Windows Event logs

Windows Event logs

FortiAnalyzer supports normalizing Windows Event logs as Fabric logs.

The following field mapping applies:

Windows Event Log Field	Normalized Fabric Log Field
data_sourcename	data_sourcename
data_sourcetype	data_sourcetype
data_timestamp	data_timestamp
channel	app_cat
provider_guid	app_id
provider_name	app_name
execution_pid	app_proc
cor_activity_id	app_ref
event_data_subj_user_name	app_service
version	app_ver
event_data_subj_domain_name	event_action
event_id	event_id
event_log	event_message
event_data_return_code	event_outcome
sys_keywords	event_profile
event_record_id	event_ref
level	event_severity
event_data_subj_user_name	event_subtype
channel	event_type
host_classification	host_classification
host_hwvendor	host_hwvendor
host_hwver	host_hwver
host_ip	host_ip
host_mac	host_mac
host_name	host_name
os_family	host_osfamily
host_osname	host_osname
host_osver	host_osver
host_type	host_type
host_uid	host_uid
security_user_id,event_data_target_name	user_id

Windows Event logs

FortiAnalyzer supports normalizing Windows Event logs as Fabric logs.

The following field mapping applies:

Windows Event Log Field

Normalized Fabric Log Field

data_sourcename

data_sourcetype

data_timestamp

channel

app_cat

provider_guid

app_id

provider_name

app_name

execution_pid

app_proc

cor_activity_id

app_ref

event_data_subj_user_name

app_service

version

app_ver

event_data_subj_domain_name

event_action

event_id

event_log

event_message

event_data_return_code

event_outcome

sys_keywords

event_profile

event_record_id

event_ref

level

event_severity

event_data_subj_user_name

event_subtype

channel

event_type

host_classification

host_hwvendor

host_hwver

host_ip

host_mac

host_name

os_family

host_osfamily

host_osname

host_osver

host_type

host_uid

security_user_id,event_data_target_name

user_id

Fabric Normalization Reference

Windows Event logs

Windows Event logs