
FortiOS Log Message Reference

Enabling extended logging

Enabling extended logging

You can enable extended logging for the following UTM profiles:

  • antivirus

  • application

  • dlp

  • ips

  • waf

  • webfilter

When you enable the extended-log option for UTM profiles, all HTTP header information for HTTP-deny traffic is logged.

When you enable the web-extended-all-action-log option for a webfilter profile, all HTTP header information for HTTP-allow traffic is logged.

Extended logging option in UTM profiles

The extended-log option has been added to all UTM profiles, for example:

config webfilter profile
    edit "test-webfilter"
        set extended-log enable
        set web-extended-all-action-log enable
    next
end
config antivirus profile
    edit "av-proxy-test"
        set extended-log enable
    next
end
config waf profile
    edit "test-waf"
        set extended-log enable
    next
end

Syslog server mode

The Syslog server mode options have changed to udp, reliable, and legacy-reliable. Extended logging requires the mode to be set to reliable, for example:

config log syslogd setting
    set status enable
    set server "<ip address>"
    set mode reliable
    set facility local6
end

Example 1: Extended log

The following is an example extended log of type utm with subtype webfilter, sent to a reliable Syslog server. The rawdata field contains the extended log data. Header values captured in rawdata (for example x-forwarded-for) are recorded as received from the client and are not validated by the FortiGate.

2: date=2022-03-07 time=14:15:27 eventtime=1646691327786322587 tz="-0800" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="vdom1" policyid=1 poluuid="fe85f37c-9dd9-51ec-904d-5af91079efbb" policytype="policy" sessionid=7284 srcip=10.1.100.18 srcport=50856 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="69dc4a54-9d99-51ec-16ee-395d60cceac6" dstip=142.250.69.196 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="69dc4a54-9d99-51ec-16ee-395d60cceac6" proto=6 httpmethod="GET" service="HTTPS" hostname="http://www.google.com" forwardedfor="192.168.0.99" agent="curl/7.56.0" profile="webfilter" action="blocked" reqtype="referral" url="https://www.google.com/" referralurl="https://example.com/referer.html" sentbyte=869 rcvdbyte=4313 direction="outgoing" msg="URL belongs to a denied category in policy" ratemethod="domain" cat=41 catdesc="Search Engines and Portals" rawdata="x-forwarded-for=192.168.0.99"

Example 2: Extended log for explicit proxy logging

The rawdata field with the [REQ] and [RESP] sections corresponds to the HTTP header monitor feature, which monitors and logs the headers of the HTTP request and response. The request was sent through a FortiGate running a transparent or explicit proxy.

1: date=2023-04-19 time=19:01:19 eventtime=1681956079146481995 tz="-0700" logid="0314012288" type="utm" subtype="webfilter" eventtype="content" level="warning" vd="vdom1" policyid=1 poluuid="4d8dc396-46e3-51ea-7f3f-ee328a5bd07b" policytype="policy" sessionid=40980 srcip=10.1.100.13 srcport=54512 srccountry="Reserved" srcintf="port10" srcintfrole="undefined" srcuuid="6ce0b8ca-30ae-51ea-a388-ceacbb4fb045" dstip=172.16.200.33 dstport=443 dstcountry="Reserved" dstintf="port9" dstintfrole="undefined" dstuuid="6ce0b8ca-30ae-51ea-a388-ceacbb4fb045" proto=6 httpmethod="GET" service="HTTPS" hostname="172.16.200.33" agent="curl/7.61.1" profile="header" reqtype="direct" url="https://172.16.200.33/" sentbyte=0 rcvdbyte=0 direction="incoming" action="blocked" banword="works" msg="URL was blocked because it contained banned word(s)." rawdata="[REQ] test_request_header=aaaaa||[RESP] Content-Type=text/html|ETag=\"34-5b23b9d3b67f4\""

Example 3: Extended log for DLP inspection

The following example shows DLP inspection being applied in a policy when extended-log is enabled in the DLP profile and DLP blocks the file.

config dlp profile
    edit "851560"
        set feature-set proxy
        config rule
            edit 1
                set name "851560"
                set proto http-get http-post
                set file-type 3
                set action block
            next
        end
        set extended-log enable
    next
end
1: date=2023-08-10 time=10:50:50 eventtime=1691689849954382569 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" filteridx=1 filtername="851560" dlpextra="file-type:3" filtertype="none" filtercat="file" severity="medium" policyid=1 poluuid="c3cd12ea-379f-51ee-c12b-ea7a6620d365" policytype="policy" sessionid=1024 epoch=1334644382 eventid=0 srcip=10.1.100.11 srcport=38182 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="8789d048-379f-51ee-ea7e-79004e2dda0c" dstip=172.16.200.55 dstport=80 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" dstuuid="8789d048-379f-51ee-ea7e-79004e2dda0c" proto=6 service="HTTP" filetype="pdf" direction="incoming" action="block" hostname="172.16.200.55" url="http://172.16.200.55/dlp/files/fortiauto.pdf" agent="curl/7.58.0" httpmethod="GET" filename="fortiauto.pdf" filesize=285442 profile="851560" rawdata="[RESP] Content-Type=application/pdf"

Enabling extended logging

Enabling extended logging

You can enable extended logging for the following UTM profiles:

  • antivirus

  • application

  • dlp

  • ips

  • waf

  • webfilter

When you enable the extended-log option for UTM profiles, all HTTP header information for HTTP-deny traffic is logged.

