Skip to main content
Skip table of contents

Syslog - Fortinet FortiGate v5.4/v5.6

Device Details



Device Type


Supported Model Name/Number

FortiGate Firewall

Supported Software Version(s)

FortiOS 5.4, FortiOS 5.6

Collection Method


Configurable Log Output?


Log Source Type

Syslog - Fortinet FortiGate v5.4/v5.6

Log Processing Policy

LogRhythm Default



Additional Information

Logging output is configurable to “default,” “CEF,” or “CSV.”

The “default” configuration is the format accepted by this policy. This format is space-delimited and double-quote encapsulated.


Fortinet FortiGate appliance update to FortiOS version 5.4 or 5.6 required.

Device Configuration Checklist

FortiOS logging output must be set to default. Your FortiGate device should already be set to this mode, but if the logging output contains commas (,) or pipe (|) characters, then you are running in either CSV or CEF mode and need to perform the following configuration:

  1. Enter CLI mode.
  2. Set logging output to default with the following commands:
    • config log syslogd setting

      In this example, “syslogd” is the first log output of the FortiGate device. 

    • set format default
    • end

Supported Log Messages

(List of LR Tags used to parse the log information for each message type)


Product Version

Supported Schema Fields

Catch All : Level 4N\A<vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <domainorigin>, <objectname>, <object>

Application Control


<vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <login>, <domainorigin>, <session>, <process>, <processid>, <object>, <objectname>, <subject>, <url>, <group>, <command>, <action>

