FortiFirewall logs
FortiAnalyzer supports normalizing FortiFirewall logs as Fabric logs.
The following field mapping applies:
| FortiFirewall Log Field | Normalized Fabric Log Field |
|---|---|
| loguid,id | loguid |
| epid | epid |
| euid | euid |
| devid,device_id | data_sourceid |
| data_source_name | data_sourcename |
| data_sourcetype | data_sourcetype |
| data_timestamp | data_timestamp |
| appcat,app_cat,app-type | app_cat |
| appid | app_id |
| app | app_name |
| service | app_service |
| appact,app_action | app_state |
| dns_name | dns_querytype |
| dstname | dst_domain |
| dstcountry,dst_country | dst_geo |
| dstintf,dst_int | dst_intf |
| dstip,dst | dst_ip |
| dstmac | dst_mac |
| dstport,dst_port | dst_port |
| action,status | event_action |
| msg | event_message |
| policyid | event_policy |
| alert,error | event_profile |
| level | event_severity |
| subtype | event_subtype |
| type | event_type |
| processtime | file_accessetime |
| hash | file_hash |
| file | file_name |
| filesize | file_size |
| srchwvendor | host_hwvendor |
| srchwversion | host_hwver |
| mac | host_mac |
| hostname | host_name |
| srcfamily | host_osfamily |
| osname | host_osname |
| osversion | host_osver |
| devtype | host_type |
| vpntype | http_method |
| vpn | http_referer |
| url | http_url |
| agent | http_useragent |
| from | mail_from |
| to | mail_to |
| direction | net_direction |
| rcvdpkt,rcvd_pkt | net_rcvdpkts |
| rcvdbyte,rcvd | net_recvbytes |
| sentbyte,sent | net_sentbytes |
| sentpkt,sent_pkt | net_sentpkts |
| duration | net_sessionduration |
| sessionid,SN | net_sessionid |
| srcssid,ssid | net_ssid |
| srcname,srcdomain | src_domain |
| srccountry,src_country | src_geo |
| srcintf,src_int | src_intf |
| srcip,src | src_ip |
| srcmac | src_mac |
| srcport,src_port | src_port |
| utmaction | threat_action |
| virus,attack,attackname,attack_name,vulnname | threat_name |
| securitymode | threat_pattern |
| security | threat_severity |
| group | user_group |
| user,carrier_ep | user_id |
| unauthuser,dstunauthuser | user_name |
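As an added example (not FortiAnalyzer code and not from this page), the following Python applies a subset of the mapping above to a FortiGate-style key=value log line, including the rows where several source fields alias one Fabric field. The mapping subset, the sample line, and the precedence and pass-through policy in `normalize` are assumptions; the page does not say how FortiAnalyzer resolves a line that carries two aliases of the same Fabric field.

```python
import re

# Subset of the FortiFirewall -> Fabric mapping from the table above (constructed
# for this example; the full table has more rows). Each Fabric field lists its
# FortiFirewall aliases in the order the table gives them.
FABRIC_MAP = {
    "loguid": ("loguid", "id"),
    "data_sourceid": ("devid", "device_id"),
    "event_action": ("action", "status"),
    "event_message": ("msg",),
    "event_policy": ("policyid",),
    "src_ip": ("srcip", "src"),
    "dst_ip": ("dstip", "dst"),
    "dst_port": ("dstport", "dst_port"),
    "threat_name": ("virus", "attack", "attackname", "attack_name", "vulnname"),
    "net_sentbytes": ("sentbyte", "sent"),
}

# key=value pairs; values are either "quoted, may contain spaces" or bare tokens
KV_RE = re.compile(r'([\w.-]+)=("([^"]*)"|\S+)')

# Constructed sample line in FortiGate key=value syntax (not a real device log).
SAMPLE = ('date=2024-01-01 devid=FG100TEST id=1 type=utm subtype=ips srcip=10.0.0.5 '
          'dstip=203.0.113.7 dstport=443 action=dropped policyid=12 attack="Test.Sig" '
          'attackname="Test.Sig" sentbyte=120 msg="signature matched"')

def parse_fortilog(line: str) -> dict:
    """Parse one key=value log line into a dict, stripping value quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}

def normalize(raw: dict) -> dict:
    """Rename parsed fields to Fabric names. Assumed policy: the first alias
    present (in table order) wins, all present aliases are consumed, and fields
    with no mapping are passed through unchanged so no evidence is dropped."""
    out, consumed = {}, set()
    for fabric, aliases in FABRIC_MAP.items():
        present = [a for a in aliases if a in raw]
        if present:
            out[fabric] = raw[present[0]]
            consumed.update(present)
    for key, value in raw.items():
        if key not in consumed:
            out.setdefault(key, value)
    return out

if __name__ == "__main__":
    for k, v in normalize(parse_fortilog(SAMPLE)).items():
        print(f"{k}={v}")
```

Passing unmapped keys through is the safer default for a detection pipeline: a field the mapping does not know about is still searchable under its raw name rather than lost at ingest.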