Rule Logs
This section provides logs related to rule processing and incident generation
EventType: PH_ANOMALY_CONFIG
Description: Anomaly Detection System Config Event
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
profDateType |
Profile Date Type |
uchar |
|
|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
EventType: PH_ANOMALY_LATERAL_MOVEMENT_ANALYZE
Description: FSM Anomaly engine: Lateral Movement Module in analyze mode
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
profDateType |
Profile Date Type |
uchar |
|
|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
|
startTime |
Start Time |
Date |
This is the start time of a given item or task, and is stored in epoch milliseconds |
|
endTime |
End Time |
Date |
This is the end time of a given item or task, stored in epoch milliseconds. |
EventType: PH_ANOMALY_LATERAL_MOVEMENT_DETECT
Description: FSM Anomaly engine detected Lateral Movement
Severity: 9 (High)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
profDateType |
Profile Date Type |
uchar |
|
|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
|
srcIpAddr |
Source IP |
IP |
Source IP of a device as identified in the event. |
|
srcIpAddrList |
Source IP List |
string |
Comma separated list of source IP addresses as identified in a log message |
|
destIpAddrList |
Destination IP List |
string |
Comma separated list of destination IP addresses as identified in a log message |
|
endTime |
End Time |
Date |
This is the end time of a given item or task, stored in epoch milliseconds. |
EventType: PH_ANOMALY_LATERAL_MOVEMENT_TRAIN
Description: FSM Anomaly engine: Lateral Movement Module in training mode
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
profDateType |
Profile Date Type |
uchar |
|
|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
|
startTime |
Start Time |
Date |
This is the start time of a given item or task, and is stored in epoch milliseconds |
|
endTime |
End Time |
Date |
This is the end time of a given item or task, stored in epoch milliseconds. |
EventType: PH_ANOMALY_SYSTEM
Description: Anomaly Detection System Event
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
profDateType |
Profile Date Type |
uchar |
|
|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
EventType: PH_ANOMALY_TIMER
Description: Anomaly Detection System Timer Event
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
profDateType |
Profile Date Type |
uchar |
|
|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
EventType: PH_DROP_EVENT_FROM_SHARED_BUFFER
Description: Event dropped from shared buffer
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
|
collectorId |
Collector ID |
uint32 |
This field captures the ID of a FortiSIEM Collector |
|
count |
Count |
uint32 |
A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group by parameters occurs again. The count is incremented and the Last Seen time is advanced. Count can be used for other events also. |
EventType: PH_DROP_INCIDENT
Description: Incident dropped
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
|
incidentId |
Incident ID |
uint64 |
Unique ID of a FortiSIEM Incident |
|
details |
Details |
string |
|
|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_DROP_INCIDENT_COUNT
Description: Dropped incident count
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
|
incidentCount |
Triggered Event Count |
uint32 |
This field represents the number of Triggering events in an Incident. |
|
policyName |
Policy Name |
string |
|
EventType: PH_JMS_QUEUE_SIZE_WARNING
Description: JMS Queue large
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_ML_ANOMALY_DETECTED
Description: Machine Learning Anomaly Detected
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMASTER_TEST_RULES_CHECK_SYNTAX
Description: Rule master starts to check syntax
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
EventType: PH_RULEMASTER_TEST_RULES_FINALIZE_STATE
Description: Rule master finalizes state report summary
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
EventType: PH_RULEMASTER_TEST_RULES_UPDATE_STATE
Description: Rule master updates state report summary
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
EventType: PH_RULEMOD_AGGREGATOR_EMPTY
Description: Rule Master/Rule Worker encountered empty aggregator. This rule definition will be incomplete
Severity: 5 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_ARITH_OP_ILLEGAL
Description: Rule Master/Rule Worker encountered illegal arithmetic operation. This rule evaluation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_RULEMOD_ATTR_ALREADY_ASSOCIATED
Description: Rule Master/Rule Worker encountered attribute already associated with given event type in '/opt/phoenix/bin/evtTypeAttrMapForSimpleRule.xml'. The process will terminate
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
compEventType |
Component Event Type |
string |
This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute. |
EventType: PH_RULEMOD_ATTR_ID_LOOKUP_BY_NAME_FAILED
Description: Rule Master/Rule Worker failed to lookup attribute ID by name in '/opt/phoenix/bin/evtTypeAttrMapForSimpleRule.xml'. The process could terminate depending on the attribute type
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_ATTR_ID_UNDEFINED
Description: Rule Master/Rule Worker encountered undefined attribute ID. This rule evaluation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_ATTR_MISSING
Description: Rule Master/Rule Worker failed to locate certain attribute in '/opt/phoenix/bin/evtTypeAttrMapForSimpleRule.xml'. This attribute will be skipped
