Fortinet black logo

Handbook

Appendix B: Remote Syslog Reference

Copy Link
Copy Doc ID 369dfb00-033f-11ed-bb32-fa163e15d75b:797529
Download PDF

Appendix B: Remote Syslog Reference

FortiDDoS Syslog

FortiDDoS supports Syslog features for the following:

  • Event Logs: Refer to Configuring remote log server settings for event logs for more details about configuration.
  • Attack Logs: Whenever a FortiDDoS appliance records an attack event in its own internal database for reporting, it also sends a Syslog event to an external Syslog server. The purpose of this logging is to have a persistent storage for or further analysis or future access. This feature can also be used for integrating with log analysis tools. The following sections describe about the Data path Syslog.
Configuration

FortiDDoS allows each SPP to send Attack Logs to 1 or 2 separate Syslog Servers. All DDoS attack events are sent to these individual Syslog servers. For each SPP, you can configure the IPv4 address of the Syslog server, the Syslog port on which the Syslog server listens, default being (UDP) 514. All SPPs can send to the same Syslog Servers but these must be configured per-SPP. See Log & Report > Attack Log Remote.

Remote attack log syslog limiting

Remote Attack Logs can be suppressed when the number of drops associated with the log is below a specific threshold. This threshold can be set via Log & Report > Log Configuration > Remote Log Settings. Please see here.

Format of the Syslog messages

FortiDDoS Syslog messages have a name/value based format. The following example shows the log messages received on a server: FortiDDoS uses the FortiAnalyzer syslog format which may not be completely compatible with RFCs.

Syslog for attack log

devid=FI200B3914000081 date=2017-10-18 time=11:10:00 tz=PDT.type=attack spp=1 evecode=2 evesubcode=18 description="UDP.port.flood" dir=1 protocol=17 sip=0.0.0.0 dip=61.255.0.253 dport=19160 dropcount=188 subnetid=61 facility=Local0 level=Notice

Syslog for event log

Facility kernel (0), Severity info (6) Msg: date=2017-10-18 time=14:27:36 tz=PDT devid=FI200B3914000081 log_id=0000001065 type=event subtype=config level=information msg_id=76823 user=admin ui=ssh(172.30.153.16) action=none status=success reason=none msg="changed settings 'network-76' for 'ddos global spp-policy spp'"

Field Names and their Interpretations
Name Interpretation
devid Device serial number
date Event date
time Event time
tz Event time zone
type This field describes type of event.
Possible values: a string
subtype This field describes sub type of event.
Possible values: a string
spp Service Protection Profile on which the attack was observed.
Possible values: 0-7.
evecode Event code.
Possible values: 0-4
For description, refer to the Event code and description table.
evesubcode Event sub-code.
Possible values: 0-85.
For description, refer to the Event code and description table.
dir Direction of the event.
Possible values are: 1 – Inbound, 0 – Outbound
protocol This is the protocol field of the attack event. If the protocol of the attack was distinct in all the attack packets under this event, this field will have a numeric value.
Possible values: 0-255
sip Source IP of the packet if it was identified.
Possible values: IP address in string format
dip Destination IP of the packet if it was identified.
Possible values: IP address in string format
dport Destination Port (for TCP or UDP protocols) of the packet if it was identified.
Possible values: 0-65535
dropCount The number of packets dropped due to this event.
Possible values are: a number
log_id Log id of the event.
Possible values: a string
msg_id Message id of the event.
Possible values: 0-255
user User name associated with the event.
Possible values: a string
ui This describes from where user logged in or changed settings.
Possible values: a string
action This describes user action like login, logout or so on.
Possible values: a string
status Status message of the event like success, failed or so on.
Possible values: a string
reason Reason message of the event.
Possible values: a string
msg Detailed message of the event.
Possible values: a string
description This field further describes the event.
Possible values: a string
facility For attack logs, FortiDDoS sends an attack log message with facility value 'local0'.
For event logs, you can configure the Facility from FortiDDoS GUI under Log & Report > Event Log Remote.
level For attack logs, FortiDDoS sends an attack log message with log level value 'notice'.
For event logs, you can configure the Log Level from FortiDDoS GUI under Log & Report > Event Log Remote.
Event code (evecode) description
Event code Description
0 Layer 2
1 Layer 3
2 Layer 4
3 Device events
4 Layer 7

Refer to the Event code and Subcode columns in the 'Log Reference' table under Appendix A for all attack events sent by Syslog.

