Anomaly log support for CEF
Following is an example of an anomaly log on the FortiGate disk:
date=2016-02-12 time=14:10:42 logid=0720018433 type=anomaly subtype=anomaly level=alert vd="vdom1" severity=critical srcip=192.168.1.183 dstip=192.168.70.184 srcintf="port15" sessionid=0 action=clear_session proto=1 service="icmp/146/81" count=306 attack="icmp_flood" dstport=20882 icmptype=0x92 icmpcode=0x51 attackid=16777316 profile="DoS-policy1" ref="http://www.fortinet.com/ids/VID16777316" msg="anomaly: icmp_flood, 34 > threshold 25, repeats 306 times" crscore=50 crlevel=critical
Following is an example of an anomaly log sent in CEF format to a syslog server:
Feb 12 14:10:42 syslog-800c CEF:0|Fortinet|Fortigate|v5.6.0|18433|anomaly:anomaly clear_session|7|FTNTFGTlogid=0720018433 cat=anomaly:anomaly FTNTFGTsubtype=anomaly FTNTFGTlevel=alert FTNTFGTvd=vdom1 FTNTFGTseverity=critical src=192.168.1.183 dst=192.168.70.184 deviceInboundInterface=port15 externalId=0 act=clear_session proto=1 app=icmp/146/81 cnt=306 FTNTFGTattack=icmp_flood dpt=20882 FTNTFGTicmptype=0x92 FTNTFGTicmpcode=0x51 FTNTFGTattackid=16777316 FTNTFGTprofile=DoS-policy1 cs2=http://www.fortinet.com/ids/VID16777316 cs2Label=Reference msg=anomaly: icmp_flood, 34 > threshold 25, repeats 306 times FTNTFGTcrscore=50 FTNTFGTcrlevel=critical
The following table maps FortiOS log field names to CEF field names.
FortiOS Log Field Name | CEF Field Name
---|---
count | cnt
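To show how the CEF record above is consumed on the receiving side, and how its keys map back to the FortiOS disk-log names, here is an added example parser (not Fortinet code). It assumes the record arrives as a single syslog line; the CEF-to-FortiOS mapping beyond count/cnt is read off the two example records above, and the csN/csNLabel pair is resolved to its label name.

```python
import re
# Constructed sample: the CEF anomaly record from this page, joined onto one line.
SAMPLE = ('Feb 12 14:10:42 syslog-800c CEF:0|Fortinet|Fortigate|v5.6.0|18433|anomaly:anomaly '
          'clear_session|7|FTNTFGTlogid=0720018433 cat=anomaly:anomaly FTNTFGTsubtype=anomaly '
          'FTNTFGTlevel=alert FTNTFGTvd=vdom1 FTNTFGTseverity=critical src=192.168.1.183 '
          'dst=192.168.70.184 deviceInboundInterface=port15 externalId=0 act=clear_session '
          'proto=1 app=icmp/146/81 cnt=306 FTNTFGTattack=icmp_flood dpt=20882 FTNTFGTicmptype=0x92 '
          'FTNTFGTicmpcode=0x51 FTNTFGTattackid=16777316 FTNTFGTprofile=DoS-policy1 '
          'cs2=http://www.fortinet.com/ids/VID16777316 cs2Label=Reference msg=anomaly: icmp_flood, '
          '34 > threshold 25, repeats 306 times FTNTFGTcrscore=50 FTNTFGTcrlevel=critical')

HEADER = ('version', 'device_vendor', 'device_product', 'device_version',
          'signature_id', 'name', 'severity')
# Extension values are unquoted and may contain spaces (see msg= above), so a value
# ends only where the next "<space>key=" token begins, not at the next space.
EXT_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')
# Standard CEF keys -> FortiOS disk-log names, read off the two records on this page.
CEF_TO_FORTIOS = {'cnt': 'count', 'src': 'srcip', 'dst': 'dstip', 'act': 'action', 'dpt': 'dstport',
                  'app': 'service', 'externalId': 'sessionid', 'deviceInboundInterface': 'srcintf'}

def _unescape(s):
    # CEF escapes '|' in the header and '=' in extensions with a backslash.
    return re.sub(r'\\([\\|=])', r'\1', s)

def parse_cef(line):
    """Split a syslog line carrying a CEF record into (header dict, extension dict)."""
    start = line.find('CEF:')
    if start < 0:
        raise ValueError('no CEF record in line')
    parts = re.split(r'(?<!\\)\|', line[start + 4:], maxsplit=7)  # unescaped pipes only
    if len(parts) != 8:
        raise ValueError('malformed CEF header: expected 7 pipe-separated fields')
    header = dict(zip(HEADER, map(_unescape, parts[:7])))
    header['severity'] = int(header['severity'])  # 0-10 per the CEF spec
    ext = {k: _unescape(v) for k, v in EXT_RE.findall(parts[7])}
    return header, ext

def to_fortios(ext):
    """Rename CEF extension keys back to FortiOS names: strip the FTNTFGT prefix,
    apply the mapping table, and resolve csN/csNLabel pairs to their label."""
    out = {}
    for k, v in ext.items():
        if k.endswith('Label'):
            continue  # labels name another key; consumed below
        if k.startswith('FTNTFGT'):
            out[k[len('FTNTFGT'):]] = v
        elif k in CEF_TO_FORTIOS:
            out[CEF_TO_FORTIOS[k]] = v
        else:
            out[ext.get(k + 'Label', k)] = v
    return out
```

Splitting the extension on whitespace instead of on the next key token would break the msg value into fragments, which is the usual source of mis-parsed FortiOS CEF events.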