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_ATTR_NAME_LOOKUP_BY_ID_FAILED
Description: Query Master/Rule Master/Rule Worker failed to lookup attribute name by ID. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_ATTR_UNDEFINED
Description: Query Master/Rule Master/Rule Worker encountered undefined event attribute. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_BUFFER_EMPTY
Description: Rule Master/Rule Worker encountered empty buffer in loading '/opt/phoenix/bin/evtTypeAttrMapForSimpleRule.xml'. The process will terminate
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_CLEAR_CONDITION_INVALID
Description: Query Master/Rule Master/Rule Worker encountered invalid clear condition in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_RULEMOD_CLEAR_CONDITION_SET_FAILED
Description: Query Master/Rule Master/Rule Worker failed to set clear condition in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_CONFIG_UNDEFINED
Description: Rule Master encountered undefined config item of db_server_host. Incident processing will not work
Severity: 9 (High)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
configName |
Config Name |
string |
|
EventType: PH_RULEMOD_CONSTRUCTOR_ERROR
Description: Rule Master/Rule Worker encountered error in constructor of given module. This rule evaluation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
module |
Module Name |
string |
|
EventType: PH_RULEMOD_CUST_ID_LIST_INVALID
Description: Query Master/Rule Master/Rule Worker encountered invalid customer ID list in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
task |
Task |
string |
|
EventType: PH_RULEMOD_DATA_REQUEST_PARSE_FAILED
Description: Query Master failed to parse data request from App Server. This inline query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
EventType: PH_RULEMOD_DATA_SIZE_OVERFLOW
Description: Rule Master/Rule Worker encountered data size exceeding its capacity. This rule parsing or evaluation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_DATA_UNSUPPORTED
Description: Rule Master/Rule Worker encountered unsupported data. This rule parsing or evaluation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_DB_SERVER_HOST_UNDEFINED
Description: Database server host not defined for rule master
Severity: 3 (Low)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
configName |
Config Name |
string |
|
EventType: PH_RULEMOD_DIR_OPEN_FAILED
Description: Rule Master/Rule Worker failed to open rule XML directory. The process will terminate
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
filePath |
File Path |
string |
|
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_RULEMOD_ENCODE_FAILED
Description: Query Master/Rule Master/Rule Worker failed to encode given data. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_ENTITY_VERSION_MISSING
Description: Query Master/Rule Master/Rule Worker failed to identify entity version of rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_EVENT_TYPE_GROUP_INVALID
Description: Rule Worker failed to parse certain event type group in rules. Affected rule evaluation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
eventTypeGrp |
Event Type Group |
string |
This field is not used |
EventType: PH_RULEMOD_EVENT_TYPE_NOT_FOUND
Description: Query Master/Rule Master/Rule Worker failed to find certain event type in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_EXCEPTION_ELEMENT_INVALID
Description: Rule Master encountered invalid element in rule exception. This rule exception parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
description |
Description |
string |
|
EventType: PH_RULEMOD_EXPR_EVAL_UNKNOWN
Description: Query Master encountered unknown expression evaluation of given operator type. This incident query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_RULEMOD_EXPR_PARSE_FAILED
Description: Query Master/Rule Master/Rule Worker failed to parse certain expression. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
task |
Task |
string |
|
EventType: PH_RULEMOD_EXPR_UNSUPPORTED
Description: Query Master/Rule Master/Rule Worker encountered unsupported expression in aggregate function. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
funName |
Function Name |
string |
|
EventType: PH_RULEMOD_FILE_OPEN_FAILED
Description: Rule Master/Rule Worker failed to open rule-related file. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
filePath |
File Path |
string |
|
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_RULEMOD_FILE_UNSPECIFIED
Description: Rule Master/Rule Worker encountered unspecified rule XML file. This rule update will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_RULEMOD_FORMAT_ERROR
Description: Query Master/Rule Master/Rule Worker encountered format error in given expression. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_FUNC_NOT_FOUND
Description: Query Master/Rule Master/Rule Worker failed to locate certain function in given expression. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
funName |
Function Name |
string |
|
EventType: PH_RULEMOD_FUNC_PARSE_FAILED
Description: Query Master/Rule Master/Rule Worker failed to parse certain function in given expression. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
funName |
Function Name |
string |
|
EventType: PH_RULEMOD_GLOBAL_CONSTRAINT_INVALID
Description: Query Master/Rule Master/Rule Worker encountered invalid global constraint in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
