LSO FortiAnalyzer - UTM : WebFilter
Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
---|---|---|
Header: Severity | <severity> | N/A |
logid | <vmid> | N/A |
policyid | <policy> | N/A |
sessionid | <session> | N/A |
user | <login> | N/A |
group | <group> | N/A |
srcip | <sip> | N/A |
srcport | <sport> | N/A |
srcintf | <sinterface> | N/A |
dstip | <dip> | N/A |
dstport | <dport> | N/A |
dstintf | <dinterface> | N/A |
proto | <protnum> | N/A |
action | <action> | N/A |
service | <sessiontype> | N/A |
hostname | <dname> | N/A |
reqtype | <reason> | N/A |
url | <url> | N/A |
sentbyte | <bytesout> | N/A |
rcvdbyte | <bytesin> | N/A |
keyword | <object> | N/A |
msg | <subject> | N/A |
cat | <size> | N/A |
catdesc | <group> | N/A |
User-Agent | <useragent> | N/A |
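The table above is a field-to-metadata mapping; the following Python is an added example (not LogRhythm's parser or policy) of applying it to a FortiGate WebFilter line in the vendor's key=value syslog format. It assumes the "Header: Severity" value is the severity part of the syslog PRI (priority mod 8), that both `group` and `catdesc` target `<group>` as the table states and the first one seen in the line wins, and the sample log line is constructed for the example.

```python
import re

# Transcribed from the "Log Fields and Parsing" table (LogRhythm Default column).
# Both "group" and "catdesc" map to <group>; this parser keeps the first one
# seen in the line (assumption: the table does not say which wins).
FIELD_MAP = {
    "logid": "vmid",
    "policyid": "policy",
    "sessionid": "session",
    "user": "login",
    "group": "group",
    "srcip": "sip",
    "srcport": "sport",
    "srcintf": "sinterface",
    "dstip": "dip",
    "dstport": "dport",
    "dstintf": "dinterface",
    "proto": "protnum",
    "action": "action",
    "service": "sessiontype",
    "hostname": "dname",
    "reqtype": "reason",
    "url": "url",
    "sentbyte": "bytesout",
    "rcvdbyte": "bytesin",
    "keyword": "object",
    "msg": "subject",
    "cat": "size",
    "catdesc": "group",
}

# Optional syslog PRI header such as "<189>"; severity = PRI mod 8 (RFC 5424).
PRI_RE = re.compile(r"^<(\d{1,3})>")
# FortiGate key=value pairs: a double-quoted value (may contain spaces or '=')
# or a bare run of non-space characters.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample line for this example; values are illustrative only.
SAMPLE_LOG = (
    '<189>date=2024-01-15 time=10:22:31 logid="0316013056" type="utm" '
    'subtype="webfilter" eventtype="ftgd_blk" level="warning" '
    'policyid=7 sessionid=123456 user="jdoe" group="staff" '
    'srcip=10.1.2.3 srcport=51234 srcintf="port2" dstip=203.0.113.10 '
    'dstport=443 dstintf="port1" proto=6 service="HTTPS" '
    'hostname="www.example.com" reqtype="direct" url="/login?x=1" '
    'sentbyte=512 rcvdbyte=0 action="blocked" cat=26 '
    'catdesc="Malicious Websites" msg="URL belongs to a denied category in policy"'
)


def parse_webfilter(line):
    """Return a dict keyed by LogRhythm Default metadata field name."""
    fields = {}
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        if pri > 191:
            raise ValueError("syslog PRI out of range: %d" % pri)
        fields["severity"] = pri % 8  # "Header: Severity"
        line = line[m.end():]
    for key, quoted, bare in KV_RE.findall(line):
        target = FIELD_MAP.get(key)
        if target is None or target in fields:
            continue  # key not in the policy, or <group> already filled
        fields[target] = quoted if quoted else bare
    return fields


def unmapped_keys(line):
    """Keys present in the line that the Default policy table does not parse."""
    line = PRI_RE.sub("", line, count=1)
    return sorted({k for k, _, _ in KV_RE.findall(line) if k not in FIELD_MAP})


if __name__ == "__main__":
    for name, value in sorted(parse_webfilter(SAMPLE_LOG).items()):
        print("<%s> = %r" % (name, value))
    print("unmapped:", unmapped_keys(SAMPLE_LOG))
```

`unmapped_keys` is useful when reviewing a policy: any key it returns (here the FortiGate header keys such as `eventtype` and `level`) is data the Default policy drops, which matters when the v2.0 policy parses nothing for this message type.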
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1010170 | UTM : WebFilter | Base Rule | General WebFilter Event | Information |
| | Webfilter Url Filter Block | Sub Rule | General WebFilter URLFilter Warning | Warning |
| | Webfilter Url Filter Exempt | Sub Rule | General WebFilter URLFilter Information | Information |
| | Webfilter Url Filter Allow | Sub Rule | General WebFilter URLFilter | Information |
| | Webfilter Url Filter Srv Cert Err Blk | Sub Rule | General WebFilter URLFilter | Information |
| | Webfilter Url Filter Srv Cert Err Pass | Sub Rule | General WebFilter URLFilter | Information |
| | Webfilter Web Ftgd Warning | Sub Rule | General WebFilter URLFilter | Information |
| | Webfilter Web Ftgd Cat Blk | Sub Rule | General WebFilter URLFilter | Information |
| | Webfilter Web Ftgd Cat Warn | Sub Rule | General WebFilter URLFilter | Information |
| | Webfilter Web Ftgd Cat Allow | Sub Rule | General WebFilter URLFilter | Information |
| | Webfilter Web Url | Sub Rule | General WebFilter URLFilter | Information |
| | Webfilter Web Scriptfilter ActiveX | Sub Rule | General WebFilter URLFilter | Information |
| | Web Content Banned Word Found | Sub Rule | Banned Word Notice | Information |
| | Web Content MMS Banned Word Found | Sub Rule | Blocked Message Banned Attachment | Failed Activity |
| | Web Content Exempt Word Found | Sub Rule | Web Content MMS Exempt Word | Activity |
| | Web Content MMS Exempt Word Found | Sub Rule | Web Content MMS Exempt Word | Activity |
| | Message Contained A KeyWord In The Profile List | Sub Rule | General WEB Information | Information |
| | Search Phrase Detected | Sub Rule | General WebFilter URLFilter | Information |
| | Web Content MMS Banned Word | Sub Rule | Banned File Written | Warning |
| | The Request Contained An Invalid Domain Name | Sub Rule | Connection Or Ports Invalid | Error |
| | HTTP Cert Request Contained An Invalid Domain | Sub Rule | SSL Certificate Invalid | Information |
| | HTTP Certificate Request Contained An Invalid Name | Sub Rule | SSL Certificate Signature Invalid | Information |
| | HTTPS Certificate Request Contained An Invalid Nam | Sub Rule | SSL Certificate Signature Invalid | Information |
| | Insufficient Resources | Sub Rule | Insufficient Resources | Critical |
| | Getting The Host Name Failed | Sub Rule | Hostname Not Found | Warning |
| | Server Certificate Validation Failed | Sub Rule | Certificate Verification Failure | Error |
| | SSL Session Blocked | Sub Rule | Session Invalidated | Warning |
| | Service Not Active | Sub Rule | User Session Timeout | Information |
| | Rating Error Occurred | Sub Rule | Rating Error | Error |
| | URL Passed | Sub Rule | Test Point Passed | Information |
| | URL Blocked By Websense Service | Sub Rule | Web Site Blocked - Category | Failed Activity |
| | URL Blocked By Websense Service | Sub Rule | Web Site Blocked - Category | Failed Activity |
| | URL Allowed By Websense Service | Sub Rule | Web Site Blocked - Category | Failed Activity |
| | URL Address Exempted | Sub Rule | General Traffic Allowed Information | Information |
| | Rating Error Occurred | Sub Rule | Rating Error | Error |
| | Daily FortiGuard Quota Status | Sub Rule | General DiskQuota Information | Information |
| | URL Belongs To An Override Rule | Sub Rule | URL Exempted | Activity |
| | URL Belongs To An Override Rule | Sub Rule | URL Exempted | Activity |
| | FortiGuard Web Filter Category Quota Counting Log | Sub Rule | General DiskQuota Information | Information |
| | FortiGuard Web Filter Category Quota ExpiredLogMsg | Sub Rule | General DiskQuota Information | Information |
| | Cookie Removed | Sub Rule | Cookie Removed | Information |
| | Java Applet Removed | Sub Rule | Java Applet Removed | Information |
| | Script Entity Removed | Sub Rule | ActiveX Script Removed | Information |
| | Cookie Removed Entirely | Sub Rule | Cookie Removed | Information |
| | Referrer Removed From Request | Sub Rule | Object Modified | Access Success |
| | Command Blocked | Sub Rule | Process Blocked | Failed Activity |
| | Blocked By HTTP Header Content Type | Sub Rule | General WebFilter URLFilter | Information |
| | Depends On Info In Msg Field | Sub Rule | General WebFilter URLFilter | Information |
| | Depends On Info In Msg Field | Sub Rule | General WebFilter URLFilter | Information |
LogRhythm Default v2.0
N/A