Syslog Fortinet FortiGate - V 2.0 : UTM : Web-Filter
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0: UTM: Web-Filter | Base Rule | General Web Filter Message | Information |
V 2.0: Webfilter Url Filter Block | Sub Rule | Web Activity Blocked | Failed Activity |
V 2.0: Webfilter Url Filter Exempt | Sub Rule | URL Exempted | Activity |
V 2.0: Webfilter Url Filter Allow | Sub Rule | General WebFilter URLFilter | Information |
V 2.0: Webfilter Url Filter Srv Cert Err Blk | Sub Rule | Session Information | Information |
V 2.0: Webfilter Url Filter Srv Cert Err Pass | Sub Rule | Session Information | Information |
V 2.0: Webfilter Web Ftgd Warning | Sub Rule | Rating Error | Error |
V 2.0: Webfilter Web Ftgd Cat Blk | Sub Rule | Blocked Message | Failed Activity |
V 2.0: Webfilter Web Ftgd Cat Warn | Sub Rule | General Warning | Warning |
V 2.0: Webfilter Web Ftgd Cat Allow | Sub Rule | URL Information | Information |
V 2.0: Webfilter Web Url | Sub Rule | URL Information | Information |
V 2.0: Webfilter Web Scriptfilter ActiveX | Sub Rule | ActiveX Script Removed | Information |
V 2.0: Web Content Banned Word Found | Sub Rule | Banned Word Notice | Information |
V 2.0: Web Content MMS Banned Word Found | Sub Rule | Blocked Message Banned Attachment | Failed Activity |
V 2.0: Web Content Exempt Word Found | Sub Rule | Web Content MMS Exempt Word | Activity |
V 2.0: Web Content MMS Exempt Word Found | Sub Rule | Web Content MMS Exempt Word | Activity |
V 2.0: Message Contain A KeyWord In Profile List | Sub Rule | General WEB Information | Information |
V 2.0: Search Phrase Detected | Sub Rule | Search | Information |
V 2.0: Web Content MMS Banned Word | Sub Rule | Banned Word Notice | Information |
V 2.0: Request Contained An Invalid Domain Name | Sub Rule | Invalid Domain Name | Information |
V 2.0: HTTP Cert Request Contain Invalid Domain | Sub Rule | Invalid Domain Name | Information |
V 2.0: HTTP Certi Req Contained An Invalid Name | Sub Rule | Invalid Name | Warning |
V 2.0: HTTP Certi Req Contained An Invalid Name | Sub Rule | Invalid Name | Warning |
V 2.0: Insufficient Resources | Sub Rule | Insufficient Resources | Critical |
V 2.0: Getting The Host Name Failed | Sub Rule | Hostname Not Found | Warning |
V 2.0: Server Certificate Validation Failed | Sub Rule | Certificate Verification Failure | Error |
V 2.0: SSL Session Blocked | Sub Rule | Session Invalidated | Warning |
V 2.0: Service Not Active | Sub Rule | FortiGuard Service Not Enabled | Critical |
V 2.0: Rating Error Occurred | Sub Rule | Rating Error | Error |
V 2.0: URL Passed | Sub Rule | URL Information | Information |
V 2.0: URL Blocked By Websense Service | Sub Rule | Web Site Blocked - Category | Failed Activity |
V 2.0: URL Blocked With Redirect Msg By Websense | Sub Rule | Web Site Blocked - Category | Failed Activity |
V 2.0: URL Allowed By Websense Service | Sub Rule | URL Information | Information |
V 2.0: URL Address Exempted | Sub Rule | URL Exempted | Activity |
V 2.0: Rating Error Occurred | Sub Rule | Rating Error | Error |
V 2.0: Daily FortiGuard Quota Status | Sub Rule | URL Access Statistics | Information |
V 2.0: URL Belongs To An Override Rule | Sub Rule | URL Information | Information |
V 2.0: URL Belongs To An Override Rule | Sub Rule | URL Information | Information |
V 2.0: FortiGuard Web Filter Category Quota Expir | Sub Rule | URL Access Statistics | Information |
V 2.0: Cookie Removed | Sub Rule | Cookie Removed | Information |
V 2.0: Java Applet Removed | Sub Rule | Java Applet Removed | Information |
V 2.0: Script Entity Removed | Sub Rule | ActiveX Script Removed | Information |
V 2.0: Cookie Removed Entirely | Sub Rule | Cookie Removed | Information |
V 2.0: Referrer Removed From Request | Sub Rule | Object Modified | Access Success |
V 2.0: Command Blocked | Sub Rule | Process Blocked | Failed Activity |
V 2.0: Blocked By HTTP Header Content Type | Sub Rule | Blocked Message | Failed Activity |
V 2.0: Depends On Info In Msg Field | Sub Rule | General WEB Information | Information |
V 2.0: Depends On Info In Msg Field | Sub Rule | General WEB Information | Information |
V 2.0: FortiGuard WebFilter Cate Quota Count Log | Sub Rule | URL Access Statistics | Information |
V 2.0: CONTENT_TYPE_EXEMPT | Sub Rule | URL Exempted | Activity |
V 2.0: ANTIPHISH_MATCH_URL_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0: ANTIPHISH_MATCH_FTGD_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0: ANTIPHISH_MATCH_DEFAULT_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0: ANTIPHISH_MATCH_URL_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0: ANTIPHISH_MATCH_FTGD_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0: ANTIPHISH_MATCH_DEFAULT_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0: VIDEOFILTER_CATEGORY_BLOCK | Sub Rule | Blocked Message | Failed Activity |
V 2.0: VIDEOFILTER_CATEGORY_MONITOR | Sub Rule | General MONITOR Message | Information |
V 2.0: VIDEOFILTER_CATEGORY_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0: VIDEOFILTER_CHANNEL_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0: VIDEOFILTER_CHANNEL_MONITOR | Sub Rule | General MONITOR Message | Information |
V 2.0: VIDEOFILTER_CHANNEL_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0: UNKNOWN_CE_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0: UNKNOWN_CE_BYPASS | Sub Rule | Traffic Redirected | Network Traffic |
V 2.0: VIDEOFILTER_TITLE_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0: VIDEOFILTER_TITLE_MONITOR | Sub Rule | General MONITOR Message | Information |
V 2.0: VIDEOFILTER_TITLE_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0: VIDEOFILTER_DESCRIPTION_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0: VIDEOFILTER_DESCRIPTION_MONITOR | Sub Rule | General MONITOR Message | Information |
V 2.0: VIDEOFILTER_DESCRIPTION_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
date | N/A | N/A | The date of the log event. |
time | N/A | N/A | The time of the log event. |
logid | <vmid> | Number | A unique identifier for the log event. |
type | <vendorinfo> | Text/String | The type of log event. In this case, it is a UTM event. |
subtype | N/A | N/A | The subtype of the log event. In this case, it is a webfilter event. |
eventtype | N/A | N/A | The event type of the log event. In this case, it is an ftgd_blk event. |
level | <severity> | Text/String | The severity level of the log event. In this case, it is a warning. |
vd | <sessiontype> | Text/String | The VDOM (virtual domain) in which the log event occurred. |
eventtime | N/A | N/A | The time at which the log event occurred. |
policyid | <policy> | Number | The policy ID that was used to block the URL. |
sessionid | <session> | Number | The session ID of the web browsing session. |
user | <login> | Text/String | The user who logged in. |
srcip | <sip> | IP Address | The source IP address of the web browsing session. |
srcport | <sport> | Number | The source port of the web browsing session. |
srcintf | <sinterface> | Text/String | The source interface of the web browsing session. |
srcintfrole | N/A | N/A | The role of the source interface of the web browsing session. |
dstip | <dip> | IP Address | The destination IP address of the web browsing session. |
dstport | <dport> | Number | The destination port of the web browsing session. |
dstintf | <dinterface> | Text/String | The destination interface of the web browsing session. |
dstintfrole | N/A | N/A | The role of the destination interface of the web browsing session. |
proto | <protnum> | Number | The protocol of the web browsing session. |
service | <parentprocessname> | Text/String | The service of the web browsing session. |
hostname | <dname> | Text/String | The hostname of the blocked URL. |
profile | <account> | Text/String | The profile that was used to block the URL. |
action | <action> | Text/String | The action that was taken. In this case, the request was blocked. |
reqtype | <objecttype> | Text/String | The request type. |
url | <url> | Text/String | The URL that was blocked. |
sentbyte | <bytesout> | Number | The number of bytes sent in the HTTP request. |
rcvdbyte | <bytesin> | Number | The number of bytes received in the HTTP response. |
direction | N/A | N/A | The direction of the web browsing session. |
msg | <subject> | Text/String | The message associated with the log event. |
method | <command> | Text/String | The method used to block the URL. |
cat | N/A | N/A | The category of the blocked URL. |
catdesc | <threatname> | Text/String | The description of the category of the blocked URL. |
crscore | <threatid> | Number | The risk score of the blocked URL. |
craction | N/A | N/A | The action to be taken if the URL is encountered again. |
crlevel | N/A | N/A | The severity level of the blocked URL. |
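As an added example (this is illustrative code, not LogRhythm's parser and not Fortinet's), the Python below parses one FortiGate webfilter record in the space-separated key=value syslog format, applies the mapping table above to produce LogRhythm schema fields with the Data Type column enforced (Number and IP Address values are coerced, and a value that fails coercion is kept as a string and reported rather than silently dropped), and then picks a sub rule from the classification table. The sample record is constructed, the key=value format with double-quoted values is an assumption about the device output, and the `(eventtype, action)` matching criteria in `SUB_RULES` are assumptions: the page gives rule names, Common Events and Classifications, but not how each sub rule is matched.

```python
"""
Added example: parse a FortiGate webfilter syslog record and project it onto
the LogRhythm schema names from the mapping table. Not LogRhythm's own
parser; the sample record and the sub-rule criteria are assumptions.
"""
import ipaddress
import re

# Device key -> LogRhythm schema field, from the mapping table. Keys the page
# maps to N/A (date, time, subtype, eventtype, cat, ...) are parsed but not
# placed in the schema event; they stay available in the raw field dict.
SCHEMA_MAP = {
    "logid": "vmid", "type": "vendorinfo", "level": "severity", "vd": "sessiontype",
    "policyid": "policy", "sessionid": "session", "user": "login", "srcip": "sip",
    "srcport": "sport", "srcintf": "sinterface", "dstip": "dip", "dstport": "dport",
    "dstintf": "dinterface", "proto": "protnum", "service": "parentprocessname",
    "hostname": "dname", "profile": "account", "action": "action",
    "reqtype": "objecttype", "url": "url", "sentbyte": "bytesout",
    "rcvdbyte": "bytesin", "msg": "subject", "method": "command",
    "catdesc": "threatname", "crscore": "threatid",
}
# Data Type column: device keys that must coerce to Number or IP Address.
NUMBER_KEYS = {"logid", "policyid", "sessionid", "srcport", "dstport", "proto",
               "sentbyte", "rcvdbyte", "crscore"}
IP_KEYS = {"srcip", "dstip"}

# Assumed record format: key=value pairs separated by spaces, with values
# that contain spaces wrapped in double quotes.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Assumed (eventtype, action) criteria for three of the page's sub rules;
# the page lists the rules but not their matching conditions.
SUB_RULES = {
    ("ftgd_blk", "blocked"): ("V 2.0: Webfilter Web Ftgd Cat Blk", "Blocked Message", "Failed Activity"),
    ("ftgd_allow", "passthrough"): ("V 2.0: Webfilter Web Ftgd Cat Allow", "URL Information", "Information"),
    ("urlfilter", "blocked"): ("V 2.0: Webfilter Url Filter Block", "Web Activity Blocked", "Failed Activity"),
}
BASE_RULE = ("V 2.0: UTM: Web-Filter", "General Web Filter Message", "Information")

# Constructed sample record; every value here is made up for the example.
SAMPLE = (
    'date=2024-01-15 time=10:20:30 logid="0316000000" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="root" eventtime=1705314030 policyid=12 '
    'sessionid=48213 user="Jane Doe" srcip=10.1.2.3 srcport=51234 srcintf="port2" '
    'srcintfrole="lan" dstip=203.0.113.10 dstport=443 dstintf="port1" dstintfrole="wan" '
    'proto=6 service="HTTPS" hostname="example.test" profile="default" action="blocked" '
    'reqtype="direct" url="/" sentbyte=0 rcvdbyte=0 direction="outgoing" '
    'msg="URL belongs to a denied category in policy" method="domain" cat=26 '
    'catdesc="Malicious Websites" crscore=30 craction=4194304 crlevel="high"'
)


def parse_fortigate(line):
    """Return the raw key -> string value pairs of one syslog record."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = bare if quoted is None else quoted
    return fields


def to_schema(fields):
    """Map raw fields onto LogRhythm schema names, coercing per Data Type.

    Returns (event, anomalies). A value that fails coercion is stored as the
    original string and described in anomalies, so malformed records are
    visible to the operator instead of vanishing.
    """
    event, anomalies = {}, []
    for key, value in fields.items():
        schema = SCHEMA_MAP.get(key)
        if schema is None:
            continue  # page maps this key to N/A
        try:
            if key in NUMBER_KEYS:
                value = int(value)
            elif key in IP_KEYS:
                value = ipaddress.ip_address(value)
        except ValueError:
            expected = "Number" if key in NUMBER_KEYS else "IP Address"
            anomalies.append(f"{key}={value!r} is not a valid {expected}")
        event[schema] = value
    return event, anomalies


def classify(fields):
    """Pick the sub rule for a record, falling back to the base rule."""
    return SUB_RULES.get((fields.get("eventtype"), fields.get("action")), BASE_RULE)


if __name__ == "__main__":
    raw = parse_fortigate(SAMPLE)
    event, problems = to_schema(raw)
    rule, common_event, classification = classify(raw)
    print(f"{rule} -> {common_event} / {classification}")
    for name in ("sip", "dip", "login", "dname", "threatname", "threatid", "subject"):
        print(f"  {name:<11} {event[name]}")
    print("anomalies:", problems)
    # A malformed copy of the record shows the coercion-failure path.
    _, bad = to_schema(parse_fortigate(SAMPLE.replace("srcip=10.1.2.3", "srcip=bogus")))
    print("anomalies (malformed copy):", bad)
```

The raw dict is kept alongside the schema event on purpose: keys the table maps to N/A (eventtype, cat, crlevel) are exactly the ones that decide which sub rule fires, so a parser that discarded them after mapping would lose the classification inputs.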