|
task |
Task |
string |
|
EventType: PH_RULEMOD_GROUPBY_LIST_INVALID
Description: Query Master/Rule Master/Rule Worker encountered invalid group-by list in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
task |
Task |
string |
|
EventType: PH_RULEMOD_GROUPBY_LIST_NOT_FOUND
Description: Query Master/Rule Master/Rule Worker failed to find group-by list in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_GROUP_EVENT_CONSTRAINT_INVALID
Description: Query Master/Rule Master/Rule Worker encountered invalid group event constraint in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
task |
Task |
string |
|
EventType: PH_RULEMOD_ID_LOOKUP_BY_INCIDENT_FAILED
Description: Rule Master failed to lookup rule ID by incident ID. This incident firing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
incidentId |
Incident ID |
uint64 |
Unique ID of a FortiSIEM Incident |
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
EventType: PH_RULEMOD_INCIDENT_ARG_INVALID
Description: Query Master/Rule Master/Rule Worker encountered invalid incident argument in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
task |
Task |
string |
|
EventType: PH_RULEMOD_INCIDENT_CACHE_NOT_FOUND
Description: Rule Master failed to find incident cache for given incident ID. This incident will not be cleared
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
incidentId |
Incident ID |
uint64 |
Unique ID of a FortiSIEM Incident |
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_INCIDENT_DEF_INVALID
Description: Query Master/Rule Master encountered invalid incident definition in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_INCIDENT_NOT_FOUND
Description: Rule Master failed to find given incident ID. This incident will not be cleared
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
incidentId |
Incident ID |
uint64 |
Unique ID of a FortiSIEM Incident |
EventType: PH_RULEMOD_INCIDENT_REPORT_SEND_FAILED
Description: Rule Master failed to send incident report to phParser. This incident will be missing in eventdb
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
destName |
Destination Host Name |
string |
Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address. |
|
destIpPort |
Destination TCP/UDP Port |
uint16 |
This is the destination TCP or UDP port as identified in the event |
EventType: PH_RULEMOD_INDEX_OVERFLOW
Description: Query Master encountered out-of-bound index in certain data. This incident query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
seqNum |
Sequence Number |
uint64 |
TCP Sequence number field in TCP header. |
|
size |
Size |
uint32 |
|
EventType: PH_RULEMOD_INFO_GET_FAILED
Description: FortiSIEM Report module failed to get statistics
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_IP_GET_FAILED
Description: Rule Worker failed to get host IP of Supervisor. Incident firing will not work
Severity: 9 (High)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
hostName |
Host Name |
string |
This is the hostname of the device of interest in the event |
EventType: PH_RULEMOD_IP_INVALID
Description: Query Master/Rule Master/Rule Worker found invalid IP in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
hostIpAddr |
Host IP |
IP |
This is the IP of the device of interest in the event. |
EventType: PH_RULEMOD_IP_TYPE_INVALID
Description: Invalid IP type
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_LOAD_METHOD_UNDEFINED
Description: Rule Master/Rule Worker encountered undefined rule load method. Rule loading will fail
Severity: 9 (High)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_MEM_ALLOC_FAILED
Description: Query Master/Rule Master/Rule Worker failed to allocate memory. The related operation will fail
Severity: 9 (High)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_MODULE_INIT_FAILED
Description: Rule Master/Rule Worker failed to be initialized. The process will terminate
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
module |
Module Name |
string |
|
|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_RULEMOD_MUTEX_ACQUIRE_FAILED
Description: Query Master/Rule Master/Rule Worker failed to acquire mutex. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
module |
Module Name |
string |
|
EventType: PH_RULEMOD_NOTIF_CONNECTION_FAILED
Description: Rule Master failed to establish notification connection to phParser. This incident will be missing in eventdb
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
destName |
Destination Host Name |
string |
Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address. |
|
destIpPort |
Destination TCP/UDP Port |
uint16 |
This is the destination TCP or UDP port as identified in the event |
EventType: PH_RULEMOD_OBJ_GET_FROM_SUBPATTERN_FAILED
Description: Rule Master failed to get certain object from subpattern. This incident cache update will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_OBJ_LOAD_FAILED
Description: Query Master/Rule Master/Rule Worker failed to load certain object in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_OP_NOT_FUNC
Description: Rule Master encountered an operator of non-function type. This incident initialization will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_OP_UNKNOWN
Description: Query Master/Rule Master/Rule Worker encountered unknown operator. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_PARSED_EVENT_LOAD_FAILED
Description: Rule Worker failed to load and skipped a parsed event, causing potential incident loss.
