Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    6.3.2
    7.0.3
    7.0.1
    7.0.0
    6.6.3
    6.6.3
    6.6.1
    6.6.0
    6.5.1
    6.5.0
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.1

    Appendix B: Remote Syslog Reference

    Appendix B: Remote Syslog Reference

    FortiDDoS Syslog

    FortiDDoS supports Syslog features for the following:

    • Event Logs: Refer to Configuring remote log server settings for event logs for more details about configuration.
    • Attack Logs: Whenever a FortiDDoS appliance records an attack event in its own internal database for reporting, it also sends a Syslog event to an external Syslog server. The purpose of this logging is to have a persistent storage for or further analysis or future access. This feature can also be used for integrating with log analysis tools. The following sections describe about the Data path Syslog.
    Configuration

    FortiDDoS allows each SPP to send Attack Logs to 1 or 2 separate Syslog Servers. All DDoS attack events are sent to these individual Syslog servers. For each SPP, you can configure the IPv4 address of the Syslog server, the Syslog port on which the Syslog server listens, default being (UDP) 514. All SPPs can send to the same Syslog Servers but these must be configured per-SPP. See Log & Report > Attack Log Remote.

    Remote attack log syslog limiting

    Remote Attack Logs can be suppressed when the number of drops associated with the log is below a specific threshold. This threshold can be set via Log & Report > Log Configuration > Remote Log Settings. Please see here.

    Format of the Syslog messages

    FortiDDoS Syslog messages have a name/value based format. The following example shows the log messages received on a server: FortiDDoS uses the FortiAnalyzer syslog format which may not be completely compatible with RFCs.

    Syslog for attack log

    devid=FI200B3914000081 date=2017-10-18 time=11:10:00 tz=PDT.type=attack spp=1 evecode=2 evesubcode=18 description="UDP.port.flood" dir=1 protocol=17 sip=0.0.0.0 dip=61.255.0.253 dport=19160 dropcount=188 subnetid=61 facility=Local0 level=Notice

    Syslog for event log

    Facility kernel (0), Severity info (6) Msg: date=2017-10-18 time=14:27:36 tz=PDT devid=FI200B3914000081 log_id=0000001065 type=event subtype=config level=information msg_id=76823 user=admin ui=ssh(172.30.153.16) action=none status=success reason=none msg="changed settings 'network-76' for 'ddos global spp-policy spp'"

    Field Names and their Interpretations
    Name Interpretation
    devid Device serial number
    date Event date
    time Event time
    tz Event time zone
    type This field describes type of event.
    Possible values: a string
    subtype This field describes sub type of event.
    Possible values: a string
    spp Service Protection Profile on which the attack was observed.
    Possible values: 0-7.
    evecode Event code.
    Possible values: 0-4
    For description, refer to the Event code and description table.
    evesubcode Event sub-code.
    Possible values: 0-85.
    For description, refer to the Event code and description table.
    dir Direction of the event.
    Possible values are: 1 – Inbound, 0 – Outbound
    protocol This is the protocol field of the attack event. If the protocol of the attack was distinct in all the attack packets under this event, this field will have a numeric value.
    Possible values: 0-255
    sip Source IP of the packet if it was identified.
    Possible values: IP address in string format
    dip Destination IP of the packet if it was identified.
    Possible values: IP address in string format
    dport Destination Port (for TCP or UDP protocols) of the packet if it was identified.
    Possible values: 0-65535
    dropCount The number of packets dropped due to this event.
    Possible values are: a number
    log_id Log id of the event.
    Possible values: a string
    msg_id Message id of the event.
    Possible values: 0-255
    user User name associated with the event.
    Possible values: a string
    ui This describes from where user logged in or changed settings.
    Possible values: a string
    action This describes user action like login, logout or so on.
    Possible values: a string
    status Status message of the event like success, failed or so on.
    Possible values: a string
    reason Reason message of the event.
    Possible values: a string
    msg Detailed message of the event.
    Possible values: a string
    description This field further describes the event.
    Possible values: a string
    facility For attack logs, FortiDDoS sends an attack log message with facility value 'local0'.
    For event logs, you can configure the Facility from FortiDDoS GUI under Log & Report > Event Log Remote.
    level For attack logs, FortiDDoS sends an attack log message with log level value 'notice'.
    For event logs, you can configure the Log Level from FortiDDoS GUI under Log & Report > Event Log Remote.
    Event code (evecode) description
    Event code Description
    0 Layer 2
    1 Layer 3
    2 Layer 4
    3 Device events
    4 Layer 7

    Refer to the Event code and Subcode columns in the 'Log Reference' table under Appendix A for all attack events sent by Syslog.

