The data rate of the fake AP.
radioband	N/A	N/A	The radio band of the fake AP.
channel	N/A	N/A	The channel of the fake AP.
action	<action>	Text/String	The action that was taken. In this case, it was a fake-ap-on-air.
manuf	<object>	Text/String	The manufacturer of the fake AP.
security	<objectname>	Text/String	The security of the fake AP.
encryption	<objecttype>	Text/String	The encryption of the fake AP.
signal	N/A	N/A	The signal strength of the fake AP.
noise	N/A	N/A	The noise level of the fake AP.
live	N/A	N/A	The number of seconds that the fake AP has been alive.
age	N/A	N/A	The age of the fake AP in seconds.
onwire	N/A	N/A	Whether the fake AP is on the wire.
detectionmethod	N/A	N/A	The detection method used to detect the fake AP.
stamac	<smac>	Text/String	The MAC address of the station associated with the fake AP.
apscan	N/A	N/A	Whether the fake AP was detected by a scan.
sndetected	N/A	N/A	The serial number of the FortiGate that detected the fake AP.
radioiddetected	N/A	N/A	The radio ID of the FortiGate that detected the fake AP.
stacount	<quantity>	Number	The number of stations associated with the fake AP.
snclosest	N/A	N/A	The serial number of the FortiGate that is closest to the fake AP.
radioidclosest	N/A	N/A	The radio ID of the FortiGate that is closest to the fake AP.
apstatus	<status>	Number	The status of the fake AP.
user	<login> <domainorigin>	Text/String	N/A
srcip	<sip>	IP Address	N/A
reason	<reason>	Text/String	N/A
msg	<subject>	Text/String	The message associated with the log event.