Device Details

Vendor

Fortinet

Device Type

Firewall

Supported Model Name/Number

FortiGate Firewall

Supported Software Version(s)

FortiOS 5.4, FortiOS 5.6

Collection Method

Syslog

Configurable Log Output?

Yes

Log Source Type

Syslog - Fortinet FortiGate v5.4/v5.6

Log Processing Policy

LogRhythm Default

Exceptions

N/A

Additional Information

Logging output is configurable to “default,” “CEF,” or “CSV.”

The “default” configuration is the format accepted by this policy. This format is space-delimited and double-quote encapsulated.

https://www.fortinet.com/products.html

https://docs.fortinet.com/product/fortigate/5.4

https://docs.fortinet.com/product/fortigate/5.6

https://docs.fortinet.com/document/fortigate/5.6.13/fortios-log-message-reference

Prerequisites

The Fortinet FortiGate appliance must be running FortiOS version 5.4 or 5.6.

Device Configuration Checklist

FortiOS logging output must be set to default. Your FortiGate device should already be set to this mode, but if the logging output contains commas (,) or pipe (|) characters, then you are running in either CSV or CEF mode and need to perform the following configuration:

  1. Enter CLI mode.
  2. Set logging output to default with the following commands:
    • config log syslogd setting
      In this example, “syslogd” is the first log output of the FortiGate device.
    • set format default
    • end
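The checklist above tells you to look for commas or pipes to decide whether the device is still in CSV or CEF mode, and the Additional Information section describes the accepted default format as space-delimited and double-quote encapsulated. The following Python is an added example, not LogRhythm's or Fortinet's code: it parses constructed default-format lines (FortiOS writes them as key=value pairs, with quoted values where a value contains spaces) and applies the comma/pipe check with quoted values masked first, so a comma inside a quoted msg value does not trigger a false "CSV" verdict. The sample log lines and the field-to-tag mapping (TAG_MAP) are constructed for illustration and are assumptions, not the policy's actual parsing rules.

```python
import re
from typing import Dict

# Constructed sample lines for this example; not captured from a real device.
# Default format: space-delimited key=value, values with spaces in double quotes.
SAMPLE_DEFAULT = (
    'date=2019-03-04 time=10:15:30 devname="FGT-EDGE-01" devid="FG100D-PLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.0.1.25 srcport=51234 srcintf="port2" dstip=203.0.113.10 dstport=443 '
    'dstintf="port1" sessionid=4096123 proto=6 action="close" policyid=7 '
    'service="HTTPS" sentbyte=2468 rcvdbyte=13579 duration=12 '
    'msg="Connection closed, normal"'
)
# Constructed look-alikes of the two formats the policy does NOT accept.
SAMPLE_CEF = 'CEF:0|Fortinet|Fortigate|v5.6.0|0000000013|forward|3|src=10.0.1.25 dst=203.0.113.10'
SAMPLE_CSV = '2019-03-04,10:15:30,FGT-EDGE-01,0000000013,traffic,forward,notice,root'

# key=value where the value is either "quoted (with \" escapes)" or a bare token.
_KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')
# A double-quoted value, used to mask quoted text before the comma/pipe check.
_QUOTED_RE = re.compile(r'"(?:[^"\\]|\\.)*"')

# Assumed, illustrative mapping from FortiOS field names to the schema tags the
# "Traffic : Forward" row above lists. Not LogRhythm's real parsing rules.
TAG_MAP = {
    'srcip': 'sip', 'dstip': 'dip', 'srcport': 'sport', 'dstport': 'dport',
    'srcintf': 'sinterface', 'dstintf': 'dinterface', 'proto': 'protnum',
    'sessionid': 'session', 'policyid': 'policy', 'action': 'action',
    'sentbyte': 'bytesout', 'rcvdbyte': 'bytesin', 'duration': 'duration',
    'level': 'severity', 'vd': 'domainorigin',
}


def parse_default(line: str) -> Dict[str, str]:
    """Parse one FortiOS default-format line into {field: value}.

    Quoted values keep their inner spaces and commas; escaped quotes are unescaped.
    """
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        value = quoted if quoted is not None else bare
        fields[key] = value.replace('\\"', '"')
    return fields


def detect_format(line: str) -> str:
    """Classify a raw line as 'default', 'cef', 'csv' or 'unknown'.

    Applies the checklist's comma/pipe rule, but only to text outside quoted
    values, so a comma inside msg="..." does not count as CSV output.
    """
    if line.startswith('CEF:'):
        return 'cef'
    unquoted = _QUOTED_RE.sub('""', line)
    if '|' in unquoted:
        return 'cef'
    if ',' in unquoted:
        return 'csv'
    return 'default' if parse_default(line) else 'unknown'


def to_schema(fields: Dict[str, str]) -> Dict[str, str]:
    """Project parsed FortiOS fields onto the assumed schema tags in TAG_MAP."""
    return {tag: fields[name] for name, tag in TAG_MAP.items() if name in fields}


if __name__ == '__main__':
    for sample in (SAMPLE_DEFAULT, SAMPLE_CEF, SAMPLE_CSV):
        print(detect_format(sample), sample[:40])
    print(to_schema(parse_default(SAMPLE_DEFAULT)))
```

Running `detect_format` over a handful of recently received lines is a quick way to confirm the device is sending the accepted format before a log source is onboarded; a steady stream of "cef" or "csv" verdicts means the `set format default` step above has not taken effect.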

Supported Log Messages

(List of LR Tags used to parse the log information for each message type)

Type / Product Version / Supported Schema Fields

Catch All : Level 4
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <domainorigin>, <objectname>, <object>

Application Control
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <login>, <domainorigin>, <session>, <process>, <processid>, <object>, <objectname>, <subject>, <url>, <group>, <command>, <action>

Attack Anomaly
  Product Version: N/A
  Supported Schema Fields: <vmid>, <domainorigin>, <severity>, <sip>, <dip>, <sinterface>, <session>, <command>, <protnum>, <quantity>, <object>, <sport>, <dport>, <processid>, <url>, <subject>

Authentication Status Messages
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <login>, <domainorigin>, <object>, <subject>, <command>

Compliance Check Messages
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <domainorigin>, <process>, <object>, <subject>

DNS Messages
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <dname>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <login>, <domainorigin>, <session>, <subject>, <policy>

DNS Messages - D Series
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <dname>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <login>, <domainorigin>, <session>, <subject>, <policy>

Event : Endpoint
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <vendorinfo>, <sip>, <sname>, <smac>, <login>, <domainorigin>, <sessiontype>, <objecttype>, <objectname>, <subject>, <url>, <policy>, <action>, <result>, <status>, <quantity>

Event : Router
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <vendorinfo>, <domainorigin>, <subject>, <policy>, <result>, <tag1>

Fortimanager Log Messages
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <sport>, <login>, <subject>

IPS Events
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <domainorigin>, <domainimpacted>, <session>, <process>, <object>, <subject>, <threatname>, <threatid>, <url>, <group>, <command>, <tag1>, <tag2>

IPSec Messages
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <dinterface>, <login>, <domainorigin>, <process>, <object>, <subject>, <group>, <command>, <bytesin>, <bytesout>, <duration>

Port Scan Messages
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <protnum>, <process>, <object>, <subject>, <threatname>, <url>, <group>, <command>

SMTP Status Messages
  Product Version: N/A
  Supported Schema Fields: <vmid>, <protname>, <login>, <session>, <subject>, <command>

Spam and Statistical Messages
  Product Version: N/A
  Supported Schema Fields: <vmid>, <dip>, <domainorigin>, <session>, <object>, <subject>, <threatname>, <status>, <sender>, <recipient>

SSL Alert Messages
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <session>, <process>, <object>, <subject>, <command>

SSL VPN Events
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <snatip>, <protname>, <login>, <domainorigin>, <process>, <object>, <objectname>, <subject>, <url>, <group>, <bytesin>, <bytesout>, <duration>

System/HA Statistical Messages
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <sname>, <dip>, <sport>, <dport>, <sinterface>, <protnum>, <login>, <session>, <object>, <subject>, <threatname>, <command>, <action>, <tag1>

Traffic : Forward
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <snatip>, <dnatip>, <sinterface>, <dinterface>, <protnum>, <login>, <session>, <processid>, <object>, <objectname>, <subject>, <url>, <policy>, <group>, <action>, <result>, <status>, <bytesin>, <bytesout>, <duration>, <tag1>, <tag2>, <tag3>

Traffic : Local
  Product Version: N/A
  Supported Schema Fields: <vmid>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <session>, <objectname>, <subject>, <policy>, <action>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <tag1>, <tag2>

Traffic : Multicast
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <session>, <policy>, <action>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <tag1>, <tag2>

Traffic : Sniffer
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <snatip>, <sinterface>, <dinterface>, <protnum>, <protname>, <domainorigin>, <session>, <object>, <objectname>, <subject>, <policy>, <action>, <bytesin>, <bytesout>, <itemsin>, <itemsout>, <tag1>, <tag2>, <tag3>

Traffic/UTM Messages
  Product Version: N/A
  Supported Schema Fields: <vmid>, <vendorinfo>, <severity>, <sip>, <dname>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <domainorigin>, <session>, <subject>, <threatname>, <object>, <url>, <group>, <command>, <action>, <bytesin>, <bytesout>, <tag5>

Traffic/UTM Messages - D Series
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <snatip>, <sinterface>, <dinterface>, <protnum>, <protname>, <domainorigin>, <object>, <subject>, <url>, <command>, <result>, <status>

Traffic Events - Deprecated
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <sname>, <dip>, <dname>, <sport>, <dport>, <snatip>, <sinterface>, <dinterface>, <protnum>, <protname>, <login>, <domainorigin>, <session>, <object>, <policy>, <group>, <action>, <tag1>, <bytesin>, <bytesout>, <itemsin>, <itemsout>, <duration>, <tag2>, <tag3>

Traffic Multicast Message
  Product Version: N/A
  Supported Schema Fields: <severity>, <sip>, <dip>, <sname>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <session>, <action>, <bytesin>, <bytesout>, <packetsin>, <packetsout>, <duration>

URL Filter Messages
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <dip>, <dname>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <session>, <subject>, <url>, <command>, <status>, <bytesin>, <bytesout>

User Subtype Messages
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <login>, <domainorigin>, <object>, <subject>, <vendorinfo>, <group>, <command>, <status>, <tag1>

UTM VOIP Messages
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <domainorigin>, <subject>, <command>

v6.x Events - Security-Rating
  Product Version: N/A
  Supported Schema Fields: <vmid>, <vendorinfo>, <severity>, <domainorigin>, <policy>

v6.x Events - System
  Product Version: N/A
  Supported Schema Fields: <vmid>, <vendorinfo>, <severity>, <sip>, <domainorigin>, <subject>, <policy>

v6.x Events - User
  Product Version: N/A
  Supported Schema Fields: <vmid>, <vendorinfo>, <severity>, <sip>, <dip>, <login>, <domainorigin>, <subject>, <policy>, <status>

Virus Infection
  Product Version: N/A
  Supported Schema Fields: <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <login>, <domainorigin>, <session>, <object>, <objectname>, <threatname>, <subject>, <version>, <url>, <command>, <tag2>

WebFilter Traffic
  Product Version: N/A
  Supported Schema Fields: <vmid>, <vendorinfo>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protnum>, <protname>, <login>, <domainorigin>, <session>, <object>, <subject>, <url>, <group>, <action>, <result>, <reason>, <bytesin>, <bytesout>

Wireless Event Log Messages
  Product Version: N/A
  Supported Schema Fields: <vmid>, <vendorinfo>, <severity>, <sip>, <sname>, <smac>, <login>, <domainorigin>, <subject>, <action>, <reason>

Revision History

KB Version: KB 7.1.598.0
Log Type: N/A
Change Type: Documentation
Details: Initial documentation in new DCG format.