Fortinet white logo
Fortinet white logo

Administration Guide

Message ID in UTM logs NEW

Message ID in UTM logs NEW

FortiOS logs the message ID (messageid) field in UTM logs under the email filter, file filter, and DLP subtypes. The message ID can be used with FortiMail to locate an undesired email. The message ID can also be used with FortiAnalyzer to trace the email and locate the device that sent the undesired traffic.

To view the message ID:
  1. Go to Log & Report > Security Events and select Logs.

  2. Set the filters to display the email filter, file filter, or DLP subtypes. In this example, the Anti-Spam and Disk filters are set to display an entry with the Message ID field.

  3. Select the log, and click Details. The Message ID field is displayed.

Following are examples of the message ID (messageid) field in email filter, file filter, and DLP logs:

  • Email filter logs:

    1: date=2024-05-27 time=15:20:30 eventtime=1716848430551966694 tz="-0700" logid="0512020481" type="utm" subtype="emailfilter" eventtype="email" level="information" vd="vdom1" policyid=1 poluuid="12c1682e-18a5-51ef-dc3d-459a4231c9e6" policytype="policy" sessionid=162 srcip=10.1.100.22 srcport=41344 srccountry="Reserved" srcintf="port21" srcintfrole="undefined" srcuuid="f29a920a-18a4-51ef-4fca-8c6dc5db9e26" dstip=172.16.200.55 dstport=25 dstcountry="Reserved" dstintf="port17" dstintfrole="undefined" dstuuid="f29a920a-18a4-51ef-4fca-8c6dc5db9e26" proto=6 service="SMTP" profile="730866" action="log-only" from="testpc3@qa.fortinet.com" to="testpc3@qa.fortinet.com" sender="testpc3@qa.fortinet.com" recipient="testpc3@qa.fortinet.com" messageid="<20240527222030.000384@spam_pc1>" direction="outgoing" msg="general email log" subject="testcase215001" size="246" attachment="no"
  • File filter logs:

    1: date=2024-05-27 time=18:52:21 eventtime=1716861141191537397 tz="-0700" logid="1900064001" type="utm" subtype="file-filter" eventtype="file-filter" level="notice" vd="vdom1" policyid=1 poluuid="12c1682e-18a5-51ef-dc3d-459a4231c9e6" policytype="policy" sessionid=536 srcip=10.1.100.22 srcport=55966 srccountry="Reserved" srcintf="port21" srcintfrole="undefined" srcuuid="f29a920a-18a4-51ef-4fca-8c6dc5db9e26" dstip=172.16.200.55 dstport=25 dstcountry="Reserved" dstintf="port17" dstintfrole="undefined" dstuuid="f29a920a-18a4-51ef-4fca-8c6dc5db9e26" proto=6 service="SMTP" profile="msgId_test" direction="outgoing" action="log-only" from="testpc3@qa.fortinet.com" to="testpc3@qa.fortinet.com" sender="testpc3@qa.fortinet.com" recipient="testpc3@qa.fortinet.com" messageid="<20240528015221.001679@spam_pc1>" subject="703400" attachment="no" rulename="bannedFiles" filesize=105749 filetype="jpeg" msg="File was detected by file filter."
  • DLP logs:

    1: date=2024-05-28 time=11:59:50 eventtime=1716922790136310107 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" ruleid=1 rulename="test_exe" dlpextra="Sensor 'test' matching any: ('Test-Dictionary'=1) >= 1; match." filtertype="sensor" filtercat="message" severity="medium" policyid=1 poluuid="12c1682e-18a5-51ef-dc3d-459a4231c9e6" policytype="policy" sessionid=1976 epoch=1523674618 eventid=2 srcip=10.1.100.22 srcport=52998 srccountry="Reserved" srcintf="port21" srcintfrole="undefined" srcuuid="f29a920a-18a4-51ef-4fca-8c6dc5db9e26" dstip=172.16.200.55 dstport=25 dstcountry="Reserved" dstintf="port17" dstintfrole="undefined" dstuuid="f29a920a-18a4-51ef-4fca-8c6dc5db9e26" proto=6 service="SMTP" filetype="N/A" direction="outgoing" action="block" from="testpc3@qa.fortinet.com" to="testpc3@qa.fortinet.com" sender="testpc3@qa.fortinet.com" recipient="testpc3@qa.fortinet.com" messageid="<20240528185950.007871@spam_pc1>" subject="731047" attachment="no" profile="testing"

Message ID in UTM logs NEW

Message ID in UTM logs NEW

FortiOS logs the message ID (messageid) field in UTM logs under the email filter, file filter, and DLP subtypes. The message ID can be used with FortiMail to locate an undesired email. The message ID can also be used with FortiAnalyzer to trace the email and locate the device that sent the undesired traffic.

