Syslog Fortinet FortiGate - V 2.0 : UTM : App-Ctrl
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0: UTM: App-Ctrl | Base Rule | General Application Control Message | Information |
V 2.0: UTM App Ctrl IPS Pass | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
V 2.0: UTM App Ctrl IPS Block | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
V 2.0: UTM App Ctrl IPS Reset | Sub Rule | General IPS Message | Information |
V 2.0: Logid_App_Ctrl_Im_Basic | Sub Rule | Application Control IM Message | Information |
V 2.0: Logid_App_Ctrl_Im_Basic_With_Status | Sub Rule | Application Control IM Message | Information |
V 2.0: Logid_App_Ctrl_Im_Basic_With_Count | Sub Rule | Application Control IM Message | Information |
V 2.0: Logid_App_Ctrl_Im_File | Sub Rule | Application Control IM Message | Information |
V 2.0: Logid_App_Ctrl_Im_Chat | Sub Rule | Application Control IM Message | Information |
V 2.0: Logid_App_Ctrl_Im_Chat_Block | Sub Rule | Application Control IM Message | Information |
V 2.0: Logid_App_Ctrl_Im_Block | Sub Rule | Application Control IM Message | Information |
V 2.0: Logid_App_Ctrl_Ssh_Pass | Sub Rule | SSH Session Opened | Network Traffic |
V 2.0: Logid_App_Ctrl_Ssh_Block | Sub Rule | Denied SSH Session | Warning |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
date | N/A | N/A | The date of the log entry. |
time | N/A | N/A | The time of the log entry. |
logid | <vmid> | Number | The log ID, which identifies the kind of log message rather than the individual entry; mapped to Vendor Message ID. |
type | <vendorinfo> | Text/String | The log type (utm for the logs this rule covers). |
subtype | N/A | N/A | The log subtype (app-ctrl for the logs this rule covers). |
eventtype | N/A | N/A | The application control event type (for example, app-ctrl-all). |
level | <severity> | Text/String | The severity level of the log event. |
vd | <sessiontype> | Text/String | The virtual domain (VDOM) associated with the log event. |
eventtime | N/A | N/A | The timestamp of the event. |
appid | <object> | Number | The application ID. |
user | <login> | Text/String | The user name associated with the session, when the user is authenticated. |
srcip | <sip> | IP Address | The source IP address of the communication. |
dstip | <dip> | IP Address | The destination IP address of the communication. |
srcport | <sport> | Number | The source port number. |
dstport | <dport> | Number | The destination port number. |
srcintf | <sinterface> | Text/String | The source interface. |
srcintfrole | N/A | N/A | The role of the source interface. |
dstintf | <dinterface> | Text/String | The destination interface. |
dstintfrole | N/A | N/A | The role of the destination interface. |
proto | <protnum> | Number | The IP protocol number (for example, 6 for TCP, 17 for UDP). |
service | <protname> | Text/String | The service or protocol being used. |
direction | N/A | N/A | The direction of the communication (incoming or outgoing). |
policyid | <policy> | Number | The ID of the policy associated with the log event. |
sessionid | <session> | Number | The ID of the session associated with the log event. |
applist | N/A | N/A | The application list. |
appcat | <objecttype> | Text/String | The category of the application. |
app | <objectname> | Text/String | The name of the application. |
action | <action> | Text/String | The action taken by the firewall (for example, pass, block, or reset); this is the field that distinguishes the Pass, Block and Reset sub rules above. |
hostname | <dname> | Text/String | The destination hostname of the communication. |
incidentserialno | <serialnumber> | Number | The incident serial number. |
url | <url> | Text/String | The URL of the communication. |
msg | <subject> | Text/String | Additional message or description of the log event. |
apprisk | N/A | N/A | The risk level associated with the application. |
scertcname | N/A | N/A | The common name of the server certificate. |
scertissuer | N/A | N/A | The issuer of the server certificate. |
forwardedfor | <snatip> | IP Address | The client IP address taken from the X-Forwarded-For header, present when the traffic arrived through a proxy. |
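As an added example, not code from LogRhythm or Fortinet, the following Python applies the mapping table above to FortiGate app-ctrl syslog lines: it parses the key=value format (including quoted values that contain spaces or escaped quotes), translates each FortiGate key to the schema tag in the table, coerces the tags typed as Number, and selects the Pass, Block or Reset sub rule. The page does not state what each sub rule matches on, so selecting by the action field is an assumption, and the sample lines, their log IDs, addresses, serial numbers and application names are all constructed for this example.

```python
"""Parse FortiGate app-ctrl syslog lines and map them to LogRhythm schema tags."""
import re

# FortiGate key -> LogRhythm schema tag, as listed in the mapping table above.
# Keys the table marks N/A (date, time, subtype, eventtype, ...) are kept in
# the parsed dict but are not mapped to a tag.
FIELD_MAP = {
    "logid": "vmid", "type": "vendorinfo", "level": "severity",
    "vd": "sessiontype", "appid": "object", "user": "login",
    "srcip": "sip", "dstip": "dip", "srcport": "sport", "dstport": "dport",
    "srcintf": "sinterface", "dstintf": "dinterface", "proto": "protnum",
    "service": "protname", "policyid": "policy", "sessionid": "session",
    "appcat": "objecttype", "app": "objectname", "action": "action",
    "hostname": "dname", "incidentserialno": "serialnumber", "url": "url",
    "msg": "subject", "forwardedfor": "snatip",
}

# Tags the table types as Number.
NUMERIC_TAGS = {"vmid", "object", "sport", "dport", "protnum", "policy",
                "session", "serialnumber"}

# key=value pairs; a value is either a double-quoted string (which may contain
# spaces and backslash-escaped quotes) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate(line):
    """Return the raw key/value pairs of one FortiGate syslog line."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def map_to_schema(fields):
    """Translate parsed FortiGate keys to LogRhythm tags; Number tags become int."""
    mapped = {}
    for key, value in fields.items():
        tag = FIELD_MAP.get(key)
        if tag is None:
            continue
        if tag in NUMERIC_TAGS:
            try:
                value = int(value)
            except ValueError:
                pass  # keep the raw text rather than silently dropping the field
        mapped[tag] = value
    return mapped


def classify(fields):
    """Pick the rule name and classification for a parsed line.

    Assumption (not stated on the page): the Pass/Block/Reset sub rules are
    selected on the FortiGate 'action' field; any other action falls back to
    the base rule. Returns None for lines this rule family does not cover.
    """
    if fields.get("type") != "utm" or fields.get("subtype") != "app-ctrl":
        return None
    by_action = {
        "pass": ("V 2.0: UTM App Ctrl IPS Pass", "Network Allow"),
        "block": ("V 2.0: UTM App Ctrl IPS Block", "Network Deny"),
        "reset": ("V 2.0: UTM App Ctrl IPS Reset", "Information"),
    }
    return by_action.get(fields.get("action", "").lower(),
                         ("V 2.0: UTM: App-Ctrl", "Information"))


def process(line):
    """Parse, classify and map one line; returns (rule, classification, mapped) or None."""
    fields = parse_fortigate(line)
    verdict = classify(fields)
    if verdict is None:
        return None
    return verdict[0], verdict[1], map_to_schema(fields)


# Constructed sample lines in the FortiGate key=value format; the log IDs,
# addresses, serial numbers and application names are made up for this example.
SAMPLE_LOGS = [
    'date=2024-01-15 time=10:22:31 logid="1059028704" type="utm" subtype="app-ctrl" '
    'eventtype="app-ctrl-all" level="information" vd="root" eventtime=1705314151 '
    'appid=15832 user="alice" srcip=10.0.1.25 dstip=203.0.113.10 srcport=51234 '
    'dstport=443 srcintf="port1" srcintfrole="lan" dstintf="port2" dstintfrole="wan" '
    'proto=6 service="HTTPS" direction="outgoing" policyid=12 sessionid=987654 '
    'applist="default" appcat="Web.Client" app="HTTPS.BROWSER" action="pass" '
    'hostname="example.com" incidentserialno=123456789 url="/" '
    'msg="Web.Client: HTTPS.BROWSER" apprisk="elevated"',
    'date=2024-01-15 time=10:23:05 logid="1059028705" type="utm" subtype="app-ctrl" '
    'eventtype="app-ctrl-all" level="warning" vd="root" appid=16072 srcip=10.0.1.40 '
    'dstip=198.51.100.20 srcport=44112 dstport=443 proto=6 service="HTTPS" '
    'direction="outgoing" policyid=12 sessionid=987700 appcat="Proxy" app="Tor" '
    'action="block" hostname="tor.example" forwardedfor="192.0.2.77" '
    'msg="Proxy: Tor" apprisk="critical"',
    'date=2024-01-15 time=10:24:11 logid="1059028705" type="utm" subtype="app-ctrl" '
    'eventtype="app-ctrl-all" level="warning" vd="root" appid=16072 srcip=10.0.1.41 '
    'dstip=198.51.100.21 srcport=44200 dstport=443 proto=6 service="HTTPS" '
    'direction="outgoing" policyid=12 sessionid=987800 appcat="Proxy" app="Tor" '
    'action="reset" msg="Proxy: Tor" apprisk="critical"',
]

if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        rule, classification, mapped = process(sample)
        print(f"{rule:34} {classification:14} sip={mapped['sip']} "
              f"objectname={mapped['objectname']} action={mapped['action']}")
```

The quoted-value branch of the regex matters in practice: msg and hostname values routinely contain spaces and colons, and a naive split on whitespace would break the subject field and misalign everything after it. Keys the table leaves as N/A (apprisk, srcintfrole, direction) survive in the parsed dict, so a detection that needs them can still read them even though they never reach a schema tag.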