When you enable the web-extended-all-action-log option for a webfilter profile, all HTTP header information for HTTP-allow traffic is logged.

Extended logging option in UTM profiles

The extended-log option has been added to all UTM profiles, for example:

config webfilter profile
    edit "test-webfilter"
        set extended-log enable
        set web-extended-all-action-log enable
    next
end
config antivirus profile
    edit "av-proxy-test"
        set extended-log enable
    next
end
config waf profile
    edit "test-waf"
        set extended-log enable
    next
end

Syslog server mode

The Syslog server mode options have changed to udp, reliable, and legacy-reliable. Extended logging requires the mode to be set to reliable, for example:

config log syslogd setting
    set status enable
    set server "<ip address>"
    set mode reliable
    set facility local6
end

Example 1: Extended log

The following is an example extended log of type utm with subtype webfilter, sent to a reliable Syslog server. The rawdata field contains the extended log data. Header values captured in rawdata (for example x-forwarded-for) are recorded as received from the client and are not validated by the FortiGate.

2: date=2022-03-07 time=14:15:27 eventtime=1646691327786322587 tz="-0800" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="vdom1" policyid=1 poluuid="fe85f37c-9dd9-51ec-904d-5af91079efbb" policytype="policy" sessionid=7284 srcip=10.1.100.18 srcport=50856 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="69dc4a54-9d99-51ec-16ee-395d60cceac6" dstip=142.250.69.196 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="69dc4a54-9d99-51ec-16ee-395d60cceac6" proto=6 httpmethod="GET" service="HTTPS" hostname="http://www.google.com" forwardedfor="192.168.0.99" agent="curl/7.56.0" profile="webfilter" action="blocked" reqtype="referral" url="https://www.google.com/" referralurl="https://example.com/referer.html" sentbyte=869 rcvdbyte=4313 direction="outgoing" msg="URL belongs to a denied category in policy" ratemethod="domain" cat=41 catdesc="Search Engines and Portals" rawdata="x-forwarded-for=192.168.0.99"

Example 2: Extended log for explicit proxy logging

The rawdata field with the [REQ] and [RESP] sections corresponds to the HTTP header monitor feature, which monitors and logs the headers of the HTTP request and response. The request was sent through a FortiGate running a transparent or explicit proxy.

1: date=2023-04-19 time=19:01:19 eventtime=1681956079146481995 tz="-0700" logid="0314012288" type="utm" subtype="webfilter" eventtype="content" level="warning" vd="vdom1" policyid=1 poluuid="4d8dc396-46e3-51ea-7f3f-ee328a5bd07b" policytype="policy" sessionid=40980 srcip=10.1.100.13 srcport=54512 srccountry="Reserved" srcintf="port10" srcintfrole="undefined" srcuuid="6ce0b8ca-30ae-51ea-a388-ceacbb4fb045" dstip=172.16.200.33 dstport=443 dstcountry="Reserved" dstintf="port9" dstintfrole="undefined" dstuuid="6ce0b8ca-30ae-51ea-a388-ceacbb4fb045" proto=6 httpmethod="GET" service="HTTPS" hostname="172.16.200.33" agent="curl/7.61.1" profile="header" reqtype="direct" url="https://172.16.200.33/" sentbyte=0 rcvdbyte=0 direction="incoming" action="blocked" banword="works" msg="URL was blocked because it contained banned word(s)." rawdata="[REQ] test_request_header=aaaaa||[RESP] Content-Type=text/html|ETag=\"34-5b23b9d3b67f4\""

Example 3: Extended log for DLP inspection

The following example shows DLP inspection being applied in a policy when extended-log is enabled in the DLP profile and DLP blocks the file.

config dlp profile
    edit "851560"
        set feature-set proxy
        config rule
            edit 1
                set name "851560"
                set proto http-get http-post
                set file-type 3
                set action block
            next
        end
        set extended-log enable
    next
end
1: date=2023-08-10 time=10:50:50 eventtime=1691689849954382569 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" filteridx=1 filtername="851560" dlpextra="file-type:3" filtertype="none" filtercat="file" severity="medium" policyid=1 poluuid="c3cd12ea-379f-51ee-c12b-ea7a6620d365" policytype="policy" sessionid=1024 epoch=1334644382 eventid=0 srcip=10.1.100.11 srcport=38182 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="8789d048-379f-51ee-ea7e-79004e2dda0c" dstip=172.16.200.55 dstport=80 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" dstuuid="8789d048-379f-51ee-ea7e-79004e2dda0c" proto=6 service="HTTP" filetype="pdf" direction="incoming" action="block" hostname="172.16.200.55" url="http://172.16.200.55/dlp/files/fortiauto.pdf" agent="curl/7.58.0" httpmethod="GET" filename="fortiauto.pdf" filesize=285442 profile="851560" rawdata="[RESP] Content-Type=application/pdf"