Severity: 5 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_PQ_ERROR
Description: Rule Master encountered PQ function error in Postgres DB. Incident processing will not work
Severity: 9 (High)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
funName |
Function Name |
string |
|
|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_RULEMOD_PROFILE
Description: FortiSIEM Rule resource usage profile
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
|
memTotalB |
Total Memory Bytes |
uint32 |
|
|
updateQueueSize |
Update Queue Size |
uint32 |
|
EventType: PH_RULEMOD_REM_BY_ZERO
Description: Rule Master/Rule Worker caught remainder-by-zero exception. Default value will be set instead
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_REM_BY_ZEROD
Description: FortiSIEM Report module failed to produce statistics
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_SELECT_ATTR_PARSE_FAILED
Description: Query Master/Rule Master/Rule Worker failed to parse and skipped certain select attribute. This rule parsing will be incomplete
Severity: 5 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_SELECT_SPEC_PARSE_FAILED
Description: Query Master/Rule Master/Rule Worker failed to parse at least one select spec field. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_SINGLE_EVENT_CONSTRAINT_INVALID
Description: Query Master/Rule Master/Rule Worker encountered invalid single event constraint in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
task |
Task |
string |
|
EventType: PH_RULEMOD_SUBPATTERN_INVALID
Description: Query Master/Rule Master/Rule Worker encountered invalid subpattern in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_RULEMOD_SUBPATTERN_MISSING
Description: Query Master/Rule Master/Rule Worker failed to locate certain subpattern in XML. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_SUBPATTERN_MORE_THAN_ONE
Description: Query Master/Rule Master/Rule Worker encountered more than one subpattern in simple rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_SUBPATTERN_UNDEFINED
Description: Query Master/Rule Master/Rule Worker encountered undefined subpattern in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_SUMMARY_UPLOAD_FAILED
Description: Rule Worker failed to upload rule summary to Rule Master, causing potential incident loss.
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_THREAD_SPAWN_FAILED
Description: Rule Master/Rule Worker failed to spawn thread during initialization. The process will terminate
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
funName |
Function Name |
string |
|
EventType: PH_RULEMOD_TOKEN_UNDEFINED
Description: Query Master/Rule Master/Rule Worker encountered undefined token of given type in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_TOKEN_UNEXPECTED
Description: Query Master/Rule Master/Rule Worker encountered unexpected token of given type in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_UNPACK_FAILED
Description: Rule Master failed to unpack rule data from Rule Workers, causing potential incident loss.
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_RULEMOD_VALUE_TYPE_UNEXPECTED
Description: Query Master encountered unexpected value type of certain attribute. This incident query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_XML_ELEMENT_EMPTY
Description: Query Master/Rule Master/Rule Worker encountered empty XML element. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_XML_ELEMENT_MISSING
Description: Query Master/Rule Master/Rule Worker encountered missing XML element. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_XML_ELEMENT_PARSE_FAILED
Description: Query Master failed to parse certain XML element. This inline query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_XML_ELEMENT_UNEXPECTED
Description: Query Master/Rule Master/Rule Worker encountered unexpected XML element. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_XML_ELEMENT_UNKNOWN
Description: Query Master/Rule Master/Rule Worker encountered unknown XML element. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_XML_LOAD_FAILED
Description: Rule Master/Rule Worker failed to load rule XML from file. This rule loading will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
filePath |
File Path |
string |
|
EventType: PH_RULEMOD_XML_PARSE_FAILED
Description: Query Master/Rule Master/Rule Worker failed to parse rule XML. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
task |
Task |
string |
|
|
totBytes64 |
Total Bytes64 |
uint64 |
Total number of sent and received bytes by a host. This has 64bit resolution. |
EventType: PH_RULEMOD_XML_POINTER_NULL
Description: NULL pointer in XML detected
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEWORKER_TEST_RULES_CHECK_SYNTAX
Description: Rule worker starts to check syntax
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
EventType: PH_RULEWORKER_TEST_RULES_EVENT_MATCH_STATUS
Description: Rule worker event test status
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
eventId |
Event ID |
uint64 |
This is a globally unique ID assigned to every raw event ingested into the SIEM. This is used by the system for tying events to incidents, and is typically not needed by end users. |
EventType: PH_SCHEDULED_RULE_QUERY_FAILED
Description: Failed to run query for scheduled rule
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
queryId |
Query Id |
string |
|
|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_TEST_RULES_PARSE_STATUS
Description: Syntax check status
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
EventType: PH_UPDATE_RULE_SUCCEED
Description: Rule update succeeded
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
|
Id |
Display name |
Type |
Description |
|---|---|---|---|
|
opName |
Operation Name |
string |
|
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |