Syslog - Fortinet FortiGate v5.4/v5.6

Device Details

Vendor: Fortinet
Device Type: Firewall
Supported Model Name/Number: FortiGate Firewall
Supported Software Version(s): FortiOS 5.4, FortiOS 5.6
Collection Method: Syslog
Configurable Log Output?: Yes
Log Source Type: Syslog - Fortinet FortiGate v5.4/v5.6
Log Processing Policy: LogRhythm Default
Exceptions: N/A

Additional Information

Logging output is configurable to “default,” “CEF,” or “CSV.”

The “default” configuration is the only format accepted by this policy. It consists of space-delimited key=value pairs (for example, srcip=10.1.1.25 type="traffic" level="notice"), with string values enclosed in double quotes. CEF and CSV output from the same device will not be parsed by this policy.

https://www.fortinet.com/products.html

https://docs.fortinet.com/product/fortigate/5.4

https://docs.fortinet.com/product/fortigate/5.6

https://docs.fortinet.com/document/fortigate/5.6.13/fortios-log-message-reference

Prerequisites

The Fortinet FortiGate appliance must be running FortiOS version 5.4 or 5.6.

Device Configuration Checklist

FortiOS logging output must be set to default. Your FortiGate device should already be in this mode. If the messages arriving at the collector are comma-delimited between fields, or begin with a pipe-delimited CEF header, the device is running in CSV or CEF mode and you need to perform the following configuration. Judge by the separators between fields, not by individual values: a quoted value in a default-format message (a URL, a user agent string, a msg field) may legitimately contain commas or pipes.

  1. Enter CLI mode.

  2. Set logging output to default with the following commands:

       config log syslogd setting
           set format default
       end

     In this example, “syslogd” is the first syslog output of the FortiGate device. Additional syslog destinations are configured under syslogd2, syslogd3, and syslogd4 and need the same setting if they also send to LogRhythm. You can confirm the active value with get log syslogd setting.
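The default format described under Additional Information, and the CSV/CEF check in the checklist above, as an added example (this is not code from the LogRhythm guide or from Fortinet): a small Python parser for default-format key=value lines, plus a format detector that looks at the separators between fields rather than at commas or pipes that happen to sit inside quoted values. The three sample log lines are constructed; the field names follow the FortiOS log message reference, but every value (device name, serial, addresses, session ID) is invented.

```python
"""Parse FortiOS "default"-format log lines and detect CSV/CEF output.

Added example, not code from the LogRhythm guide or from Fortinet. The
sample lines below are constructed to resemble FortiOS 5.6 output; the field
names follow the FortiOS log message reference, the values are made up.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample: default format, space-delimited key=value pairs with
# string values double-quoted. The msg value deliberately contains a comma
# and a pipe to show that those characters alone do not indicate CSV/CEF.
SAMPLE_DEFAULT = (
    '<189>date=2019-05-13 time=11:45:03 devname="FGT60E-lab" '
    'devid="FGT60E0000000001" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.1.1.25 '
    'srcport=51223 srcintf="port1" dstip=93.184.216.34 dstport=443 '
    'dstintf="wan1" sessionid=8123456 proto=6 action="accept" policyid=3 '
    'service="HTTPS" dstcountry="United States" sentbyte=1482 rcvdbyte=6420 '
    'msg="Comma, and pipe | inside a quoted value"'
)
# Constructed sample: the same event as comma-delimited CSV-mode output.
SAMPLE_CSV = (
    '<189>date=2019-05-13,time=11:45:03,devname="FGT60E-lab",'
    'logid="0000000013",type="traffic",subtype="forward",level="notice",'
    'srcip=10.1.1.25,dstip=93.184.216.34,action="accept",'
    'msg="Comma, inside a quoted value"'
)
# Constructed sample: CEF-mode output (pipe-delimited header, then extensions).
SAMPLE_CEF = (
    '<189>CEF:0|Fortinet|Fortigate|v5.6.0|0000000013|traffic:forward accept|3|'
    'deviceExternalId=FGT60E0000000001 src=10.1.1.25 dst=93.184.216.34 act=accept'
)

_PRI_RE = re.compile(r'^<\d{1,3}>')                    # syslog PRI, e.g. <189>
_QUOTED_RE = re.compile(r'"(?:[^"\\]|\\.)*"')          # one double-quoted value
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key="..." or key=bare


def parse_default(line: str) -> Dict[str, str]:
    """Return the key=value fields of a default-format line as a dict.

    Quoted values keep their embedded spaces, commas and pipes; the quotes
    are removed and escaped quotes (\\") are unescaped. A leading syslog PRI
    such as <189> is ignored.
    """
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(_PRI_RE.sub('', line)):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def detect_format(line: str) -> str:
    """Classify a FortiGate syslog line as 'default', 'csv', 'cef' or 'unknown'.

    Counting commas or pipes anywhere in the line is unreliable, because a
    default-format value (URL, user agent, msg) may contain them. Instead, CEF
    is recognised by its 'CEF:<version>|' header, and for the other two the
    quoted values are blanked out first so that only the separators between
    fields are compared: commas mean CSV, spaces mean default.
    """
    body = _PRI_RE.sub('', line).strip()
    if re.match(r'CEF:\d+\|', body):
        return 'cef'
    outside = _QUOTED_RE.sub('""', body)  # hide everything inside quotes
    if not re.search(r'\w+=', outside):
        return 'unknown'
    return 'csv' if outside.count(',') > outside.count(' ') else 'default'


def check_collector_input(lines: Iterable[str]) -> List[str]:
    """Return the distinct formats seen in a batch of collected lines.

    Anything other than 'default' means the sending FortiGate (or one of its
    syslogd/syslogd2..4 outputs) still needs 'set format default'.
    """
    return sorted({detect_format(ln) for ln in lines})


if __name__ == '__main__':
    parsed = parse_default(SAMPLE_DEFAULT)
    print(parsed['type'], parsed['subtype'], parsed['srcip'], '->', parsed['dstip'])
    print('msg:', parsed['msg'])
    for sample in (SAMPLE_DEFAULT, SAMPLE_CSV, SAMPLE_CEF):
        print(detect_format(sample), '|', sample[:40])
    print(check_collector_input([SAMPLE_DEFAULT, SAMPLE_CSV]))
```

Run it against a few hundred lines captured from the collector rather than a single message: one misconfigured syslogd2 output on the same device will show up as a second format in the result, which a spot check of one line would miss.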

Supported Log Messages

(List of LR Tags used to parse the log information for each message type)

Type | Product Version | Supported Schema Fields
Catch All : Level 4 | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <domainorigin>, <objectname>, <object>
Application Control | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <login>, <domainorigin>, <session>, <process>, <processid>, <object>, <objectname>, <subject>, <url>, <group>, <command>, <action>
Attack Anomaly | N/A | <vmid>, <domainorigin>, <severity>, <sip>, <dip>, <sinterface>, <session>, <command>, <protnum>, <quantity>, <object>, <sport>, <dport>, <processid>, <url>, <subject>
Authentication Status Messages | N/A | <vmid>, <severity>, <sip>, <login>, <domainorigin>, <object>, <subject>, <command>
Compliance Check Messages | N/A | <vmid>, <severity>, <domainorigin>, <process>, <object>, <subject>
DNS Messages | N/A | <vmid>, <severity>, <sip>, <dname>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <login>, <domainorigin>, <session>, <subject>, <policy>
DNS Messages - D Series | N/A | <vmid>, <severity>, <sip>, <dname>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <login>, <domainorigin>, <session>, <subject>, <policy>
Event : Endpoint | N/A | <vmid>, <severity>, <vendorinfo>, <sip>, <sname>, <smac>, <login>, <domainorigin>, <sessiontype>, <objecttype>, <objectname>, <subject>, <url>, <policy>, <action>, <result>, <status>, <quantity>
Event : Router | N/A | <vmid>, <severity>, <vendorinfo>, <domainorigin>, <subject>, <policy>, <result>, <tag1>
Fortimanager Log Messages | N/A | <vmid>, <severity>, <sip>, <sport>, <login>, <subject>
IPS Events | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <domainorigin>, <domainimpacted>, <session>, <process>, <object>, <subject>, <threatname>, <threatid>, <url>, <group>, <command>, <tag1>, <tag2>
IPSec Messages | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <dinterface>, <login>, <domainorigin>, <process>, <object>, <subject>, <group>, <command>, <bytesin>, <bytesout>, <duration>
Port Scan Messages | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <protnum>, <process>, <object>, <subject>, <threatname>, <url>, <group>, <command>
SMTP Status Messages | N/A | <vmid>, <protname>, <login>, <session>, <subject>, <command>
Spam and Statistical Messages | N/A | <vmid>, <dip>, <domainorigin>, <session>, <object>, <subject>, <threatname>, <status>, <sender>, <recipient>
SSL Alert Messages | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <session>, <process>, <object>, <subject>, <command>
SSL VPN Events | N/A | <vmid>, <severity>, <sip>, <snatip>, <protname>, <login>, <domainorigin>, <process>, <object>, <objectname>, <subject>, <url>, <group>, <bytesin>, <bytesout>, <duration>
System/HA Statistical Messages | N/A | <vmid>, <severity>, <sip>, <sname>, <dip>, <sport>, <dport>, <sinterface>, <protnum>, <login>, <session>, <object>, <subject>, <threatname>, <command>, <action>, <tag1>
Traffic : Forward | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <snatip>, <dnatip>, <sinterface>, <dinterface>, <protnum>, <login>, <session>, <processid>, <object>, <objectname>, <subject>, <url>, <policy>, <group>, <action>, <result>, <status>, <bytesin>, <bytesout>, <duration>, <tag1>, <tag2>, <tag3>
Traffic : Local | N/A | <vmid>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <session>, <objectname>, <subject>, <policy>, <action>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <tag1>, <tag2>
Traffic : Multicast | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <session>, <policy>, <action>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <tag1>, <tag2>
Traffic : Sniffer | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <snatip>, <sinterface>, <dinterface>, <protnum>, <protname>, <domainorigin>, <session>, <object>, <objectname>, <subject>, <policy>, <action>, <bytesin>, <bytesout>, <itemsin>, <itemsout>, <tag1>, <tag2>, <tag3>
Traffic/UTM Messages | N/A | <vmid>, <vendorinfo>, <severity>, <sip>, <dname>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <domainorigin>, <session>, <subject>, <threatname>, <object>, <url>, <group>, <command>, <action>, <bytesin>, <bytesout>, <tag5>
Traffic/UTM Messages - D Series | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <snatip>, <sinterface>, <dinterface>, <protnum>, <protname>, <domainorigin>, <object>, <subject>, <url>, <command>, <result>, <status>
Traffic Events - Deprecated | N/A | <vmid>, <severity>, <sip>, <sname>, <dip>, <dname>, <sport>, <dport>, <snatip>, <sinterface>, <dinterface>, <protnum>, <protname>, <login>, <domainorigin>, <session>, <object>, <policy>, <group>, <action>, <tag1>, <bytesin>, <bytesout>, <itemsin>, <itemsout>, <duration>, <tag2>, <tag3>
Traffic Multicast Message | N/A | <severity>, <sip>, <dip>, <sname>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <session>, <action>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <duration>
URL Filter Messages | N/A | <vmid>, <severity>, <sip>, <dip>, <dname>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <session>, <subject>, <url>, <command>, <status>, <bytesin>, <bytesout>
User Subtype Messages | N/A | <vmid>, <severity>, <sip>, <login>, <domainorigin>, <object>, <subject>, <vendorinfo>, <group>, <command>, <status>, <tag1>
UTM VOIP Messages | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <domainorigin>, <subject>, <command>
v6.x Events - Security-Rating | N/A | <vmid>, <vendorinfo>, <severity>, <domainorigin>, <policy>
v6.x Events - System | N/A | <vmid>, <vendorinfo>, <severity>, <sip>, <domainorigin>, <subject>, <policy>
v6.x Events - User | N/A | <vmid>, <vendorinfo>, <severity>, <sip>, <dip>, <login>, <domainorigin>, <subject>, <policy>, <status>
Virus Infection | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <login>, <domainorigin>, <session>, <object>, <objectname>, <threatname>, <subject>, <version>, <url>, <command>, <tag2>
WebFilter Traffic | N/A | <vmid>, <vendorinfo>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <login>, <domainorigin>, <session>, <object>, <subject>, <url>, <group>, <action>, <result>, <reason>, <bytesin>, <bytesout>
Wireless Event Log Messages | N/A | <vmid>, <vendorinfo>, <severity>, <sip>, <sname>, <smac>, <login>, <domainorigin>, <subject>, <action>, <reason>


Revision History

KB Version | Log Type | Change Type | Details
KB 7.1.598.0 | N/A | Documentation | Initial documentation in new DCG format.