Syslog Fortinet FortiGate - V 2.0 : UTM : DNS
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 : UTM : DNS | Base Rule | General DNS Information | Information |
V 2.0 : Log_Id_Dns_Url_Filter_Allow | Sub Rule | General DNS Information | Information |
V 2.0 : Log_Id_Dns_Botnet_Ip | Sub Rule | Blocked Message | Failed Activity |
V 2.0 : Log_Id_Dns_Botnet_Domain | Sub Rule | Blocked Message | Failed Activity |
V 2.0 : Log_Id_Dns_Ftgd_Warning | Sub Rule | Rating Error | Error |
V 2.0 : Log_Id_Dns_Ftgd_Error | Sub Rule | Rating Error | Error |
V 2.0 : Log_Id_Dns_Ftgd_Cat_Allow | Sub Rule | General DNS Information | Information |
V 2.0 : Log_Id_Dns_Ftgd_Cat_Block | Sub Rule | Blocked Message | Failed Activity |
V 2.0 : LOG_ID_DNS_QUERY | Sub Rule | DNS Query | Information |
V 2.0 : LOG_ID_DNS_RESOLV_ERROR | Sub Rule | General DNS Error | Error |
V 2.0 : LOG_ID_DNS_URL_FILTER_BLOCK | Sub Rule | Blocked Message | Failed Activity |
V 2.0 : LOG_ID_DNS_SAFE_SEARCH | Sub Rule | Redirected For Safe Search | Information |
V 2.0 : LOG_ID_DNS_LOCAL | Sub Rule | DNS Query | Information |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
date | N/A | N/A | The date of the log entry. |
time | N/A | N/A | The time of the log entry. |
logid | <vmid> | Number | The unique identifier for the log entry. |
type | <vendorinfo> | Text/String | The type of log event. |
subtype | N/A | N/A | The subtype of the log event. |
eventtype | N/A | N/A | The type of DNS event (for example, a DNS response). |
level | <severity> | Text/String | The severity level of the log event. |
vd | <sessiontype> | Text/String | The virtual domain associated with the log event. |
eventtime | N/A | N/A | The timestamp of the event. |
policyid | <policy> | Number | The ID of the policy associated with the log event. |
sessionid | <session> | Number | The ID of the session associated with the log event. |
srcip | <sip> | IP Address | The source IP address of the communication. |
srcport | <sport> | Number | The source port number. |
srcintf | <sinterface> | Text/String | The source interface. |
srcintfrole | N/A | N/A | The role of the source interface. |
dstip | <dip> | IP Address | The destination IP address of the communication. |
dstport | <dport> | Number | The destination port number. |
dstintf | <dinterface> | Text/String | The destination interface. |
dstintfrole | N/A | N/A | The role of the destination interface. |
proto | <protnum> | Number | The IP protocol number (17 for UDP). |
profile | N/A | N/A | The profile applied to the log event. |
srcmac | <smac> | Text/String | The source MAC address. |
xid | N/A | N/A | The transaction ID of the DNS query. |
qname | N/A | N/A | The queried domain name. |
qtype | N/A | N/A | The queried record type (for example, AAAA). |
qtypeval | N/A | N/A | The numerical value of the queried record type. |
qclass | N/A | N/A | The queried record class. |
ipaddr | N/A | N/A | The resolved IP address for the queried domain. |
msg | <subject> | Text/String | Additional message or description of the log event. |
action | <action> | Text/String | The action taken by the system (for example, pass). |
cat | <object> | Number | The ID of the category associated with the log event. |
catdesc | <objectname> | Text/String | The description of the category. |
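The mapping table above is easiest to check against a real event by running it as code. The following Python is an added example, not LogRhythm's MPE parser or any Fortinet tooling: it tokenizes the FortiGate `key=value` log body, renames the keys the table maps to a LogRhythm schema field, coerces values to the declared data type, and keeps every N/A key verbatim so no DNS detail (qname, qtype, ipaddr) is lost. The sample event is constructed here and its `logid` is a placeholder, not a real FortiGate log ID; because the page does not list which logid values select which sub rule, the example does no sub-rule classification.

```python
import ipaddress
import re
from typing import Any

# Device key -> (LogRhythm schema field, data type), transcribed from the
# mapping table above. Keys the table maps to N/A are kept verbatim under
# "unmapped" so nothing in the original event is discarded.
FIELD_MAP: dict[str, tuple[str, str]] = {
    "logid": ("vmid", "Number"),
    "type": ("vendorinfo", "Text/String"),
    "level": ("severity", "Text/String"),
    "vd": ("sessiontype", "Text/String"),
    "policyid": ("policy", "Number"),
    "sessionid": ("session", "Number"),
    "srcip": ("sip", "IP Address"),
    "srcport": ("sport", "Number"),
    "srcintf": ("sinterface", "Text/String"),
    "dstip": ("dip", "IP Address"),
    "dstport": ("dport", "Number"),
    "dstintf": ("dinterface", "Text/String"),
    "proto": ("protnum", "Number"),
    "srcmac": ("smac", "Text/String"),
    "msg": ("subject", "Text/String"),
    "action": ("action", "Text/String"),
    "cat": ("object", "Number"),
    "catdesc": ("objectname", "Text/String"),
}

# FortiGate writes space-separated key=value pairs; values that may contain
# spaces are double-quoted. A syslog priority/header in front of the body is
# skipped naturally because it never matches key=value.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def tokenize(line: str) -> dict[str, str]:
    """Split a FortiGate log body into raw string values keyed by device key."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _KV_RE.finditer(line)
    }


def coerce(value: str, data_type: str) -> Any:
    """Convert a raw value to the type the schema column declares.
    Raises ValueError so the caller decides how to handle bad input."""
    if data_type == "Number":
        return int(value)
    if data_type == "IP Address":
        return str(ipaddress.ip_address(value))  # rejects junk such as "10.0.0"
    return value


def map_to_logrhythm(line: str) -> dict[str, Any]:
    """Return the event keyed by LogRhythm schema field names.

    A value that fails type coercion is kept as its raw string and the device
    key is listed in "parse_errors", so one malformed field degrades a single
    value instead of dropping the whole event from the pipeline."""
    record: dict[str, Any] = {"unmapped": {}, "parse_errors": []}
    for key, value in tokenize(line).items():
        if key not in FIELD_MAP:
            record["unmapped"][key] = value
            continue
        field, data_type = FIELD_MAP[key]
        try:
            record[field] = coerce(value, data_type)
        except ValueError:
            record[field] = value
            record["parse_errors"].append(key)
    return record


# Constructed sample event covering the key set in the table above; the logid
# is a placeholder, not a real FortiGate log ID.
SAMPLE_LOG = (
    'date=2024-01-15 time=10:20:30 logid="0000000000" type="utm" subtype="dns" '
    'eventtype="dns-response" level="information" vd="root" eventtime=1705314030 '
    'policyid=1 sessionid=12345 srcip=10.0.0.5 srcport=51234 srcintf="port2" '
    'srcintfrole="lan" dstip=192.0.2.53 dstport=53 dstintf="port1" dstintfrole="wan" '
    'proto=17 profile="default" srcmac="00:11:22:33:44:55" xid=4321 '
    'qname="example.com" qtype="AAAA" qtypeval=28 qclass="IN" ipaddr="2001:db8::1" '
    'msg="Domain is monitored" action="pass" cat=52 catdesc="Information Technology"'
)

if __name__ == "__main__":
    for field, value in sorted(map_to_logrhythm(SAMPLE_LOG).items()):
        print(f"{field:14} {value}")
```

Keeping the N/A keys rather than discarding them matters for DNS telemetry in particular: `qname`, `qtype` and `ipaddr` carry the resolution itself, and a detection written only against the mapped fields would never see the domain that was queried.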