
Syslog Fortinet FortiGate - V 2.0 : UTM : Antivirus

Vendor Documentation

| RuleName | RuleType | Common Event | Classification |
|---|---|---|---|
| V 2.0 : UTM : Antivirus | Base Rule | General Antivirus Information | Information |
| V 2.0 : Infected File Blocked | Sub Rule | Threat Blocked | Failed Activity |
| V 2.0 : Infected File Detected | Sub Rule | General Virus Infected Notice | Information |
| V 2.0 : MIME Header Detected To Have A Virus&Block | Sub Rule | Detected Malware Activity | Malware |
| V 2.0 : MIME Header Infected And Passed | Sub Rule | MIME Intercepted | Activity |
| V 2.0 : File Is An Executable | Sub Rule | HTTP Executable Transfer | Activity |
| V 2.0 : File Is An Executable | Sub Rule | HTTP Executable Transfer | Activity |
| V 2.0 : FortiGate Unit Blocked A File | Sub Rule | Blocked Message | Failed Activity |
| V 2.0 : FortiGate Unit Blocked A File | Sub Rule | Blocked Message | Failed Activity |
| V 2.0 : FortiGate Unit Blocked A File | Sub Rule | Blocked Message | Failed Activity |
| V 2.0 : FortiGate Unit Blocked A File | Sub Rule | Blocked Message | Failed Activity |
| V 2.0 : FortiGate Unit Blocked A Virus Command | Sub Rule | Unknown Command | Other Security |
| V 2.0 : FortiGate Intercepted File Contain Virus | Sub Rule | File Intercepted | Activity |
| V 2.0 : FortiGate Unit Intercepted A File (MIME) | Sub Rule | File Intercepted | Activity |
| V 2.0 : File Exempted | Sub Rule | File Exempted | Information |
| V 2.0 : File Exempted | Sub Rule | File Exempted | Information |
| V 2.0 : MMS Content Checksum Blocked Infected File | Sub Rule | Checksum Warning | Warning |
| V 2.0 : MMS Content Checksum Was Matched | Sub Rule | General Checksum Information | Information |
| V 2.0 : Defined File Size Limit Was Exceeded | Sub Rule | Limit Exceeded | Warning |
| V 2.0 : File Size Limit Was Exceeded | Sub Rule | Limit Exceeded | Warning |
| V 2.0 : File (MIME) Size Exceed Defined Size Limit | Sub Rule | Limit Exceeded | Warning |
| V 2.0 : File (MIME) Size Exceed Defined Size Limit | Sub Rule | Limit Exceeded | Warning |
| V 2.0 : Switching Protocols Request | Sub Rule | Protocol Change Requested | Information |
| V 2.0 : Switching Protocols Request | Sub Rule | Protocol Change Requested | Information |
| V 2.0 : File Reached The Uncompressed Nested Limit | Sub Rule | Limit Exceeded | Warning |
| V 2.0 : File Reached The Uncompressed Nested Limit | Sub Rule | Limit Exceeded | Warning |
| V 2.0 : Archived File Is Corrupted | Sub Rule | Data Corrupt | Warning |
| V 2.0 : Archived File Is Encrypted | Sub Rule | Encrypted Files Detected | Activity |
| V 2.0 : Corrupted Archive | Sub Rule | Data Corrupt | Warning |
| V 2.0 : Corrupted Archive | Sub Rule | Data Corrupt | Warning |
| V 2.0 : File Is A Multipart Archive | Sub Rule | Archive Message | Information |
| V 2.0 : File Is A Multipart Archive | Sub Rule | Archive Message | Information |
| V 2.0 : File Is A Nested Archived File | Sub Rule | Archive Message | Information |
| V 2.0 : Archived File Is Oversized | Sub Rule | Limit Exceeded | Warning |
| V 2.0 : Archived File Is Oversized | Sub Rule | Limit Exceeded | Warning |
| V 2.0 : Unhandled Archive | Sub Rule | Object Not Archived | Warning |
| V 2.0 : Unhandled Archive | Sub Rule | Archive Message | Information |
| V 2.0 : Partially Corrupted Archive | Sub Rule | Data Corrupt | Warning |
| V 2.0 : Partially Corrupted Archive | Sub Rule | Data Corrupt | Warning |
| V 2.0 : Exceeded Archive Files Limit | Sub Rule | Limit Exceeded | Warning |
| V 2.0 : Exceeded Archive Files Limit | Sub Rule | File Size Exceeds Limit | Activity |
| V 2.0 : Archive Scan Timeout | Sub Rule | Timeout | Warning |
| V 2.0 : Archive Scan Timeout | Sub Rule | Timeout | Warning |
| V 2.0 : File Submitted To Sandbox | Sub Rule | Job Submitted | Other Audit Success |
| V 2.0 : File Reported Infected | Sub Rule | General Virus Infected Warning | Warning |
