Syslog - Fortinet FortiGate v5.4/v5.6
Device Details
Field | Value |
---|---|
Vendor | Fortinet |
Device Type | Firewall |
Supported Model Name/Number | FortiGate Firewall |
Supported Software Version(s) | FortiOS 5.4, FortiOS 5.6 |
Collection Method | Syslog |
Configurable Log Output? | Yes |
Log Source Type | Syslog - Fortinet FortiGate v5.4/v5.6 |
Log Processing Policy | LogRhythm Default |
Exceptions | N/A |
Additional Information | Logging output is configurable to "default," "CEF," or "CSV." The "default" configuration is the format accepted by this policy. This format is space-delimited and double-quote encapsulated (key=value pairs separated by spaces, with string values wrapped in double quotes). Reference links: https://www.fortinet.com/products.html https://docs.fortinet.com/product/fortigate/5.4 https://docs.fortinet.com/product/fortigate/5.6 https://docs.fortinet.com/document/fortigate/5.6.13/fortios-log-message-reference |
Prerequisites
The Fortinet FortiGate appliance must be running FortiOS version 5.4 or 5.6; update the appliance before configuring this log source.
Device Configuration Checklist
FortiOS logging output must be set to "default". Your FortiGate device should already be set to this mode, but if the logging output contains commas (,) or pipe (|) characters, then you are running in either CSV or CEF mode and need to perform the following configuration:
- Enter CLI mode.
- Set the logging output format to default with the following commands. In this example, "syslogd" is the first log output of the FortiGate device; the same setting applies to any additional syslog outputs (syslogd2, syslogd3, syslogd4) that are configured.

```
config log syslogd setting
    set format default
end
```
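The two passages above describe the "default" format (space-delimited, double-quote encapsulated key=value pairs) and the rule of thumb for spotting a device still in CSV or CEF mode. The following is an added example, not code from LogRhythm or Fortinet, that parses a default-format line, classifies a line's output mode, and projects the parsed fields onto the schema field names this guide lists for "Traffic : Forward". The sample log lines are constructed (documentation IP ranges, placeholder device id); the FortiOS field names used (srcip, dstip, srcport, dstport, srcintf, dstintf, proto, sessionid, policyid, vd, user, action, level, msg) come from the FortiOS log message reference, but the mapping from those names to the schema fields is an assumption for illustration, not LogRhythm's actual parsing rules. The format check goes slightly beyond the page's comma/pipe heuristic: it blanks quoted values first so that a comma inside a quoted msg does not misclassify a default-format line.

```python
import re
from typing import Dict, List

# Constructed sample lines (not captured from a real device). The first is the
# "default" format this policy expects: space-delimited key=value pairs, with
# string values wrapped in double quotes (they may contain spaces and commas).
SAMPLE_DEFAULT = (
    '<189>date=2019-05-10 time=11:37:47 devname="FGT-EXAMPLE" devid="FG-PLACEHOLDER-ID" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.1.100.11 srcport=58012 srcintf="port12" dstip=203.0.113.35 dstport=80 '
    'dstintf="port11" sessionid=131 proto=6 action="close" policyid=1 service="HTTP" '
    'user="alice" duration=6 sentbyte=1234 rcvdbyte=5678 msg="closed by policy, see rule 1"'
)
# The same event as it would look in CSV and CEF output modes (constructed).
SAMPLE_CSV = (
    'date=2019-05-10,time=11:37:47,devname="FGT-EXAMPLE",logid="0000000013",type="traffic",'
    'subtype="forward",level="notice",vd="root",srcip=10.1.100.11,srcport=58012,'
    'dstip=203.0.113.35,dstport=80,proto=6,action="close",policyid=1'
)
SAMPLE_CEF = (
    'CEF:0|Fortinet|Fortigate|5.6.0|0000000013|traffic:forward close|3|'
    'deviceExternalId=FG-PLACEHOLDER-ID src=10.1.100.11 spt=58012 dst=203.0.113.35 dpt=80 proto=6 act=close'
)

# key=value tokenizer: the value is either a double-quoted string (backslash
# escapes allowed) or a bare run of non-whitespace (numbers, IPs, timestamps).
_KV_RE = re.compile(r'([A-Za-z0-9_]+)=("(?:[^"\\]|\\.)*"|[^\s]*)')
_QUOTED_RE = re.compile(r'"(?:[^"\\]|\\.)*"')


def parse_default(line: str) -> Dict[str, str]:
    """Parse one default-format FortiOS line into a field dictionary.

    A leading syslog PRI such as '<189>' is skipped because it is not a
    key=value token. Quoted values lose their quotes and have \" unescaped.
    """
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            fields[key] = raw[1:-1].replace('\\"', '"')
        else:
            fields[key] = raw
    return fields


def detect_format(line: str) -> str:
    """Classify a line as 'default', 'csv' or 'cef'.

    Refines the guide's "commas or pipes mean CSV/CEF" rule: quoted values are
    blanked first so a comma inside msg="..." does not trigger a false CSV
    result, and CSV is reported only when key=value pairs are joined by commas.
    """
    if "CEF:" in line:
        return "cef"
    blanked = _QUOTED_RE.sub('""', line)
    if re.search(r'[A-Za-z0-9_]+=[^\s,]*,[A-Za-z0-9_]+=', blanked):
        return "csv"
    return "default"


# ASSUMED mapping from FortiOS field names to the schema fields this guide lists
# for "Traffic : Forward". LogRhythm's real parsing rules are not on this page.
FIELD_MAP = {
    "srcip": "sip", "dstip": "dip", "srcport": "sport", "dstport": "dport",
    "srcintf": "sinterface", "dstintf": "dinterface", "proto": "protnum",
    "sessionid": "session", "policyid": "policy", "vd": "domainorigin",
    "user": "login", "action": "action", "duration": "duration", "level": "severity",
}


def to_schema(fields: Dict[str, str]) -> Dict[str, str]:
    """Project parsed fields onto the guide's schema field names (assumed mapping)."""
    return {FIELD_MAP[k]: v for k, v in fields.items() if k in FIELD_MAP}


def lines_needing_reconfiguration(lines: List[str]) -> List[str]:
    """Return the non-default output modes seen; non-empty means the checklist applies."""
    return sorted({detect_format(ln) for ln in lines} - {"default"})


if __name__ == "__main__":
    print(detect_format(SAMPLE_DEFAULT), detect_format(SAMPLE_CSV), detect_format(SAMPLE_CEF))
    parsed = parse_default(SAMPLE_DEFAULT)
    print(parsed["msg"])
    print(to_schema(parsed))
    print(lines_needing_reconfiguration([SAMPLE_DEFAULT, SAMPLE_CSV, SAMPLE_CEF]))
```

Running `lines_needing_reconfiguration` over a short capture from the collector is a quick way to confirm, before the log source is onboarded, that every FortiGate feeding the policy is actually in default mode; a result containing "csv" or "cef" points at a device that still needs the CLI change above.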
Supported Log Messages
(List of the LogRhythm schema fields (LR tags) that the policy populates when parsing each supported message type.)
Type | Product Version | Supported Schema Fields |
---|---|---|
Catch All : Level 4 | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <domainorigin>, <objectname>, <object> |
Application Control | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <login>, <domainorigin>, <session>, <process>, <processid>, <object>, <objectname>, <subject>, <url>, <group>, <command>, <action> |
Attack Anomaly | N/A | <vmid>, <domainorigin>, <severity>, <sip>, <dip>, <sinterface>, <session>, <command>, <protnum>, <quantity>, <object>, <sport>, <dport>, <processid>, <url>, <subject> |
Authentication Status Messages | N/A | <vmid>, <severity>, <sip>, <login>, <domainorigin>, <object>, <subject>, <command> |
Compliance Check Messages | N/A | <vmid>, <severity>, <domainorigin>, <process>, <object>, <subject> |
DNS Messages | N/A | <vmid>, <severity>, <sip>, <dname>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <login>, <domainorigin>, <session>, <subject>, <policy> |
DNS Messages - D Series | N/A | <vmid>, <severity>, <sip>, <dname>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <login>, <domainorigin>, <session>, <subject>, <policy> |
Event : Endpoint | N/A | <vmid>, <severity>, <vendorinfo>, <sip>, <sname>, <smac>, <login>, <domainorigin>, <sessiontype>, <objecttype>, <objectname>, <subject>, <url>, <policy>, <action>, <result>, <status>, <quantity> |
Event : Router | N/A | <vmid>, <severity>, <vendorinfo>, <domainorigin>, <subject>, <policy>, <result>, <tag1> |
Fortimanager Log Messages | N/A | <vmid>, <severity>, <sip>, <sport>, <login>, <subject> |
IPS Events | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <domainorigin>, <domainimpacted>, <session>, <process>, <object>, <subject>, <threatname>, <threatid>, <url>, <group>, <command>, <tag1>, <tag2> |
IPSec Messages | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <dinterface>, <login>, <domainorigin>, <process>, <object>, <subject>, <group>, <command>, <bytesin>, <bytesout>, <duration> |
Port Scan Messages | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <protnum>, <process>, <object>, <subject>, <threatname>, <url>, <group>, <command> |
SMTP Status Messages | N/A | <vmid>, <protname>, <login>, <session>, <subject>, <command> |
Spam and Statistical Messages | N/A | <vmid>, <dip>, <domainorigin>, <session>, <object>, <subject>, <threatname>, <status>, <sender>, <recipient> |
SSL Alert Messages | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <session>, <process>, <object>, <subject>, <command> |
SSL VPN Events | N/A | <vmid>, <severity>, <sip>, <snatip>, <protname>, <login>, <domainorigin>, <process>, <object>, <objectname>, <subject>, <url>, <group>, <bytesin>, <bytesout>, <duration> |
System/HA Statistical Messages | N/A | <vmid>, <severity>, <sip>, <sname>, <dip>, <sport>, <dport>, <sinterface>, <protnum>, <login>, <session>, <object>, <subject>, <threatname>, <command>, <action>, <tag1> |
Traffic : Forward | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <snatip>, <dnatip>, <sinterface>, <dinterface>, <protnum>, <login>, <session>, <processid>, <object>, <objectname>, <subject>, <url>, <policy>, <group>, <action>, <result>, <status>, <bytesin>, <bytesout>, <duration>, <tag1>, <tag2>, <tag3> |
Traffic : Local | N/A | <vmid>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <session>, <objectname>, <subject>, <policy>, <action>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <tag1>, <tag2> |
Traffic : Multicast | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <session>, <policy>, <action>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <tag1>, <tag2> |
Traffic : Sniffer | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <snatip>, <sinterface>, <dinterface>, <protnum>, <protname>, <domainorigin>, <session>, <object>, <objectname>, <subject>, <policy>, <action>, <bytesin>, <bytesout>, <itemsin>, <itemsout>, <tag1>, <tag2>, <tag3> |
Traffic/UTM Messages | N/A | <vmid>, <vendorinfo>, <severity>, <sip>, <dname>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <domainorigin>, <session>, <subject>, <threatname>, <object>, <url>, <group>, <command>, <action>, <bytesin>, <bytesout>, <tag5> |
Traffic/UTM Messages - D Series | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <snatip>, <sinterface>, <dinterface>, <protnum>, <protname>, <domainorigin>, <object>, <subject>, <url>, <command>, <result>, <status> |
Traffic Events - Deprecated | N/A | <vmid>, <severity>, <sip>, <sname>, <dip>, <dname>, <sport>, <dport>, <snatip>, <sinterface>, <dinterface>, <protnum>, <protname>, <login>, <domainorigin>, <session>, <object>, <policy>, <group>, <action>, <tag1>, <bytesin>, <bytesout>, <itemsin>, <itemsout>, <duration>, <tag2>, <tag3> |
Traffic Multicast Message | N/A | <severity>, <sip>, <dip>, <sname>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <session>, <action>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <duration> |
URL Filter Messages | N/A | <vmid>, <severity>, <sip>, <dip>, <dname>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <session>, <subject>, <url>, <command>, <status>, <bytesin>, <bytesout> |
User Subtype Messages | N/A | <vmid>, <severity>, <sip>, <login>, <domainorigin>, <object>, <subject>, <vendorinfo>, <group>, <command>, <status>, <tag1> |
UTM VOIP Messages | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <domainorigin>, <subject>, <command> |
v6.x Events - Security-Rating | N/A | <vmid>, <vendorinfo>, <severity>, <domainorigin>, <policy> |
v6.x Events - System | N/A | <vmid>, <vendorinfo>, <severity>, <sip>, <domainorigin>, <subject>, <policy> |
v6.x Events - User | N/A | <vmid>, <vendorinfo>, <severity>, <sip>, <dip>, <login>, <domainorigin>, <subject>, <policy>, <status> |
Virus Infection | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <login>, <domainorigin>, <session>, <object>, <objectname>, <threatname>, <subject>, <version>, <url>, <command>, <tag2> |
WebFilter Traffic | N/A | <vmid>, <vendorinfo>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <login>, <domainorigin>, <session>, <object>, <subject>, <url>, <group>, <action>, <result>, <reason>, <bytesin>, <bytesout> |
Wireless Event Log Messages | N/A | <vmid>, <vendorinfo>, <severity>, <sip>, <sname>, <smac>, <login>, <domainorigin>, <subject>, <action>, <reason> |
Revision History
KB Version | Log Type | Change Type | Details |
---|---|---|---|
KB 7.1.598.0 | N/A | Documentation | Initial documentation in new DCG format. |