Syslog Fortinet FortiGate - V 2.0 : UTM : SSL
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
V 2.0: UTM: SSL | Base Rule | General SSL/VPN Session Information | Information |
V 2.0: LOG_ID_SSL_CERT_BLACKLISTED | Sub Rule | Blocked Message | Failed Activity |
V 2.0: LOG_ID_SSL_CERT_PASS | Sub Rule | SSL Certificate Verified | Information |
V 2.0: LOG_ID_SSL_CERT_BLOCK | Sub Rule | Blocked Message | Failed Activity |
V 2.0: LOG_ID_SSL_EXEMPT | Sub Rule | Certificate Valid | Information |
V 2.0: LOG_ID_SSL_HS_CERT_REQ_EXEMPT | Sub Rule | Certificate Valid | Information |
V 2.0: LOG_ID_SSL_HS_CERT_REQ_BLOCK | Sub Rule | Blocked Message | Failed Activity |
V 2.0: LOG_ID_SSL_HS_UNSUPPROTED_EXEMPT | Sub Rule | Traffic Redirected | Network Traffic |
V 2.0: LOG_ID_SSL_HS_UNSUPPORTED_BLOCK | Sub Rule | Blocked Message | Failed Activity |
V 2.0: LOG_ID_SSL_EXEMPT_ADDR | Sub Rule | Connection Information | Information |
V 2.0: LOG_ID_SSL_EXEMPT_FTGD_CAT | Sub Rule | Connection Information | Information |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
date | N/A | N/A | The date of the event. |
time | N/A | N/A | The time of the event. |
logid | <vmid> | Number | The log ID. |
type | <vendorinfo> | Text/String | The type of event. |
subtype | N/A | N/A | The subtype of the event. |
eventtype | N/A | N/A | The specific type of SSL event. |
level | <severity> | Text/String | The level of the event. |
vd | <sessiontype> | Text/String | The virtual domain. |
eventtime | N/A | N/A | The event time in epoch format. |
policyid | <policy> | Number | The ID of the policy associated with the log event. |
sessionid | <session> | Number | The ID of the session associated with the log event. |
service | <parentprocessname> | Text/String | The service. |
srcip | <sip> | IP Address | The source IP address. |
srcport | <sport> | Number | The source port. |
dstip | <dip> | IP Address | The destination IP address. |
dstport | <dport> | Number | The destination port. |
srcintf | <sinterface> | Text/String | The source interface. |
srcintfrole | N/A | N/A | The role of the source interface. |
dstintf | <dinterface> | Text/String | The destination interface. |
dstintfrole | N/A | N/A | The role of the destination interface. |
proto | <protnum> | Number | The protocol. |
action | <action> | Text/String | The action taken by the firewall. |
msg | <subject> | Text/String | The message associated with the log event. |
reason | <reason> | Text/String | The reason for the log event. |
tz | N/A | N/A | The time zone of the log event. |
profile | N/A | N/A | The SSL profile. |
eventsubtype | N/A | N/A | N/A |
srcuuid | N/A | N/A | The source UUID. |
dstuuid | N/A | N/A | The destination UUID. |
sni | N/A | N/A | N/A |
hostname | <dname> | Text/String | The hostname associated with the communication. |
notbefore | N/A | N/A | N/A |
notafter | N/A | N/A | N/A |
issuer | N/A | N/A | N/A |
cn | N/A | N/A | N/A |
san | N/A | N/A | N/A |
sn | <serialnumber> | Text/String | The serial number of the log event. |
ski | N/A | N/A | N/A |
certhash | <hash> | Text/String | N/A |
keyalgo | N/A | N/A | N/A |
keysize | <size> | Number | N/A |
tlsver | N/A | N/A | N/A |
cipher | N/A | N/A | N/A |
authalgo | N/A | N/A | N/A |
kxproto | N/A | N/A | N/A |
kxcurve | N/A | N/A | N/A |
handshake | N/A | N/A | N/A |
mitm | N/A | N/A | N/A |