Fortinet black logo

FortiOS Log Message Reference

Home FortiGate / FortiOS 5.6.14 FortiOS Log Message Reference

Traffic log support for CEF

5.6.14
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
6.2.16
6.2.15
6.2.14
6.2.13
6.2.12
6.2.11
6.2.10
6.2.9
6.2.8
6.2.7
6.2.6
6.2.5
6.2.4
6.2.3
6.2.2
6.2.1
6.2.0
6.0.18
6.0.17
6.0.16
6.0.15
6.0.14
6.0.13
6.0.12
6.0.11
6.0.10
6.0.9
6.0.8
6.0.7
6.0.6
6.0.5
6.0.4
6.0.3
6.0.2
6.0.1
6.0.0
5.6.14
5.6.13
5.6.12
5.6.11
5.6.10
5.6.9
5.6.8
5.6.7
5.6.6
5.6.5
5.6.4
5.6.3
5.6.2
5.6.1
5.6.0
5.4.13
5.4.12
5.4.11
5.4.9
5.4.8
5.4.7
5.4.6
5.4.5
5.4.4
5.4.3
5.4.2
5.4.1
5.4.0
5.2.15
5.2.14
5.2.13
5.2.12
5.2.11
5.2.10
5.2.8
5.2.7
5.2.6
5.2.5
5.2.4
5.2.3
5.2.2
5.2.1
Copy Link
Copy Doc ID 54f857d3-f55f-11eb-97f7-00505692583a:419655
Download PDF

Traffic log support for CEF

Following is an example of a traffic log on the FortiGate disk:

date=2016-02-12 time=11:11:29 logid=0000000013 type=traffic subtype=forward level=notice vd=vdom1 srcip=192.168.1.183 srcname="192.168.1.183" srcport=45719 srcintf="port15" dstip=192.168.70.184 dstname="192.168.70.184" dstport=80 dstintf="port19" poluuid=61c4243a-34ba-51e5-c32a-3859389a5162 sessionid=56633 proto=6 action=close policyid=10 dstcountry="Reserved" srccountry="Reserved" trandisp=snat transip=192.168.70.214 transport=45719 service="HTTP" appid=38783 app="Wget.Like" appcat="General.Interest" apprisk=low applist="default" appact=detected duration=7 sentbyte=398 rcvdbyte=1605 sentpkt=5 rcvdpkt=5 utmaction=block countav=1 countapp=1 crscore=50 craction=2 utmref=65502-0

Following is an example of an event log sent in CEF format to a syslog server:

Feb 12 11:11:30 syslog-800c CEF:0|Fortinet|Fortigate|v5.6.0|00013|traffic:forward close|3|FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=vdom1 src=192.168.1.183 shost=192.168.1.183 spt=45719 deviceInboundInterface=port15 dst=192.168.70.184 dhost=192.168.70.184 dpt=80 deviceOutboundInterface=port19 FTNTFGTpoluuid=61c4243a-34ba-51e5-c32a-3859389a5162 externalId=56633 proto=6 act=close cs5=10 cs5Label=Policy Id FTNTFGTdstcountry=Reserved FTNTFGTsrccountry=Reserved FTNTFGTtrandisp=snat sourceTranslatedAddress=192.168.70.214 sourceTranslatedPort=45719 app=HTTP FTNTFGTappid=38783 FTNTFGTapp=Wget.Like FTNTFGTappcat=General.Interest FTNTFGTapprisk=low FTNTFGTapplist=default FTNTFGTappact=detected cn1=7 cn1Label=Duration out=398 in=1605 cn2=5 cn2Label=Packets Sent cn3=5 cn3Label=Packets Received FTNTFGTutmaction=block FTNTFGTcountav=1 FTNTFGTcountapp=1 FTNTFGTcrscore=50 FTNTFGTcraction=2

The following table maps FortiOS log field names to CEF field names.

FortiOS Log Field Name

CEF Field Name

type: subtype

cat

srcip

src

srcport

spt

srcintf

deviceInboundInterface

dstip

dst

dstname

dhost

dstport

dpt

dstintf

deviceOutboundInterface

sessionid

externalID

proto

proto

action

act

policyid

cs5=xx cs5Label=Policy Id

transip

sourceTranslatedAddress

transport

sourceTranslatedPort

service

app

duration

cn1=xx cn1Label=Duration

sentbyte

out

rcvdbyte

in

sentpkt

cn2=xx cn2Label=Packets Sent

rcvdpkt

cn3=xx cn3Label=Packets Received
Previous
Next

Traffic log support for CEF

Following is an example of a traffic log on the FortiGate disk:

date=2016-02-12 time=11:11:29 logid=0000000013 type=traffic subtype=forward level=notice vd=vdom1 srcip=192.168.1.183 srcname="192.168.1.183" srcport=45719 srcintf="port15" dstip=192.168.70.184 dstname="192.168.70.184" dstport=80 dstintf="port19" poluuid=61c4243a-34ba-51e5-c32a-3859389a5162 sessionid=56633 proto=6 action=close policyid=10 dstcountry="Reserved" srccountry="Reserved" trandisp=snat transip=192.168.70.214 transport=45719 service="HTTP" appid=38783 app="Wget.Like" appcat="General.Interest" apprisk=low applist="default" appact=detected duration=7 sentbyte=398 rcvdbyte=1605 sentpkt=5 rcvdpkt=5 utmaction=block countav=1 countapp=1 crscore=50 craction=2 utmref=65502-0

Following is an example of an event log sent in CEF format to a syslog server:

Feb 12 11:11:30 syslog-800c CEF:0|Fortinet|Fortigate|v5.6.0|00013|traffic:forward close|3|FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=vdom1 src=192.168.1.183 shost=192.168.1.183 spt=45719 deviceInboundInterface=port15 dst=192.168.70.184 dhost=192.168.70.184 dpt=80 deviceOutboundInterface=port19 FTNTFGTpoluuid=61c4243a-34ba-51e5-c32a-3859389a5162 externalId=56633 proto=6 act=close cs5=10 cs5Label=Policy Id FTNTFGTdstcountry=Reserved FTNTFGTsrccountry=Reserved FTNTFGTtrandisp=snat sourceTranslatedAddress=192.168.70.214 sourceTranslatedPort=45719 app=HTTP FTNTFGTappid=38783 FTNTFGTapp=Wget.Like FTNTFGTappcat=General.Interest FTNTFGTapprisk=low FTNTFGTapplist=default FTNTFGTappact=detected cn1=7 cn1Label=Duration out=398 in=1605 cn2=5 cn2Label=Packets Sent cn3=5 cn3Label=Packets Received FTNTFGTutmaction=block FTNTFGTcountav=1 FTNTFGTcountapp=1 FTNTFGTcrscore=50 FTNTFGTcraction=2

The following table maps FortiOS log field names to CEF field names.

FortiOS Log Field Name

CEF Field Name

type: subtype

cat

srcip

src

srcport

spt

srcintf

deviceInboundInterface

dstip

dst

dstname

dhost

dstport

dpt

dstintf

deviceOutboundInterface

sessionid

externalID

proto

proto

action

act

policyid

cs5=xx cs5Label=Policy Id

transip

sourceTranslatedAddress

transport

sourceTranslatedPort

service

app

duration

cn1=xx cn1Label=Duration

sentbyte

out

rcvdbyte

in

sentpkt

cn2=xx cn2Label=Packets Sent

rcvdpkt

cn3=xx cn3Label=Packets Received
Previous
Next