Email Spamfilter log support for CEF
Following is an example of an email spamfilter log on the FortiGate disk:
```
date=2016-02-12 time=14:01:12 logid=0509020482 type=utm subtype=emailfilter eventtype=pop3 level=notice vd="vdom1" sessionid=64465 user="" srcip=192.168.1.183 srcport=33244 srcintf="port15" dstip=192.168.70.184 dstport=110 dstintf="port19" proto=6 service=POP3 profile="default" action=tagged from="jj@fortinet.com" to="mm@fortinet.com" recipient="testpc3" sentbyte=27 rcvdbyte=1592 direction=incoming msg="email is reported as spam by ASE" subject="[SMTP]: MyTest" attachment=no
```
Following is an example of an email spamfilter log sent in CEF format to a syslog server:
```
Feb 12 14:01:12 syslog-800c CEF:0|Fortinet|Fortigate|v5.6.0|20482|utm:emailfilter pop3 tagged|3|FTNTFGTlogid=0509020482 cat=utm:emailfilter FTNTFGTsubtype=emailfilter FTNTFGTeventtype=pop3 FTNTFGTlevel=notice FTNTFGTvd=vdom1 externalId=64465 duser= src=192.168.1.183 spt=33244 deviceInboundInterface=port15 dst=192.168.70.184 dpt=110 deviceOutboundInterface=port19 proto=6 app=POP3 FTNTFGTprofile=default act=tagged suser=jj@fortinet.com duser=mm@fortinet.com FTNTFGTrecipient=testpc3 out=27 in=1592 deviceDirection=0 msg=email is reported as spam by ASE FTNTFGTsubject=[SMTP]: MyTest FTNTFGTattachment=no
```
The following table maps FortiOS log field names to CEF field names.
| FortiOS Log Field Name | CEF Field Name |
|---|---|
| from | suser |
| to | duser |
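The following added example (not Fortinet's code) parses the two sample lines above, the FortiOS disk-log line and its CEF rendering, and checks the `from`/`to` to `suser`/`duser` mapping from the table. The only inputs are the two lines copied from this page; the parsing rules assumed are the general CEF conventions (seven `|`-delimited header fields after `CEF:`, then `key=value` pairs whose values may contain spaces and end at the next ` key=` token, with `|`, `=` and `\` escaped by a backslash). Two details worth noticing in the page's own CEF sample drive the design: `msg=email is reported as spam by ASE` and `FTNTFGTsubject=[SMTP]: MyTest` carry unquoted spaces, so a naive split on whitespace breaks them, and `duser` is emitted twice (once empty, from `user=""`, once from `to=`), so the extension is kept as an ordered list of pairs rather than collapsed straight into a dict.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the two lines shown on the page, the FortiOS
# disk log and its CEF rendering (including the syslog prefix).
FORTIOS_LINE = (
    'date=2016-02-12 time=14:01:12 logid=0509020482 type=utm subtype=emailfilter '
    'eventtype=pop3 level=notice vd="vdom1" sessionid=64465 user="" '
    'srcip=192.168.1.183 srcport=33244 srcintf="port15" dstip=192.168.70.184 '
    'dstport=110 dstintf="port19" proto=6 service=POP3 profile="default" '
    'action=tagged from="jj@fortinet.com" to="mm@fortinet.com" recipient="testpc3" '
    'sentbyte=27 rcvdbyte=1592 direction=incoming '
    'msg="email is reported as spam by ASE" subject="[SMTP]: MyTest" attachment=no'
)
CEF_LINE = (
    'Feb 12 14:01:12 syslog-800c CEF:0|Fortinet|Fortigate|v5.6.0|20482|'
    'utm:emailfilter pop3 tagged|3|FTNTFGTlogid=0509020482 cat=utm:emailfilter '
    'FTNTFGTsubtype=emailfilter FTNTFGTeventtype=pop3 FTNTFGTlevel=notice '
    'FTNTFGTvd=vdom1 externalId=64465 duser= src=192.168.1.183 spt=33244 '
    'deviceInboundInterface=port15 dst=192.168.70.184 dpt=110 '
    'deviceOutboundInterface=port19 proto=6 app=POP3 FTNTFGTprofile=default '
    'act=tagged suser=jj@fortinet.com duser=mm@fortinet.com FTNTFGTrecipient=testpc3 '
    'out=27 in=1592 deviceDirection=0 msg=email is reported as spam by ASE '
    'FTNTFGTsubject=[SMTP]: MyTest FTNTFGTattachment=no'
)

# FortiOS -> CEF field names, as given in the page's table.
FIELD_MAP = {"from": "suser", "to": "duser"}

# FortiOS: key=value, with double quotes around values that may hold spaces.
_FORTIOS_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
# CEF: seven pipe-delimited header fields, then an extension of key=value
# pairs where a value runs until the next " key=" token (or end of line).
_CEF_HEADER = ("version", "device_vendor", "device_product",
               "device_version", "signature_id", "name", "severity")
_CEF_KV = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')


def parse_fortios(line: str) -> Dict[str, str]:
    """Return the FortiOS fields; user="" yields an empty string, not None."""
    fields = {}
    for m in _FORTIOS_KV.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def _cef_unescape(value: str) -> str:
    # CEF escapes '|' (header) and '=' (extension) with a backslash, and a
    # literal backslash as '\\'.
    return re.sub(r'\\([\\|=])', r'\1', value)


def parse_cef(line: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Split a CEF record (syslog prefix allowed) into a header dict and the
    extension as an ordered list of pairs. A list is kept because CEF does not
    forbid repeated keys, and the sample above carries duser twice."""
    body = line[line.index("CEF:") + len("CEF:"):]
    parts = re.split(r'(?<!\\)\|', body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 '|'-separated fields")
    header = dict(zip(_CEF_HEADER, (_cef_unescape(p) for p in parts[:7])))
    extension = [(k, _cef_unescape(v)) for k, v in _CEF_KV.findall(parts[7])]
    return header, extension


def duplicate_keys(extension: List[Tuple[str, str]]) -> List[str]:
    """Extension keys that occur more than once, in first-seen order."""
    seen, dups = set(), []
    for key, _ in extension:
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


def check_mapping(fortios: Dict[str, str], extension: List[Tuple[str, str]],
                  field_map: Dict[str, str] = FIELD_MAP) -> Dict[str, Tuple[str, str]]:
    """Pair each mapped FortiOS value with its CEF value. For a repeated CEF
    key the last occurrence wins, which is what dict(extension) keeps."""
    last = dict(extension)
    return {f: (fortios.get(f), last.get(c)) for f, c in field_map.items()}


if __name__ == "__main__":
    fgt = parse_fortios(FORTIOS_LINE)
    hdr, ext = parse_cef(CEF_LINE)
    print("signature:", hdr["signature_id"], "name:", hdr["name"], "severity:", hdr["severity"])
    print("repeated CEF keys:", duplicate_keys(ext))
    for field, (a, b) in check_mapping(fgt, ext).items():
        print(f"{field:>4} -> {FIELD_MAP[field]}: {a!r} == {b!r} ? {a == b}")
```

When wiring this into a SIEM normaliser, decide explicitly which `duser` occurrence to keep: the last-wins rule above recovers the recipient address from the page's sample, but a collector that keeps the first occurrence would record an empty `duser` and silently lose the `to` field.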