Syslog Fortinet FortiGate - V 2.0 : Traffic : Sniffer
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
V 2.0: Traffic: Sniffer | Base Rule | General Firewall Event | Information |
V 2.0: 17_Forward Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0: 21_Forward Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0: LOG_ID_TRAFFIC_SNIFFER_STAT | Sub Rule | General Traffic Log | Network Traffic |
V 2.0: LOG_ID_TRAFFIC_SNIFFER | Sub Rule | General Traffic Log | Network Traffic |
V 2.0: 17_Traffic Session Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0: 17_Traffic Session Timeout | Sub Rule | Session Timeout | Warning |
V 2.0: 17_Traffic Session Started | Sub Rule | Network Session Created | Network Traffic |
V 2.0: 17_Local Traffic Session Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0: 17_Traffic Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0: 17_Traffic Reset | Sub Rule | Connection Reset | Network Traffic |
V 2.0: 17_Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0: 21_Traffic Session Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0: 21_Traffic Session Timeout | Sub Rule | Session Timeout | Warning |
V 2.0: 21_Traffic Session Started | Sub Rule | Network Session Created | Network Traffic |
V 2.0: 21_Local Traffic Session Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0: 21_Traffic Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0: 21_Traffic Reset | Sub Rule | Connection Reset | Network Traffic |
V 2.0: 21_Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
date | N/A | N/A | The date of the event. |
time | N/A | N/A | The time of the event. |
logid | <vmid> | Number | A unique identifier for the log event. |
type | <vendorinfo> | Text/String | The type of traffic event. In this case, it is a sniffer traffic event. |
subtype | N/A | N/A | The subtype of the traffic event. In this case, it is a sniffer traffic event. |
level | <severity> | Text/String | The severity level of the log event. In this case, it is a notice. |
vd | <sessiontype> | Text/String | The vdom in which the log event occurred. |
eventtime | N/A | N/A | The time at which the log event occurred. |
srcip | <sip> | IP Address | The source IP address of the traffic event. |
srcport | <sport> | Number | The source port of the traffic event. |
dstip | <dip> | IP Address | The destination IP address of the traffic event. |
dstport | <dport> | Number | The destination port of the traffic event. |
dstcountry | N/A | N/A | The country code of the destination IP address. |
srccountry | N/A | N/A | The country code of the source IP address. |
sessionid | <session> | Number | N/A |
action | <action> | Text/String | N/A |
policyid | <policy> | Number | N/A |
trandisp | N/A | N/A | The traffic disposition. In this case, it is a snat, which means that the traffic was redirected to a different IP address. |
transip | <snatip> | IP Address | The IP address that the traffic was redirected to. |
transport | <snatport> | Number | The transport protocol of the traffic event. In this case, it is not applicable since this is a sniffer traffic event. |
duration | N/A | N/A | The duration of the traffic event in seconds. |
sentbyte | <bytesout> | Number | The number of bytes sent during the traffic event. |
rcvdbyte | <bytesin> | Number | The number of bytes received during the traffic event. |
sentpkt | <packetsout> | Number | The number of packets sent during the traffic event. |
rcvdpkt | <packetsin> | Number | The number of packets received during the traffic event. |
appcat | <object> | Text/String | The application associated with the traffic event. In this case, the application has not been scanned by FortiGate. |
service | <protname> | Text/String | The service associated with the traffic event. |
utmaction | <status> | Text/String | The action taken by UTM for this traffic event. |
countips | <amount> | Number | The number of IP addresses associated with this traffic event. |
crscore | N/A | N/A | The confidence score of the traffic event. |
craction | N/A | N/A | The action taken by FortiGuard for this traffic event. |
sentdelta | N/A | N/A | The difference between the number of bytes sent in the first packet and the last packet. |
rcvddelta | N/A | N/A | The difference between the number of bytes received in the first packet and the last packet. |
utmref | N/A | N/A | The UTM reference number for this traffic event. |