Application log support for CEF
The following is an example of an application log on the FortiGate disk:
date=2018-12-27 time=14:28:08 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" vd="vdom1" eventtime=1545949688 appid=34050 srcip=10.1.100.11 dstip=104.80.89.24 srcport=56826 dstport=80 srcintf="port12" srcintfrole="undefined" dstintf="port11" dstintfrole="undefined" proto=6 service="HTTP" direction="outgoing" policyid=1 sessionid=12567 applist="g-default" appcat="Web.Client" app="HTTP.BROWSER_Firefox" action="pass" hostname="detectportal.firefox.com" incidentserialno=1702350499 url="/success.txt" msg="Web.Client: HTTP.BROWSER_Firefox," apprisk="elevated"
The following is the same application log sent in CEF format to a syslog server:
Dec 27 14:28:08 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|28704|utm:app-ctrl app-ctrl-all pass|2|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=1059028704 cat=utm:app-ctrl FTNTFGTsubtype=app-ctrl FTNTFGTeventtype=app-ctrl-all FTNTFGTlevel=information FTNTFGTvd=vdom1 FTNTFGTeventtime=1545949688 FTNTFGTappid=34050 src=10.1.100.11 dst=104.80.89.24 spt=56826 dpt=80 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined proto=6 app=HTTP deviceDirection=1 FTNTFGTpolicyid=1 externalId=12567 FTNTFGTapplist=g-default FTNTFGTappcat=Web.Client FTNTFGTapp=HTTP.BROWSER_Firefox act=pass dhost=detectportal.firefox.com FTNTFGTincidentserialno=1702350499 request=/success.txt msg=Web.Client: HTTP.BROWSER_Firefox, FTNTFGTapprisk=elevated
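The field mapping between the two samples, as an added worked example (not Fortinet code): it parses the disk log above and rebuilds the CEF line from it, using only the mapping visible on this page. The device serial, vendor/product/version strings and the level-to-severity value are assumed from the sample, and the escaping rules are the standard CEF ones.

```python
# Added example (not Fortinet code): rebuild the page's CEF line from its FortiGate
# key=value disk log, using only the field mapping the two sample lines show.
import re
CEF_KEYS = {  # standard CEF extension names the sample uses; other keys get the FTNTFGT prefix
    "srcip": "src", "dstip": "dst", "srcport": "spt", "dstport": "dpt",
    "srcintf": "deviceInboundInterface", "dstintf": "deviceOutboundInterface",
    "proto": "proto", "service": "app", "direction": "deviceDirection",
    "sessionid": "externalId", "action": "act", "hostname": "dhost",
    "url": "request", "msg": "msg",
}
NOT_IN_EXTENSION = {"date", "time", "type"}  # date/time ride on syslog, type goes into cat=
SEVERITY = {"information": 2}  # only the level on the page is known; others raise KeyError
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')  # key=value, value may be "quoted"

def parse_fortigate(line: str) -> dict:  # ordered dict; quotes around string values stripped
    return {k: v[1:-1] if v.startswith('"') else v for k, v in KV_RE.findall(line)}

def cef_escape(value: str) -> str:
    """CEF extension values must escape backslash, '=' and newlines."""
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def to_cef(line: str, serial: str, version: str = "v6.0.3") -> str:
    """Return the CEF line (without the syslog timestamp/host prefix) for one log."""
    f = parse_fortigate(line)
    sig_id = f["logid"][-5:]  # page: logid 1059028704 -> signature id 28704
    name = f'{f["type"]}:{f["subtype"]} {f["eventtype"]} {f["action"]}'
    header = "|".join(["CEF: 0", "Fortinet", "Fortigate", version, sig_id, name,
                       str(SEVERITY[f["level"]])])
    ext = [f"deviceExternalId={serial}", f"FTNTFGTlogid={f['logid']}",
           f"cat={f['type']}:{f['subtype']}"]
    for k, v in f.items():
        if k in NOT_IN_EXTENSION or k == "logid":
            continue
        if k == "direction":  # page: outgoing -> 1 (CEF deviceDirection: 0 inbound, 1 outbound)
            v = "1" if v == "outgoing" else "0"
        ext.append(f"{CEF_KEYS.get(k, 'FTNTFGT' + k)}={cef_escape(v)}")
    return header + "|" + " ".join(ext)

SAMPLE_LOG = (  # the page's disk log, wrapped for width
    'date=2018-12-27 time=14:28:08 logid="1059028704" type="utm" subtype="app-ctrl" '
    'eventtype="app-ctrl-all" level="information" vd="vdom1" eventtime=1545949688 appid=34050 '
    'srcip=10.1.100.11 dstip=104.80.89.24 srcport=56826 dstport=80 srcintf="port12" '
    'srcintfrole="undefined" dstintf="port11" dstintfrole="undefined" proto=6 service="HTTP" '
    'direction="outgoing" policyid=1 sessionid=12567 applist="g-default" appcat="Web.Client" '
    'app="HTTP.BROWSER_Firefox" action="pass" hostname="detectportal.firefox.com" '
    'incidentserialno=1702350499 url="/success.txt" msg="Web.Client: HTTP.BROWSER_Firefox," '
    'apprisk="elevated"')

if __name__ == "__main__":
    print(to_cef(SAMPLE_LOG, serial="FGT5HD3915800610"))  # serial as in the page's CEF sample
```

Running it prints the page's CEF line exactly, minus the leading syslog timestamp and host.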