Fortinet black logo

FortiOS Log Message Reference

Traffic log support for CEF

Traffic log support for CEF

The following is an example of a traffic log on the FortiGate disk:

date=2018-12-27 time=11:07:55 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1545937675 srcip=10.1.100.11 srcport=54190 srcintf="port12" srcintfrole="undefined" dstip=52.53.140.235 dstport=443 dstintf="port11" dstintfrole="undefined" poluuid="c2d460aa-fe6f-51e8-9505-41b5117dfdd4" sessionid=402 proto=6 action="close" policyid=1 policytype="policy" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.1 transport=54190 appid=40568 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" applist="g-default" duration=2 sentbyte=3652 rcvdbyte=146668 sentpkt=58 rcvdpkt=105 utmaction="allow" countapp=2 utmref=65532-56

The following is an example of a traffic log sent in CEF format to a syslog server:

Dec 27 11:07:55 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|00013|traffic:forward close|3|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=vdom1 FTNTFGTeventtime=1545937675 src=10.1.100.11 spt=54190 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined dst=52.53.140.235 dpt=443 deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined FTNTFGTpoluuid=c2d460aa-fe6f-51e8-9505-41b5117dfdd4 externalId=402 proto=6 act=close FTNTFGTpolicyid=1 FTNTFGTpolicytype=policy app=HTTPS FTNTFGTdstcountry=United States FTNTFGTsrccountry=Reserved FTNTFGTtrandisp=snat sourceTranslatedAddress=172.16.200.1 sourceTranslatedPort=54190 FTNTFGTappid=40568 FTNTFGTapp=HTTPS.BROWSER FTNTFGTappcat=Web.Client FTNTFGTapprisk=medium FTNTFGTapplist=g-default FTNTFGTduration=2 out=3652 in=146668 FTNTFGTsentpkt=58 FTNTFGTrcvdpkt=105 FTNTFGTutmaction=allow FTNTFGTcountapp=2

The following table maps FortiOS log field names to CEF field names.

FortiOS Log Field Name

CEF Field Name

type: subtype

cat

srcip

src

srcport

spt

srcintf

deviceInboundInterface

dstip

dst

dstport

dpt

dstintf

deviceOutboundInterface

sessionid

externalID

proto

proto

action

act

transip

sourceTranslatedAddress

transport

sourceTranslatedPort

service

app

sentbyte

out

rcvdbyte

in

Custom fields

To configure the traffic log with custom fields, enter the following CLI commands:

config log custom-field

edit 1

set name "custom_name1"

set value "HN123456"

next

edit 2

set name "custom_name2"

set value "accounting_dpt"

next

end

config firewall policy

edit 1

set name "A-v4-out"

set uuid c2d460aa-fe6f-51e8-9505-41b5117dfdd4

set srcintf "port12"

set dstintf "port11"

set srcaddr "all"

set dstaddr "all"

set action accept

set schedule "always"

set service "ALL"

set utm-status enable

set logtraffic all

set custom-log-fields "1" "2"

set application-list "g-default"

set ssl-ssh-profile "certificate-inspection"

set nat enable

next

end

The following is an example of a traffic log with custom fields on the FortiGate disk:

date=2018-12-27 time=11:12:30 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1545937950 srcip=10.1.100.11 srcport=58843 srcintf="port12" srcintfrole="undefined" dstip=172.16.200.55 dstport=53 dstintf="port11" dstintfrole="undefined" poluuid="c2d460aa-fe6f-51e8-9505-41b5117dfdd4" sessionid=440 proto=17 action="accept" policyid=1 policytype="policy" service="DNS" dstcountry="Reserved" srccountry="Reserved" trandisp="snat" transip=172.16.200.1 transport=58843 appid=16195 app="DNS" appcat="Network.Service" apprisk="elevated" applist="g-default" duration=180 sentbyte=70 rcvdbyte=528 sentpkt=1 rcvdpkt=1 custom_name1="HN123456" custom_name2="accounting_dpt"

The following is an example of a traffic log with custom fields sent in CEF format to a syslog server:

Dec 27 11:12:30 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|00013|traffic:forward accept|3|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=vdom1 FTNTFGTeventtime=1545937950 src=10.1.100.11 spt=58843 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined dst=172.16.200.55 dpt=53 deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined FTNTFGTpoluuid=c2d460aa-fe6f-51e8-9505-41b5117dfdd4 externalId=440 proto=17 act=accept FTNTFGTpolicyid=1 FTNTFGTpolicytype=policy app=DNS FTNTFGTdstcountry=Reserved FTNTFGTsrccountry=Reserved FTNTFGTtrandisp=snat sourceTranslatedAddress=172.16.200.1 sourceTranslatedPort=58843 FTNTFGTappid=16195 FTNTFGTapp=DNS FTNTFGTappcat=Network.Service FTNTFGTapprisk=elevated FTNTFGTapplist=g-default FTNTFGTduration=180 out=70 in=528 FTNTFGTsentpkt=1 FTNTFGTrcvdpkt=1 FTNTFGTcustom_name1=HN123456 FTNTFGTcustom_name2=accounting_dpt

The following table maps FortiOS custom log field names to CEF field names.

