Fortinet black logo

Handbook

6.5.0
7.0.0
6.6.3
6.6.3
6.6.1
6.6.0
6.5.1
6.5.0
6.4.1
6.4.0
6.3.3
6.3.2
6.3.1
6.2.3
6.2.2
6.2.1
6.2.0
6.1.1

Appendix B: Remote Syslog Reference

Appendix B: Remote Syslog Reference

FortiDDoS Syslog.

FortiDDoS supports Syslog features for the following:

  • Event Logs: Refer to Configuring remote log server settings for event logs for more details about configuration.
  • Attack Logs: Whenever a FortiDDoS appliance records an attack event in its own internal database for reporting, it also sends a Syslog event to an external Syslog server. The purpose of this logging is to have a persistent storage for or further analysis or future access. This feature can also be used for integrating with log analysis tools. The following sections describe about the Data path Syslog.
Configuration

FortiDDoS allows each SPP to send Attack Logs to 1 or 2 separate Syslog Servers. All DDoS attack events are sent to these individual Syslog servers. For each SPP, you can configure the IPv4 address of the Syslog server, the Syslog port on which the Syslog server listens, default being (UDP) 514. All SPPs can send to the same Syslog Servers but these must be configured per-SPP. See Log & Report > Attack Log Remote.

Remote attack log syslog limiting

Remote Attack Logs can be suppressed when the number of drops associated with the log is below a specific threshold. This threshold can be set via Log & Report > Log Configuration > Remote Log Settings. Please see here.

Format of the Syslog messages

FortiDDoS Syslog messages have a name/value based format. The following example shows the log messages received on a server — FortiDDoS uses the FortiAnalyzer syslog format which may not be completely compatible with RFCs.

Syslog for attack log

devid=FI-1KB3914000025 date=2023-02-21 time=21:05:03 tz=PST type=attack spp=0 evecode=1 evesubcode=60 description="Denied: IP address" dir=0 sip=0.0.0.0 dip=1.1.1.146 dropcount=944605 facility=Local0 level=Notice direction=outbound spp_name="SPP-1" subnet_name="default" sppoperatingmode=detection

Please note that the above is an example of the attack log. The table below contains all possible name/value pairs that may be contained in the attack log, but only the fields that are relevant to an attack will be sent. For example, in the above, we have a Denied: IP address ACL attack where the protocol field is not sent.

Syslog Key-Value Information
Key Value Description
devid System Serial Number — 16 characters
date Date format yyyy-mm-dd
time time format hh:mm:ss (24 hr)
tz Time zone — 3 text characters
type Always "attack"
spp Numeric SPP #1-16 depending on model
evecode

Event Code.

Possible values: 1-4 — See Appendix A: DDoS Attack Log Reference, but full description available in the Event code and description table below.
evesubcode Event sub-code.
Possible values: 0-285 — See Appendix A: DDoS Attack Log Reference, but full description available in the Event code and description table below.

description

Text description of attack event
dir Direction of the event.
Possible values are: 1 – Inbound, 0 – Outbound (see textual key below)
protocol This is the protocol field of the attack event. If the protocol of the attack was distinct in all the attack packets under this event, this field will have a numeric value.
Possible values: 0-255
sip Source IP of the packet if it was identified.
Possible values: IP address in string format
dip Destination IP of the packet if it was identified.
Possible values: IP address in string format
dport Protected port: Destination Port for inbound log, source port for outbound log, and inbound source port for possible UDP Reflection Flood log.
Possible values: 0-65535

icmptype

ICMP Type value (0-255)

icmpcode

ICMP Code value (0-255)
dropCount The number of packets dropped due to this event.
Numeric count can be larger than 10 trillion

subnetID

Numeric value of the subnet-ID

detail

Detail value or description — valid only in some cases such as HTTP attacks
facility Always "Local0"
level Always "Notice"
direction Inbound or outbound

spp_name

Text name of SPP
subnet_name Text name of Protection Subnet

sppoperatingmode

SPP Detection/ Prevention Mode when log was generated
Syslog for event log

Facility kernel (0), Severity info (6) Msg: date=2017-10-18 time=14:27:36 tz=PDT devid=FI200B3914000081 log_id=0000001065 type=event subtype=config level=information msg_id=76823 user=admin ui=ssh(172.30.153.16) action=none status=success reason=none msg="changed settings 'network-76' for 'ddos global spp-policy spp'"

Key/Value pair descriptions
Name Interpretation
Facility Facility level — default = local0

Severity

Severity of event — default = info (6)
date Event date - yyyy-mm-dd
time Event time - 24h, hh:mm:ss
tz System time zone - 3 text characters

devid

Device serial number - 16 alphanumeric characters

log_id

Internal process identifier - can be ignored
type Always "event"
subtype

Describes the source of the message.

Variable-length text string - "system", "health-check", "config" for example

msg_id Message id of the event - 10 digit numeric string
user User name associated with the event.
Variable length text string - "admin", "user", "system", etc.
ui This describes from where user logged in or changed settings.
Variable-length field with details. Example: ssh(172.30.153.16). User was logged-in via SSH from IP 172.30.153.16
action This describes user action like “login”, “logout”, “reboot”, etc.
status Status message of the event like “success”, “failure” or “none”.
reason

Reason information related to the action and status information above.

Variable-length text string. Examples: "none", "name_invalid", "radius_auth_failed"

msg

Detailed message of the event.

Possible values: a variable length string contained in double quotes like: "changed settings 'network-76' for 'ddos global spp-policy spp'"

Event code (evecode) description
Event code Description
0 Layer 2
1 Layer 3
2 Layer 4
3 Device events
4 Layer 7

Refer to the Event code and Subcode columns in the 'Log Reference' table under Appendix A for all attack events sent by Syslog.

