Syslog Fortinet FortiGate - V 2.0 : Traffic : Sniffer

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| V 2.0: Traffic: Sniffer | Base Rule | General Firewall Event | Information |
| V 2.0: 17_Forward Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0: 21_Forward Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0: LOG_ID_TRAFFIC_SNIFFER_STAT | Sub Rule | General Traffic Log | Network Traffic |
| V 2.0: LOG_ID_TRAFFIC_SNIFFER | Sub Rule | General Traffic Log | Network Traffic |
| V 2.0: 17_Traffic Session Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0: 17_Traffic Session Timeout | Sub Rule | Session Timeout | Warning |
| V 2.0: 17_Traffic Session Started | Sub Rule | Network Session Created | Network Traffic |
| V 2.0: 17_Local Traffic Session Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0: 17_Traffic Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0: 17_Traffic Reset | Sub Rule | Connection Reset | Network Traffic |
| V 2.0: 17_Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0: 21_Traffic Session Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0: 21_Traffic Session Timeout | Sub Rule | Session Timeout | Warning |
| V 2.0: 21_Traffic Session Started | Sub Rule | Network Session Created | Network Traffic |
| V 2.0: 21_Local Traffic Session Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0: 21_Traffic Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0: 21_Traffic Reset | Sub Rule | Connection Reset | Network Traffic |
| V 2.0: 21_Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| date | N/A | N/A | The date of the event. |
| time | N/A | N/A | The time of the event. |
| logid | <vmid> | Number | A unique identifier for the log event. |
| type | <vendorinfo> | Text/String | The type of traffic event. In this case, it is a sniffer traffic event. |
| subtype | N/A | N/A | The subtype of the traffic event. In this case, it is a sniffer traffic event. |
| level | <severity> | Text/String | The severity level of the log event. In this case, it is a notice. |
| vd | <sessiontype> | Text/String | The VDOM in which the log event occurred. |
| eventtime | N/A | N/A | The time at which the log event occurred. |
| srcip | <sip> | IP Address | The source IP address of the traffic event. |
| srcport | <sport> | Number | The source port of the traffic event. |
| dstip | <dip> | IP Address | The destination IP address of the traffic event. |
| dstport | <dport> | Number | The destination port of the traffic event. |
| dstcountry | N/A | N/A | The country code of the destination IP address. |
| srccountry | N/A | N/A | The country code of the source IP address. |
| sessionid | <session> | Number | N/A |
| action | <action>, <tag1> | Text/String | N/A |
| policyid | <policy> | Number | N/A |
| trandisp | N/A | N/A | The traffic disposition. In this case, it is a snat, which means that the traffic was redirected to a different IP address. |
| transip | <snatip> | IP Address | The IP address that the traffic was redirected to. |
| transport | <snatport> | Number | The transport protocol of the traffic event. In this case, it is not applicable since this is a sniffer traffic event. |
| duration | N/A | N/A | The duration of the traffic event in seconds. |
| sentbyte | <bytesin> | Number | The number of bytes sent during the traffic event. |
| rcvdbyte | <bytesout> | Number | The number of bytes received during the traffic event. |
| sentpkt | <packetsin> | Number | The number of packets sent during the traffic event. |
| rcvdpkt | <packetsout> | Number | The number of packets received during the traffic event. |
| appcat | <object> | Text/String | The application category associated with the traffic event. In this case, the application has not been scanned by FortiGate. |
| service | <protname> | Text/String | The service associated with the traffic event. |
| utmaction | <status>, <tag2> | Text/String | The action taken by UTM for this traffic event. |
| countips | <amount> | Number | The number of IP addresses associated with this traffic event. |
| crscore | N/A | N/A | The confidence score of the traffic event. |
| craction | N/A | N/A | The action taken by FortiGuard for this traffic event. |
| sentdelta | N/A | N/A | The difference between the number of bytes sent in the first packet and the last packet. |
| rcvddelta | N/A | N/A | The difference between the number of bytes received in the first packet and the last packet. |
| utmref | N/A | N/A | The UTM reference number for this traffic event. |
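
As an added example (not part of this LogRhythm page and not Fortinet's or LogRhythm's own code), the Python below applies the mapping table to one FortiGate sniffer traffic message: it splits the key=value pairs, drops the keys the table marks N/A, and coerces each mapped field to the listed data type, rejecting malformed numbers and IP addresses. The sample log line, its values and the function names are constructed for this example.

```python
import re
from ipaddress import ip_address
# Constructed sample of a FortiGate type=traffic subtype=sniffer message;
# every value here is made up for this example, not taken from a real device.
SAMPLE_LOG = (
    'date=2024-01-15 time=10:22:31 logid="0004000017" type="traffic" '
    'subtype="sniffer" level="notice" vd="root" eventtime=1705314151 '
    'srcip=10.0.0.25 srcport=51514 dstip=203.0.113.7 dstport=443 '
    'sessionid=118203 action="accept" policyid=17 trandisp="snat" '
    'transip=198.51.100.4 transport=51514 duration=12 sentbyte=1843 '
    'rcvdbyte=9021 sentpkt=14 rcvdpkt=11 appcat="unscanned" service="HTTPS" '
    'utmaction="allow" countips=1'
)
# Device key -> LogRhythm schema field(s), as given in the mapping table.
# Keys the table marks N/A (date, subtype, trandisp, ...) are not mapped.
KEY_MAP = {
    "logid": ("vmid",), "type": ("vendorinfo",), "level": ("severity",),
    "vd": ("sessiontype",), "srcip": ("sip",), "srcport": ("sport",),
    "dstip": ("dip",), "dstport": ("dport",), "sessionid": ("session",),
    "action": ("action", "tag1"), "policyid": ("policy",),
    "transip": ("snatip",), "transport": ("snatport",),
    "sentbyte": ("bytesin",), "rcvdbyte": ("bytesout",),
    "sentpkt": ("packetsin",), "rcvdpkt": ("packetsout",),
    "appcat": ("object",), "service": ("protname",),
    "utmaction": ("status", "tag2"), "countips": ("amount",),
}
NUMERIC = {"vmid", "sport", "dport", "session", "policy", "snatport",
           "bytesin", "bytesout", "packetsin", "packetsout", "amount"}
IP_FIELDS = {"sip", "dip", "snatip"}
# key=value pairs; values are either "double-quoted" (may hold spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_kv(line):
    """Return the raw key -> string value pairs of one FortiGate log line."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def map_to_logrhythm(line):
    """Map keys to LogRhythm fields per the table; a bad number or IP raises ValueError."""
    out = {}
    for key, raw in parse_fortigate_kv(line).items():
        for field in KEY_MAP.get(key, ()):
            if field in NUMERIC:
                out[field] = int(raw)
            elif field in IP_FIELDS:
                out[field] = str(ip_address(raw))  # validates v4/v6 syntax
            else:
                out[field] = raw
    return out
```

Fields that the table maps twice (action to <action> and <tag1>, utmaction to <status> and <tag2>) are written to both schema names, which is how the parsed record would look in LogRhythm.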
