Fortinet black logo

FortiOS Log Message Reference

Home FortiGate / FortiOS 6.0.3 FortiOS Log Message Reference

Anomaly log support for CEF

6.0.3
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
6.2.16
6.2.15
6.2.14
6.2.13
6.2.12
6.2.11
6.2.10
6.2.9
6.2.8
6.2.7
6.2.6
6.2.5
6.2.4
6.2.3
6.2.2
6.2.1
6.2.0
6.0.18
6.0.17
6.0.16
6.0.15
6.0.14
6.0.13
6.0.12
6.0.11
6.0.10
6.0.9
6.0.8
6.0.7
6.0.6
6.0.5
6.0.4
6.0.3
6.0.2
6.0.1
6.0.0
5.6.14
5.6.13
5.6.12
5.6.11
5.6.10
5.6.9
5.6.8
5.6.7
5.6.6
5.6.5
5.6.4
5.6.3
5.6.2
5.6.1
5.6.0
5.4.13
5.4.12
5.4.11
5.4.9
5.4.8
5.4.7
5.4.6
5.4.5
5.4.4
5.4.3
5.4.2
5.4.1
5.4.0
5.2.15
5.2.14
5.2.13
5.2.12
5.2.11
5.2.10
5.2.8
5.2.7
5.2.6
5.2.5
5.2.4
5.2.3
5.2.2
5.2.1
Copy Link
Copy Doc ID a4334546-1a1b-11e9-9685-f8bc1258b856:121361
Download PDF

Anomaly log support for CEF

Following is an example of an anomaly log on the FortiGate disk:

date=2016-02-12 time=14:10:42 logid=0720018433 type=anomaly subtype=anomaly level=alert vd="vdom1" severity=critical srcip=192.168.1.183 dstip=192.168.70.184 srcintf="port15" sessionid=0 action=clear_session proto=1 service="icmp/146/81" count=306 attack="icmp_flood" dstport=20882 icmptype=0x92 icmpcode=0x51 attackid=16777316 profile="DoS-policy1" ref="http://www.fortinet.com/ids/VID16777316"

msg="anomaly: icmp_flood, 34 > threshold 25, repeats 306 times" crscore=50 crlevel=critical

Following is an example of an anomaly log sent in CEF format to a syslog server:

Feb 12 14:10:42 syslog-800c CEF:0|Fortinet|Fortigate|v5.6.0|18433|anomaly:anomaly clear_session|7|FTNTFGTlogid=0720018433 cat=anomaly:anomaly FTNTFGTsubtype=anomaly FTNTFGTlevel=alert FTNTFGTvd=vdom1 FTNTFGTseverity=critical src=192 168 1 183 dst=192 168 70 184 deviceInboundInterface=port15 externalId=0 act=clear_session proto=1 app=icmp/146/81 cnt=306 FTNTFGTattack=icmp_flood dpt=20882 FTNTFGTicmptype=0x92

FTNTFGTicmpcode=0x51 FTNTFGTattackid=16777316 FTNTFGTprofile=DoS-policy1 cs2=http://www.fortinet.com/ids/VID16777316 cs2Label=Reference msg=anomaly: icmp_flood, 34 > threshold 25, repeats 306 times FTNTFGTcrscore=50 FTNTFGTcrlevel=critical

The following table maps FortiOS log field names to CEF field names.

FortiOS Log Field Name

CEF Field Name

count

cnt
Previous
Next

Anomaly log support for CEF

Following is an example of an anomaly log on the FortiGate disk:

date=2016-02-12 time=14:10:42 logid=0720018433 type=anomaly subtype=anomaly level=alert vd="vdom1" severity=critical srcip=192.168.1.183 dstip=192.168.70.184 srcintf="port15" sessionid=0 action=clear_session proto=1 service="icmp/146/81" count=306 attack="icmp_flood" dstport=20882 icmptype=0x92 icmpcode=0x51 attackid=16777316 profile="DoS-policy1" ref="http://www.fortinet.com/ids/VID16777316"

msg="anomaly: icmp_flood, 34 > threshold 25, repeats 306 times" crscore=50 crlevel=critical

Following is an example of an anomaly log sent in CEF format to a syslog server:

Feb 12 14:10:42 syslog-800c CEF:0|Fortinet|Fortigate|v5.6.0|18433|anomaly:anomaly clear_session|7|FTNTFGTlogid=0720018433 cat=anomaly:anomaly FTNTFGTsubtype=anomaly FTNTFGTlevel=alert FTNTFGTvd=vdom1 FTNTFGTseverity=critical src=192 168 1 183 dst=192 168 70 184 deviceInboundInterface=port15 externalId=0 act=clear_session proto=1 app=icmp/146/81 cnt=306 FTNTFGTattack=icmp_flood dpt=20882 FTNTFGTicmptype=0x92

FTNTFGTicmpcode=0x51 FTNTFGTattackid=16777316 FTNTFGTprofile=DoS-policy1 cs2=http://www.fortinet.com/ids/VID16777316 cs2Label=Reference msg=anomaly: icmp_flood, 34 > threshold 25, repeats 306 times FTNTFGTcrscore=50 FTNTFGTcrlevel=critical

The following table maps FortiOS log field names to CEF field names.

FortiOS Log Field Name

CEF Field Name

count

cnt
Previous
Next