To view the message ID:
  1. Go to Log & Report > Security Events and select Logs.

  2. Set the filters to display the email filter, file filter, or DLP subtypes. In this example, the Anti-Spam and Disk filters are set to display an entry with the Message ID field.

  3. Select the log, and click Details. The Message ID field is displayed.

Following are examples of the message ID (messageid) field in email filter, file filter, and DLP logs:

  • Email filter logs:

    1: date=2024-05-27 time=15:20:30 eventtime=1716848430551966694 tz="-0700" logid="0512020481" type="utm" subtype="emailfilter" eventtype="email" level="information" vd="vdom1" policyid=1 poluuid="12c1682e-18a5-51ef-dc3d-459a4231c9e6" policytype="policy" sessionid=162 srcip=10.1.100.22 srcport=41344 srccountry="Reserved" srcintf="port21" srcintfrole="undefined" srcuuid="f29a920a-18a4-51ef-4fca-8c6dc5db9e26" dstip=172.16.200.55 dstport=25 dstcountry="Reserved" dstintf="port17" dstintfrole="undefined" dstuuid="f29a920a-18a4-51ef-4fca-8c6dc5db9e26" proto=6 service="SMTP" profile="730866" action="log-only" from="testpc3@qa.fortinet.com" to="testpc3@qa.fortinet.com" sender="testpc3@qa.fortinet.com" recipient="testpc3@qa.fortinet.com" messageid="<20240527222030.000384@spam_pc1>" direction="outgoing" msg="general email log" subject="testcase215001" size="246" attachment="no"
  • File filter logs:

    1: date=2024-05-27 time=18:52:21 eventtime=1716861141191537397 tz="-0700" logid="1900064001" type="utm" subtype="file-filter" eventtype="file-filter" level="notice" vd="vdom1" policyid=1 poluuid="12c1682e-18a5-51ef-dc3d-459a4231c9e6" policytype="policy" sessionid=536 srcip=10.1.100.22 srcport=55966 srccountry="Reserved" srcintf="port21" srcintfrole="undefined" srcuuid="f29a920a-18a4-51ef-4fca-8c6dc5db9e26" dstip=172.16.200.55 dstport=25 dstcountry="Reserved" dstintf="port17" dstintfrole="undefined" dstuuid="f29a920a-18a4-51ef-4fca-8c6dc5db9e26" proto=6 service="SMTP" profile="msgId_test" direction="outgoing" action="log-only" from="testpc3@qa.fortinet.com" to="testpc3@qa.fortinet.com" sender="testpc3@qa.fortinet.com" recipient="testpc3@qa.fortinet.com" messageid="<20240528015221.001679@spam_pc1>" subject="703400" attachment="no" rulename="bannedFiles" filesize=105749 filetype="jpeg" msg="File was detected by file filter."
  • DLP logs:

    1: date=2024-05-28 time=11:59:50 eventtime=1716922790136310107 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" ruleid=1 rulename="test_exe" dlpextra="Sensor 'test' matching any: ('Test-Dictionary'=1) >= 1; match." filtertype="sensor" filtercat="message" severity="medium" policyid=1 poluuid="12c1682e-18a5-51ef-dc3d-459a4231c9e6" policytype="policy" sessionid=1976 epoch=1523674618 eventid=2 srcip=10.1.100.22 srcport=52998 srccountry="Reserved" srcintf="port21" srcintfrole="undefined" srcuuid="f29a920a-18a4-51ef-4fca-8c6dc5db9e26" dstip=172.16.200.55 dstport=25 dstcountry="Reserved" dstintf="port17" dstintfrole="undefined" dstuuid="f29a920a-18a4-51ef-4fca-8c6dc5db9e26" proto=6 service="SMTP" filetype="N/A" direction="outgoing" action="block" from="testpc3@qa.fortinet.com" to="testpc3@qa.fortinet.com" sender="testpc3@qa.fortinet.com" recipient="testpc3@qa.fortinet.com" messageid="<20240528185950.007871@spam_pc1>" subject="731047" attachment="no" profile="testing"