FortiOS Log Message Reference

Antivirus log support for CEF

Following is an example of an antivirus log on the FortiGate disk:

date=2016-02-12 time=11:11:25 logid=0211008192 type=utm subtype=virus eventtype=infected level=warning vd="vdom1" msg="File is infected." action=blocked service=HTTP sessionid=56633 srcip=192.168.1.183 dstip=192.168.70.184 srcport=45719 dstport=80 srcintf="port15" dstintf="port19" proto=6 direction=incoming filename="eicar.com" checksum="1dd02bdb" quarskip=No-skip virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="http://192.168.70.184/eicar.com" profile="default" user="" agent="Wget/1.10.2" analyticscksum="131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267" analyticssubmit=false crscore=50 crlevel=critical

Following is an example of an antivirus log sent in CEF format to a syslog server:

Feb 12 11:11:25 syslog-800c CEF:0|Fortinet|Fortigate|v5.6.0|08192|utm:virus infected blocked|4|FTNTFGTlogid=0211008192 cat=utm:virus FTNTFGTsubtype=virus FTNTFGTeventtype=infected FTNTFGTlevel=warning FTNTFGTvd=vdom1 msg=File is infected act=blocked app=HTTP externalId=56633 src=192.168.1.183 dst=192.168.70.184 spt=45719 dpt=80 deviceInboundInterface=port15 deviceOutboundInterface=port19 proto=6 deviceDirection=0 fname=eicar.com FTNTFGTchecksum=1dd02bdb FTNTFGTquarskip=No-skip cs1=EICAR_TEST_FILE cs1Label=Virus FTNTFGTdtype=Virus cs2=http://www.fortinet.com/ve?vn\=EICAR_TEST_FILE cs2Label=Reference FTNTFGTvirusid=2172 request=http://192.168.70.184/eicar.com FTNTFGTprofile=default duser= requestClientApplication=Wget/1 10 2 FTNTFGTanalyticscksum=131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267 FTNTFGTanalyticssubmit=false FTNTFGTcrscore=50 FTNTFGTcrlevel=critical

The following table maps FortiOS log field names to CEF field names.

FortiOS Log Field Name    CEF Field Name
direction                 deviceDirection (inbound/outbound mapping to 0/1)
filename                  fname
virus                     cs1=xxx cs1Label=Virus
ref                       cs2=xxx cs2Label=Reference
url                       request
agent                     requestClientApplication
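The following is an added example, not code from the Fortinet reference: a small Python parser for both record formats shown above (the FortiOS key=value disk format and the CEF line, including the `\=` escape in the cs2 value and values that contain spaces) and a check that a CEF record honours the mapping table. The two sample records are constructed abridgements of the ones above; the `outgoing` to `1` half of the direction mapping is an assumption read from the table's inbound/outbound wording.

```python
import re
# Constructed samples, abridged from the two records shown above (syslog prefix kept on the CEF one).
FORTIOS_LOG = ('date=2016-02-12 time=11:11:25 logid=0211008192 type=utm subtype=virus '
               'msg="File is infected." action=blocked direction=incoming filename="eicar.com" '
               'virus="EICAR_TEST_FILE" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" '
               'url="http://192.168.70.184/eicar.com" user="" agent="Wget/1.10.2"')
CEF_LOG = ('Feb 12 11:11:25 syslog-800c CEF:0|Fortinet|Fortigate|v5.6.0|08192|utm:virus infected '
           'blocked|4|FTNTFGTlogid=0211008192 cat=utm:virus msg=File is infected act=blocked '
           'deviceDirection=0 fname=eicar.com cs1=EICAR_TEST_FILE cs1Label=Virus '
           'cs2=http://www.fortinet.com/ve?vn\\=EICAR_TEST_FILE cs2Label=Reference '
           'request=http://192.168.70.184/eicar.com duser= requestClientApplication=Wget/1.10.2')

# FortiOS disk format: key=value pairs; values containing spaces are double-quoted.
FORTIOS_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
# CEF extension key: bare word plus '=' at the start or after whitespace, so the escaped
# '\=' inside the cs2 URL value is never taken as a key and values may contain spaces.
CEF_KEY = re.compile(r'(?:^|(?<=\s))([A-Za-z][\w.]*)=')
HEADER = ('version', 'vendor', 'product', 'device_version', 'signature_id', 'name', 'severity')

def parse_fortios(line):
    return {k: v[1:-1] if v.startswith('"') else v for k, v in FORTIOS_KV.findall(line)}

def parse_cef(line):
    """Return (header dict, extension dict); '\\|' in the header and '\\=' / '\\\\' in values are unescaped."""
    line = line[line.index('CEF:'):]                       # drop the syslog prefix
    parts = re.split(r'(?<!\\)\|', line, maxsplit=7)       # 7 header fields + extension
    if len(parts) != 8:
        raise ValueError('malformed CEF header')
    header = {n: p.replace('\\|', '|') for n, p in zip(HEADER, parts[:7])}
    header['version'] = header['version'][len('CEF:'):]
    ext, keys, fields = parts[7], list(CEF_KEY.finditer(parts[7])), {}
    for i, m in enumerate(keys):                            # a value runs up to the next key
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = re.sub(r'\\([\\=|])', r'\1', ext[m.end():end].strip())
    return header, fields

# The mapping table above. 'outgoing' -> '1' is an assumption read from the table's
# inbound/outbound wording; the page itself only shows the incoming case.
DIRECTION = {'incoming': '0', 'outgoing': '1'}
RENAMED = {'filename': 'fname', 'url': 'request', 'agent': 'requestClientApplication'}
LABELLED = {'virus': ('cs1', 'Virus'), 'ref': ('cs2', 'Reference')}

def mapping_mismatches(fortios, cef):
    """FortiOS field names whose CEF counterpart does not agree with the table (empty = consistent)."""
    bad = [src for src, dst in RENAMED.items() if fortios.get(src) != cef.get(dst)]
    bad += [src for src, (slot, label) in LABELLED.items()
            if cef.get(slot + 'Label') != label or fortios.get(src) != cef.get(slot)]
    if DIRECTION.get(fortios.get('direction')) != cef.get('deviceDirection'):
        bad.append('direction')
    return bad
```

Running `mapping_mismatches(parse_fortios(FORTIOS_LOG), parse_cef(CEF_LOG)[1])` on the constructed pair returns an empty list; a collector that, for example, drops the cs1Label or flips deviceDirection is reported by field name.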