IPS log support for CEF
The following is an example of an IPS log on the FortiGate disk:
date=2018-12-27 time=11:28:07 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" eventtime=1545938887 severity="info" srcip=172.16.200.55 srccountry="Reserved" dstip=10.1.100.11 srcintf="port11" srcintfrole="undefined" dstintf="port12" dstintfrole="undefined" sessionid=901 action="reset" proto=6 service="HTTP" policyid=1 attack="Eicar.Virus.Test.File" srcport=80 dstport=44362 hostname="172.16.200.55" url="/virus/eicar.com" direction="incoming" attackid=29844 profile="test-ips" ref="http://www.fortinet.com/ids/VID29844" user="bob" incidentserialno=877326946 msg="file_transfer: Eicar.Virus.Test.File,"
The following is the same IPS log as sent in CEF format to a syslog server:
Dec 27 11:28:07 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|16384|utm:ips signature reset|7|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0419016384 cat=utm:ips FTNTFGTsubtype=ips FTNTFGTeventtype=signature FTNTFGTlevel=alert FTNTFGTvd=vdom1 FTNTFGTeventtime=1545938887 FTNTFGTseverity=info src=172.16.200.55 FTNTFGTsrccountry=Reserved dst=10.1.100.11 deviceInboundInterface=port11 FTNTFGTsrcintfrole=undefined deviceOutboundInterface=port12 FTNTFGTdstintfrole=undefined externalId=901 act=reset proto=6 app=HTTP FTNTFGTpolicyid=1 FTNTFGTattack=Eicar.Virus.Test.File spt=80 dpt=44362 dhost=172.16.200.55 request=/virus/eicar.com deviceDirection=0 FTNTFGTattackid=29844 FTNTFGTprofile=test-ips FTNTFGTref=http://www.fortinet.com/ids/VID29844 duser=bob FTNTFGTincidentserialno=877326946 msg=file_transfer: Eicar.Virus.Test.File,
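Parsing and cross-checking the two lines above, as an added Python example (not Fortinet's code): parse_cef splits the pipe-delimited CEF header from the key=value extension while keeping the spaces inside msg=, and cef_mismatches confirms that the standard CEF keys carry the same values as the native fields they were exported from. The native-to-CEF field mapping is read off the two sample lines and is an assumption, not a published Fortinet table.

```python
import re

# Constructed sample input: the two lines shown on this page, one in the native
# FortiGate key=value format and one as exported in CEF to the syslog server.
NATIVE = ('date=2018-12-27 time=11:28:07 logid="0419016384" type="utm" subtype="ips" eventtype="signature" '
          'level="alert" vd="vdom1" eventtime=1545938887 severity="info" srcip=172.16.200.55 srccountry="Reserved" '
          'dstip=10.1.100.11 srcintf="port11" srcintfrole="undefined" dstintf="port12" dstintfrole="undefined" '
          'sessionid=901 action="reset" proto=6 service="HTTP" policyid=1 attack="Eicar.Virus.Test.File" srcport=80 '
          'dstport=44362 hostname="172.16.200.55" url="/virus/eicar.com" direction="incoming" attackid=29844 '
          'profile="test-ips" ref="http://www.fortinet.com/ids/VID29844" user="bob" incidentserialno=877326946 '
          'msg="file_transfer: Eicar.Virus.Test.File,"')
CEF = ("Dec 27 11:28:07 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|16384|utm:ips signature reset|7|"
       "deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0419016384 cat=utm:ips FTNTFGTsubtype=ips "
       "FTNTFGTeventtype=signature FTNTFGTlevel=alert FTNTFGTvd=vdom1 FTNTFGTeventtime=1545938887 "
       "FTNTFGTseverity=info src=172.16.200.55 FTNTFGTsrccountry=Reserved dst=10.1.100.11 "
       "deviceInboundInterface=port11 FTNTFGTsrcintfrole=undefined deviceOutboundInterface=port12 "
       "FTNTFGTdstintfrole=undefined externalId=901 act=reset proto=6 app=HTTP FTNTFGTpolicyid=1 "
       "FTNTFGTattack=Eicar.Virus.Test.File spt=80 dpt=44362 dhost=172.16.200.55 request=/virus/eicar.com "
       "deviceDirection=0 FTNTFGTattackid=29844 FTNTFGTprofile=test-ips "
       "FTNTFGTref=http://www.fortinet.com/ids/VID29844 duser=bob FTNTFGTincidentserialno=877326946 "
       "msg=file_transfer: Eicar.Virus.Test.File,")

HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")

def parse_native(line):
    """Parse the FortiGate key=value format; values may be double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def parse_cef(line):
    """Split a syslog-wrapped CEF line into its 7 header fields and its extension dict."""
    body = line.split("CEF:", 1)[1].lstrip()
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)      # a literal pipe in the header is escaped as \|
    header = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    ext = {}
    # An extension value runs until the next " key=" token, so the spaces in msg= are preserved.
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        ext[m.group(1)] = m.group(2).replace("\\=", "=").replace("\\\\", "\\")
    return header, ext

# Native field -> CEF key, read off the two lines above (an assumption, not a Fortinet-published table).
# direction="incoming" becomes the numeric deviceDirection=0, so it is not compared here.
NATIVE_TO_CEF = {"srcip": "src", "dstip": "dst", "srcport": "spt", "dstport": "dpt", "sessionid": "externalId",
                 "action": "act", "user": "duser", "service": "app", "url": "request", "attack": "FTNTFGTattack"}

def cef_mismatches(native_line, cef_line):
    """Return {native_field: (native_value, cef_value)} for fields that changed during the CEF export."""
    native, (_, ext) = parse_native(native_line), parse_cef(cef_line)
    return {k: (native.get(k), ext.get(c)) for k, c in NATIVE_TO_CEF.items() if native.get(k) != ext.get(c)}
```

Running cef_mismatches over a batch of exported events is a quick way to catch a SIEM parser that truncates msg= at the first space or swaps the port fields.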