FortiOS Log Field Name

CEF Field Name

custom_name1

FTNTFGTcustom_name1

custom_name2

FTNTFGTcustom_name2

Traffic log support for CEF

The following is an example of a traffic log on the FortiGate disk:

date=2018-12-27 time=11:07:55 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1545937675 srcip=10.1.100.11 srcport=54190 srcintf="port12" srcintfrole="undefined" dstip=52.53.140.235 dstport=443 dstintf="port11" dstintfrole="undefined" poluuid="c2d460aa-fe6f-51e8-9505-41b5117dfdd4" sessionid=402 proto=6 action="close" policyid=1 policytype="policy" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.1 transport=54190 appid=40568 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" applist="g-default" duration=2 sentbyte=3652 rcvdbyte=146668 sentpkt=58 rcvdpkt=105 utmaction="allow" countapp=2 utmref=65532-56

The following is an example of a traffic log sent in CEF format to a syslog server:

Dec 27 11:07:55 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|00013|traffic:forward close|3|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=vdom1 FTNTFGTeventtime=1545937675 src=10.1.100.11 spt=54190 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined dst=52.53.140.235 dpt=443 deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined FTNTFGTpoluuid=c2d460aa-fe6f-51e8-9505-41b5117dfdd4 externalId=402 proto=6 act=close FTNTFGTpolicyid=1 FTNTFGTpolicytype=policy app=HTTPS FTNTFGTdstcountry=United States FTNTFGTsrccountry=Reserved FTNTFGTtrandisp=snat sourceTranslatedAddress=172.16.200.1 sourceTranslatedPort=54190 FTNTFGTappid=40568 FTNTFGTapp=HTTPS.BROWSER FTNTFGTappcat=Web.Client FTNTFGTapprisk=medium FTNTFGTapplist=g-default FTNTFGTduration=2 out=3652 in=146668 FTNTFGTsentpkt=58 FTNTFGTrcvdpkt=105 FTNTFGTutmaction=allow FTNTFGTcountapp=2

The following table maps FortiOS log field names to CEF field names.

FortiOS Log Field Name

CEF Field Name

type: subtype

cat

srcip

src

srcport

spt

srcintf

deviceInboundInterface

dstip

dst

dstport

dpt

dstintf

deviceOutboundInterface

sessionid

externalID

proto

proto

action

act

transip

sourceTranslatedAddress

transport

sourceTranslatedPort

service

app

sentbyte

out

rcvdbyte

in

Custom fields

To configure the traffic log with custom fields, enter the following CLI commands:

config log custom-field

edit 1

set name "custom_name1"

set value "HN123456"

next

edit 2

set name "custom_name2"

set value "accounting_dpt"

next

end

config firewall policy

edit 1

set name "A-v4-out"

set uuid c2d460aa-fe6f-51e8-9505-41b5117dfdd4

set srcintf "port12"

set dstintf "port11"

set srcaddr "all"

set dstaddr "all"

set action accept

set schedule "always"

set service "ALL"

set utm-status enable

set logtraffic all

set custom-log-fields "1" "2"

set application-list "g-default"

set ssl-ssh-profile "certificate-inspection"

set nat enable

next

end

The following is an example of a traffic log with custom fields on the FortiGate disk:

date=2018-12-27 time=11:12:30 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1545937950 srcip=10.1.100.11 srcport=58843 srcintf="port12" srcintfrole="undefined" dstip=172.16.200.55 dstport=53 dstintf="port11" dstintfrole="undefined" poluuid="c2d460aa-fe6f-51e8-9505-41b5117dfdd4" sessionid=440 proto=17 action="accept" policyid=1 policytype="policy" service="DNS" dstcountry="Reserved" srccountry="Reserved" trandisp="snat" transip=172.16.200.1 transport=58843 appid=16195 app="DNS" appcat="Network.Service" apprisk="elevated" applist="g-default" duration=180 sentbyte=70 rcvdbyte=528 sentpkt=1 rcvdpkt=1 custom_name1="HN123456" custom_name2="accounting_dpt"

The following is an example of a traffic log with custom fields sent in CEF format to a syslog server:

Dec 27 11:12:30 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|00013|traffic:forward accept|3|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=vdom1 FTNTFGTeventtime=1545937950 src=10.1.100.11 spt=58843 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined dst=172.16.200.55 dpt=53 deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined FTNTFGTpoluuid=c2d460aa-fe6f-51e8-9505-41b5117dfdd4 externalId=440 proto=17 act=accept FTNTFGTpolicyid=1 FTNTFGTpolicytype=policy app=DNS FTNTFGTdstcountry=Reserved FTNTFGTsrccountry=Reserved FTNTFGTtrandisp=snat sourceTranslatedAddress=172.16.200.1 sourceTranslatedPort=58843 FTNTFGTappid=16195 FTNTFGTapp=DNS FTNTFGTappcat=Network.Service FTNTFGTapprisk=elevated FTNTFGTapplist=g-default FTNTFGTduration=180 out=70 in=528 FTNTFGTsentpkt=1 FTNTFGTrcvdpkt=1 FTNTFGTcustom_name1=HN123456 FTNTFGTcustom_name2=accounting_dpt

The following table maps FortiOS custom log field names to CEF field names.

FortiOS Log Field Name

CEF Field Name

custom_name1

FTNTFGTcustom_name1

custom_name2

FTNTFGTcustom_name2