Traffic Events - Deprecated

Vendor Documentation

https://docs.fortinet.com/document/fortigate/5.6.13/fortios-handbook

Classification

Rule Name	Rule Type	Common Event	Classification
Traffic Events - Deprecated	Base Rule	Network Traffic	Network Traffic
Local Traffic Timeout	Sub Rule	Session Disconnected	Other Audit Success
Local Traffic Accept	Sub Rule	Traffic Allowed by Network Firewall	Network Allow
Forwarded Traffic Timed Out	Sub Rule	Session Disconnected	Other Audit Success
Forwarded Traffic Accept	Sub Rule	Traffic Allowed by Network Firewall	Network Allow
Forwarded Traffic Session Closed	Sub Rule	Connection Closed	Network Traffic
Forwarded Traffic	Sub Rule	Traffic Allowed by Network Firewall	Network Allow
Local Traffic Accepted	Sub Rule	Traffic Allowed by Network Firewall	Network Allow
Forwarded Traffic Start	Sub Rule	Traffic Allowed by Network Firewall	Network Allow
Forwarded Traffic Allowed	Sub Rule	Traffic Allowed by Network Firewall	Network Allow
Malware Activity Blocked	Sub Rule	Failed Botnet Activity	Failed Malware
Invalid Traffic	Sub Rule	Connection Failed	Network Traffic
ICMP Traffic Allow	Sub Rule	Traffic Allowed by Network Firewall	Network Allow
Forward Traffic Deny	Sub Rule	Traffic Denied by Network Firewall	Network Deny
Forwarded Traffic Deny	Sub Rule	Traffic Denied by Network Firewall	Network Deny
Local Traffic Deny	Sub Rule	Traffic Denied by Network Firewall	Network Deny
Forwarded Traffic Denied	Sub Rule	Traffic Denied by Network Firewall	Network Deny
Local Traffic Denied	Sub Rule	Traffic Denied by Network Firewall	Network Deny
Forwarded Traffic Accept - Reset	Sub Rule	Connection Reset	Network Traffic
Forwarded Traffic Close	Sub Rule	Connection Closed	Network Traffic
Forwarded Traffic Timeout	Sub Rule	User Session Timeout	Information
Local Traffic Accepted	Sub Rule	Traffic Allowed by Network Firewall	Network Allow
Local Traffic Denied	Sub Rule	Traffic Denied by Network Firewall	Network Deny
Local Traffic Accept	Sub Rule	Traffic Allowed by Network Firewall	Network Allow
Forwarded Traffic Blocked	Sub Rule	Traffic Denied by Network Firewall	Network Deny
Sniffer Traffic Accept	Sub Rule	Traffic Allowed by Network Firewall	Network Allow

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
logid	<vmid>	Number	The ID (logid) is a 10-digit field. It is a unique identifier for that specific log.
level	<severity>	Text\String	Each log entry contains a Level (level) field that indicates the estimated severity of the event that caused the log entry.
srcip	<sip>	IP Address	IP address of the traffic’s origin.
srcname	<sname>	Text\String	N/A
dstip	<dip>	IP Address	Destination IP address for the web.
dstname	<dname>	Text\String	N/A
srcport	<sport>	Number	Port number of the traffic's origin
dstport	<dport>	Number	Port number of the traffic's destination.
transip	<snatip>	IP Address	N/A
srcintf	<sinterface>	Text\String	Interface name of the traffic's origin.
dstintf	<dinterface>	Text\String	Interface of the traffic's destination.
proto	<protnum>	Number	The protocol used by web traffic (tcp by default).
service	<protname>	Text\String	Name of the service.
user	<login>	Text\String	N/A
vd	<domainorigin>	Text\String	Name of the virtual domain in which the log message was recorded.
sessionid	<session>	Number	ID for the session.
app	<object>	Text\String	N/A
policyid	<policy>	Number	N/A
group	<group>	Text\String	N/A
action	<action> <tag1>	Text\String	N/A
rcvdbyte	<bytesin>	Number	N/A
sentbyte	<bytesout>	Number	N/A
rcvdpkt	<itemsin>	Number	N/A
sentpkt	<itemsout>	Number	N/A
duration	<duration>	Number	N/A
status	<tag1>	Text\String	N/A
subtype	<tag2>	Text\String	N/A
utmaction	<tag3>	Text\String	N/A