Attack AnomalyN\A<vmid>, <domainorigin>, <severity>, <sip>, <dip>, <sinterface>, <session>, <command>, <protnum>, <quantity>, <object>, <sport>, <dport>, <processid>, <url>, <subject>
Authentication Status MessagesN\A<vmid>, <severity>, <sip>, <login>, <domainorigin>, <object>, <subject>, <command>
Compliance Check MessagesN\A<vmid>, <severity>, <domainorigin>, <process>, <object>, <subject>
DNS MessagesN\A<vmid>, <severity>, <sip>, <dname>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <login>, <domainorigin>, <session>, <subject>, <policy>
DNS Messages - D SeriesN\A<vmid>, <severity>, <sip>, <dname>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <login>, <domainorigin>, <session>, <subject>, <policy>
Event : EndpointN\A<vmid>, <severity>, <vendorinfo>, <sip>, <sname>, <smac>, <login>, <domainorigin>, <sessiontype>, <objecttype>, <objectname>, <subject>, <url>, <policy>, <action>, <result>, <status>, <quantity>
Event : RouterN\A<vmid>, <severity>, <vendorinfo>, <domainorigin>, <subject>, <policy>, <result>, <tag1>
Fortimanager Log MessagesN\A<vmid>, <severity>, <sip>, <sport>, <login>, <subject>
IPS EventsN\A<vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <domainorigin>, <domainimpacted>, <session>, <process>, <object>, <subject>, <threatname>, <threatid>, <url>, <group>, <command>, <tag1>, <tag2>
IPSec MessagesN\A<vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <dinterface>, <login>, <domainorigin> ,<process>, <object>, <subject>, <group>, <command>, <bytesin>, <bytesout>, <duration>
Port Scan MessagesN\A<vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <protnum>, <process>, <object>, <subject>, <threatname>, <url>, <group>, <command>
SMTP Status MessagesN\A<vmid>, <protname>, <login>, <session>, <subject>, <command>
Spam and Statistical MessagesN\A<vmid>, <dip>, <domainorigin>, <session>, <object>, <subject>, <threatname>, <status>, <sender>, <recipient>
SSL Alert MessagesN\A<vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <session>, <process>, <object>, <subject>, <command>
SSL VPN EventsN\A<vmid>, <severity>, <sip>, <snatip>, <protname>, <login>, <domainorigin>, <process>, <object>, <objectname>, <subject>, <url>, <group>, <bytesin>, <bytesout>, <duration>
System/HA Statistical MessagesN\A<vmid>, <severity>, <sip>, <sname>, <dip>, <sport>, <dport>, <sinterface>, <protnum>, <login>, <session>, <object>, <subject>, <threatname>, <command>, <action>, <tag1>
Traffic : ForwardN\A<vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <snatip>, <dnatip>, <sinterface>, <dinterface>, <protnum>, <login>, <session>, <processid>, <object>, <objectname>, <subject>, <url>, <policy>, <group>, <action>, <result>, <status>, <bytesin>, <bytesout>, <duration>, <tag1>, <tag2>, <tag3>
Traffic : LocalN\A<vmid>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <session>, <objectname>, <subject>, <policy>, <action>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <tag1>, <tag2>
Traffic : MulticastN\A<vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <session>, <policy>, <action>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <tag1>, <tag2>
Traffic : SnifferN\A<vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <snatip>, <sinterface>, <dinterface>, <protnum>, <protname>, <domainorigin>, <session>, <object>, <objectname>, <subject>, <policy>, <action>, <bytesin>, <bytesout>, <itemsin>, <itemsout>, <tag1>, <tag2>, <tag3>
Traffic/UTM MessagesN\A<vmid>, <vendorinfo>, <severity>, <sip>, <dname>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <domainorigin>, <session>, <subject>, <threatname>, <object>, <url>, <group>, <command>, <action>, <bytesin>, <bytesout>, <tag5>
Traffic/UTM Messages - D SeriesN\A<vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <snatip>, <sinterface>, <dinterface>, <protnum>, <protname>, <domainorigin>, <object>, <subject>, <url>, <command>, <result>, <status>
Traffic Events - DeprecatedN\A<vmid>, <severity>, <sip>, <sname>, <dip>, <dname>, <sport>, <dport>, <snatip>, <sinterface>, <dinterface>, <protnum>, <protname>, <login>, <domainorigin>, <session>, <object>, <policy>, <group>, <action>, <tag1>, <bytesin>, <bytesout>, <itemsin>, <itemsout>, <duration>, <tag2>, <tag3>
Traffic Multicast MessageN\A<severity>, <sip>, <dip>, <sname>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <session>, <action>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <duration>
URL Filter MessagesN\A<vmid>, <severity>, <sip>, <dip>, <dname>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <session>, <subject>, <url>, <command>, <status>, <bytesin>, <bytesout>
User Subtype MessagesN\A<vmid>, <severity>, <sip>, <login>, <domainorigin>, <object>, <subject>, <vendorinfo>, <group>, <command>, <status>, <tag1>
UTM VOIP MessagesN\A<vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <domainorigin>, <subject>, <command>
v6.x Events - Security-RatingN\A<vmid>, <vendorinfo>, <severity>, <domainorigin>, <policy>
v6.x Events - SystemN\A<vmid>, <vendorinfo>, <severity>, <sip>, <domainorigin>, <subject>, <policy>
v6.x Events - UserN\A<vmid>, <vendorinfo>, <severity> ,<sip>, <dip>, <login>, <domainorigin>, <subject>, <policy>, <status>
Virus InfectionN\A<vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <login>, <domainorigin>, <session>, <object>, <objectname>, <threatname>, <subject>, <version>, <url>, <command>, <tag2>
WebFilter TrafficN\A<vmid>, <vendorinfo>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <login>, <domainorigin>, <session>, <object>, <subject>, <url>, <group>, <action>, <result>, <reason>, <bytesin>, <bytesout>
Wireless Event Log MessagesN\A<vmid>, <vendorinfo>, <severity>, <sip>, <sname>, <smac>, <login>, <domainorigin>, <subject>, <action>, <reason>

Revision History

KB Version

Log Type

Change Type


KB 7.1.598.0N/ADocumentationInitial documentation in new DCG format.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.