FortiOS Log Message Reference

Event log support for CEF

The following table maps FortiOS log field names to CEF field names.

FortiOS Log Field Name    CEF Field Name
msg                       msg
cookies                   requestCookies
user                      duser
status                    outcome
role                      sourceServiceName
ui                        sproc
reason                    reason
action                    act

system subtype

The following is an example of a system subtype event log on the FortiGate disk:

date=2018-12-27 time=11:15:40 logid="0100032002" type="event" subtype="system" level="alert" vd="vdom1" eventtime=1545938140 logdesc="Admin login failed" sn="0" user="admin1" ui="https(172.16.200.254)" method="https" srcip=172.16.200.254 dstip=172.16.200.1 action="login" status="failed" reason="name_invalid" msg="Administrator admin1 login failed from https(172.16.200.254) because of invalid user name"

The following is an example of a system subtype event log sent in CEF format to a syslog server:

Dec 27 11:15:40 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|32002|event:system login failed|7|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0100032002 cat=event:system FTNTFGTsubtype=system FTNTFGTlevel=alert FTNTFGTvd=vdom1 FTNTFGTeventtime=1545938140 FTNTFGTlogdesc=Admin login failed FTNTFGTsn=0 duser=admin1 sproc=https(172.16.200.254) FTNTFGTmethod=https src=172.16.200.254 dst=172.16.200.1 act=login outcome=failed reason=name_invalid msg=Administrator admin1 login failed from https(172.16.200.254) because of invalid user name

user subtype

The following is an example of a user subtype log on the FortiGate disk:

date=2018-12-27 time=11:17:35 logid="0102043008" type="event" subtype="user" level="notice" vd="vdom1" eventtime=1545938255 logdesc="Authentication success" srcip=10.1.100.11 dstip=172.16.200.55 policyid=1 interface="port12" user="bob" group="N/A" authproto="TELNET(10.1.100.11)" action="authentication" status="success" reason="N/A" msg="User bob succeeded in authentication"

The following is an example of a user subtype log sent in CEF format to a syslog server:

Dec 27 11:17:35 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|43008|event:user authentication success|3|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0102043008 cat=event:user FTNTFGTsubtype=user FTNTFGTlevel=notice FTNTFGTvd=vdom1 FTNTFGTeventtime=1545938255 FTNTFGTlogdesc=Authentication success src=10.1.100.11 dst=172.16.200.55 FTNTFGTpolicyid=1 deviceInboundInterface=port12 duser=bob FTNTFGTgroup=N/A FTNTFGTauthproto=TELNET(10.1.100.11) act=authentication outcome=success reason=N/A msg=User bob succeeded in authentication
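As an added example (not code from the Fortinet documentation), the following Python script parses both record formats shown on this page and checks that applying the field mapping to the on-disk record reproduces the CEF extension. The srcip/dstip/interface renames and the FTNTFGT prefix for fields outside the table are inferred from the two example pairs, not stated in the table, so treat them as assumptions.

```python
import re

# Constructed sample: the system-subtype record pair quoted on this page.
SYSTEM_DISK = 'date=2018-12-27 time=11:15:40 logid="0100032002" type="event" subtype="system" level="alert" vd="vdom1" eventtime=1545938140 logdesc="Admin login failed" sn="0" user="admin1" ui="https(172.16.200.254)" method="https" srcip=172.16.200.254 dstip=172.16.200.1 action="login" status="failed" reason="name_invalid" msg="Administrator admin1 login failed from https(172.16.200.254) because of invalid user name"'
SYSTEM_CEF = 'Dec 27 11:15:40 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|32002|event:system login failed|7|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0100032002 cat=event:system FTNTFGTsubtype=system FTNTFGTlevel=alert FTNTFGTvd=vdom1 FTNTFGTeventtime=1545938140 FTNTFGTlogdesc=Admin login failed FTNTFGTsn=0 duser=admin1 sproc=https(172.16.200.254) FTNTFGTmethod=https src=172.16.200.254 dst=172.16.200.1 act=login outcome=failed reason=name_invalid msg=Administrator admin1 login failed from https(172.16.200.254) because of invalid user name'

# Table mapping plus the srcip/dstip/interface renames seen only in the examples (assumed);
# every other FortiOS field keeps its own name under the FTNTFGT vendor prefix.
FIELD_MAP = {
    "msg": "msg", "cookies": "requestCookies", "user": "duser", "status": "outcome",
    "role": "sourceServiceName", "ui": "sproc", "reason": "reason", "action": "act",
    "srcip": "src", "dstip": "dst", "interface": "deviceInboundInterface",
}
PREFIX = "FTNTFGT"
FORTI_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
CEF_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")          # CEF values may contain spaces

def parse_fortios(line):
    """Disk format: space-separated key=value pairs, values optionally double-quoted."""
    rec = {}
    for key, val in FORTI_KV.findall(line):
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec

def parse_cef(line):
    """Split a syslog-wrapped CEF line into its 7 header fields and the extension dict.
    Keys are found at 'word=' boundaries (msg holds spaces); pipe escaping is not needed here."""
    parts = line.partition("CEF:")[2].strip().split("|", 7)
    header = dict(zip(("version", "vendor", "product", "device_version",
                       "signature_id", "name", "severity"), parts))
    ext_str, ext = (parts[7] if len(parts) > 7 else ""), {}
    keys = list(CEF_KEY.finditer(ext_str))
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext_str)
        ext[m.group(1)] = ext_str[m.end():end].strip()
    return header, ext

def fortios_to_cef_ext(rec):
    """Apply the mapping; date/time ride in the syslog header, type+subtype become cat."""
    ext = {"cat": f"{rec.get('type', '')}:{rec.get('subtype', '')}"}
    for key, val in rec.items():
        if key not in ("date", "time", "type"):
            ext[FIELD_MAP.get(key, PREFIX + key)] = val
    return ext

def mapping_matches(disk_line, cef_line):
    """True if mapping the disk record reproduces the CEF extension. deviceExternalId
    is the unit's serial number, which the on-disk record does not carry."""
    _, ext = parse_cef(cef_line)
    ext.pop("deviceExternalId", None)
    return fortios_to_cef_ext(parse_fortios(disk_line)) == ext
```

Running mapping_matches over a sample of live records is a quick way to confirm that a syslog collector's CEF parser and a disk-log parser will land the same event in the same fields.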
