Handbook

Appendix B: Remote Syslog Reference

FortiDDoS Syslog.

FortiDDoS supports Syslog features for the following:

  • Event Logs: Refer to Configuring remote log server settings for event logs for details about configuration.
  • Attack Logs: Whenever a FortiDDoS appliance records an attack event in its own internal database for reporting, it also sends a Syslog event to an external Syslog server. The purpose of this logging is persistent storage for further analysis or future access. This feature can also be used for integration with log analysis tools. The following sections describe the data path Syslog.

Configuration

FortiDDoS allows each SPP to send Attack Logs to one or two separate Syslog servers. All DDoS attack events are sent to these Syslog servers. For each SPP, you configure the IPv4 address of the Syslog server and the port on which it listens (default UDP 514). All SPPs can send to the same Syslog servers, but the servers must be configured per SPP. See Log & Report > Attack Log Remote.

Remote attack log syslog limiting

Remote Attack Logs can be suppressed when the number of drops associated with the log is below a specific threshold. This threshold is set via Log & Report > Log Configuration > Remote Log Settings.

Format of the Syslog messages

FortiDDoS Syslog messages use a name/value format. The following examples show log messages as received on a server. FortiDDoS uses the FortiAnalyzer syslog format, which may not be completely compatible with the syslog RFCs.

Syslog for attack log

devid=FI-1KB3914000025 date=2023-02-21 time=21:05:03 tz=PST type=attack spp=0 evecode=1 evesubcode=60 description="Denied: IP address" dir=0 sip=0.0.0.0 dip=1.1.1.146 dropcount=944605 facility=Local0 level=Notice direction=outbound spp_name="SPP-1" subnet_name="default" sppoperatingmode=detection

The above is an example of an attack log. The table below lists all name/value pairs that may appear in an attack log, but only the fields relevant to a given attack are sent. For example, the message above reports a "Denied: IP address" ACL event, so the protocol field is not sent.

Syslog Key-Value Information

Key               Value Description
devid             System Serial Number (16 characters)
date              Date, format yyyy-mm-dd
time              Time, format hh:mm:ss (24 hr)
tz                Time zone (3 text characters)
type              Always "attack"
spp               Numeric SPP number, 1-16 depending on model
evecode           Event Code. Possible values: 1-4. See Appendix A: DDoS Attack Log
                  Reference; the full description is in the Event code (evecode)
                  description table below.
evesubcode        Event sub-code. Possible values: 0-285. See Appendix A: DDoS Attack
                  Log Reference; the full description is in the Event code and
                  description table below.
description       Text description of the attack event
dir               Direction of the event. Possible values: 1 = Inbound, 0 = Outbound
                  (see the textual direction key below)
protocol          Protocol field of the attack event. If the protocol was distinct
                  across all the attack packets under this event, this field has a
                  numeric value. Possible values: 0-255
sip               Source IP of the packet, if identified. IP address in string format
dip               Destination IP of the packet, if identified. IP address in string format
dport             Protected port: destination port for an inbound log, source port for
                  an outbound log, and inbound source port for a possible UDP Reflection
                  Flood log. Possible values: 0-65535
icmptype          ICMP Type value (0-255)
icmpcode          ICMP Code value (0-255)
dropCount         Number of packets dropped due to this event. Numeric count; can be
                  larger than 10 trillion
subnetID          Numeric value of the subnet-ID
detail            Detail value or description; valid only in some cases such as HTTP
                  attacks
facility          Always "Local0"
level             Always "Notice"
direction         Inbound or outbound (textual form of dir)
spp_name          Text name of the SPP
subnet_name       Text name of the Protection Subnet
sppoperatingmode  SPP Detection/Prevention mode when the log was generated

Syslog for event log

Facility kernel (0), Severity info (6) Msg: date=2017-10-18 time=14:27:36 tz=PDT devid=FI200B3914000081 log_id=0000001065 type=event subtype=config level=information msg_id=76823 user=admin ui=ssh(172.30.153.16) action=none status=success reason=none msg="changed settings 'network-76' for 'ddos global spp-policy spp'"

Key/Value pair descriptions

Name       Interpretation
Facility   Facility level; default = local0
Severity   Severity of the event; default = info (6)
date       Event date, yyyy-mm-dd
time       Event time, 24h, hh:mm:ss
tz         System time zone, 3 text characters
devid      Device serial number, 16 alphanumeric characters
log_id     Internal process identifier; can be ignored
type       Always "event"
subtype    Source of the message. Variable-length text string, for example "system",
           "health-check", "config"
msg_id     Message id of the event, 10-digit numeric string
user       User name associated with the event. Variable-length text string: "admin",
           "user", "system", etc.
ui         Where the user logged in from or changed settings. Variable-length field
           with details. Example: ssh(172.30.153.16) means the user was logged in via
           SSH from IP 172.30.153.16
action     User action, such as "login", "logout", "reboot", etc.
status     Status of the event: "success", "failure" or "none"
reason     Reason related to the action and status above. Variable-length text string.
           Examples: "none", "name_invalid", "radius_auth_failed"
msg        Detailed message of the event. A variable-length string in double quotes,
           for example: "changed settings 'network-76' for 'ddos global spp-policy spp'"

Event code (evecode) description

Event code   Description
0            Layer 2
1            Layer 3
2            Layer 4
3            Device events
4            Layer 7

Refer to the Event code and Subcode columns in the 'Log Reference' table under Appendix A for all attack events sent by Syslog.
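As an added example (not part of the Fortinet handbook or FortiDDoS software), the following Python parser handles both message shapes shown in this appendix: the bare name/value attack log, and the event log carrying the collector's "Facility ... Severity ... Msg:" prefix. It splits double-quoted values that contain spaces, maps evecode to its layer using the table above, applies a collector-side drop-count threshold of the kind described under Remote attack log syslog limiting, and breaks the event log's ui field into access method and source address. The two sample messages are the ones printed in this appendix; the function names, the summary dictionary layout and the threshold default are assumptions of this example, not FortiDDoS interfaces.

```python
import re

# Constructed sample input: the two messages shown in this appendix, verbatim.
ATTACK_LOG = (
    'devid=FI-1KB3914000025 date=2023-02-21 time=21:05:03 tz=PST type=attack spp=0 '
    'evecode=1 evesubcode=60 description="Denied: IP address" dir=0 sip=0.0.0.0 '
    'dip=1.1.1.146 dropcount=944605 facility=Local0 level=Notice direction=outbound '
    'spp_name="SPP-1" subnet_name="default" sppoperatingmode=detection'
)
EVENT_LOG = (
    'Facility kernel (0), Severity info (6) Msg: date=2017-10-18 time=14:27:36 tz=PDT '
    'devid=FI200B3914000081 log_id=0000001065 type=event subtype=config level=information '
    'msg_id=76823 user=admin ui=ssh(172.30.153.16) action=none status=success reason=none '
    'msg="changed settings \'network-76\' for \'ddos global spp-policy spp\'"'
)

# evecode -> layer, taken from the "Event code (evecode) description" table.
EVECODE_LAYER = {0: "Layer 2", 1: "Layer 3", 2: "Layer 4", 3: "Device events", 4: "Layer 7"}

# key=value where value is either a double-quoted string (may contain spaces and
# single quotes) or a bare run of non-space characters such as ssh(172.30.153.16).
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Optional prefix seen on the event-log example before the name/value body.
PREFIX_RE = re.compile(r"^Facility\s+\S+\s+\((\d+)\),\s+Severity\s+\S+\s+\((\d+)\)\s+Msg:\s+")
UI_RE = re.compile(r"^(\w+)\((.+)\)$")  # e.g. ssh(172.30.153.16)


def parse_fortiddos_syslog(line: str) -> dict:
    """Split one FortiDDoS message into a dict. Keys are lower-cased so that the
    'dropCount' spelling in the table and 'dropcount' on the wire land in one place."""
    fields = {}
    m = PREFIX_RE.match(line)
    if m:
        fields["_facility_num"] = int(m.group(1))
        fields["_severity_num"] = int(m.group(2))
        line = line[m.end():]
    for key, value in PAIR_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key.lower()] = value
    return fields


def attack_summary(fields: dict, min_drops: int = 0):
    """Normalise an attack log. Returns None for non-attack messages and for attack
    logs whose drop count is below min_drops (a collector-side equivalent of the
    appliance's remote-log drop threshold; the default of 0 is an assumption)."""
    if fields.get("type") != "attack":
        return None
    drops = int(fields.get("dropcount", "0"))
    if drops < min_drops:
        return None
    evecode = int(fields.get("evecode", "-1"))
    return {
        "layer": EVECODE_LAYER.get(evecode, "unknown"),
        "evesubcode": int(fields.get("evesubcode", "-1")),
        "direction": "inbound" if fields.get("dir") == "1" else "outbound",
        "drops": drops,
        "spp": fields.get("spp_name") or fields.get("spp"),
        "dip": fields.get("dip"),
        "description": fields.get("description", ""),
        "mode": fields.get("sppoperatingmode"),
    }


def event_summary(fields: dict):
    """Normalise an event log, splitting ui into access method and source address
    and flagging status=failure so failed admin actions are easy to review."""
    if fields.get("type") != "event":
        return None
    method, source = None, None
    m = UI_RE.match(fields.get("ui", ""))
    if m:
        method, source = m.group(1), m.group(2)
    return {
        "subtype": fields.get("subtype"),
        "user": fields.get("user"),
        "ui_method": method,
        "ui_source": source,
        "action": fields.get("action"),
        "status": fields.get("status"),
        "reason": fields.get("reason"),
        "failed": fields.get("status") == "failure",
        "msg": fields.get("msg", ""),
    }


if __name__ == "__main__":
    for raw in (ATTACK_LOG, EVENT_LOG):
        parsed = parse_fortiddos_syslog(raw)
        print(attack_summary(parsed, min_drops=1000) or event_summary(parsed))
```

The regex deliberately treats a double-quoted value as one token, because fields such as description and msg contain spaces and would otherwise be split; bare tokens like ui=ssh(172.30.153.16) are taken up to the next space. Because only the fields relevant to an attack are sent, every lookup in the summaries uses a default rather than assuming the key exists.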