Fortinet black logo

FortiOS Log Message Reference

List of log types and subtypes

List of log types and subtypes

FortiGate devices can record the following types and subtypes of log entry information:

Type

Description

Subtype

traffic

Records traffic flow information, such as an HTTP/HTTPS request and its response, if any.

  • forward

  • local

  • multicast

  • sniffer

  • ztna

event

Records system and administrative events, such as downloading a backup copy of the configuration, or daemon activities.

  • cifs-auth-fail

  • connector

  • endpoint

  • fortiextender

  • ha

  • rest-api

  • router

  • sdwan

  • security-rating

  • switch-controller

  • system

  • user

  • vpn

  • wad

  • wireless

UTM

Records UTM events.

See list of UTM log subtypes below

UTM log subtypes

UTM Log Subtypes

Description

Event Type

virus

Records virus attacks.

  • analytics

  • command-blocked

  • content-disarm

  • ems-threat-feed

  • filename

  • filetype-executable

  • fortiai

  • infected

  • malware-list

  • mimefragmented

  • outbreak-prevention

  • oversize

  • scanerror

  • switchproto

webfilter

Records web filter events.

  • activexfilter

  • antiphishing

  • appletfilter

  • content

  • cookiefilter

  • ftgd_allow

  • ftgd_blk

  • ftgd_err

  • ftgd_quota

  • ftgd_quota_counting

  • ftgd_quota_expired

  • http_header_change

  • scriptfilter

  • ssl-exempt

  • urlfilter

  • urlmonitor

  • videofilter-category

  • videofilter-channel

  • webfilter_command_block

ips

Records intrusion prevention events.

  • botnet

  • malicious-url

  • signature

emailfilter

Records email filter events.

  • bannedword

  • email

  • ftgd_err

  • spam

  • webmail

anomaly

Records intrusion attempts.

  • anomaly

voip

Records voice over IP events.

  • voip

dlp

Records data loss prevention events.

  • dlp

  • dlp-docsource

app-ctrl

Records intrusion attempts. Application control log is output when a signature matches an application pattern.

  • port-violation

  • protocol-violation

  • signature

waf

Records web application firewall information for FortiWeb appliances and virtual appliances.

  • waf-address-list

  • waf-custom-signature

  • waf-http-constraint

  • waf-http-method

  • waf-signature

  • waf-url-access

gtp

Records GTP events.

  • gtp-all

  • pfcp-all

dns

Records domain name server events.

  • dns-query

  • dns-response

ssh

Records Secure Socket Shell events.

  • ssh-channel

  • ssh-command

  • ssh-hostkey

ssl

Records detected/blocked malicious SSL connections.

  • ssl-anomaly

  • ssl-exempt

  • ssl-handshake

  • ssl-negotiation

  • ssl-server-cert-info

file-filter

Records file filter events.

  • file-filter

icap

Records ICAP events.

  • icap

List of log types and subtypes

FortiGate devices can record the following types and subtypes of log entry information:

Type

Description

Subtype

traffic

Records traffic flow information, such as an HTTP/HTTPS request and its response, if any.

  • forward

  • local

  • multicast

  • sniffer

  • ztna

event

Records system and administrative events, such as downloading a backup copy of the configuration, or daemon activities.

  • cifs-auth-fail

  • connector

  • endpoint

  • fortiextender

  • ha

  • rest-api

  • router

  • sdwan

  • security-rating

  • switch-controller

  • system

  • user

  • vpn

  • wad

  • wireless

UTM

Records UTM events.

See list of UTM log subtypes below

UTM log subtypes

UTM Log Subtypes

Description

Event Type

virus

Records virus attacks.

  • analytics

  • command-blocked

  • content-disarm

  • ems-threat-feed

  • filename

  • filetype-executable

  • fortiai

  • infected

  • malware-list

  • mimefragmented

  • outbreak-prevention

  • oversize

  • scanerror

  • switchproto

webfilter

Records web filter events.

  • activexfilter

  • antiphishing

  • appletfilter

  • content

  • cookiefilter

  • ftgd_allow

  • ftgd_blk

  • ftgd_err

  • ftgd_quota

  • ftgd_quota_counting

  • ftgd_quota_expired

  • http_header_change

  • scriptfilter

  • ssl-exempt

  • urlfilter

  • urlmonitor

  • videofilter-category

  • videofilter-channel

  • webfilter_command_block

ips

Records intrusion prevention events.

  • botnet

  • malicious-url

  • signature

emailfilter

Records email filter events.

  • bannedword

  • email

  • ftgd_err

  • spam

  • webmail

anomaly

Records intrusion attempts.

  • anomaly

voip

Records voice over IP events.

  • voip

dlp

Records data loss prevention events.

  • dlp

  • dlp-docsource

app-ctrl

Records intrusion attempts. Application control log is output when a signature matches an application pattern.

  • port-violation

  • protocol-violation

  • signature

waf

Records web application firewall information for FortiWeb appliances and virtual appliances.

  • waf-address-list

  • waf-custom-signature

  • waf-http-constraint

  • waf-http-method

  • waf-signature

  • waf-url-access

gtp

Records GTP events.

  • gtp-all

  • pfcp-all

dns

Records domain name server events.

  • dns-query

  • dns-response

ssh

Records Secure Socket Shell events.

  • ssh-channel

  • ssh-command

  • ssh-hostkey

ssl

Records detected/blocked malicious SSL connections.

  • ssl-anomaly

  • ssl-exempt

  • ssl-handshake

  • ssl-negotiation

  • ssl-server-cert-info

file-filter

Records file filter events.

  • file-filter

icap

Records ICAP events.

  • icap