| V 2.0 : File Reported Infected | Sub Rule | General Virus Infected | Information |
| V 2.0 : File Reported Infected | Sub Rule | General Virus Infected Warning | Warning |
| V 2.0 : File Reported Infected | Sub Rule | General Virus Infected | Information |
| V 2.0 : File Verdict Returned | Sub Rule | Results Returned | Information |
| V 2.0 : Active Content Detected By Content Disarm | Sub Rule | General Threat Message | Activity |
| V 2.0 : File Was Disarmed By Content Disarm Engine | Sub Rule | File Unavailable | Warning |
| V 2.0 : Botnet C&C Communication | Sub Rule | Detected Botnet Activity | Malware |
| V 2.0 : Botnet C&C Communication | Sub Rule | Detected Botnet Activity | Malware |
| V 2.0 : File Is An Archived Type Unhandled | Sub Rule | Archive Message | Information |
| V 2.0 : AV Engine Load Failed | Sub Rule | Onload Failure | Error |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| date | N/A | N/A | The date of the log entry. |
| time | N/A | N/A | The time of the log entry. |
| logid | `<vmid>` | Number | The unique identifier for the log entry. |
| type | `<vendorinfo>` | Text/String | The type of log event. |
| subtype | N/A | N/A | The subtype of the log event. |
| eventtype | N/A | N/A | The type of event (infected in this case). |
| level | `<severity>` | Text/String | The severity level of the log event. |
| vd | `<sessiontype>` | Text/String | The virtual domain associated with the log event. |
| eventtime | N/A | N/A | The timestamp of the event. |
| msg | `<subject>` | Text/String | Additional message or details of the log event. |
| action | `<action>` | Text/String | The action taken by the system (blocked in this case). |
| service | `<protname>` | Text/String | The service or protocol associated with the log event. |
| sessionid | `<session>` | Number | The ID of the session associated with the log event. |
| srcip | `<sip>` | IP Address | The source IP address of the communication. |
| dstip | `<dip>` | IP Address | The destination IP address of the communication. |
| srcport | `<sport>` | Number | The source port number. |
| dstport | `<dport>` | Number | The destination port number. |
| srcintf | `<sinterface>` | Text/String | The source interface. |
| srcintfrole | N/A | N/A | The role of the source interface. |
| dstintf | `<dinterface>` | Text/String | The destination interface. |
| dstintfrole | N/A | N/A | The role of the destination interface. |
| policyid | `<policy>` | Number | The ID of the policy associated with the log event. |
| proto | `<protnum>` | Number | The protocol number. |
| direction | N/A | N/A | The direction of the traffic (incoming in this case). |
| filename | `<object>` | Text/String | The name of the infected file. |
| fsaverdict | `<result>` | Text/String | Verdict returned to FortiGate after analysis (clean, low risk, med risk, high risk, malicious). |
| quarskip | `<status>` | Text/String | Information about quarantine status (not quarantined in this case). |
| virus | `<threatname>` | Text/String | The name of the virus detected. |
| dtype | N/A | N/A | The type of detection (virus in this case). |
| ref | N/A | N/A | Reference link for more information about the virus. |
| virusid | `<threatid>` | Number | The ID of the detected virus. |
| url | `<url>` | Text/String | The URL associated with the infected file. |
| profile | N/A | N/A | The profile applied to the log event. |
| agent | `<useragent>` | Text/String | The user agent or client software associated with the event. |
| analyticscksum | N/A | N/A | Checksum for analytics. |
| analyticssubmit | N/A | N/A | Indicates whether analytics were submitted (false in this case). |
| crscore | N/A | N/A | The score assigned by the content reputation feature. |
| craction | N/A | N/A | The action taken based on the content reputation score. |
| crlevel | N/A | N/A | The level of content reputation. |