    Previous
    Next

    Appendix B: Remote Syslog Reference

    Appendix B: Remote Syslog Reference

    FortiDDoS Syslog

    FortiDDoS supports Syslog features for the following:

    • Event Logs: Refer to Configuring remote log server settings for event logs for more details about configuration.
    • Attack Logs: Whenever a FortiDDoS appliance records an attack event in its own internal database for reporting, it also sends a Syslog event to an external Syslog server. The purpose of this logging is to have a persistent storage for or further analysis or future access. This feature can also be used for integrating with log analysis tools. The following sections describe about the Data path Syslog.
    Configuration

    FortiDDoS allows each SPP to send Attack Logs to 1 or 2 separate Syslog Servers. All DDoS attack events are sent to these individual Syslog servers. For each SPP, you can configure the IPv4 address of the Syslog server, the Syslog port on which the Syslog server listens, default being (UDP) 514. All SPPs can send to the same Syslog Servers but these must be configured per-SPP. See Log & Report > Attack Log Remote.

    Remote attack log syslog limiting

    Remote Attack Logs can be suppressed when the number of drops associated with the log is below a specific threshold. This threshold can be set via Log & Report > Log Configuration > Remote Log Settings. Please see here.

    Format of the Syslog messages

    FortiDDoS Syslog messages have a name/value based format. The following example shows the log messages received on a server: FortiDDoS uses the FortiAnalyzer syslog format which may not be completely compatible with RFCs.

    Syslog for attack log

    devid=FI200B3914000081 date=2017-10-18 time=11:10:00 tz=PDT.type=attack spp=1 evecode=2 evesubcode=18 description="UDP.port.flood" dir=1 protocol=17 sip=0.0.0.0 dip=61.255.0.253 dport=19160 dropcount=188 subnetid=61 facility=Local0 level=Notice

    Syslog for event log

    Facility kernel (0), Severity info (6) Msg: date=2017-10-18 time=14:27:36 tz=PDT devid=FI200B3914000081 log_id=0000001065 type=event subtype=config level=information msg_id=76823 user=admin ui=ssh(172.30.153.16) action=none status=success reason=none msg="changed settings 'network-76' for 'ddos global spp-policy spp'"

    Field Names and their Interpretations
    Name Interpretation
    devid Device serial number
    date Event date
    time Event time
    tz Event time zone
    type This field describes type of event.
    Possible values: a string
    subtype This field describes sub type of event.
    Possible values: a string
    spp Service Protection Profile on which the attack was observed.
    Possible values: 0-7.
    evecode Event code.
    Possible values: 0-4
    For description, refer to the Event code and description table.
    evesubcode Event sub-code.
    Possible values: 0-85.
    For description, refer to the Event code and description table.
    dir Direction of the event.
    Possible values are: 1 – Inbound, 0 – Outbound
    protocol This is the protocol field of the attack event. If the protocol of the attack was distinct in all the attack packets under this event, this field will have a numeric value.
    Possible values: 0-255
    sip Source IP of the packet if it was identified.
    Possible values: IP address in string format
    dip Destination IP of the packet if it was identified.
    Possible values: IP address in string format
    dport Destination Port (for TCP or UDP protocols) of the packet if it was identified.
    Possible values: 0-65535
    dropCount The number of packets dropped due to this event.
    Possible values are: a number
    log_id Log id of the event.
    Possible values: a string
    msg_id Message id of the event.
    Possible values: 0-255
    user User name associated with the event.
    Possible values: a string
    ui This describes from where user logged in or changed settings.
    Possible values: a string
    action This describes user action like login, logout or so on.
    Possible values: a string
    status Status message of the event like success, failed or so on.
    Possible values: a string
    reason Reason message of the event.
    Possible values: a string
    msg Detailed message of the event.
    Possible values: a string
    description This field further describes the event.
    Possible values: a string
    facility For attack logs, FortiDDoS sends an attack log message with facility value 'local0'.
    For event logs, you can configure the Facility from FortiDDoS GUI under Log & Report > Event Log Remote.
    level For attack logs, FortiDDoS sends an attack log message with log level value 'notice'.
    For event logs, you can configure the Log Level from FortiDDoS GUI under Log & Report > Event Log Remote.
    Event code (evecode) description
    Event code Description
    0 Layer 2
    1 Layer 3
    2 Layer 4
    3 Device events
    4 Layer 7

    Refer to the Event code and Subcode columns in the 'Log Reference' table under Appendix A for all attack events sent by Syslog.

    Previous
    Next