WAF log support for CEF
The following is an example of a WAF log as stored on the FortiGate disk:
date=2018-12-27 time=14:55:20 logid="1203030258" type="utm" subtype="waf" eventtype="waf-http-constraint" level="warning" vd="vdom1" eventtime=1545951320 policyid=1 sessionid=13614 user="bob" profile="waf_test" srcip=10.1.100.11 srcport=57304 dstip=172.16.200.55 dstport=80 srcintf="port12" srcintfrole="lan" dstintf="port11" dstintfrole="wan" proto=6 service="HTTP" url="http://172.16.200.55/index.html?a=0123456789&b=0123456789&c=0123456789" severity="medium" action="passthrough" direction="request" agent="curl/7.47.0" constraint="url-param-num" rawdata="Method=GET|User-Agent=curl/7.47.0"
The following is an example of a WAF log sent in CEF format to a syslog server:
Dec 27 14:55:20 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|30258|utm:waf waf-http-constraint passthrough|4|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=1203030258 cat=utm:waf FTNTFGTsubtype=waf FTNTFGTeventtype=waf-http-constraint FTNTFGTlevel=warning FTNTFGTvd=vdom1 FTNTFGTeventtime=1545951320 FTNTFGTpolicyid=1 externalId=13614 duser=bob FTNTFGTprofile=waf_test src=10.1.100.11 spt=57304 dst=172.16.200.55 dpt=80 deviceInboundInterface=port12 FTNTFGTsrcintfrole=lan deviceOutboundInterface=port11 FTNTFGTdstintfrole=wan proto=6 app=HTTP request=http://172.16.200.55/index.html?a\=0123456789&b\=0123456789&c\=0123456789 FTNTFGTseverity=medium act=passthrough deviceDirection=0 requestClientApplication=curl/7.47.0 FTNTFGTconstraint=url-param-num FTNTFGTrawdata=Method\=GET|User-Agent\=curl/7.47.0
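The two records above carry the same event in two encodings, and the details that matter when a SIEM ingests the CEF form are easy to get wrong: the seven `|`-separated header fields, the `\=` escaping inside the `request` and `FTNTFGTrawdata` values, the literal `|` that is legal inside an extension value, the `cat=utm:waf` field that folds `type` and `subtype` together, and the renaming of native fields to standard CEF keys (`srcip` to `src`, `sessionid` to `externalId`, and so on) or to `FTNTFGT`-prefixed custom keys. The following added example (not Fortinet code) parses both lines, maps the CEF extension keys back to the native field names, and reports which native fields are missing from the CEF record and which values disagree. The key mapping is derived only from the sample above; the `deviceDirection` table likewise contains only the one value the sample shows.

```python
"""Parse a FortiGate WAF log in native key=value form and in CEF form, then
map the CEF extension keys back to native field names and compare the two.
Added example; not FortiGate or Fortinet code. Sample lines are copied from
the documentation text above."""
import re
from typing import Dict, List, Tuple

NATIVE_LINE = (
    'date=2018-12-27 time=14:55:20 logid="1203030258" type="utm" subtype="waf" '
    'eventtype="waf-http-constraint" level="warning" vd="vdom1" eventtime=1545951320 '
    'policyid=1 sessionid=13614 user="bob" profile="waf_test" srcip=10.1.100.11 '
    'srcport=57304 dstip=172.16.200.55 dstport=80 srcintf="port12" srcintfrole="lan" '
    'dstintf="port11" dstintfrole="wan" proto=6 service="HTTP" '
    'url="http://172.16.200.55/index.html?a=0123456789&b=0123456789&c=0123456789" '
    'severity="medium" action="passthrough" direction="request" agent="curl/7.47.0" '
    'constraint="url-param-num" rawdata="Method=GET|User-Agent=curl/7.47.0"'
)
CEF_LINE = (
    r"Dec 27 14:55:20 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|30258|"
    r"utm:waf waf-http-constraint passthrough|4|deviceExternalId=FGT5HD3915800610 "
    r"FTNTFGTlogid=1203030258 cat=utm:waf FTNTFGTsubtype=waf "
    r"FTNTFGTeventtype=waf-http-constraint FTNTFGTlevel=warning FTNTFGTvd=vdom1 "
    r"FTNTFGTeventtime=1545951320 FTNTFGTpolicyid=1 externalId=13614 duser=bob "
    r"FTNTFGTprofile=waf_test src=10.1.100.11 spt=57304 dst=172.16.200.55 dpt=80 "
    r"deviceInboundInterface=port12 FTNTFGTsrcintfrole=lan deviceOutboundInterface=port11 "
    r"FTNTFGTdstintfrole=wan proto=6 app=HTTP "
    r"request=http://172.16.200.55/index.html?a\=0123456789&b\=0123456789&c\=0123456789 "
    r"FTNTFGTseverity=medium act=passthrough deviceDirection=0 "
    r"requestClientApplication=curl/7.47.0 FTNTFGTconstraint=url-param-num "
    r"FTNTFGTrawdata=Method\=GET|User-Agent\=curl/7.47.0"
)

CEF_HEADER_FIELDS = ["version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity"]

# Standard CEF extension keys -> native FortiGate field names, as seen in the sample.
CEF_TO_NATIVE = {
    "src": "srcip", "spt": "srcport", "dst": "dstip", "dpt": "dstport",
    "externalId": "sessionid", "duser": "user", "app": "service", "request": "url",
    "deviceInboundInterface": "srcintf", "deviceOutboundInterface": "dstintf",
    "act": "action", "requestClientApplication": "agent",
}
# deviceDirection values: the sample shows only request -> 0 (assumption: no others).
DIRECTION = {"0": "request"}


def parse_native(line: str) -> Dict[str, str]:
    """Split native key=value pairs; quoted values may contain spaces and '='."""
    fields: Dict[str, str] = {}
    for m in re.finditer(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)', line):
        key, value = m.group(1), m.group(2)
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def _unescape(value: str) -> str:
    # CEF escapes '=' and '\' in extension values (and '|' in the header) with '\'.
    return re.sub(r"\\(.)", r"\1", value)


def parse_cef(line: str) -> Dict[str, object]:
    """Return {'header': {...}, 'extension': {...}} for one CEF syslog line."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    body = line[start + 4:].lstrip()
    header: List[str] = []
    cur: List[str] = []
    i = 0
    # The header is the first seven '|'-separated fields; a literal '|' is '\|'.
    while i < len(body) and len(header) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1]); i += 2
        elif ch == "|":
            header.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(header) != 7:
        raise ValueError("malformed CEF header")
    extension = body[i:]
    # Keys start the extension or follow whitespace; '\=' inside a value does not
    # start a new key, and a bare '|' inside a value is left alone.
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", extension))
    ext: Dict[str, str] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(extension)
        ext[m.group(1)] = _unescape(extension[m.end():end].strip())
    return {"header": dict(zip(CEF_HEADER_FIELDS, header)), "extension": ext}


def cef_to_native(cef: Dict[str, object]) -> Dict[str, str]:
    """Rename CEF extension keys to FortiGate native field names."""
    out: Dict[str, str] = {}
    for key, value in cef["extension"].items():  # type: ignore[union-attr]
        if key in CEF_TO_NATIVE:
            out[CEF_TO_NATIVE[key]] = value
        elif key == "cat":                 # cat=utm:waf carries type and subtype
            out["type"], _, out["subtype"] = value.partition(":")
        elif key == "deviceDirection":
            out["direction"] = DIRECTION.get(value, value)
        elif key.startswith("FTNTFGT"):    # vendor-prefixed keys keep the native name
            out[key[len("FTNTFGT"):]] = value
        else:                              # e.g. proto, deviceExternalId
            out[key] = value
    return out


def compare(native: Dict[str, str], mapped: Dict[str, str]) -> Tuple[List[str], Dict[str, Tuple[str, str]]]:
    """Native fields absent from the CEF record, and fields whose values differ."""
    missing = [k for k in native if k not in mapped]
    mismatched = {k: (native[k], mapped[k]) for k in native if k in mapped and native[k] != mapped[k]}
    return missing, mismatched


if __name__ == "__main__":
    cef = parse_cef(CEF_LINE)
    missing, mismatched = compare(parse_native(NATIVE_LINE), cef_to_native(cef))
    print("CEF header:", cef["header"])
    print("native fields not carried in the CEF extension:", missing)
    print("value mismatches:", mismatched)
```

Run against the two sample lines, the only native fields without a counterpart in the CEF extension are `date` and `time` (the event time survives as `FTNTFGTeventtime` and in the syslog prefix), and no mapped value disagrees once `\=` is unescaped. Dropping this comparison into a SIEM parser's test suite catches the common regressions: splitting the URL on the escaped `=`, truncating `FTNTFGTrawdata` at the `|`, or reading `cat` as a single opaque string.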