Previous
Next

Appendix B: Remote Syslog Reference

FortiDDoS Syslog.

FortiDDoS supports Syslog features for the following:

  • Event Logs: Refer to Configuring remote log server settings for event logs for more details about configuration.
  • Attack Logs: Whenever a FortiDDoS appliance records an attack event in its own internal database for reporting, it also sends a Syslog event to an external Syslog server. The purpose of this logging is to have a persistent storage for or further analysis or future access. This feature can also be used for integrating with log analysis tools. The following sections describe about the Data path Syslog.
Configuration

FortiDDoS allows each SPP to send Attack Logs to 1 or 2 separate Syslog Servers. All DDoS attack events are sent to these individual Syslog servers. For each SPP, you can configure the IPv4 address of the Syslog server, the Syslog port on which the Syslog server listens, default being (UDP) 514. All SPPs can send to the same Syslog Servers but these must be configured per-SPP. See Log & Report > Attack Log Remote.

Remote attack log syslog limiting

Remote Attack Logs can be suppressed when the number of drops associated with the log is below a specific threshold. This threshold can be set via Log & Report > Log Configuration > Remote Log Settings. Please see here.

Format of the Syslog messages

FortiDDoS Syslog messages have a name/value based format. The following example shows the log messages received on a server — FortiDDoS uses the FortiAnalyzer syslog format which may not be completely compatible with RFCs.

Syslog for attack log

devid=FI-1KB3914000025 date=2023-02-21 time=21:05:03 tz=PST type=attack spp=0 evecode=1 evesubcode=60 description="Denied: IP address" dir=0 sip=0.0.0.0 dip=1.1.1.146 dropcount=944605 facility=Local0 level=Notice direction=outbound spp_name="SPP-1" subnet_name="default" sppoperatingmode=detection

Please note that the above is an example of the attack log. The table below contains all possible name/value pairs that may be contained in the attack log, but only the fields that are relevant to an attack will be sent. For example, in the above, we have a Denied: IP address ACL attack where the protocol field is not sent.

Syslog Key-Value Information
Key Value Description
devid System Serial Number — 16 characters
date Date format yyyy-mm-dd
time time format hh:mm:ss (24 hr)
tz Time zone — 3 text characters
type Always "attack"
spp Numeric SPP #1-16 depending on model
evecode

Event Code.

Possible values: 1-4 — See Appendix A: DDoS Attack Log Reference, but full description available in the Event code and description table below.
evesubcode Event sub-code.
Possible values: 0-285 — See Appendix A: DDoS Attack Log Reference, but full description available in the Event code and description table below.

description

Text description of attack event
dir Direction of the event.
Possible values are: 1 – Inbound, 0 – Outbound (see textual key below)
protocol This is the protocol field of the attack event. If the protocol of the attack was distinct in all the attack packets under this event, this field will have a numeric value.
Possible values: 0-255
sip Source IP of the packet if it was identified.
Possible values: IP address in string format
dip Destination IP of the packet if it was identified.
Possible values: IP address in string format
dport Protected port: Destination Port for inbound log, source port for outbound log, and inbound source port for possible UDP Reflection Flood log.
Possible values: 0-65535

icmptype

ICMP Type value (0-255)

icmpcode

ICMP Code value (0-255)
dropCount The number of packets dropped due to this event.
Numeric count can be larger than 10 trillion

subnetID

Numeric value of the subnet-ID

detail

Detail value or description — valid only in some cases such as HTTP attacks
facility Always "Local0"
level Always "Notice"
direction Inbound or outbound

spp_name

Text name of SPP
subnet_name Text name of Protection Subnet

sppoperatingmode

SPP Detection/ Prevention Mode when log was generated
Syslog for event log

Facility kernel (0), Severity info (6) Msg: date=2017-10-18 time=14:27:36 tz=PDT devid=FI200B3914000081 log_id=0000001065 type=event subtype=config level=information msg_id=76823 user=admin ui=ssh(172.30.153.16) action=none status=success reason=none msg="changed settings 'network-76' for 'ddos global spp-policy spp'"

Key/Value pair descriptions
Name Interpretation
Facility Facility level — default = local0

Severity

Severity of event — default = info (6)
date Event date - yyyy-mm-dd
time Event time - 24h, hh:mm:ss
tz System time zone - 3 text characters

devid

Device serial number - 16 alphanumeric characters

log_id

Internal process identifier - can be ignored
type Always "event"
subtype

Describes the source of the message.

Variable-length text string - "system", "health-check", "config" for example

msg_id Message id of the event - 10 digit numeric string
user User name associated with the event.
Variable length text string - "admin", "user", "system", etc.
ui This describes from where user logged in or changed settings.
Variable-length field with details. Example: ssh(172.30.153.16). User was logged-in via SSH from IP 172.30.153.16
action This describes user action like “login”, “logout”, “reboot”, etc.
status Status message of the event like “success”, “failure” or “none”.
reason

Reason information related to the action and status information above.

Variable-length text string. Examples: "none", "name_invalid", "radius_auth_failed"

msg

Detailed message of the event.

Possible values: a variable length string contained in double quotes like: "changed settings 'network-76' for 'ddos global spp-policy spp'"

Event code (evecode) description
Event code Description
0 Layer 2
1 Layer 3
2 Layer 4
3 Device events
4 Layer 7

Refer to the Event code and Subcode columns in the 'Log Reference' table under Appendix A for all attack events sent by Syslog.

Previous
Next