DNS log support for CEF
The following is an example of a DNS log on the FortiGate disk:
date=2018-12-27 time=14:45:26 logid="1501054802" type="dns" subtype="dns-response" level="notice" vd="vdom1" eventtime=1545950726 policyid=1 sessionid=13355 user="bob" srcip=10.1.100.11 srcport=54621 srcintf="port12" srcintfrole="lan" dstip=172.16.200.55 dstport=53 dstintf="port11" dstintfrole="wan" proto=17 profile="default" srcmac="a2:e9:00:ec:40:01" xid=5137 qname="detectportal.firefox.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="104.80.89.26, 104.80.89.24" msg="Domain is monitored" action="pass" cat=52 catdesc="Information Technology"
The following is an example of the same DNS log sent in CEF format to a syslog server:
Dec 27 14:45:26 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|54802|dns:dns-response pass|3|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=1501054802 cat=dns:dns-response FTNTFGTsubtype=dns-response FTNTFGTlevel=notice FTNTFGTvd=vdom1 FTNTFGTeventtime=1545950726 FTNTFGTpolicyid=1 externalId=13355 duser=bob src=10.1.100.11 spt=54621 deviceInboundInterface=port12 FTNTFGTsrcintfrole=lan dst=172.16.200.55 dpt=53 deviceOutboundInterface=port11 FTNTFGTdstintfrole=wan proto=17 FTNTFGTprofile=default FTNTFGTsrcmac=a2:e9:00:ec:40:01 FTNTFGTxid=5137 FTNTFGTqname=detectportal.firefox.com FTNTFGTqtype=A FTNTFGTqtypeval=1 FTNTFGTqclass=IN FTNTFGTipaddr=104.80.89.26, 104.80.89.24 msg=Domain is monitored act=pass FTNTFGTcat=52 FTNTFGTcatdesc=Information Technology