Appendix B: Remote Syslog Reference

FortiDDoS Syslog

FortiDDoS supports Syslog features for the following:

  • Event Logs: Refer to Configuring remote log server settings for event logs for more details about configuration.
  • Attack Logs: Whenever a FortiDDoS appliance records an attack event in its own internal database for reporting, it also sends a Syslog event to an external Syslog server. The purpose of this logging is to have a persistent storage for or further analysis or future access. This feature can also be used for integrating with log analysis tools. The following sections describe about the Data path Syslog.
Configuration

FortiDDoS allows each SPP to send Attack Logs to 1 or 2 separate Syslog Servers. All DDoS attack events are sent to these individual Syslog servers. For each SPP, you can configure the IPv4 address of the Syslog server, the Syslog port on which the Syslog server listens, default being (UDP) 514. All SPPs can send to the same Syslog Servers but these must be configured per-SPP. See Log & Report > Attack Log Remote.

Remote attack log syslog limiting

Remote Attack Logs can be suppressed when the number of drops associated with the log is below a specific threshold. This threshold can be set via Log & Report > Log Configuration > Remote Log Settings. Please see here.

Format of the Syslog messages

FortiDDoS Syslog messages have a name/value based format. The following example shows the log messages received on a server: FortiDDoS uses the FortiAnalyzer syslog format which may not be completely compatible with RFCs.

Syslog for attack log

devid=FI200B3914000081 date=2017-10-18 time=11:10:00 tz=PDT.type=attack spp=1 evecode=2 evesubcode=18 description="UDP.port.flood" dir=1 protocol=17 sip=0.0.0.0 dip=61.255.0.253 dport=19160 dropcount=188 subnetid=61 facility=Local0 level=Notice

Syslog for event log

Facility kernel (0), Severity info (6) Msg: date=2017-10-18 time=14:27:36 tz=PDT devid=FI200B3914000081 log_id=0000001065 type=event subtype=config level=information msg_id=76823 user=admin ui=ssh(172.30.153.16) action=none status=success reason=none msg="changed settings 'network-76' for 'ddos global spp-policy spp'"

Field Names and their Interpretations
Name Interpretation
devid Device serial number
date Event date
time Event time
tz Event time zone
type This field describes type of event.
Possible values: a string
subtype This field describes sub type of event.
Possible values: a string
spp Service Protection Profile on which the attack was observed.
Possible values: 0-7.
evecode Event code.
Possible values: 0-4
For description, refer to the Event code and description table.
evesubcode Event sub-code.
Possible values: 0-85.
For description, refer to the Event code and description table.
dir Direction of the event.
Possible values are: 1 – Inbound, 0 – Outbound
protocol This is the protocol field of the attack event. If the protocol of the attack was distinct in all the attack packets under this event, this field will have a numeric value.
Possible values: 0-255
sip Source IP of the packet if it was identified.
Possible values: IP address in string format
dip Destination IP of the packet if it was identified.
Possible values: IP address in string format
dport Destination Port (for TCP or UDP protocols) of the packet if it was identified.
Possible values: 0-65535
dropCount The number of packets dropped due to this event.
Possible values are: a number
log_id Log id of the event.
Possible values: a string
msg_id Message id of the event.
Possible values: 0-255
user User name associated with the event.
Possible values: a string
ui This describes from where user logged in or changed settings.
Possible values: a string
action This describes user action like login, logout or so on.
Possible values: a string
status Status message of the event like success, failed or so on.
Possible values: a string
reason Reason message of the event.
Possible values: a string
msg Detailed message of the event.
Possible values: a string
description This field further describes the event.
Possible values: a string
facility For attack logs, FortiDDoS sends an attack log message with facility value 'local0'.
For event logs, you can configure the Facility from FortiDDoS GUI under Log & Report > Event Log Remote.
level For attack logs, FortiDDoS sends an attack log message with log level value 'notice'.
For event logs, you can configure the Log Level from FortiDDoS GUI under Log & Report > Event Log Remote.
Event code (evecode) description
Event code Description
0 Layer 2
1 Layer 3
2 Layer 4
3 Device events
4 Layer 7

Refer to the Event code and Subcode columns in the 'Log Reference' table under Appendix A for all attack events sent by Syslog.