Syslog Fortinet FortiGate - V 2.0 : Traffic : Local
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
V 2.0 : Traffic : Local | Base Rule | General Traffic Log | Network Traffic |
V 2.0 : 14_Forward Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0 : 14_Traffic Session Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 : 14_Local Traffic Session Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0 : 14_Traffic Session Timeout | Sub Rule | Session Timeout | Warning |
V 2.0 : LOG_ID_TRAFFIC_END_LOCAL | Sub Rule | Disconnect Session | Network Traffic |
V 2.0 : 14_Traffic Session Started | Sub Rule | Network Session Created | Network Traffic |
V 2.0 : LOG_ID_TRAFFIC_START_LOCAL | Sub Rule | Network Session Created | Network Traffic |
V 2.0 : 16_Traffic Session Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 : 16_Traffic Session Timeout | Sub Rule | Session Timeout | Warning |
V 2.0 : 16_Forward Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0 : 16_Traffic Session Started | Sub Rule | Network Session Created | Network Traffic |
V 2.0 : 16_Local Traffic Session Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
date | N/A | N/A | The date of the event. |
time | N/A | N/A | The time of the event. |
logid | <vmid> | Number | A unique identifier for the log event. |
type | <vendorinfo> | Text/String | The type of traffic event. In this case, it is a local traffic event. |
subtype | N/A | N/A | The subtype of the traffic event. In this case, it is a local traffic event. |
level | <severity> | Text/String | The severity level of the log event. In this case, it is a notice. |
vd | <sessiontype> | Text/String | The vdom in which the log event occurred. |
eventtime | N/A | N/A | The time at which the log event occurred. |
srcip | <sip> | IP Address | The source IP address of the traffic event. |
srcport | <sport> | Number | The source port of the traffic event. |
dstip | <dip> | IP Address | The destination IP address of the traffic event. |
dstport | <dport> | Number | The destination port of the traffic event. |
dstcountry | N/A | N/A | The country code of the destination IP address. |
srccountry | N/A | N/A | The country code of the source IP address. |
trandisp | N/A | N/A | The traffic disposition. In this case, it is a noop, which means that the traffic was not intercepted. |
proto | <protnum> | Number | The transport protocol of the traffic event. In this case, it is TCP. |
action | <action> | Text/String | N/A |
policyid | <policy> | Number | N/A |
duration | <seconds> | Number | The duration of the traffic event in seconds. |
sentbyte | <bytesin> | Number | The number of bytes sent during the traffic event. |
rcvdbyte | <bytesout> | Number | The number of bytes received during the traffic event. |
sentpkt | <packetsin> | Number | The number of packets sent during the traffic event. |
rcvdpkt | <packetsout> | Number | The number of packets received during the traffic event. |
app | <object> | Text/String | The application associated with the traffic event. |
appcat | <objecttype> | Text/String | The application category of the traffic event. In this case, the application has not been scanned by FortiGate. |