Syslog Fortinet FortiGate - V 2.0 : UTM : Web-Filter
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 : UTM : Web-Filter | Base Rule | General Web Filter Message | Information |
V 2.0 : Webfilter Url Filter Block | Sub Rule | Web Activity Blocked | Failed Activity |
V 2.0 : Webfilter Url Filter Exempt | Sub Rule | URL Exempted | Activity |
V 2.0 : Webfilter Url Filter Allow | Sub Rule | General WebFilter URLFilter | Information |
V 2.0 : Webfilter Url Filter Srv Cert Err Blk | Sub Rule | Session Information | Information |
V 2.0 : Webfilter Url Filter Srv Cert Err Pass | Sub Rule | Session Information | Information |
V 2.0 : Webfilter Web Ftgd Warning | Sub Rule | Rating Error | Error |
V 2.0 : Webfilter Web Ftgd Cat Blk | Sub Rule | Blocked Message | Failed Activity |
V 2.0 : Webfilter Web Ftgd Cat Warn | Sub Rule | General Warning | Warning |
V 2.0 : Webfilter Web Ftgd Cat Allow | Sub Rule | URL Information | Information |
V 2.0 : Webfilter Web Url | Sub Rule | URL Information | Information |
V 2.0 : Webfilter Web Scriptfilter ActiveX | Sub Rule | ActiveX Script Removed | Information |
V 2.0 : Web Content Banned Word Found | Sub Rule | Banned Word Notice | Information |
V 2.0 : Web Content MMS Banned Word Found | Sub Rule | Blocked Message Banned Attachment | Failed Activity |
V 2.0 : Web Content Exempt Word Found | Sub Rule | Web Content MMS Exempt Word | Activity |
V 2.0 : Web Content MMS Exempt Word Found | Sub Rule | Web Content MMS Exempt Word | Activity |
V 2.0 : Message Contain A KeyWord In Profile List | Sub Rule | General WEB Information | Information |
V 2.0 : Search Phrase Detected | Sub Rule | Search | Information |
V 2.0 : Web Content MMS Banned Word | Sub Rule | Banned Word Notice | Information |
V 2.0 : Request Contained An Invalid Domain Name | Sub Rule | Invalid Domain Name | Information |
V 2.0 : HTTP Cert Request Contain Invalid Domain | Sub Rule | Invalid Domain Name | Information |
V 2.0 : HTTP Certi Req Contained An Invalid Name | Sub Rule | Invalid Name | Warning |
V 2.0 : Insufficient Resources | Sub Rule | Insufficient Resources | Critical |
V 2.0 : Getting The Host Name Failed | Sub Rule | Hostname Not Found | Warning |
V 2.0 : Server Certificate Validation Failed | Sub Rule | Certificate Verification Failure | Error |
V 2.0 : SSL Session Blocked | Sub Rule | Session Invalidated | Warning |
V 2.0 : Service Not Active | Sub Rule | FortiGuard Service Not Enabled | Critical |
V 2.0 : Rating Error Occurred | Sub Rule | Rating Error | Error |
V 2.0 : URL Passed | Sub Rule | URL Information | Information |
V 2.0 : URL Blocked By Websense Service | Sub Rule | Web Site Blocked - Category | Failed Activity |
V 2.0 : URL Allowed By Websense Service | Sub Rule | Web Site Blocked - Category | Failed Activity |
V 2.0 : URL Address Exempted | Sub Rule | URL Exempted | Activity |
V 2.0 : Rating Error Occurred | Sub Rule | Rating Error | Error |
V 2.0 : Daily FortiGuard Quota Status | Sub Rule | URL Access Statistics | Information |
V 2.0 : URL Belongs To An Override Rule | Sub Rule | URL Information | Information |
V 2.0 : FortiGuard Web Filter Category Quota Expir | Sub Rule | URL Access Statistics | Information |
V 2.0 : Cookie Removed | Sub Rule | Cookie Removed | Information |
V 2.0 : Java Applet Removed | Sub Rule | Java Applet Removed | Information |
V 2.0 : Script Entity Removed | Sub Rule | ActiveX Script Removed | Information |
V 2.0 : Cookie Removed Entirely | Sub Rule | Cookie Removed | Information |
V 2.0 : Referrer Removed From Request | Sub Rule | Object Modified | Access Success |
V 2.0 : Command Blocked | Sub Rule | Process Blocked | Failed Activity |
V 2.0 : Blocked By HTTP Header Content Type | Sub Rule | Blocked Message | Failed Activity |
V 2.0 : Depends On Info In Msg Field | Sub Rule | General WEB Information | Information |
V 2.0 : FortiGuard WebFilter Cate Quota Count Log | Sub Rule | URL Access Statistics | Information |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
date | N/A | N/A | The date of the log event. |
time | N/A | N/A | The time of the log event. |
logid | <vmid> | Number | A unique identifier for the log event. |
type | <vendorinfo> | Text/String | The type of log event. In this case, it is a UTM event. |
subtype | N/A | N/A | The subtype of the log event. In this case, it is a webfilter event. |
eventtype | N/A | N/A | The event type of the log event. In this case, it is an ftgd_blk event. |
level | <severity> | Text/String | The severity level of the log event. In this case, it is warning. |
vd | N/A | N/A | The vdom in which the log event occurred. |
eventtime | N/A | N/A | The time at which the log event occurred. |
policyid | <policy> | Number | The policy ID that was used to block the URL. |
sessionid | <session> | Number | The session ID of the web browsing session. |
srcip | <sip> | IP Address | The source IP address of the web browsing session. |
srcport | <sport> | Number | The source port of the web browsing session. |
srcintf | <sinterface> | Text/String | The source interface of the web browsing session. |
srcintfrole | N/A | N/A | The role of the source interface of the web browsing session. |
dstip | <dip> | IP Address | The destination IP address of the web browsing session. |
dstport | <dport> | Number | The destination port of the web browsing session. |
dstintf | <dinterface> | Text/String | The destination interface of the web browsing session. |
dstintfrole | N/A | N/A | The role of the destination interface of the web browsing session. |
proto | <protnum> | Number | The protocol of the web browsing session. |
service | <protname> | Text/String | The service of the web browsing session. |
hostname | <dname> | Text/String | The hostname of the requested URL. |
profile | <account> | Text/String | The web filter profile that was applied to the request. |
action | <action> | Text/String | The action that was taken. In this case, it was blocked. |
reqtype | <objecttype> | Text/String | The request type (direct or referral). |
url | <url> | Text/String | The URL that was requested. In this case, it was blocked. |
sentbyte | <bytesout> | Number | The number of bytes sent in the HTTP request. |
rcvdbyte | <bytesin> | Number | The number of bytes received in the HTTP response. |
direction | N/A | N/A | The direction of the web browsing session. |
msg | <subject> | Text/String | The message associated with the log event. |
method | <command> | Text/String | The web filter method recorded for the request (for example, domain). |
cat | N/A | N/A | The numeric FortiGuard category ID of the requested URL. |
catdesc | <threatname> | Text/String | The FortiGuard category name of the requested URL. |
crscore | <threatid> | Number | The client reputation score assigned to the event. |
craction | N/A | N/A | The client reputation action value assigned to the event. |
crlevel | N/A | N/A | The client reputation level assigned to the event (for example, high). |
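The two tables above describe a parser in prose: the classification table says which sub rule and common event a record resolves to, and the mapping table says which device key feeds which LogRhythm schema field. The Python below is an added worked example, not LogRhythm's or Fortinet's code, that applies both to a FortiGate webfilter record. The sample log lines are constructed, not captured. The page only names the ftgd_blk event type; the pairing of the other eventtype/action values (ftgd_allow, ftgd_err, urlfilter with blocked/exempt/passthrough) to sub rules is inferred from the rule names and is this example's assumption.

```python
"""Parse FortiGate UTM webfilter key=value syslog into LogRhythm schema fields
and pick the sub rule. Added example; not LogRhythm's or Fortinet's code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not captured logs). FortiGate double-quotes
# values that may contain spaces; numeric values are bare.
SAMPLE_FTGD_BLK = (
    'date=2023-05-01 time=10:15:30 logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="root" eventtime=1682936130 '
    'policyid=7 sessionid=441122 srcip=10.1.2.3 srcport=51234 srcintf="port2" '
    'srcintfrole="lan" dstip=203.0.113.10 dstport=443 dstintf="port1" '
    'dstintfrole="wan" proto=6 service="HTTPS" hostname="example.com" '
    'profile="default" action="blocked" reqtype="direct" url="https://example.com/" '
    'sentbyte=120 rcvdbyte=0 direction="outgoing" '
    'msg="URL belongs to a denied category in policy" method="domain" '
    'cat=52 catdesc="Information Technology" crscore=30 craction=4194304 crlevel="high"'
)
SAMPLE_URLFILTER = (
    'date=2023-05-01 time=10:16:02 type="utm" subtype="webfilter" eventtype="urlfilter" '
    'level="warning" vd="root" policyid=7 sessionid=441130 srcip=10.1.2.3 srcport=51240 '
    'dstip=203.0.113.11 dstport=80 proto=6 service="HTTP" hostname="bad.example" '
    'profile="default" action="blocked" reqtype="direct" url="http://bad.example/x" '
    'sentbyte=90 rcvdbyte=0 msg="URL was blocked because it is in the URL filter list"'
)

# Device key -> (schema field, data type), copied from the mapping table.
# Keys the table maps to N/A carry None: parsed, but not emitted.
DEVICE_TO_SCHEMA: Dict[str, Tuple[Optional[str], str]] = {
    "date": (None, "N/A"), "time": (None, "N/A"), "logid": ("vmid", "Number"),
    "type": ("vendorinfo", "Text"), "subtype": (None, "N/A"), "eventtype": (None, "N/A"),
    "level": ("severity", "Text"), "vd": (None, "N/A"), "eventtime": (None, "N/A"),
    "policyid": ("policy", "Number"), "sessionid": ("session", "Number"),
    "srcip": ("sip", "IP"), "srcport": ("sport", "Number"), "srcintf": ("sinterface", "Text"),
    "srcintfrole": (None, "N/A"), "dstip": ("dip", "IP"), "dstport": ("dport", "Number"),
    "dstintf": ("dinterface", "Text"), "dstintfrole": (None, "N/A"),
    "proto": ("protnum", "Number"), "service": ("protname", "Text"),
    "hostname": ("dname", "Text"), "profile": ("account", "Text"),
    "action": ("action", "Text"), "reqtype": ("objecttype", "Text"), "url": ("url", "Text"),
    "sentbyte": ("bytesout", "Number"), "rcvdbyte": ("bytesin", "Number"),
    "direction": (None, "N/A"), "msg": ("subject", "Text"), "method": ("command", "Text"),
    "cat": (None, "N/A"), "catdesc": ("threatname", "Text"), "crscore": ("threatid", "Number"),
    "craction": (None, "N/A"), "crlevel": (None, "N/A"),
}

# One key=value token: quoted value (may contain spaces) or a bare run of non-space.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Split a FortiGate key=value line into raw string values (quotes stripped)."""
    out: Dict[str, str] = {}
    for m in _KV.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        out[m.group(1)] = quoted if quoted is not None else bare
    return out


def to_schema(raw: Dict[str, str]) -> Tuple[Dict[str, object], List[str]]:
    """Rename device keys to schema fields; return (fields, unknown device keys).

    Number fields become int when they are digits; a malformed value stays a
    string so one bad field never drops the whole record.
    """
    fields: Dict[str, object] = {}
    unknown: List[str] = []
    for key, value in raw.items():
        if key not in DEVICE_TO_SCHEMA:
            unknown.append(key)
            continue
        field, dtype = DEVICE_TO_SCHEMA[key]
        if field is None:
            continue
        fields[field] = int(value) if dtype == "Number" and value.isdigit() else value
    return fields, unknown


# Assumed eventtype/action -> (sub rule, common event, classification) pairing,
# inferred from the rule names in the classification table; only ftgd_blk is
# stated on the page. Unmatched records fall through to the base rule.
def classify(raw: Dict[str, str]) -> Tuple[str, str, str]:
    et, act = raw.get("eventtype", ""), raw.get("action", "")
    if et == "ftgd_blk":
        return ("V 2.0 : Webfilter Web Ftgd Cat Blk", "Blocked Message", "Failed Activity")
    if et == "ftgd_allow":
        return ("V 2.0 : Webfilter Web Ftgd Cat Allow", "URL Information", "Information")
    if et == "ftgd_err":
        return ("V 2.0 : Webfilter Web Ftgd Warning", "Rating Error", "Error")
    if et == "urlfilter":
        by_action = {
            "blocked": ("V 2.0 : Webfilter Url Filter Block", "Web Activity Blocked", "Failed Activity"),
            "exempt": ("V 2.0 : Webfilter Url Filter Exempt", "URL Exempted", "Activity"),
        }
        return by_action.get(act, ("V 2.0 : Webfilter Url Filter Allow",
                                   "General WebFilter URLFilter", "Information"))
    return ("V 2.0 : UTM : Web-Filter", "General Web Filter Message", "Information")


if __name__ == "__main__":
    for line in (SAMPLE_FTGD_BLK, SAMPLE_URLFILTER):
        raw = parse_kv(line)
        fields, unknown = to_schema(raw)
        print(classify(raw)[0], fields["sip"], "->", fields["url"], "unknown:", unknown)
```

The `unknown` list is the check worth keeping in production: FortiOS upgrades add fields to webfilter records, and surfacing keys the mapping table does not know about is how you notice the parser has fallen behind rather than silently discarding data.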