FortiOS Log Message Reference

Email Spamfilter log support for CEF

The following is an example of an email spamfilter log on the FortiGate disk:

date=2018-12-27 time=11:36:58 logid="0508020503" type="utm" subtype="emailfilter" eventtype="smtp" level="information" vd="vdom1" eventtime=1545939418 policyid=1 sessionid=1135 user="bob" srcip=10.1.100.11 srcport=35969 srcintf="port12" srcintfrole="undefined" dstip=172.18.62.158 dstport=25 dstintf="port11" dstintfrole="undefined" proto=6 service="SMTP" profile="test-spam" action="log-only" from="testpc1@qa.fortinet.com" to="test1@server88.qa.fortinet.com" sender="testpc1@qa.fortinet.com" recipient="test1@server88.qa.fortinet.com" direction="outgoing" msg="general email log" subject="hello_world2" size="216" attachment="no"

The following is an example of an email spamfilter log sent in CEF format to a syslog server:

Dec 27 11:36:58 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|20503|utm:emailfilter smtp log-only|2|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0508020503 cat=utm:emailfilter FTNTFGTsubtype=emailfilter FTNTFGTeventtype=smtp FTNTFGTlevel=information FTNTFGTvd=vdom1 FTNTFGTeventtime=1545939418 FTNTFGTpolicyid=1 externalId=1135 duser=bob src=10.1.100.11 spt=35969 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined dst=172.18.62.158 dpt=25 deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined proto=6 app=SMTP FTNTFGTprofile=test-spam act=log-only suser=testpc1@qa.fortinet.com duser=test1@server88.qa.fortinet.com FTNTFGTsender=testpc1@qa.fortinet.com FTNTFGTrecipient=test1@server88.qa.fortinet.com deviceDirection=1 msg=general email log FTNTFGTsubject=hello_world2 FTNTFGTsize=216 FTNTFGTattachment=no

The following table maps FortiOS log field names to CEF field names.

FortiOS Log Field Name    CEF Field Name
from                      suser
to                        duser
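The two sample lines above are what a syslog collector or SIEM normalizer actually has to deal with, and two details of the CEF line are easy to miss when reading it by eye: the CEF key duser is emitted twice (once for user=bob, once for the to address), so a last-wins parser silently loses the authenticated user, and direction="outgoing" is not copied verbatim but encoded as deviceDirection=1. The following Python is an added example written for this page; it is not Fortinet code and not part of FortiOS. It parses both formats, keeps every occurrence of a repeated CEF key, and checks the field mapping. Only the from/to pairs come from the page's table; the other pairs in OBSERVED_MAPPING are read off the two sample lines and are an assumption of this example, not a documented mapping. The sample lines are copied from the page.

```python
import re

# Sample lines copied from the page: FortiOS disk format and the matching CEF line.
FORTIOS_LINE = 'date=2018-12-27 time=11:36:58 logid="0508020503" type="utm" subtype="emailfilter" eventtype="smtp" level="information" vd="vdom1" eventtime=1545939418 policyid=1 sessionid=1135 user="bob" srcip=10.1.100.11 srcport=35969 srcintf="port12" srcintfrole="undefined" dstip=172.18.62.158 dstport=25 dstintf="port11" dstintfrole="undefined" proto=6 service="SMTP" profile="test-spam" action="log-only" from="testpc1@qa.fortinet.com" to="test1@server88.qa.fortinet.com" sender="testpc1@qa.fortinet.com" recipient="test1@server88.qa.fortinet.com" direction="outgoing" msg="general email log" subject="hello_world2" size="216" attachment="no"'
CEF_LINE = 'Dec 27 11:36:58 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|20503|utm:emailfilter smtp log-only|2|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0508020503 cat=utm:emailfilter FTNTFGTsubtype=emailfilter FTNTFGTeventtype=smtp FTNTFGTlevel=information FTNTFGTvd=vdom1 FTNTFGTeventtime=1545939418 FTNTFGTpolicyid=1 externalId=1135 duser=bob src=10.1.100.11 spt=35969 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined dst=172.18.62.158 dpt=25 deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined proto=6 app=SMTP FTNTFGTprofile=test-spam act=log-only suser=testpc1@qa.fortinet.com duser=test1@server88.qa.fortinet.com FTNTFGTsender=testpc1@qa.fortinet.com FTNTFGTrecipient=test1@server88.qa.fortinet.com deviceDirection=1 msg=general email log FTNTFGTsubject=hello_world2 FTNTFGTsize=216 FTNTFGTattachment=no'

# Pairs documented in the page's mapping table.
PAGE_MAPPING = {"from": "suser", "to": "duser"}
# Pairs read off the two sample lines; an assumption of this example, not the page's table.
OBSERVED_MAPPING = {
    "user": "duser", "srcip": "src", "srcport": "spt", "dstip": "dst", "dstport": "dpt",
    "sessionid": "externalId", "service": "app", "action": "act", "msg": "msg",
    "sender": "FTNTFGTsender", "recipient": "FTNTFGTrecipient", "subject": "FTNTFGTsubject",
    "size": "FTNTFGTsize", "attachment": "FTNTFGTattachment",
}

# key=value where the value is either double-quoted (may contain spaces) or bare.
_FORTIOS_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# CEF extension: key=value, value runs up to the next " key=" token or end of line.
_CEF_EXT_KV = re.compile(r'(\w+)=(.*?)(?=\s\w+=|$)')
_CEF_HEADER = ["version", "vendor", "product", "product_version", "signature_id", "name", "severity"]


def parse_fortios(line):
    """Parse the FortiOS disk format into a dict; later duplicates would overwrite earlier ones."""
    fields = {}
    for m in _FORTIOS_KV.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def parse_cef(line):
    """Split a syslog-wrapped CEF line into (header dict, extension dict).

    Extension values are kept as lists so that a key FortiOS emits twice
    (duser in the sample line) is not silently collapsed. CEF backslash
    escapes (\\| in the header, \\= in values) are not handled here because
    the sample line does not use them.
    """
    body = line.split("CEF:", 1)[1].strip()
    parts = body.split("|", 7)               # 7 header fields, remainder is the extension
    header = dict(zip(_CEF_HEADER, parts[:7]))
    extension = {}
    for m in _CEF_EXT_KV.finditer(parts[7]):
        extension.setdefault(m.group(1), []).append(m.group(2))
    return header, extension


def duplicate_keys(extension):
    """CEF keys that appeared more than once, with all their values."""
    return {k: v for k, v in extension.items() if len(v) > 1}


def check_mapping(fortios, extension, mapping):
    """Return one (fortios_key, cef_key, fortios_value, cef_values) tuple per pair
    whose FortiOS value does not appear verbatim among the CEF values."""
    problems = []
    for fkey, ckey in mapping.items():
        fval = fortios.get(fkey)
        cvals = extension.get(ckey, [])
        if fval not in cvals:
            problems.append((fkey, ckey, fval, cvals))
    return problems


if __name__ == "__main__":
    fortios = parse_fortios(FORTIOS_LINE)
    header, ext = parse_cef(CEF_LINE)
    print("signature id:", header["signature_id"], "severity:", header["severity"])
    print("repeated CEF keys:", duplicate_keys(ext))
    print("mapping problems:", check_mapping(fortios, ext, {**PAGE_MAPPING, **OBSERVED_MAPPING}))
    # direction is value-translated (outgoing -> 1), so a verbatim check flags it on purpose.
    print("translated fields:", check_mapping(fortios, ext, {"direction": "deviceDirection"}))
```

When normalizing these events, key the user on the first duser occurrence (or on the FortiOS user field if the disk log is available) and translate deviceDirection rather than comparing it as a string; a mapping check like check_mapping run over a sample of each log type is a cheap way to catch both kinds of drift after a firmware upgrade.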
