Event log system subtype support for CEF
The following is an example of a system subtype log as stored on the FortiGate disk:
date=2016-02-12 time=10:48:12 logid=0100032001 type=event subtype=system level=information vd="vdom1" logdesc="Admin login successful" sn=1455302892 user="admin" ui=console action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from console"
The following is the same system subtype log as sent in CEF format to a syslog server:
Feb 12 10:48:12 syslog-800c CEF:0|Fortinet|Fortigate|v5.6.0|32001|event:system login success|2|FTNTFGTlogid=0100032001 cat=event:system FTNTFGTsubtype=system FTNTFGTlevel=information FTNTFGTvd=vdom1 FTNTFGTlogdesc=Admin login successful FTNTFGTsn=1455302892 duser=admin sproc=console act=login outcome=success reason=none FTNTFGTprofile=super_admin msg=Administrator admin logged in successfully from console
The following table maps FortiOS log field names to CEF field names.
| FortiOS Log Field Name | CEF Field Name |
|---|---|
| msg | msg |
| cookies | requestCookies |
| user | duser |
| group | cs6 |
| status | outcome |
| role | sourceServiceName |
| ui | sproc |
| reason | reason |
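As an added example (not Fortinet's code), the following Python parser splits the CEF record shown above into its header and extension fields and renames the extension keys back to their FortiOS names using the table. It assumes that vendor-specific keys are always the FortiOS name prefixed with `FTNTFGT` (as in the sample) and only handles the basic CEF escapes; note that FortiGate does not quote extension values, so a value such as `FTNTFGTlogdesc=Admin login successful` runs until the next `key=` token.

```python
import re

# Field mapping taken from the table on this page (FortiOS name -> CEF name).
FORTIOS_TO_CEF = {
    "msg": "msg", "cookies": "requestCookies", "user": "duser", "group": "cs6",
    "status": "outcome", "role": "sourceServiceName", "ui": "sproc", "reason": "reason",
}
CEF_TO_FORTIOS = {cef: fos for fos, cef in FORTIOS_TO_CEF.items()}

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Constructed from the CEF sample on this page, syslog prefix included.
SAMPLE = ("Feb 12 10:48:12 syslog-800c CEF:0|Fortinet|Fortigate|v5.6.0|32001|"
          "event:system login success|2|FTNTFGTlogid=0100032001 cat=event:system "
          "FTNTFGTsubtype=system FTNTFGTlevel=information FTNTFGTvd=vdom1 "
          "FTNTFGTlogdesc=Admin login successful FTNTFGTsn=1455302892 duser=admin "
          "sproc=console act=login outcome=success reason=none "
          "FTNTFGTprofile=super_admin msg=Administrator admin logged in successfully from console")

def parse_cef(line):
    """Split a CEF record into its 7 header fields and a dict of extension keys."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    body = line[start + len("CEF:"):]
    # The header is 7 '|'-separated fields; '\|' is an escaped pipe inside a field.
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = {k: v.replace("\\|", "|") for k, v in zip(HEADER_FIELDS, parts[:7])}
    # Extension values are unquoted and may contain spaces (FTNTFGTlogdesc, msg),
    # so each value runs until the next " key=" token or the end of the line.
    ext = {}
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        ext[m.group(1)] = m.group(2).replace("\\=", "=")
    return header, ext

def to_fortios(ext):
    """Rename CEF extension keys to FortiOS names: table entries via the mapping,
    vendor keys by dropping the assumed FTNTFGT prefix, anything else unchanged."""
    out = {}
    for key, value in ext.items():
        if key.startswith("FTNTFGT"):
            out[key[len("FTNTFGT"):]] = value
        else:
            out[CEF_TO_FORTIOS.get(key, key)] = value
    return out

if __name__ == "__main__":
    hdr, ext = parse_cef(SAMPLE)
    print(hdr["signature_id"], hdr["name"], hdr["severity"])
    print(to_fortios(ext))
```

Keys the table does not list (for example `act` and `cat`) are passed through unchanged, so a detection rule written against FortiOS names can still see them.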