
FortiOS Log Message Reference

Log message fields

Each log message consists of several sections of fields. In the FortiOS GUI, you can view the logs in the Log & Report pane, which displays the formatted view. If you want to view logs in raw format, you must download the log and view it in a text editor.

Following is an example of a traffic log message in raw format:

date=2017-11-15 time=11:44:16 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1510775056 srcip=10.1.100.155 srcname="pc1" srcport=40772 srcintf="port12" srcintfrole="undefined" dstip=35.197.51.42 dstname="fortiguard.com" dstport=443 dstintf="port11" dstintfrole="undefined" poluuid="707a0d88-c972-51e7-bbc7-4d421660557b" sessionid=8058 proto=6 action="close" policyid=1 policytype="policy" policymode="learn" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=40772 appid=40568 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" duration=2 sentbyte=1850 rcvdbyte=39898 sentpkt=25 rcvdpkt=37 utmaction="allow" countapp=1 devtype="Linux PC" osname="Linux" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=0-220586

The following table shows, for each log field, its name in the detailed view of the Log & Report pane in the FortiOS GUI, its raw field name in the downloaded log file, a description, and an example value in raw format.

GUI Field Name (Raw Field Name): Field Description
    Example Field Value in Raw Format

General

Date (date): Day, month, and year when the log message was recorded.
    date=2017-11-15

Time (time): Time of day when the log message was recorded.
    time=11:44:16

Duration (seconds): Duration of the session, in seconds.
    duration=2

Session ID (sessionid): ID for the session.
    sessionid=8058

Virtual Domain (vd): Name of the virtual domain in which the log message was recorded.
    vd="vdom1"

NAT Translation (transport): NAT source port.
    transport=40772

Source

IP (srcip): IP address of the traffic's origin. The source varies by direction:
  • In HTTP requests, this is the web browser or other client.
  • In HTTP responses, this is the physical server.
    srcip=10.1.100.155

NAT IP (transip): NAT source IP.
    transip=172.16.200.2

Source Port (srcport): Port number of the traffic's origin.
    srcport=40772

Country (srccountry): Name of the source country.
    srccountry="Reserved"

Source Interface (srcintf): Interface name of the traffic's origin.
    srcintf="port12"

Source Name (srcname): Name of the source.
    srcname="pc1"

Source Interface Name (srcintfrole): Name of the source interface.
    srcintfrole="undefined"

Device Type (devtype): Device type of the source.
    devtype="Linux PC"

OS Name (osname): OS of the source.
    osname="Linux"

Master Source MAC (mastersrcmac): The master MAC address for a host that has multiple network interfaces.
    mastersrcmac="a2:e9:00:ec:40:01"

Source MAC (srcmac): MAC address associated with the source IP address.
    srcmac="a2:e9:00:ec:40:01"

Source Server (srcserver): Server of the source.
    srcserver=0

Device ID (devid): Serial number of the device for the traffic's origin.
    devid="FGVM02Q105060010"

Destination

IP (dstip): Destination IP address for the web.
    dstip=35.197.51.42

Port (dstport): Port number of the traffic's destination.
    dstport=443

Country (dstcountry): Name of the destination country.
    dstcountry="United States"

Destination Interface (dstintf): Interface of the traffic's destination.
    dstintf="port11"

Destination Name (dstname): Name of the destination.
    dstname="fortiguard.com"

Destination Interface Name (dstintfrole): Name of the destination interface.
    dstintfrole="undefined"

Application

Application Name (app): Name of the application.
    app="HTTPS.BROWSER"

Category (appcat): Category of the application.
    appcat="Web.Client"

Service (service): Name of the service.
    service="HTTPS"

Application ID (appid): ID of the application.
    appid=40568

Application Risk (apprisk): Risk level of the application.
    apprisk="medium"

countapp: Number of App Ctrl logs associated with the session.
    countapp=1

Data

Received bytes (rcvdbyte): Number of bytes received.
    rcvdbyte=39898

Received packets (rcvdpkt): Number of packets received.
    rcvdpkt=37

Sent bytes (sentbyte): Number of bytes sent.
    sentbyte=1850

Sent packets (sentpkt): Number of packets sent.
    sentpkt=25

Action

Action (action): Status of the session. Uses the following definitions:
  • Deny: blocked by firewall policy.
  • Start: session start log (special option to enable logging at the start of a session). This means the firewall allowed the session.
  • All others: allowed by firewall policy; the status indicates how the session was closed.
    action=close

Policy (policyid): Name of the firewall policy governing the traffic which caused the log message.
    policyid=1

Policy UUID (poluuid): UUID for the firewall policy.
    poluuid="707a0d88-c972-51e7-bbc7-4d421660557b"

Policy Type (policytype):
    policytype="policy"

Policy Mode (policymode): Firewall policy mode.
    policymode="learn"

Security

Level (level): Security level rating.
    level="notice"

Other

Event Time (eventtime): Epoch time at which the log was triggered by the FortiGate. If you convert the epoch time to human-readable time, it might not match the Date and Time in the header, owing to a small delay between the time the log was triggered and the time it was recorded. The Log Time field is the same for the same log among all log devices, but the Date and Time might differ.
    eventtime=1510775056

Protocol Number (proto): The protocol used by the web traffic (tcp by default).
    proto=6

Type (type): Log type. See Type.
    type="traffic"

Log ID (logid): Log ID. See Log ID definitions.
    logid="0000000013"

Sub Type (subtype): Subtype of the traffic. See Subtype.
    subtype="forward"

trandisp: NAT translation type.
    trandisp="snat"

UTM Action (utmaction): Security action performed by UTM.
    utmaction="allow"

UTM Reference (utmref): UTM reference number.
    utmref=0-220586
