HTTP transaction log fields
HTTP transaction-related logs are updated to improve log analysis coverage:
- An httpmethod field is added.
- The URL rating method field is renamed from method to ratemethod.
- The agent field includes the entire User-Agent header.
- The referer field is removed from the rawdata field and added to the referralurl field.
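The parser below is an added example written for this page; it is not part of the release note and not FortiOS code. It splits a FortiGate key=value log line (quoted values such as agent and rawdata may contain spaces and "=" characters), breaks the "|"-separated rawdata field into individual headers, and reports the fields that the list above says changed: the new httpmethod field, the renamed ratemethod field, the referer moved out of rawdata into referralurl, and the full User-Agent in agent. It also checks that the forwardedfor field agrees with the X-Forwarded-For header kept in rawdata, a consistency check added here, not something the page describes. The embedded log line is constructed after the page's proxy web filter sample with the eventtime, tz, UUID and interface fields dropped for brevity.

```python
import re
from typing import Dict, Optional

# Constructed sample line, modelled on the page's proxy web filter log
# (abbreviated). It carries every field the parser is interested in.
SAMPLE_LOG = (
    'date=2022-02-09 time=16:56:13 logid="0317013312" type="utm" subtype="webfilter" '
    'eventtype="ftgd_allow" level="notice" vd="vdom1" policyid=1 sessionid=309 '
    'srcip=10.1.100.18 srcport=54884 dstip=52.21.106.99 dstport=443 proto=6 '
    'httpmethod="GET" service="HTTPS" hostname="www.postman-echo.com" '
    'forwardedfor="192.168.0.99" agent="curl/7.56.0" profile="webfilter" '
    'action="passthrough" reqtype="referral" url="https://www.postman-echo.com/" '
    'referralurl="https://example.com/referer.html" sentbyte=886 rcvdbyte=5531 '
    'direction="outgoing" msg="URL belongs to an allowed category in policy" '
    'ratemethod="domain" cat=52 catdesc="Information Technology" '
    'rawdata="x-forwarded-for=192.168.0.99|Request-Content-Type=application/json"'
)

# One key=value pair: a quoted value may contain spaces, "=" and "|"
# (agent, msg, rawdata); an unquoted value runs to the next whitespace.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line: str) -> Dict[str, str]:
    """Return the key=value pairs of a FortiGate log line, quotes stripped."""
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_rawdata(rawdata: str) -> Dict[str, str]:
    """Split rawdata ("Name=value|Name=value") into a header dict.

    Header names are lower-cased: the page's samples spell the same header
    both as x-forwarded-for and as X-Forwarded-For.
    """
    headers: Dict[str, str] = {}
    for entry in rawdata.split('|'):
        if '=' not in entry:
            continue
        name, _, value = entry.partition('=')
        headers[name.strip().lower()] = value.strip()
    return headers


def xff_consistent(fields: Dict[str, str], headers: Dict[str, str]) -> bool:
    """Added check: the forwardedfor field should equal the first (client)
    address of the X-Forwarded-For header preserved in rawdata. Returns True
    when either side is absent, since there is nothing to compare."""
    header = headers.get('x-forwarded-for')
    if header is None or 'forwardedfor' not in fields:
        return True
    return fields['forwardedfor'] == header.split(',')[0].strip()


def http_transaction(line: str) -> Dict[str, object]:
    """Summarise the HTTP transaction fields of one log line."""
    fields = parse_log(line)
    headers = parse_rawdata(fields.get('rawdata', ''))
    return {
        'httpmethod': fields.get('httpmethod'),
        'url': fields.get('url'),
        'referralurl': fields.get('referralurl'),
        'agent': fields.get('agent'),
        'ratemethod': fields.get('ratemethod'),
        'forwardedfor': fields.get('forwardedfor'),
        'headers': headers,
        # Pre-change records would carry "method" instead of "ratemethod"
        # and a "referer" entry inside rawdata.
        'legacy_method_field': 'method' in fields,
        'referer_in_rawdata': 'referer' in headers,
        'xff_consistent': xff_consistent(fields, headers),
    }


if __name__ == '__main__':
    for key, value in http_transaction(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

Feed it the lines from a syslog collector or the output of "execute log display" (after stripping the leading "N: " index) to confirm that a given build writes ratemethod rather than method, and that referer no longer appears inside rawdata.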
Log samples
Proxy web filter logs
1: date=2022-02-09 time=16:39:40 eventtime=1644453580728994264 tz="-0800" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="vdom1" policyid=1 poluuid="917edc76-84b1-51ec-bdb5-b8cb1b308a99" policytype="policy" sessionid=803 srcip=10.1.100.110 srcport=61913 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="a27c19fc-8499-51ec-b63d-7ff51b02a295" dstip=45.33.7.16 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="a27c19fc-8499-51ec-b63d-7ff51b02a295" proto=6 httpmethod="GET" service="HTTPS" hostname="www.httpvshttps.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36" profile="webfilter" action="passthrough" reqtype="referral" url="https://www.httpvshttps.com/" referralurl="http://www.httpvshttps.com/" sentbyte=1433 rcvdbyte=5143 direction="outgoing" msg="URL belongs to an allowed category in policy" ratemethod="domain" cat=52 catdesc="Information Technology"
With rawdata field:
1: date=2022-02-09 time=16:56:13 eventtime=1644454573193935755 tz="-0800" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="vdom1" policyid=1 poluuid="917edc76-84b1-51ec-bdb5-b8cb1b308a99" policytype="policy" sessionid=309 srcip=10.1.100.18 srcport=54884 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="a27c19fc-8499-51ec-b63d-7ff51b02a295" dstip=52.21.106.99 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="a27c19fc-8499-51ec-b63d-7ff51b02a295" proto=6 httpmethod="GET" service="HTTPS" hostname="www.postman-echo.com" forwardedfor="192.168.0.99" agent="curl/7.56.0" profile="webfilter" action="passthrough" reqtype="referral" url="https://www.postman-echo.com/" referralurl="https://example.com/referer.html" sentbyte=886 rcvdbyte=5531 direction="outgoing" msg="URL belongs to an allowed category in policy" ratemethod="domain" cat=52 catdesc="Information Technology" rawdata="x-forwarded-for=192.168.0.99|Request-Content-Type=application/json"
Proxy antivirus log
1: date=2022-02-03 time=17:37:51 eventtime=1643938671287113448 tz="-0800" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1 poluuid="917edc76-84b1-51ec-bdb5-b8cb1b308a99" policytype="policy" msg="File is infected." action="blocked" service="HTTPS" sessionid=156474 srcip=10.1.100.18 dstip=89.238.73.97 srcport=36154 dstport=443 srccountry="Reserved" dstcountry="Germany" srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" srcuuid="a27c19fc-8499-51ec-b63d-7ff51b02a295" dstuuid="a27c19fc-8499-51ec-b63d-7ff51b02a295" proto=6 direction="incoming" filename="eicar.com" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="https://secure.eicar.org/eicar.com" forwardedfor="192.168.0.99" profile="proxy-av" agent="curl/7.56.0" httpmethod="GET" referralurl="https://example.com/referer.html" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical" rawdata="X-Forwarded-For=192.168.0.99|Response-Content-Type=application/x-msdownload"
Proxy DLP log
1: date=2022-02-03 time=17:36:12 eventtime=1643938572487964255 tz="-0800" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" filteridx=1 dlpextra="pdf" filtertype="file-type" filtercat="file" severity="critical" policyid=1 poluuid="917edc76-84b1-51ec-bdb5-b8cb1b308a99" policytype="policy" sessionid=156237 epoch=300501327 eventid=0 srcip=10.1.100.18 srcport=33392 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="a27c19fc-8499-51ec-b63d-7ff51b02a295" dstip=172.16.200.88 dstport=443 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" dstuuid="a27c19fc-8499-51ec-b63d-7ff51b02a295" proto=6 service="HTTPS" filetype="pdf" direction="incoming" action="block" hostname="172.16.200.88" url="https://172.16.200.88/dlp/files/fortiauto.pdf" forwardedfor="192.168.0.99" agent="curl/7.56.0" httpmethod="GET" referralurl="https://example.com/referer.html" filename="fortiauto.pdf" filesize=285442 profile="proxy-dlp" rawdata="x-forwarded-for=192.168.0.99|Response-Content-Type=application/pdf"
Proxy file filter log
1: date=2022-02-03 time=17:31:57 eventtime=1643938317607666534 tz="-0800" logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="vdom1" policyid=1 poluuid="917edc76-84b1-51ec-bdb5-b8cb1b308a99" policytype="policy" sessionid=155704 srcip=10.1.100.18 srcport=33388 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="a27c19fc-8499-51ec-b63d-7ff51b02a295" dstip=172.16.200.88 dstport=443 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" dstuuid="a27c19fc-8499-51ec-b63d-7ff51b02a295" proto=6 service="HTTPS" profile="proxy-ff" direction="incoming" action="blocked" url="https://172.16.200.88/dlp/files/fortiauto.pdf" hostname="172.16.200.88" agent="curl/7.56.0" httpmethod="GET" referralurl="https://example.com/referer.html" forwardedfor="192.168.0.99" filtername="pdf" filename="fortiauto.pdf" filesize=285442 filetype="pdf" msg="File was blocked by file filter."
Proxy video filter log
1: date=2022-02-10 time=14:25:20 eventtime=1644531920649244437 tz="-0800" logid="0348013682" type="utm" subtype="webfilter" eventtype="videofilter-channel" level="notice" vd="vdom1" msg="Video channel is allowed." policyid=10 sessionid=1535 srcip=10.1.100.11 dstip=142.251.33.78 srcport=47348 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 httpmethod="GET" service="HTTPS" action="passthrough" videoinfosource="Cache" profile="channel_filter" videoid="BAayV5xQ1TE" videochannelid="UCjzrDTsJKtMQI33Vii_jEeA" hostname="www.youtube.com" agent="('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36',)" url="https://www.youtube.com/watch?v=BAayV5xQ1TE"
WAF log
1: date=2022-02-03 time=17:44:29 eventtime=1643939069074906029 tz="-0800" logid="1203030257" type="utm" subtype="waf" eventtype="waf-http-constraint" level="warning" vd="vdom1" policyid=1 policytype="policy" sessionid=157514 profile="waf-profile" srcip=10.1.100.18 srcport=36206 srccountry="Reserved" srcuuid="a27c19fc-8499-51ec-b63d-7ff51b02a295" dstip=89.238.73.97 dstport=443 dstcountry="Germany" dstuuid="a27c19fc-8499-51ec-b63d-7ff51b02a295" srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 httpmethod="GET" service="HTTPS" url="https://secure.eicar.org/eicar.com" referralurl="https://example.com/referer.html" severity="medium" action="blocked" direction="request" agent="curl/7.56.0" constraint="header-number"
Flow web filter log
1: date=2022-02-04 time=10:48:10 eventtime=1644000490629159450 tz="-0800" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="vdom1" policyid=1 poluuid="917edc76-84b1-51ec-bdb5-b8cb1b308a99" policytype="policy" sessionid=3198 srcip=10.1.100.18 srcport=38206 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="a27c19fc-8499-51ec-b63d-7ff51b02a295" dstip=34.233.143.14 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="a27c19fc-8499-51ec-b63d-7ff51b02a295" proto=6 httpmethod="GET" service="HTTPS" hostname="www.postman-echo.com" forwardedfor="192.168.0.99" agent="curl/7.56.0" profile="webfilter_flowbase" action="passthrough" reqtype="referral" url="https://www.postman-echo.com/" referralurl="https://example.com/referer.html" sentbyte=165 rcvdbyte=40 direction="outgoing" msg="URL belongs to an allowed category in policy" ratemethod="domain" cat=52 catdesc="Information Technology" rawdata="Request-Content-Type=application/json|X-Forwarded-For=192.168.0.99"
Flow antivirus log
1: date=2022-02-03 time=17:01:06 eventtime=1643936466815721219 tz="-0800" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1 poluuid="917edc76-84b1-51ec-bdb5-b8cb1b308a99" policytype="policy" msg="File is infected." action="blocked" service="HTTPS" sessionid=151261 srcip=10.1.100.18 dstip=89.238.73.97 srcport=35976 dstport=443 srccountry="Reserved" dstcountry="Germany" srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" srcuuid="a27c19fc-8499-51ec-b63d-7ff51b02a295" dstuuid="a27c19fc-8499-51ec-b63d-7ff51b02a295" proto=6 direction="incoming" filename="eicar.com" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="https://secure.eicar.org/eicar.com" forwardedfor="192.168.0.99" profile="flow-av" agent="curl/7.56.0" httpmethod="GET" referralurl="https://example.com/referer.html" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical" rawdata="X-Forwarded-For=192.168.0.99"
Flow DLP log
1: date=2022-02-03 time=17:04:04 eventtime=1643936644326594838 tz="-0800" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" filteridx=3 filtertype="file-type" filtercat="file" severity="critical" policyid=1 poluuid="917edc76-84b1-51ec-bdb5-b8cb1b308a99" policytype="policy" sessionid=151657 epoch=0 eventid=0 srcip=10.1.100.18 srcport=33236 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="a27c19fc-8499-51ec-b63d-7ff51b02a295" dstip=172.16.200.88 dstport=443 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" dstuuid="a27c19fc-8499-51ec-b63d-7ff51b02a295" proto=6 service="HTTPS" filetype="unknown" direction="incoming" action="block" hostname="172.16.200.88" url="https://172.16.200.88/dlp/files/fortiauto.pdf" forwardedfor="192.168.0.99" agent="curl/7.56.0" httpmethod="GET" referralurl="https://example.com/referer.html" filename="fortiauto.pdf" profile="dlp-flow" rawdata="X-Forwarded-For=192.168.0.99"
Flow file filter log
1: date=2022-02-03 time=17:11:49 eventtime=1643937109408719896 tz="-0800" logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="vdom1" policyid=1 poluuid="917edc76-84b1-51ec-bdb5-b8cb1b308a99" policytype="policy" sessionid=152777 srcip=10.1.100.18 srcport=33320 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="a27c19fc-8499-51ec-b63d-7ff51b02a295" dstip=172.16.200.88 dstport=443 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" dstuuid="a27c19fc-8499-51ec-b63d-7ff51b02a295" proto=6 service="HTTPS" profile="flow-ff" direction="incoming" action="blocked" url="https://172.16.200.88/dlp/files/fortiauto.pdf" hostname="172.16.200.88" agent="curl/7.56.0" httpmethod="GET" referralurl="https://example.com/referer.html" forwardedfor="192.168.0.99" filtername="pdf" filename="fortiauto.pdf" filesize=285442 filetype="pdf" msg="File was blocked by file filter."
IPS log
1: date=2022-02-03 time=23:02:37 eventtime=1643958157685566389 tz="-0800" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.18 srccountry="Reserved" dstip=89.238.73.97 dstcountry="Germany" srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=201497 action="dropped" proto=6 service="HTTPS" policyid=1 poluuid="917edc76-84b1-51ec-bdb5-b8cb1b308a99" policytype="policy" attack="Eicar.Virus.Test.File" srcport=37042 dstport=443 hostname="secure.eicar.org" url="/eicar.com" agent="curl/7.56.0" httpmethod="GET" referralurl="https://example.com/referer.html" direction="incoming" attackid=29844 profile="eicar-test" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=70256054 msg="file_transfer: Eicar.Virus.Test.File" rawdataid="1/1" forwardedfor="192.168.0.99" rawdata="Response-Content-Type=application/x-msdownload|X-Forwarded-For=192.168.0.99"
Application control log
1: date=2022-02-03 time=22:33:09 eventtime=1643956389997354519 tz="-0800" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="vdom1" appid=15893 srcip=10.1.100.18 srccountry="Reserved" dstip=3.209.99.235 dstcountry="United States" srcport=59896 dstport=80 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTP" direction="outgoing" policyid=1 poluuid="917edc76-84b1-51ec-bdb5-b8cb1b308a99" policytype="policy" sessionid=197164 applist="app-ctrl" action="pass" appcat="Web.Client" app="HTTP.BROWSER" hostname="www.httpbin.org" incidentserialno=70256051 url="/post" agent="curl/7.56.0" httpmethod="POST" referralurl="http://example.com" msg="Web.Client: HTTP.BROWSER" apprisk="medium" forwardedfor="192.168.0.99" rawdataid="1/1" rawdata="Request-Content-Type=application/x-www-form-urlencoded|X-Forwarded-For=192.168.0.99"