Skip to main content
Skip table of contents

Syslog Fortinet FortiGate - V 2.0 : UTM : IPS

Vendor Documentation

Classification

Rule Name

Rule Type

Common Event

Classification

V 2.0 : UTM : IPS

Base Rule

General IPS Message

Information

V 2.0 : IPS Signature ICMP

Sub Rule

General IPS/IDS Message

Other Operations

V 2.0 : IPS Signature TCP UDP

Sub Rule

General Attack Activity

Attack

V 2.0 : Attack Detected By Other Signature

Sub Rule

General Attack Activity

Attack

V 2.0 : Attack Detected By A Malicious URL

Sub Rule

General Attack Activity

Attack

Mapping with LogRhythm Schema

Device Key in Log Message

LogRhythm Schema

Data Type

Schema Description

date

N/A

N/A

The date of the log entry.

time

N/A

N/A

The time of the log entry.

logid

<vmid>

Number

The unique identifier for the log entry.

type

<vendorinfo>

Text/String

The type of log event.

subtype

N/A

N/A

The subtype of the log event (intrusion prevention system).

eventtype

N/A

N/A

The type of IPS event (signature-based in this case).

level

N/A

N/A

The severity level of the log event.

vd

N/A

N/A

The virtual domain associated with the log event.

eventtime

N/A

N/A

The timestamp of the event.

severity

<severity>

Text/String

The severity level of the IPS event.

srcip

<sip>

IP Address

The source IP address of the communication.

srccountry

N/A

N/A

The country associated with the source IP address.

dstip

<dip>

IP Address

The destination IP address of the communication.

srcintf

<sinterface>

Text/String

The source interface.

srcintfrole

N/A

N/A

The role of the source interface.

dstintf

<dinterface>

Text/String

The destination interface.

dstintfrole

N/A

N/A

The role of the destination interface.

sessionid

<session>

Number

The ID of the session associated with the log event.

action

<action>

Text/String

The action taken by the system (dropped in this case).

proto

<protnum>

Number

The protocol number (TCP in this case).

service

<protname>

Text/String

The service or protocol being used.

policyid

<policy>

Number

The ID of the policy associated with the log event.

attack

<threatname>

Text/String

The name of the detected attack.

srcport

<sport>

Number

The source port number.

dstport

<dport>

Number

The destination port number.

hostname

<sname>

IP Address

The hostname of the communication.

url

N/A

N/A

The URL of the communication.

direction

N/A

N/A

The direction of the communication (incoming in this case).

attackid

<threatid>

Number

The ID of the detected attack.

profile

N/A

N/A

The IPS profile associated with the log event.

ref

<url>

Text/String

Reference link for more information about the attack.

incidentserialno

N/A

N/A

The serial number of the incident.

msg

<subject>

Text/String

Additional message or description of the log event.

crscore

N/A

N/A

The risk score associated with the event.

craction

N/A

N/A

The action taken based on the risk score (4096 in this case).

crlevel

N/A

N/A

The risk level associated with the event.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.