
All Logs Page 5

Every FortiSIEM internally generated event log regardless of category



EventType: PH_QUERY_FILE_COPY_FAILED

Description: Query Master failed to copy query XML file from completed/active to eventdb directory - XXX

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
srcFilePath | Source File Path | string
destFilePath | Destination File Path | string
errorNoInt | Error Number Int | int32



EventType: PH_QUERY_FILE_CORRUPT

Description: Query Master found corrupt query status file for a particular query - query will not be completed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_QUERY_FILE_CREATE_FAILED

Description: Query Master / Worker failed to create query result file - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string
errorNoInt | Error Number Int | int32



EventType: PH_QUERY_FILE_EMPTY

Description: Query Master/Worker found empty query status backup file - system loses redundancy for this query

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_QUERY_FILE_HEADER_GET_FAILED

Description: Query Master failed to read query related file header from query result file - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_FILE_LINK_FAILED

Description: Query Master / Worker failed to hard link query result file - query cache will not be used

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
srcFilePath | Source File Path | string
destFilePath | Destination File Path | string
errorNoInt | Error Number Int | int32



EventType: PH_QUERY_FILE_MAGIC_BAD

Description: Query Master found bad query-related file magic inside query status or result file - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_FILE_MMAP_FAILED

Description: Query Master failed to memory-map summary event cache file - summary event query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string
errorNoInt | Error Number Int | int32



EventType: PH_QUERY_FILE_NAME_BAD

Description: Query Master found invalidly formatted summary event cache file - summary event query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_QUERY_FILE_OPEN_FAILED

Description: Query Master / Worker/ Data Manager failed to open query related file - related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string
errorNoInt | Error Number Int | int32



EventType: PH_QUERY_FILE_READ_FAILED

Description: Query Master / Worker/ Data Manager failed to read query related file - related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string
errorNoInt | Error Number Int | int32



EventType: PH_QUERY_FILE_REMOVE_FAILED

Description: Query Master failed to remove cached query result file - disk may eventually get full

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string
errorNoInt | Error Number Int | int32



EventType: PH_QUERY_FILE_SEEK_FAILED

Description: Query Master failed to seek trend file to offset for a specific inline report - that inline report will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string
seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header.



EventType: PH_QUERY_FILE_STAT_FAILED

Description: Query Master / Worker/ Data Manager failed to stat query related file - related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string
errorNoInt | Error Number Int | int32



EventType: PH_QUERY_FORMAT_UNSUPPORTED

Description: Query Master received unsupported report export file format from App Server - export will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_FUNC_ERROR

Description: Query Master / Worker encountered internal function error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
funName | Function Name | string
errorNoInt | Error Number Int | int32



EventType: PH_QUERY_ID_DUPLICATE

Description: Query Master / Worker encountered duplicate query ID assigned by App server - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
queryId | Query Id | string



EventType: PH_QUERY_ID_INACTIVE

Description: Query Master / Worker failed to retrieve supposedly active query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
queryId | Query Id | string



EventType: PH_QUERY_ID_NOT_FOUND

Description: Query Master / Worker could not find the Query ID in the task queue - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
queryId | Query Id | string



EventType: PH_QUERY_ID_REMOVE_FAILED

Description: Query Master failed to remove trigger event query ID from task queue - partial results will be returned

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
queryId | Query Id | string



EventType: PH_QUERY_ID_UNSUPPORTED

Description: Query Master found unsupported query type hint from App Server - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
queryId | Query Id | string



EventType: PH_QUERY_INLINEREQUEST_BAD

Description: Query Master received bad inline query request via TCP socket - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_IPC_EVENT_SEND_FAILED

Description: Query Master failed to send IPC event (containing heartbeat data) to Data Manager - trigger event queries may be slow

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
destIpAddr | Destination IP | IP | Destination IP of a device as identified in the event.



EventType: PH_QUERY_IP_GET_FAILED

Description: Query Master failed to get Supervisor IP - Query Master will not be able to communicate with the Supervisor Data Manager

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
hostName | Host Name | string | This is the hostname of the device of interest in the event



EventType: PH_QUERY_IP_INVALID

Description: Query Worker got invalid Query Master IP - queries will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event.



EventType: PH_QUERY_IP_TYPE_INVALID

Description: Invalid IP type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_LOGINTEGRITYEXPORT_TASK_CREAT_FAILED

Description: Data Manager failed to create task for exporting log integrity check request from App Server - request will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_LOGINTEGRITYEXPORT_TASK_INSERT_FAILED

Description: Data Manager failed to insert task for exporting log integrity check request from App Server into internal task queue - request will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_LOG_INTEGRITY_EXPORT_DIR_UNCONFIGURED

Description: Query Master failed to obtain log integrity export directory - particular request will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_LOG_INTEGRITY_EXPORT_FAILED

Description: Query Master failed to export bad event blocks from file - log integrity query from App server will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_QUERY_LONG_RUNNING_STOPPED

Description: Long running query stopped

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
queryId | Query Id | string
reportName | Report Name | string | FortiSIEM report name.



EventType: PH_QUERY_MEM_ALLOC_FAILED

Description: Query Master / Worker failed to allocate memory during event / rule processing

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64bit resolution.



EventType: PH_QUERY_MESSAGE_SEND_FAILED

Description: FortiSIEM Query Engine failed to send message

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
type | Type | string
destIpPort | Destination TCP/UDP Port | uint16 | This is the destination TCP or UDP port as identified in the event



EventType: PH_QUERY_MODULE_INIT_FAILED

Description: Query Master / Worker module failed to initialize

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
module | Module Name | string
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_QUERY_MODULE_UNCONFIGURED

Description: Query Master / Worker module failed to obtain some parameters from phoenix_config.txt during initialization - module likely will not start

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
module | Module Name | string



EventType: PH_QUERY_ONLINE_WORKER_CHANGED

Description: FortiSIEM Online Query Worker number changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
count | Count | uint32 | A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group by parameters occurs again, the count is incremented and the Last Seen time is advanced. Count can be used for other events also.



EventType: PH_QUERY_PARSED_EVENT_LOAD_FAILED

Description: Query Worker failed to load a parsed event from the shared buffer during a real-time query - the real-time query may not show events from this Query Worker node

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_PARTIAL_WORKER_FAILURE

Description: Partial query results due to worker failure

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
queryId | Query Id | string
reportName | Report Name | string | FortiSIEM report name.



EventType: PH_QUERY_PCAP_FINALIZE_FAILED

Description: Query Master failed to finalize pcap export - export will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_PCAP_LOAD_FAILED

Description: Query Master failed to load query results in pcap format - results will not be complete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header.



EventType: PH_QUERY_PCAP_RENAME_FAILED

Description: Query Master failed to rename pcap file - export will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
srcFilePath | Source File Path | string
destFilePath | Destination File Path | string
errorNoInt | Error Number Int | int32



EventType: PH_QUERY_PCAP_TRANSFER_FAILED

Description: Query Master failed to transfer event to pcap packet - results will not be complete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header.



EventType: PH_QUERY_PGDB_EXEC_SQL_FAILED

Description: Query Master failed to execute SQL statement against Supervisor Postgres DB for Incident Query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
dbQuery | Database Query | string



EventType: PH_QUERY_PGDB_RECONNECT_FAILED

Description: Query Master failed to reconnect to Supervisor Postgres DB - Query Master will remain disconnected and all incident queries will fail

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_QUERY_PGDB_SQL_GET_VAL_FAILED

Description: Query Master failed to get column value from SQL result - incident query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_POST_FILTER_PARSE_FAILED

Description: Query Master failed to parse post-filter inline query results - no post-filtering is going to occur

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
task | Task | string



EventType: PH_QUERY_PQ_ERROR

Description: FortiSIEM Postgres DB connection or execution error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
funName | Function Name | string
errorString | Error String | string | This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_PROCESS_GET_FAILED

Description: Query Master failed to get its own parent process

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_PROFILE_ATTR_UNSPECIFIED

Description: Query Master failed to find specified attribute in Profile Query XML from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_PROFILE_EVENT_TYPE_ERROR

Description: Query Master encountered unexpected event type in a Profile Query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_PROFILE_FUNCITION_ERROR

Description: Query Master hit Function error while executing Profile Query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_PROFILE_NOT_MARKED_AS_BASELINE

Description: Query Master will not execute a profile query since it is not marked as baseline

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
queryId | Query Id | string



EventType: PH_QUERY_PROGRESS_REJECTED

Description: Query Worker failed to upload query progress to Query Master - some progress reporting will be skipped

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
queryId | Query Id | string
httpStatusCode | HTTP Status | string



EventType: PH_QUERY_REPORTEXPORT_TASK_CREAT_FAILED

Description: Query Master failed to create task for exporting CSV/PCAP formatted Query request from App Server - export will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_REPORTEXPORT_TASK_INSERT_FAILED

Description: Query Master failed to insert task for exporting CSV/PCAP formatted Query request from App Server into internal task queue - export will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_REPORT_RESULTS_LOAD_FAILED

Description: Query Master failed to load inline query report results from file - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_QUERY_REPORT_RESULTS_POST_FILTER_FAILED

Description: Query Master failed to post-filter inline query report results - no post-filtering is going to occur

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_REPORT_RESULT_FILE_NOT_EXIST

Description: Query report result file does not exist

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_QUERY_REQUEST_BAD

Description: FortiSIEM Query Engine received bad request

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.
queryId | Query Id | string



EventType: PH_QUERY_RESULT_FILES_MERGE_FAILED

Description: Query Master failed to merge inline query result files - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_RESULT_GET_FAILED

Description: Query Master failed to produce inline query result / CSV export - operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header.



EventType: PH_QUERY_RESULT_NOT_READY

Description: Query Master failed to find Query result directory for CSV export

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_RESULT_PARSE_FAILED

Description: Query Master failed to parse trigger event query result from Data Manager

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header.
queryId | Query Id | string



EventType: PH_QUERY_RESULT_REJECTED

Description: Query Master rejected query result upload from Query Worker

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string
httpStatusCode | HTTP Status | string



EventType: PH_QUERY_RESULT_SAVE_FAILED

Description: FortiSIEM Query Engine failed to save query result

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header.



EventType: PH_QUERY_RESULT_UPLOAD_FAILED

Description: Query Worker failed to upload query result to Query Master - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
destIpAddr | Destination IP | IP | Destination IP of a device as identified in the event.
queryId | Query Id | string
filePath | File Path | string
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_QUERY_RT_ERROR

Description: Query Worker spawned excessive threads to handle real-time search and will exit

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous to attribute errReason



EventType: PH_QUERY_SORT_SPEC_GET_FAILED

Description: Query Master failed to get sort specification for cached query result - query will automatically rerun

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_START_FAILED

Description: Query Worker failed to start a query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.
queryId | Query Id | string
reportName | Report Name | string | FortiSIEM report name.



EventType: PH_QUERY_STATE_BAD

Description: Query Master encountered invalid query state - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
queryId | Query Id | string



EventType: PH_QUERY_STATUS_LOAD_FAILED

Description: Query Master failed to load query status from disk - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_STATUS_SAVE_FAILED

Description: Query Master failed to save query status to disk - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_SUMM_ATTR_BAD

Description: Query Master encountered bad attribute in Summary Dashboard data cache - cache will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_SUMM_ATTR_MISSING

Description: Query Master failed to locate an attribute in Summary Dashboard data cache - cache will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_SUMM_ATTR_UPDATE_FAILED

Description: Query Master failed to update certain host attribute in Summary Dashboard data cache - cache will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event.



EventType: PH_QUERY_SUMM_COLUMN_UNSUPPORTED

Description: Query Master encountered unsupported attribute in Summary Dashboard data cache - cache will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_SUMM_EVENT_SKIPPED

Description: Query Master skipped a bad event for Summary Dashboard data cache - performance metrics will be partially updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
compEventType | Component Event Type | string | This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute.
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_QUERY_SUMM_PARSE_FAILED

Description: Query Master failed to parse Summary Dashboard Query XML - one query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
task | Task | string



EventType: PH_QUERY_SUMM_PERF_ETINFO_UNSUPPORTED

Description: Query Master encountered unsupported perfETInfo in Summary Dashboard Query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_TASK_INVALID

Description: FortiSIEM Query task and worker IP do not match

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
task | Task | string
clientIpAddr | Client IP | IP



EventType: PH_QUERY_TASK_REROUTED

Description: FortiSIEM Query task is rerouted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
task | Task | string
srcIpAddr | Source IP | IP | Source IP of a device as identified in the event.
destIpAddr | Destination IP | IP | Destination IP of a device as identified in the event.



EventType: PH_QUERY_TASK_REROUTE_FAILED

Description: FortiSIEM Query Task Reroute failed

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
task | Task | string
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_QUERY_VALUE_TYPE_UNSUPPORTED

Description: FortiSIEM Query Engine encountered bad value type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_WORKERS_GET_FAILED

Description: Query Master failed to get the list of query workers - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_QUERY_WORKERS_SPLIT_AMONG_FAILED

Description: Query Master failed to split query among workers - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
queryId | Query Id | string



EventType: PH_QUERY_WORKER_CHANGED_TO_OFFLINE

Description: FortiSIEM Query Worker Status Changed from online to offline

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
serverIpAddr | Server IP | IP



EventType: PH_QUERY_WORKER_CHANGED_TO_ONLINE

Description: FortiSIEM Query Worker Status Changed from offline to online

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
serverIpAddr | Server IP | IP
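The worker status events above (PH_QUERY_WORKER_CHANGED_TO_OFFLINE, PH_QUERY_WORKER_CHANGED_TO_ONLINE, PH_QUERY_ONLINE_WORKER_CHANGED) together with PH_QUERY_PARTIAL_WORKER_FAILURE and PH_QUERY_RESULT_UPLOAD_FAILED are the ones that tell an analyst a search may have silently returned less than the full event set, which matters when that search is the evidence in an investigation. The Python check below is an added example, not FortiSIEM code: it walks the internal event stream in order, tracks which workers are currently reported offline, and attaches that set to every later event whose documented consequence is incomplete results, so the SOC can tell a transient worker outage from a persistent query-path failure. The `[PH_...]:[key]=value,...` line layout, the PHL_* severity strings and the five sample lines are constructed assumptions; the numeric severities are the ones listed on this page.

```python
import re

# Severities as listed on this page for the event types this check cares about
# (assumption: the numeric value shown in each entry above is what the SIEM emits).
SEVERITY = {
    "PH_QUERY_MODULE_INIT_FAILED": 10,
    "PH_QUERY_MODULE_UNCONFIGURED": 10,
    "PH_QUERY_PGDB_RECONNECT_FAILED": 10,
    "PH_QUERY_WORKER_CHANGED_TO_OFFLINE": 6,
    "PH_QUERY_WORKER_CHANGED_TO_ONLINE": 1,
    "PH_QUERY_PARTIAL_WORKER_FAILURE": 7,
    "PH_QUERY_RESULT_UPLOAD_FAILED": 7,
}

# Event types whose description on this page says the query returns partial or no results.
INCOMPLETE_RESULT_EVENTS = {
    "PH_QUERY_PARTIAL_WORKER_FAILURE",
    "PH_QUERY_RESULT_UPLOAD_FAILED",
    "PH_QUERY_ID_REMOVE_FAILED",
    "PH_QUERY_PCAP_LOAD_FAILED",
}

# Constructed sample lines in the assumed "[PH_...]:[key]=value,..." layout.
SAMPLE_LINES = [
    "2024-05-01T10:00:01Z sp1 phQueryMaster[4101]: [PH_QUERY_WORKER_CHANGED_TO_OFFLINE]:[eventSeverity]=PHL_WARNING,[serverIpAddr]=10.10.1.21,[phLogDetail]=worker heartbeat lost",
    "2024-05-01T10:00:07Z sp1 phQueryMaster[4101]: [PH_QUERY_PARTIAL_WORKER_FAILURE]:[eventSeverity]=PHL_ERROR,[queryId]=2f1c9e,[reportName]=Failed Logons Last 24h",
    "2024-05-01T10:02:30Z sp1 phQueryMaster[4101]: [PH_QUERY_WORKER_CHANGED_TO_ONLINE]:[eventSeverity]=PHL_INFO,[serverIpAddr]=10.10.1.21",
    "2024-05-01T10:05:00Z sp1 phQueryMaster[4101]: [PH_QUERY_PGDB_RECONNECT_FAILED]:[eventSeverity]=PHL_ERROR,[phLogDetail]=connection refused",
    "2024-05-01T10:05:02Z sp1 phQueryWorker[5120]: [PH_QUERY_RESULT_UPLOAD_FAILED]:[eventSeverity]=PHL_ERROR,[destIpAddr]=10.10.1.10,[queryId]=7aa0d1,[filePath]=/opt/phoenix/cache/7aa0d1.res,[errReason]=connect timeout",
]

EVENT_TYPE_RE = re.compile(r"\[(PH_[A-Z0-9_]+)\]:")
# Values end at the next comma; a free-text field containing commas would be truncated.
ATTR_RE = re.compile(r"\[(\w+)\]=([^,]*)")


def parse_event(line):
    """Return {'eventType': ..., attr: value, ...} for one line, or None if no PH_ event type."""
    m = EVENT_TYPE_RE.search(line)
    if not m:
        return None
    event = {"eventType": m.group(1)}
    event.update(ATTR_RE.findall(line[m.end():]))
    return event


def analyze(lines):
    """Correlate worker offline/online transitions with later incomplete-result events.

    Returns a list of findings in stream order:
      module_down        - a severity-10 event (query engine component cannot run)
      incomplete_results - an event whose documented outcome is partial/failed results,
                           annotated with the workers offline at that moment
    """
    offline = set()  # serverIpAddr values currently reported offline
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        et = ev["eventType"]
        ip = ev.get("serverIpAddr")
        if et == "PH_QUERY_WORKER_CHANGED_TO_OFFLINE" and ip:
            offline.add(ip)
        elif et == "PH_QUERY_WORKER_CHANGED_TO_ONLINE" and ip:
            offline.discard(ip)
        if SEVERITY.get(et, 0) >= 10:
            findings.append({"kind": "module_down", "eventType": et, "module": ev.get("module")})
        if et in INCOMPLETE_RESULT_EVENTS:
            findings.append({
                "kind": "incomplete_results",
                "eventType": et,
                "queryId": ev.get("queryId"),
                "reportName": ev.get("reportName"),
                "workersOffline": sorted(offline),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f)
```

Running it over the constructed sample yields three findings: the partial-result event for query 2f1c9e is attributed to worker 10.10.1.21 being offline, the Postgres reconnect failure is surfaced as a component outage, and the later upload failure for 7aa0d1 carries an empty offline set, which points at the Master/Worker network path rather than a worker outage. Against a real deployment, feed it the phoenix log lines for the Query Master and Query Workers and treat an incomplete_results finding as a reason to rerun the affected report before relying on it.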



EventType: PH_QUERY_XML_PARSE_FAILED

Description: Query Master / Worker failed to parse query XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
task | Task | string
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64bit resolution.



EventType: PH_READER_BLOCK_WRITE

Description: Reader is blocking writer - the reported process will be restarted

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
reptProcName | Reported Process Name | string



EventType: PH_REPORT_ACTION_STATUS

Description: Record action result for report notification

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_REPORT_ACT_FAILED

Description: Query Master/Query Worker/Report Worker/Report Loader failed to perform requested ACTION from App Server, i.e. UPDATE, REMOVE. Event Role will not be updated.

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
roleId | Role ID | uint32



EventType: PH_REPORT_AGGR_FIELDS_EMPTY

Description: Report Master/Report Worker encountered empty aggregate fields. Report file will be incomplete

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_REPORT_AGGR_FIELD_NOT_ADDED

Description: Query Master/Report Master/Report Worker failed to add certain aggregate field to report schema. The schema will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_AGGR_FUNC_EMPTY

Description: Report Master/Report Worker encountered empty aggregate function. Report file will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
reportId | Report ID | uint32



EventType: PH_REPORT_AGGR_TYPE_ERROR

Description: Report Master/Report Worker encountered aggregate type error. Report file will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous to attribute errReason



EventType: PH_REPORT_AGGR_TYPE_UNDEFINED

Description: Report Master/Report Worker encountered undefined aggregate type. Report file will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_ATTR_ID_UNSUPPORTED

Description: Report Master/Report Worker encountered unsupported attribute ID. Report file will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_ATTR_MISSING

Description: Report Master/Report Worker failed to locate certain attribute. Report file will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_ATTR_UNDEFINED

Description: Report Master/Report Worker encountered undefined attribute. Report file will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_BUFFER_OVERFLOW

Description: Report buffer overflow

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
size | Size | uint32



EventType: PH_REPORT_CHECKSUM_MISMATCH

Description: Query Master encountered checksum mismatch in report results. The inline query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_CONFIG_UPDATE_NULL

Description: Report Worker/Report Loader encountered NULL object in config update. Config update will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_CONVERT_FAILED

Description: FortiSIEM internal error used for testing

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
queryId | Query Id | string



EventType: PH_REPORT_DATA_INIT_FAILED

Description: Query Master/Report Master failed to initialize report results block data. This inline query or report rolling will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_DATA_SIZE_MISMATCH

Description: Query Master/Report Master/Report Worker/Report Loader encountered size mismatch between two pieces of data. The affected operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
reportId | Report ID | uint32



EventType: PH_REPORT_DATA_SIZE_OVERFLOW

Description: Query Master/Report Master/Report Worker/Report Loader encountered data size overflow. The affected operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_DATA_SIZE_UNEXPECTED

Description: Query Master/Report Master/Report Worker/Report Loader encountered unexpected data size. The affected operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_DATA_SIZE_UNKNOWN

Description: Query Master/Report Master/Report Worker/Report Loader encountered unknown data size. The affected operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_DATA_TYPE_UNEXPECTED

Description: Query Master/Report Master/Report Worker/Report Loader encountered unexpected data type. The affected operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_DIR_CREATE_FAILED

Description: FortiSIEM Report Engine failed to create directory

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string
errorNoInt | Error Number Int | int32



EventType: PH_REPORT_DIR_OPEN_FAILED

Description: FortiSIEM Report Engine failed to open directory

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string
errorNoInt | Error Number Int | int32



EventType: PH_REPORT_DIR_REMOVE_FAILED

Description: FortiSIEM Report Engine failed to remove directory

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string
errorNoInt | Error Number Int | int32



EventType: PH_REPORT_ES_BUCKETS_EMPTY

Description: Data Manager encountered empty Elastic Search buckets. Report data will not be written to disk

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_ES_POST_FAILED

Description: Report Master/Report Worker failed to POST Elastic Search data to App Server. Report data will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
task | Task | string
errorString | Error String | string | This is the error message, synonymous to attribute errReason
httpStatusCode | HTTP Status | string



EventType: PH_REPORT_ES_PROFILE_EMPTY

Description: Report Master encountered empty Elastic Search profile. Report data will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
reportId | Report ID | uint32 |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant



EventType: PH_REPORT_ES_PROFILE_TIMEOUT

Description: Report Master encountered timeout in Elastic Search profile response. This profile will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
reportId | Report ID | uint32 |



EventType: PH_REPORT_ES_PURGE_INDEX_FAILED

Description: Elastic Search Purge Inline Report Index Failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_ES_TIME_RANGE_INVALID

Description: Report Master encountered invalid time range in Elastic Search profile query. This query will fail to be built

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_EXPR_PARSE_FAILED

Description: Query Master failed to parse schema expression. This inline query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |



EventType: PH_REPORT_FILE_CONTENT_MISSING

Description: Report Master failed to locate certain content in report file. Report rolling will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |



EventType: PH_REPORT_FILE_COPY_FAILED

Description: Report Master/Report Worker failed to copy report file. Report data will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
srcFilePath | Source File Path | string |
destFilePath | Destination File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_FILE_HEADER_BAD

Description: Query Master/Report Master/Report Worker encountered bad report file header. This inline query or report rolling will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |



EventType: PH_REPORT_FILE_INIT_FAILED

Description: Report Master/Report Worker failed to initialize report file. Report data will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |



EventType: PH_REPORT_FILE_LINK_FAILED

Description: Report Master failed to link report file. Report data will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
srcFilePath | Source File Path | string |
destFilePath | Destination File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_FILE_MAGIC_BAD

Description: Query Master/Report Master/Report Worker encountered bad report file magic. Inline query or report data will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |



EventType: PH_REPORT_FILE_MMAP_FAILED

Description: Query Master/Report Master failed to memory-map report file. This inline query or report rolling will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_FILE_NAME_BAD

Description: Report Master/Report Loader encountered bad report file name. This report rolling or loading will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |



EventType: PH_REPORT_FILE_OPEN_FAILED

Description: Query Master/Report Master/Report Worker/Report Loader failed to open report file. Related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_FILE_PARSE_FAILED

Description: FortiSIEM Report Engine failed to parse file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |



EventType: PH_REPORT_FILE_READ_FAILED

Description: Identity Master/Identity Worker failed to read entry IDs file. The process will terminate

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_FILE_REMOVE_FAILED

Description: Report Master failed to remove report file. Disk will eventually be full

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_FILE_RENAME_FAILED

Description: Report Master failed to rename report file. This report rolling will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
srcFilePath | Source File Path | string |
destFilePath | Destination File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_FILE_RSYNC_FAILED

Description: Report Master failed to rsync report file to remote super

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
srcFilePath | Source File Path | string |
targetHostName | Target Host Name | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_FILE_STAT_FAILED

Description: Report Worker/Report Loader failed to stat report file. This report writing or loading will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_FILE_TYPE_UNKNOWN

Description: Report Worker/Report Loader encountered unknown report file type. This report writing or loading will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |



EventType: PH_REPORT_FILE_UNSPECIFIED

Description: Report Master/Report Worker encountered unspecified report file. Report data will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_REPORT_FILE_WRITE_FAILED

Description: Identity Master/Identity Worker failed to write entry IDs to file. The process will terminate

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_FUNC_OBJ_DEF_ERROR

Description: Internal error and highly generic. Refer to [procName] and [phLogDetail] tags in the actual log

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_REPORT_FUNC_OBJ_DEF_GET_FAILED

Description: Internal error and highly generic. Refer to [procName] and [phLogDetail] tags in the actual log

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_FUNC_OBJ_DEF_UNKNOWN

Description: Internal error and highly generic. Refer to [procName] and [phLogDetail] tags in the actual log

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_ID_LOC_DEVICE_EXCLUDED_INVALID

Description: FortiSIEM Identity and location module encountered invalid excluded device

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_ID_LOC_EVENT_SEND_FAILED

Description: FortiSIEM Identity and location module failed to upload events

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64-bit resolution.



EventType: PH_REPORT_ID_LOC_RESULT_UPLOAD_FAILED

Description: FortiSIEM Identity and location module failed to upload results to App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
httpStatusCode | HTTP Status | string |



EventType: PH_REPORT_ID_LOC_SYNCH_DATA_UPLOAD_FAILED

Description: FortiSIEM Identity and location module failed to upload Synch Data (Worker to Master)

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64-bit resolution.



EventType: PH_REPORT_ID_LOC_USER_ALREADY_EXCLUDED

Description: FortiSIEM Identity and location module found already excluded user

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
user | User | string |



EventType: PH_REPORT_ID_LOC_USER_EXCLUDE_FAILED

Description: FortiSIEM Identity and location module failed to exclude user

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
user | User | string |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant



EventType: PH_REPORT_INDEX_OVERFLOW

Description: Query Master/phRuleMaster/Report Master/Report Worker/Report Loader/Data Manager/Identity Master/Identity Worker encountered index out of bounds. Related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header.
size | Size | uint32 |



EventType: PH_REPORT_IP_GET_FAILED

Description: Failed to get host IP

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
hostName | Host Name | string | This is the hostname of the device of interest in the event



EventType: PH_REPORT_IP_TYPE_INVALID

Description: Invalid IP type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_KEY_LOAD_FAILED

Description: FortiSIEM Report module failed to load event attribute keys

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_REPORT_MODULE_INIT_FAILED

Description: Report Master/Report Worker/Report Loader/Identity Master/Identity Worker failed to initialize certain module. Related operation will fail

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
module | Module Name | string |
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_REPORT_MODULE_UNCONFIGURED

Description: Report Worker encountered unconfigured item. The process will terminate

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
module | Module Name | string |



EventType: PH_REPORT_OLD_REPORT_DATA

Description: Report Master encountered older report data from Worker; consider enlarging block_collection_window

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_REPORT_OP_UNEXPECTED

Description: Query Master/Report Master/Report Worker encountered unexpected operator type. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_ORDER_BY_ATTR_EMPTY

Description: Query Master/phRuleMaster/Report Master encountered empty order-by attributes in report. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
reportId | Report ID | uint32 |



EventType: PH_REPORT_ORDER_BY_INVALID

Description: Query Master/phRuleMaster/Report Master encountered invalid order-by attributes in report. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
reportId | Report ID | uint32 |



EventType: PH_REPORT_PACK_FAILED

Description: Failed to pack data

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_REPORT_PACK_FAILED_COUNT

Description: Failed to pack or unpack data

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_REPORT_PARSED_EVENT_LOAD_FAILED

Description: FortiSIEM Report module failed to load event

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_PGDB_CONNECT_FAILED

Description: Report Loader failed to connect to Postgres DB. Report loading will fail

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_REPORT_PGDB_EXEC_FAILED

Description: Report Loader failed to execute SQL statement in Postgres DB. This report loading will fail

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbQuery | Database Query | string |



EventType: PH_REPORT_PGDB_NOT_CONNECTED

Description: Query Master/Report Loader encountered disconnected Postgres DB while executing SQL statement. This incident query or report loading will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbQuery | Database Query | string |



EventType: PH_REPORT_PGDB_NOT_INIT

Description: Query Master/Report Loader encountered uninitialized Postgres DB connection manager. The process will terminate

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_REPORT_POINTER_NULL

Description: Query Master/phRuleMaster/Report Master/Report Worker/Report Loader/Data Manager/Identity Master/Identity Worker encountered NULL pointer. Related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_POINTER_NULL_WARNING

Description: NULL pointer detected

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_POSITIVE_INTEGER_EXPECTED

Description: Query Master/Data Manager expected positive integer in performance data but got another value. Default value will be set instead

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
compEventType | Component Event Type | string | This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute.



EventType: PH_REPORT_PQ_ERROR

Description: Query Master/Report Loader encountered PQ function error in Postgres DB. This incident query or report loading will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
funName | Function Name | string |
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_REPORT_PROFILE_TYPE_BAD

Description: FortiSIEM Report module encountered bad profile

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_PROFILE_TYPE_WRONG_FORMAT

Description: Query Master encountered wrong format of profile. This inline query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
reportId | Report ID | uint32 |



EventType: PH_REPORT_PROFILE_UPDATE_FAILED

Description: FortiSIEM Report module failed to upload profile

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
profDateType | Profile Date Type | uchar |



EventType: PH_REPORT_ROW_LENGTH_ZERO

Description: Query Master encountered empty row for given report ID. This inline query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
reportId | Report ID | uint32 |



EventType: PH_REPORT_RULE_ATTR_MISSING

Description: Query Master failed to locate certain rule attribute in profile. This profile query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_REPORT_SCHEMA_INCOMPATIBLE

Description: Query Master/Report Master encountered incompatible report schema. This inline query or report rolling will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_SCHEMA_INVALID

Description: Query Master/Report Master encountered invalid report schema. This inline query or report rolling will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_SCHEMA_LOAD_FAILED

Description: Query Master/Report Master failed to load report schema. This inline query or report rolling will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_SQLITE3_BATCH_BEGIN_FAILED

Description: Report Master failed to begin SQLite3 batch transaction. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
profDateType | Profile Date Type | uchar |
hourOfDay | Hour Of Day | uint16 | This attribute is not used



EventType: PH_REPORT_SQLITE3_BATCH_COMMIT_FAILED

Description: Report Master failed to commit SQLite3 batch transaction. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
profDateType | Profile Date Type | uchar |
hourOfDay | Hour Of Day | uint16 | This attribute is not used



EventType: PH_REPORT_SQLITE3_BIND_VALUE_FAILED

Description: Report Master failed to bind certain value to SQLite3. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
tablespaceName | DB Tablespace Name | string |
dbRetCode | DB Return Code | uint32 |
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_REPORT_SQLITE3_BUSY

Description: Report Master encountered SQLite3 busy state. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbRetCode | DB Return Code | uint32 |
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_REPORT_SQLITE3_BUSY_TIMEOUT_ERROR

Description: Report Master encountered SQLite3 busy timeout. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
dbRetCode | DB Return Code | uint32 |



EventType: PH_REPORT_SQLITE3_CHECKPOINT_FAILED

Description: FortiSIEM Report module failed to checkpoint profile

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
dbRetCode | DB Return Code | uint32 |
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_REPORT_SQLITE3_COMMIT_ERROR

Description: Report Master encountered commit error in SQLite3. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
tablespaceName | DB Tablespace Name | string |



EventType: PH_REPORT_SQLITE3_CONFIG_FAILED

Description: Report Master failed to configure SQLite3 with multi-thread mode. Performance will degrade

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
dbRetCode | DB Return Code | uint32 |
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_REPORT_SQLITE3_ENABLE_SHARED_CACHE_FAILED

Description: Report Master failed to enable shared cache for SQLite3. Performance will degrade

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
dbRetCode | DB Return Code | uint32 |



EventType: PH_REPORT_SQLITE3_EXEC_FAILED

Description: Report Master failed to execute SQLite3 statement. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
dbQuery | Database Query | string |
dbRetCode | DB Return Code | uint32 |
errorString | Error String | string | This is the error message, synonymous with attribute errReason
tablespaceName | DB Tablespace Name | string |



EventType: PH_REPORT_SQLITE3_EXTENDED_RESULT_CODES_ERROR

Description: Report Master failed to enable extended result codes for SQLite3. Maintainability will degrade

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
dbRetCode | DB Return Code | uint32 |



EventType: PH_REPORT_SQLITE3_OPEN_FAILED

Description: Report Master failed to open SQLite3. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
dbRetCode | DB Return Code | uint32 |
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_REPORT_SQLITE3_PREPARE_ERROR

Description: Report Master failed to prepare SQLite3 statement. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
tablespaceName | DB Tablespace Name | string |
dbQuery | Database Query | string |
dbRetCode | DB Return Code | uint32 |
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_REPORT_SQLITE3_PROFILE_ENTRY_DELETE_FAILED

Description: Report Master failed to delete profile entry from SQLite3. Profile or Daily DB will contain redundant data

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
reportId | Report ID | uint32 |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
profDateType | Profile Date Type | uchar |
hourOfDay | Hour Of Day | uint16 | This attribute is not used



EventType: PH_REPORT_SQLITE3_PROFILE_NOT_FOUND

Description: Report Master failed to find profile ID in SQLite3. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
reportId | Report ID | uint32 |



EventType: PH_REPORT_SQLITE3_STEP_ERROR

Description: Report Master failed to step SQLite3 statement. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
tablespaceName | DB Tablespace Name | string |
dbRetCode | DB Return Code | uint32 |
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_REPORT_UNPACK_FAILED

Description: Rule Master failed to unpack rule data from Rule Workers, causing potential incident loss.

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_REPORT_VALUE_TYPE_LOOKUP_BY_ID_FAILED

Description: Report-related process failed to look up value type by attribute ID. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_VALUE_TYPE_LOOKUP_BY_NAME_FAILED

Description: Report-related process failed to look up value type by attribute name. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_VALUE_TYPE_OF_ID_UNEXPECTED

Description: Report-related process encountered unexpected value type of certain attribute ID. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_VALUE_TYPE_OF_NAME_UNEXPECTED

Description: Report-related process encountered unexpected value type of certain attribute name. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_VALUE_TYPE_OF_STAT_UNEXPECTED

Description: Report-related process encountered unexpected value type of stat item. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_VALUE_TYPE_UNSUPPORTED

Description: Report-related process encountered unsupported value type. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_WORKER_UPLOAD_FAILED

Description: Failed to upload a data block buffer

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
reportId | Report ID | uint32 |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant



EventType: PH_REPORT_XML_ELEMENT_DUPLICATE

Description: Query Master encountered duplicate XML element. This performance metrics update will not be complete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64-bit resolution.
compEventType | Component Event Type | string | This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute.



EventType: PH_REPORT_XML_ELEMENT_MISSING

Description: Report Master failed to locate certain XML element. This report rolling will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64-bit resolution.



EventType: PH_REPORT_XML_ELEMENT_PARSE_FAILED

Description: Query Master failed to parse certain XML element. This performance metrics update will not be complete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64-bit resolution.
compEventType | Component Event Type | string | This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute.



EventType: PH_REPORT_XML_PARSE_FAILED

Description: Report-related process failed to parse certain XML. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64-bit resolution.



EventType: PH_REPORT_ZLIB_COMPRESSION_TYPE_UNKNOWN

Description: Query Master encountered unknown Zlib compression type for report results file. This inline query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_ZLIB_UNCOMPRESS_FAILED

Description: Query Master failed to uncompress Zlib report results file. This inline query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
exitValue | Command exit value | int32 |



EventType: PH_RULEMASTER_TEST_RULES_CHECK_SYNTAX

Description: Rule master starts to check syntax

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.



EventType: PH_RULEMASTER_TEST_RULES_FINALIZE_STATE

Description: Rule master finalizes state report summary

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.



EventType: PH_RULEMASTER_TEST_RULES_UPDATE_STATE

Description: Rule master updates state report summary

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.



EventType: PH_RULEMOD_AGGREGATOR_EMPTY

Description: Rule Master/Rule Worker encountered empty aggregator. This rule definition will be incomplete

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_ARITH_OP_ILLEGAL

Description: Rule Master/Rule Worker encountered illegal arithmetic operation. This rule evaluation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_RULEMOD_ATTR_ALREADY_ASSOCIATED

Description: Rule Master/Rule Worker encountered attribute already associated with given event type in '/opt/phoenix/bin/evtTypeAttrMapForSimpleRule.xml'. The process will terminate

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
compEventType | Component Event Type | string | This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute.



EventType: PH_RULEMOD_ATTR_ID_LOOKUP_BY_NAME_FAILED

Description: Rule Master/Rule Worker failed to look up attribute ID by name in '/opt/phoenix/bin/evtTypeAttrMapForSimpleRule.xml'. The process could terminate depending on the attribute type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_ATTR_ID_UNDEFINED

Description: Rule Master/Rule Worker encountered undefined attribute ID. This rule evaluation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_ATTR_MISSING

Description: Rule Master/Rule Worker failed to locate certain attribute in '/opt/phoenix/bin/evtTypeAttrMapForSimpleRule.xml'. This attribute will be skipped

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_ATTR_NAME_LOOKUP_BY_ID_FAILED

Description: Query Master/Rule Master/Rule Worker failed to look up attribute name by ID. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_ATTR_UNDEFINED

Description: Query Master/Rule Master/Rule Worker encountered undefined event attribute. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_BUFFER_EMPTY

Description: Rule Master/Rule Worker encountered empty buffer in loading '/opt/phoenix/bin/evtTypeAttrMapForSimpleRule.xml'. The process will terminate

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_CLEAR_CONDITION_INVALID

Description: Query Master/Rule Master/Rule Worker encountered invalid clear condition in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_RULEMOD_CLEAR_CONDITION_SET_FAILED

Description: Query Master/Rule Master/Rule Worker failed to set clear condition in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_RULEMOD_CONFIG_UNDEFINED

Description: Rule Master encountered undefined config item of db_server_host. Incident processing will not work

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
configName | Config Name | string |



EventType: PH_RULEMOD_CONSTRUCTOR_ERROR

Description: Rule Master/Rule Worker encountered error in constructor of given module. This rule evaluation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
module | Module Name | string |



EventType: PH_RULEMOD_CUST_ID_LIST_INVALID

Description: Query Master/Rule Master/Rule Worker encountered invalid customer ID list in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |



EventType: PH_RULEMOD_DATA_REQUEST_PARSE_FAILED

Description: Query Master failed to parse data request from App Server. This inline query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant



EventType: PH_RULEMOD_DATA_SIZE_OVERFLOW

Description: Rule Master/Rule Worker encountered data size exceeding its capacity. This rule parsing or evaluation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_DATA_UNSUPPORTED

Description: Rule Master/Rule Worker encountered unsupported data. This rule parsing or evaluation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_DB_SERVER_HOST_UNDEFINED

Description: Database server host not defined for rule master

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
configName | Config Name | string |



EventType: PH_RULEMOD_DIR_OPEN_FAILED

Description: Rule Master/Rule Worker failed to open rule XML directory. The process will terminate

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_RULEMOD_ENCODE_FAILED

Description: Query Master/Rule Master/Rule Worker failed to encode given data. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_ENTITY_VERSION_MISSING

Description: Query Master/Rule Master/Rule Worker failed to identify entity version of rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_RULEMOD_EVENT_TYPE_GROUP_INVALID

Description: Rule Worker failed to parse certain event type group in rules. Affected rule evaluation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
eventTypeGrp | Event Type Group | string | This field is not used



EventType: PH_RULEMOD_EVENT_TYPE_NOT_FOUND

Description: Query Master/Rule Master/Rule Worker failed to find certain event type in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_RULEMOD_EXCEPTION_ELEMENT_INVALID

Description: Rule Master encountered invalid element in rule exception. This rule exception parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
description | Description | string |



EventType: PH_RULEMOD_EXPR_EVAL_UNKNOWN

Description: Query Master encountered unknown expression evaluation of given operator type. This incident query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_RULEMOD_EXPR_PARSE_FAILED

Description: Query Master/Rule Master/Rule Worker failed to parse certain expression. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |



EventType: PH_RULEMOD_EXPR_UNSUPPORTED

Description: Query Master/Rule Master/Rule Worker encountered unsupported expression in aggregate function. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
funName | Function Name | string |



EventType: PH_RULEMOD_FILE_OPEN_FAILED

Description: Rule Master/Rule Worker failed to open rule-related file. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_RULEMOD_FILE_UNSPECIFIED

Description: Rule Master/Rule Worker encountered unspecified rule XML file. This rule update will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous to attribute errReason



EventType: PH_RULEMOD_FORMAT_ERROR

Description: Query Master/Rule Master/Rule Worker encountered format error in given expression. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_FUNC_NOT_FOUND

Description: Query Master/Rule Master/Rule Worker failed to locate certain function in given expression. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
funName | Function Name | string |



EventType: PH_RULEMOD_FUNC_PARSE_FAILED

Description: Query Master/Rule Master/Rule Worker failed to parse certain function in given expression. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
funName | Function Name | string |



EventType: PH_RULEMOD_GLOBAL_CONSTRAINT_INVALID

Description: Query Master/Rule Master/Rule Worker encountered invalid global constraint in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.
task | Task | string |



EventType: PH_RULEMOD_GROUPBY_LIST_INVALID

Description: Query Master/Rule Master/Rule Worker encountered invalid group-by list in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |



EventType: PH_RULEMOD_GROUPBY_LIST_NOT_FOUND

Description: Query Master/Rule Master/Rule Worker failed to find group-by list in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_RULEMOD_GROUP_EVENT_CONSTRAINT_INVALID

Description: Query Master/Rule Master/Rule Worker encountered invalid group event constraint in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |



EventType: PH_RULEMOD_ID_LOOKUP_BY_INCIDENT_FAILED

Description: Rule Master failed to lookup rule ID by incident ID. This incident firing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
incidentId | Incident ID | uint64 | Unique ID of a FortiSIEM Incident
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.



EventType: PH_RULEMOD_INCIDENT_ARG_INVALID

Description: Query Master/Rule Master/Rule Worker encountered invalid incident argument in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |



EventType: PH_RULEMOD_INCIDENT_CACHE_NOT_FOUND

Description: Rule Master failed to find incident cache for given incident ID. This incident will not be cleared

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
incidentId | Incident ID | uint64 | Unique ID of a FortiSIEM Incident
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_RULEMOD_INCIDENT_DEF_INVALID

Description: Query Master/Rule Master encountered invalid incident definition in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_RULEMOD_INCIDENT_NOT_FOUND

Description: Rule Master failed to find given incident ID. This incident will not be cleared

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
incidentId | Incident ID | uint64 | Unique ID of a FortiSIEM Incident



EventType: PH_RULEMOD_INCIDENT_REPORT_SEND_FAILED

Description: Rule Master failed to send incident report to phParser. This incident will be missing in eventdb

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
destName | Destination Host Name | string | Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address.
destIpPort | Destination TCP/UDP Port | uint16 | This is the destination TCP or UDP port as identified in the event



EventType: PH_RULEMOD_INDEX_OVERFLOW

Description: Query Master encountered out-of-bound index in certain data. This incident query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header.
size | Size | uint32 |



EventType: PH_RULEMOD_INFO_GET_FAILED

Description: FortiSIEM Report module failed to get statistics

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_IP_GET_FAILED

Description: Rule Worker failed to get host IP of Supervisor. Incident firing will not work

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
hostName | Host Name | string | This is the hostname of the device of interest in the event



EventType: PH_RULEMOD_IP_INVALID

Description: Query Master/Rule Master/Rule Worker found invalid IP in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event.



EventType: PH_RULEMOD_IP_TYPE_INVALID

Description: Invalid IP type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_LOAD_METHOD_UNDEFINED

Description: Rule Master/Rule Worker encountered undefined rule load method. Rule loading will fail

Severity: 9 (High)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_MEM_ALLOC_FAILED

Description: Query Master/Rule Master/Rule Worker failed to allocate memory. The related operation will fail

Severity: 9 (High)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_MODULE_INIT_FAILED

Description: Rule Master/Rule Worker failed to be initialized. The process will terminate

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
module | Module Name | string |
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_RULEMOD_MUTEX_ACQUIRE_FAILED

Description: Query Master/Rule Master/Rule Worker failed to acquire mutex. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
module | Module Name | string |



EventType: PH_RULEMOD_NOTIF_CONNECTION_FAILED

Description: Rule Master failed to establish notification connection to phParser. This incident will be missing in eventdb

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
destName | Destination Host Name | string | Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address.
destIpPort | Destination TCP/UDP Port | uint16 | This is the destination TCP or UDP port as identified in the event



EventType: PH_RULEMOD_OBJ_GET_FROM_SUBPATTERN_FAILED

Description: Rule Master failed to get certain object from subpattern. This incident cache update will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_OBJ_LOAD_FAILED

Description: Query Master/Rule Master/Rule Worker failed to load certain object in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_OP_NOT_FUNC

Description: Rule Master encountered an operator of non-function type. This incident initialization will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_OP_UNKNOWN

Description: Query Master/Rule Master/Rule Worker encountered unknown operator. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_PARSED_EVENT_LOAD_FAILED

Description: Rule Worker failed to load and skipped a parsed event, causing potential incident loss.

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_PQ_ERROR

Description: Rule Master encountered PQ function error in Postgres DB. Incident processing will not work

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
funName | Function Name | string |
errorString | Error String | string | This is the error message, synonymous to attribute errReason



EventType: PH_RULEMOD_PROFILE

Description: FortiSIEM Rule resource usage profile

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleName | Rule Name | string | FortiSIEM rule name.
memTotalB | Total Memory Bytes | uint32 |
updateQueueSize | Update Queue Size | uint32 |



EventType: PH_RULEMOD_REM_BY_ZERO

Description: Rule Master/Rule Worker caught remainder-by-zero exception. Default value will be set instead

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_REM_BY_ZEROD

Description: FortiSIEM Report module failed to produce statistics

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_SELECT_ATTR_PARSE_FAILED

Description: Query Master/Rule Master/Rule Worker failed to parse and skipped certain select attribute. This rule parsing will be incomplete

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_SELECT_SPEC_PARSE_FAILED

Description: Query Master/Rule Master/Rule Worker failed to parse at least one select spec field. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_SINGLE_EVENT_CONSTRAINT_INVALID

Description: Query Master/Rule Master/Rule Worker encountered invalid single event constraint in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |



EventType: PH_RULEMOD_SUBPATTERN_INVALID

Description: Query Master/Rule Master/Rule Worker encountered invalid subpattern in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_RULEMOD_SUBPATTERN_MISSING

Description: Query Master/Rule Master/Rule Worker failed to locate certain subpattern in XML. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_SUBPATTERN_MORE_THAN_ONE

Description: Query Master/Rule Master/Rule Worker encountered more than one subpattern in simple rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_RULEMOD_SUBPATTERN_UNDEFINED

Description: Query Master/Rule Master/Rule Worker encountered undefined subpattern in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_RULEMOD_SUMMARY_UPLOAD_FAILED

Description: Rule Worker failed to upload rule summary to Rule Master, causing potential incident loss.

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_RULEMOD_THREAD_SPAWN_FAILED

Description: Rule Master/Rule Worker failed to spawn thread during initialization. The process will terminate

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
funName | Function Name | string |



EventType: PH_RULEMOD_TOKEN_UNDEFINED

Description: Query Master/Rule Master/Rule Worker encountered undefined token of given type in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_RULEMOD_TOKEN_UNEXPECTED

Description: Query Master/Rule Master/Rule Worker encountered unexpected token of given type in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_RULEMOD_UNPACK_FAILED

Description: Rule Master failed to unpack rule data from Rule Workers, causing potential incident loss.

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_RULEMOD_VALUE_TYPE_UNEXPECTED

Description: Query Master encountered unexpected value type of certain attribute. This incident query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_XML_ELEMENT_EMPTY

Description: Query Master/Rule Master/Rule Worker encountered empty XML element. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_RULEMOD_XML_ELEMENT_MISSING

Description: Query Master/Rule Master/Rule Worker encountered missing XML element. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_RULEMOD_XML_ELEMENT_PARSE_FAILED

Description: Query Master failed to parse certain XML element. This inline query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_XML_ELEMENT_UNEXPECTED

Description: Query Master/Rule Master/Rule Worker encountered unexpected XML element. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_RULEMOD_XML_ELEMENT_UNKNOWN

Description: Query Master/Rule Master/Rule Worker encountered unknown XML element. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_XML_LOAD_FAILED

Description: Rule Master/Rule Worker failed to load rule XML from file. This rule loading will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |



EventType: PH_RULEMOD_XML_PARSE_FAILED

Description: Query Master/Rule Master/Rule Worker failed to parse rule XML. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64bit resolution.



EventType: PH_RULEMOD_XML_POINTER_NULL

Description: NULL pointer in XML detected

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEWORKER_TEST_RULES_CHECK_SYNTAX

Description: Rule worker starts to check syntax

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.



EventType: PH_RULEWORKER_TEST_RULES_EVENT_MATCH_STATUS

Description: Rule worker event test status

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
eventId | Event ID | uint64 | This is a globally unique ID assigned to every raw event ingested into the SIEM. This is used by the system for tying events to incidents, and is typically not needed by end users.



EventType: PH_Rule_FML_Antispam_Malicious_File

Description: FortiMail: Malicious Spam File Attachment Found

Severity: 9 (High)

Event Category: 3 (System Logs)


EventType: PH_Rule_FML_Antispam_Malicious_Url

Description: FortiMail: Malicious URL found

Severity: 9 (High)

Event Category: 3 (System Logs)


EventType: PH_SAAS_OP_COLLECTOR_DOWN

Description: Collector down

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_SAAS_OP_COLLECTOR_UP

Description: Collector up

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SCHEDULED_RULE_QUERY_FAILED

Description: Failed to run query for scheduled rule

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
queryId | Query Id | string |
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_SER_MON_SERVICE_DOWN

Description: PH process down

Severity: 8 (Medium)

Event Category: 3 (System Logs)


EventType: PH_SHAREDSTORE_ACQUIRE_ERROR

Description: A module failed to acquire shared store. The module will abort

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_SHAREDSTORE_WRITER_POS_UNEXPECTED_ALTERED

Description: Shared store writer position altered unexpectedly

Severity: 9 (High)

Event Category: 3 (System Logs)


EventType: PH_SHAREDSTORE_WRITE_ERROR

Description: Parser module encountered error while writing to shared store. Events will be lost

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_SSL_SHUTDOWN_ERROR

Description: PH system SSL shutdown error

Severity: 6 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_ACCOUNT_UNMATCHED

Description: Perf / STM module encountered unmatched LOOP_EMAIL_42 account in XML received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_AUTH_TYPE_UNKNOWN

Description: Perf / STM module encountered unknown auth type in monitor in XML received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_BAD_ELEM

Description: Perf / STM module encountered bad element in monitor in XML received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_BAD_ELEM_VALUE

Description: Perf / STM module encountered bad element values in XML received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_BAD_PORT

Description: Perf / STM module encountered bad port in XML received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_BAD_RTT_LINE

Description: Perf / STM module encountered bad RTT line in XML received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_BAD_SSL

Description: Perf / STM module encountered bad SSL in XML received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_BAD_TAG

Description: Perf / STM module encountered bad Tag in XML received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_CMD_EXEC_FAILED

Description: Perf / STM module failed to execute command

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
command | Command | string |
exitValue | Command exit value | int32 |



EventType: PH_STM_CRED_INVALID

Description: Perf / STM module found that the credential does not match the Custom Perf Object

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_CURL_ESCAPE_FAILED

Description: Perf / STM module found that curl_easy_escape() returned NULL

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_CURL_INIT_FAILED

Description: Perf / STM module failed to init curl - HTTP based communication will fail

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_STM_DNS_TYPE_UNSUPPORT

Description: Perf / STM module found unsupported DNS resource record type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_DUPLICATED

Description: Perf / STM module found duplicated srvcMonitor name or id

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_ELEM_EMPTY

Description: Perf / STM module found empty XML element received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_ELEM_MISSING

Description: Perf / STM module found missing XML element received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_ELEM_NEGATIVE

Description: Perf / STM module found negative XML element received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_ERROR

Description: Perf / STM module encountered STM monitor error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
hostName | Host Name | string | This is the hostname of the device of interest in the event
ipPort | IP Port | uint16 | IP port number
user | User | string |
errorString | Error String | string | This is the error message, synonymous to attribute errReason



EventType: PH_STM_FILE_OPEN_FAILED

Description: Perf / STM module failed to open file during STM operation

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
exitValue | Command exit value | int32 |



EventType: PH_STM_GET_HOST_FAILED

Description: Perf / STM module failed to get outgoing host

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event.



EventType: PH_STM_GUESS_TYPE_FAILED

Description: Perf / STM module could not guess resource record type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_HTTP_RESP_FAILED

Description: Perf / STM module did not find response time from command output

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
command | Command | string |



EventType: PH_STM_METHOD_UNKNOWN

Description: Perf / STM module found unknown URL method in monitor

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_MONITOR_MISSING_ACTION

Description: Perf / STM module found that no action is specified for the monitor

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_MONITOR_RESULT_UPLOAD_FAILED

Description: Perf / STM module failed to upload test service monitor result XML to App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_NO_ORACLE_NAME

Description: Perf / STM module found missing instance name and service name for Oracle server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
serverIpAddr | Server IP | IP |



EventType: PH_STM_PORT_UNKNOWN

Description: Perf / STM module found unknown service monitor port

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_PROCESS_INVOKE_FAILED

Description: Perf / STM module failed to invoke SrvcMonJobExec::execute

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_PROTO_UNKNOWN

Description: Perf / STM module encountered unknown proto in STM job definition

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_PROTO_UNSUPPORT

Description: Perf / STM module encountered unsupported mail protocol in STM job definition

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_SERVER_ADDR_INVALID

Description: Perf / STM module encountered invalid server address in STM job definition

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_SPECIAL_LINE_NOT_FOUND

Description: Perf / STM module could not find either RTT line or packet loss line in ping response from device

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_STM_GET_PROCESS_FAILED

Description: Perf / STM module cannot get process

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_STM_GET_PROCESS_NAME_FAILED

Description: Perf / STM module cannot get process name

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_TAG_MISSING

Description: Perf / STM module found missing tag XML element received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_TAG_NOT_FOUND

Description: Perf / STM module found missing tag XML element received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_TAG_UNKNOWN

Description: Perf / STM module found unknown tag XML element received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_TRACEROUTE_FAILED

Description: Perf / STM module failed to parse traceroute output

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_XML_PARSE_FAILED

Description: Perf / STM module failed to parse XML file received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |



EventType: PH_SYSTEM_ARCHIVE_LOW

Description: FortiSIEM EventDB Archive disk space low

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_ARCHIVE_PURGED_LOW_SPACE

Description: Event database archive files purged to make room for new archive

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_ARCHIVE_PURGED_POLICY

Description: Event database archive files purged by policy

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_ARCHIVE_PURGING_LOW_SPACE_FAILED

Description: Failed to purge Archive FortiSIEM EventDB - purge caused by low available space

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_ARCHIVE_PURGING_LOW_SPACE_FINISHED

Description: Successfully purged Archive FortiSIEM EventDB - purge caused by low available space

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_ARCHIVE_PURGING_LOW_SPACE_STARTED

Description: Started to purge Archive FortiSIEM EventDB because of low available space

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_ARCHIVE_PURGING_LOW_SPACE_SUCCESS

Description: Successfully purged Archive FortiSIEM EventDB because of low available space

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_ARCHIVE_PURGING_POLICY_FAILED

Description: Failed to purge Archive FortiSIEM EventDB - purge caused by policy

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_ARCHIVE_PURGING_POLICY_FINISHED

Description: Successfully purged Archive FortiSIEM EventDB - purge caused by policy

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64-bit resolution.



EventType: PH_SYSTEM_ARCHIVE_PURGING_POLICY_STARTED

Description: Started to purge Archive FortiSIEM EventDB - purge caused by policy

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_ARCHIVE_PURGING_POLICY_SUCCESS

Description: Successfully purged Archive FortiSIEM EventDB - purge caused by policy

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_ARCHIVE_RETENTION_POLICY_VIOLATED

Description: Archive retention policy violation

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant



EventType: PH_SYSTEM_ARCHIVE_USAGE

Description: Archive disk usage

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
diskUsage | Disk Used MB | uint64



EventType: PH_SYSTEM_DATAMGR_ARCHIVE_SKIP

Description: Online FortiSIEM EventDB Archiving skipped since the directory has data

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_DEVAPP_EVENTS_PER_SEC

Description: FortiSIEM per application EPS statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
reptVendor | Reporting Vendor | string | This field captures the vendor of the reported event
reptModel | Reporting Model | string | This field captures the model of the reported event
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event.
hostName | Host Name | string | This is the hostname of the device of interest in the event
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
eventsPerSec | Event Rate | double | A generic attribute for recording event ingestion or handling rate.



EventType: PH_SYSTEM_DEVAPP_NO_EVENTS

Description: No events from a reporting module in last 1 hour

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
reptVendor | Reporting Vendor | string | This field captures the vendor of the reported event
reptModel | Reporting Model | string | This field captures the model of the reported event
reptDevIpAddr | Reporting IP | IP | This is the device that originated the log or event packet, also known as the reporting device.
reptDevName | Reporting Device | string | This is the hostname of the device that originated the log or event packet.



EventType: PH_SYSTEM_DEVICE_NO_EVENTS

Description: No events from a device in last 1 hour

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_DISK_ARCHIVING_FAILED

Description: Online FortiSIEM EventDB Archiving encountered errors

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_DISK_ARCHIVING_FINISHED

Description: Online FortiSIEM EventDB Archiving completed

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_DISK_ARCHIVING_STARTED

Description: Online FortiSIEM EventDB Archiving started

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_DISK_ARCHIVING_SUCCESS

Description: Online FortiSIEM EventDB Archiving success

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_DISK_PURGED

Description: Event database files purged

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant



EventType: PH_SYSTEM_DISK_PURGING_FAILED

Description: Online FortiSIEM EventDB Purging encountered errors

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_DISK_PURGING_FINISHED

Description: Online FortiSIEM EventDB Purging completed

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_DISK_PURGING_STARTED

Description: Online FortiSIEM EventDB Purging started

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_DISK_PURGING_SUCCESS

Description: Online FortiSIEM EventDB Purging success

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_DISK_USAGE

Description: Disk usage of customer

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
diskUsage | Disk Used MB | uint64



EventType: PH_SYSTEM_DISK_USAGE_EXCEED_LICENSE

Description: Event database disk usage exceeded limit

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant



EventType: PH_SYSTEM_DISK_USAGE_WARNING

Description: FortiSIEM EventDB disk usage close to limit

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant



EventType: PH_SYSTEM_EPS_GLOBAL

Description: FortiSIEM Global event handling statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
licenseEventsPerSec | License EPS | uint64
incomingEventsPerSec | Incoming Event Rate | double | This is the FortiSIEM event ingestion rate, calculated every 3 minutes as the event count over the interval divided by 180 seconds, giving a rolling EPS (Events Per Second) value.
peakIncomingEventsPerSec | Peak Incoming Event Rate | double | This is the spike or max event ingestion rate seen during a 3 minute interval, averaged over all data points.
dropLicenseEventsPerSec | License Dropped Event Rate | double | The number of events dropped due to exceeding license in past 3 minutes.
peakDropLicenseEventsPerSec | Peak License Dropped Event Rate | double | The max value of dropLicenseEventsPerSec over all 3-minute periods, since phParser started.
unusedEvents | Unused Event Count | uint64 | The accumulated difference between licenseEventsPerSec and incomingEventsPerSec.



EventType: PH_SYSTEM_EPS_NODE

Description: FortiSIEM per Node event handling statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
role | Role | string
hostName | Host Name | string | This is the hostname of the device of interest in the event
guaranteedEventsPerSec | Guaranteed EPS | uint64
incomingEventsPerSec | Incoming Event Rate | double | This is the FortiSIEM event ingestion rate, calculated every 3 minutes as the event count over the interval divided by 180 seconds, giving a rolling EPS (Events Per Second) value.
peakIncomingEventsPerSec | Peak Incoming Event Rate | double | This is the spike or max event ingestion rate seen during a 3 minute interval, averaged over all data points.
ingestedEventsPerSec | Ingested Event Rate | double
dropPolicyEvents | Policy Dropped Events | uint64 | The number of events dropped by Event Dropping Rules in the last 3 minutes.
dropPolicyEventsPerSec | Policy Dropped Event Rate | double | This is the per second count of events dropped by policy, which is calculated as dropPolicyEvents (3min interval) / 180 seconds.
peakDropPolicyEventsPerSec | Peak Policy Dropped Event Rate | double | The max value of dropPolicyEventsPerSec, over all 3-minute periods, since phParser started.
dropLicenseEvents | License Dropped Events | uint64 | This is the total count of events dropped due to exceeding license over all 3 minute intervals since phParser started.
dropLicenseEventsPerSec | License Dropped Event Rate | double | The number of events dropped due to exceeding license in past 3 minutes.
peakDropLicenseEventsPerSec | Peak License Dropped Event Rate | double | The max value of dropLicenseEventsPerSec over all 3-minute periods, since phParser started.
dropLicenseEventRatio | License Dropped Event Ratio | uint16 | Ratio of dropped events due to license to total incoming events in last 3 minutes.
reptDevIpAddr | Reporting IP | IP | This is the device that originated the log or event packet, also known as the reporting device.



EventType: PH_SYSTEM_EPS_ORG

Description: FortiSIEM per Organization event handling statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.
incomingEventsPerSec | Incoming Event Rate | double | This is the FortiSIEM event ingestion rate, calculated every 3 minutes as the event count over the interval divided by 180 seconds, giving a rolling EPS (Events Per Second) value.
peakIncomingEventsPerSec | Peak Incoming Event Rate | double | This is the spike or max event ingestion rate seen during a 3 minute interval, averaged over all data points.
dropLicenseEventsPerSec | License Dropped Event Rate | double | The number of events dropped due to exceeding license in past 3 minutes.
peakDropLicenseEventsPerSec | Peak License Dropped Event Rate | double | The max value of dropLicenseEventsPerSec over all 3-minute periods, since phParser started.



EventType: PH_SYSTEM_EVENTS_FWD_STAT

Description: Forwarded EPS statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
role | Role | string
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.
fwdEventsPerSec | Forwarded Event Rate | double | This field represents the average rate (events per sec) over a 3 minute window, at which events are forwarded from FortiSIEM to an external system
peakFwdEventsPerSec | Peak Forwarded Event Rate | double | This field represents the maximum rate (events per sec) over a 3 minute window, at which events are forwarded from FortiSIEM to an external system
dropFwdEventsPerSec | Dropped Forwarded Event Rate | double
peakDropFwdEventsPerSec | Peak Dropped Forwarded Event Rate | double
reptDevIpAddr | Reporting IP | IP | This is the device that originated the log or event packet, also known as the reporting device.
reptDevName | Reporting Device | string | This is the hostname of the device that originated the log or event packet.



EventType: PH_SYSTEM_EVENTS_PER_SEC

Description: Received EPS statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
peakEventsPerSec | Peak Event Rate | double
guaranteedEventsPerSec | Guaranteed EPS | uint64



EventType: PH_SYSTEM_EVENTS_VIA_ZMQ_EPS

Description: Events Pushed by ZMQ EPS statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
totEventCount | Total Event Count | uint32
eventsPerSec | Event Rate | double | A generic attribute for recording event ingestion or handling rate.



EventType: PH_SYSTEM_EVENT_RATE_EXCEED_LICENSE

Description: System event rate exceeds licensed event rate

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_INTERNAL_EVENTS_PER_SEC

Description: FortiSIEM Internal EPS statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
peakEventsPerSec | Peak Event Rate | double



EventType: PH_SYSTEM_IP_EVENTS_PER_SEC

Description: FortiSIEM per device EPS statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
eventsPerSec | Event Rate | double | A generic attribute for recording event ingestion or handling rate.
reptDevIpAddr | Reporting IP | IP | This is the device that originated the log or event packet, also known as the reporting device.
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant



EventType: PH_SYSTEM_ONLINE_RETENTION_POLICY_VIOLATED

Description: Online data retention policy violation

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
policyName | Policy Name | string



EventType: PH_SYSTEM_PERF_EVENTS_PER_SEC

Description: FortiSIEM performance monitoring EPS statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
peakEventsPerSec | Peak Event Rate | double



EventType: PH_SYSTEM_RETENTION_POLICY_EXEC_TIME

Description: Data retention policy enforcement time

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
runTime | Run Time | uint64



EventType: PH_SYSTEM_RETENTION_POLICY_FAILED

Description: Data retention policy enforcement failed

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_SYSTEM_RETENTION_POLICY_FINISHED

Description: Data retention policy enforcement finished

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_RETENTION_POLICY_STARTED

Description: Data retention policy enforcement started

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_RETENTION_POLICY_STATS

Description: Data retention policy enforcement statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64-bit resolution.



EventType: PH_SYSTEM_RETENTION_POLICY_SUCCESS

Description: Data retention policy enforcement succeeded

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_STORAGE_LOW

Description: System data storage is low

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
diskName | Disk Name | string
freeDiskMB | Free Disk MB | uint32
diskUtil | Disk Capacity Util | double



EventType: PH_SYSTEM_STORED_EVENTS_PER_SEC

Description: Stored EPS statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
peakEventsPerSec | Peak Event Rate | double



EventType: PH_SYSTEM_SUMM_EVENTS_STORED_EPS

Description: Summary Events Stored EPS statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
totEventCount | Total Event Count | uint32
eventsPerSec | Event Rate | double | A generic attribute for recording event ingestion or handling rate.



EventType: PH_SYS_ERROR_XML_SEND_ERROR

Description: Error in sending system error to app server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_SYS_ERROR_XML_SENT

Description: System error sent to app server

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_TEST_CONN_COMPLETE

Description: Test Connectivity completed

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_TEST_CONN_CONTACT_APP_SERVER

Description: Test Connectivity module contacting app server

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
destIpAddr | Destination IP | IP | Destination IP of a device as identified in the event.
destIpPort | Destination TCP/UDP Port | uint16 | This is the destination TCP or UDP port as identified in the event



EventType: PH_TEST_CONN_FAILED_INVALID_REQUEST

Description: Test Connectivity failed - invalid discovery request from App Server

Severity: 9 (High)

Event Category: 3 (System Logs)


EventType: PH_TEST_CONN_FAILED_INVALID_REQUEST_XML

Description: Test Connectivity failed - invalid discovery request XML from App Server

Severity: 9 (High)

Event Category: 3 (System Logs)


EventType: PH_TEST_CONN_RECVD_VALID_REQUEST

Description: Received valid test connectivity request from app server

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
destIpAddr | Destination IP | IP | Destination IP of a device as identified in the event.



EventType: PH_TEST_CONN_RESULT_SENT

Description: Test Connectivity results sent to app server

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_TEST_CONN_STARTED

Description: Starting test connectivity for a device

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
destIpAddr | Destination IP | IP | Destination IP of a device as identified in the event.



EventType: PH_TEST_RULES_PARSE_STATUS

Description: Syntax check status

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.



EventType: PH_THREAD_EXITING

Description: Module exiting thread

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
threadName | Thread Name | string



EventType: PH_THREAD_RECVD_EXIT

Description: Thread received exit request

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
threadName | Thread Name | string



EventType: PH_THREAD_STARTING

Description: Module starting thread

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
threadName | Thread Name | string



EventType: PH_UNABLE_ACCESS_DIR

Description: Unable to access archive directory

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dirName | Directory Name | string



EventType: PH_UNABLE_ALLOC_MEMORY

Description: Unable to allocate memory

Severity: 6 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UNABLE_CREATE_DIR

Description: Unable to create dir

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dirName | Directory Name | string
errorNo | Error Number Unsigned | uint32 | This is an unsigned integer error number



EventType: PH_UNABLE_CREATE_FILE

Description: Unable to create file

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
fileName | File Name | string
errorNo | Error Number Unsigned | uint32 | This is an unsigned integer error number



EventType: PH_UNABLE_CREATE_TIMER

Description: Unable to create timer

Severity: 6 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UNABLE_OPEN_DIR

Description: Unable to open dir

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dirName | Directory Name | string
errorNo | Error Number Unsigned | uint32 | This is an unsigned integer error number



EventType: PH_UNABLE_OPEN_FILE

Description: Unable to open file

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
fileName | File Name | string
errorNo | Error Number Unsigned | uint32 | This is an unsigned integer error number



EventType: PH_UNABLE_PARSE_XML

Description: Unable to parse xml

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
fileName | File Name | string



EventType: PH_UNABLE_RENAME_FILE

Description: Unable to rename file

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
srcFilePath | Source File Path | string
destFilePath | Destination File Path | string
errorNo | Error Number Unsigned | uint32 | This is an unsigned integer error number



EventType: PH_UNRESOLVABLE_HOSTNAME

Description: FortiSIEM module failed to resolve host name

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
hostName | Host Name | string | This is the hostname of the device of interest in the event



EventType: PH_UPDATE_RULE_SUCCEED

Description: Rule update succeeded

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
opName | Operation Name | string
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_USER_MON_SUDDEN_LOC_CHANGE

Description: User location anomaly detected

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
user | User | string
eventSource | Event Source | string
srcIpAddr | Source IP | IP | Source IP of a device as identified in the event.
destIpAddr | Destination IP | IP | Destination IP of a device as identified in the event.
startTime | Start Time | Date | This is the start time of a given item or task, and is stored in epoch milliseconds
endTime | End Time | Date | This is the end time of a given item or task, stored in epoch milliseconds.
durationMSec | Duration | uint32 | Duration of a connection (in msec)



EventType: PH_USER_MON_SUDDEN_LOGIN_DISTRIBUTION_CHANGE

Description: Change in user login distribution pattern

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
profDateType | Profile Date Type | uchar
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
user | User | string
computer | Computer | string
destName | Destination Host Name | string | Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address.
oldDistrib | Old Distribution | string
newDistrib | New Distribution | string



EventType: PH_USER_MON_SUDDEN_LOGIN_VOLUME_CHANGE

Description: Increase in User Login Volume

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
profDateType | Profile Date Type | uchar
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
user | User | string
computer | Computer | string
destName | Destination Host Name | string | Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address.
oldValue | Old Value | uint64
newValue | New Value | uint64



EventType: PH_UTIL_BIZ_CHANGE_UPDATE_SPAWN_FAILURE

Description: phMonitor encountered error in spawning thread

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_UTIL_BIZ_HTTP_REQUEST_FAILURE

Description: HTTP Request Error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_CMD_FAILURE

Description: FortiSIEM system command execution failure

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
command | Command | string
errorNoInt | Error Number Int | int32



EventType: PH_UTIL_CONFIG_IP_MISSING

Description: Found empty IP address

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_CONFIG_LOAD_FAILURE

Description: Failed to load configuration type from the app server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
objType | Object Type | string



EventType: PH_UTIL_CONFIG_LOAD_FILE_ACESS_FAILURE

Description: Failed to load configuration type from the app server - tmp file not accessible

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
objType | Object Type | string



EventType: PH_UTIL_CONFIG_PARSE_FAILURE

Description: Failed to parse system/phoenixServer xml

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
xmlBody | XML Body | string



EventType: PH_UTIL_CONFIG_UNKNOWN_SERVER_TYPE

Description: Found unknown server type in App server returned XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
objType | Object Type | string



EventType: PH_UTIL_CSV_LINE_ILLEGAL

Description: Found illegal line in csv file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
lineContent | Line Content | string



EventType: PH_UTIL_CSV_READ_FAILURE

Description: Failed to open CSV file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string
errorNoInt | Error Number Int | int32



EventType: PH_UTIL_CUSTOMER_COLLECTOR_MISSING

Description: Failed to parse collectors and no collector found

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_CUSTOMER_COLLECTOR_PARSE_FAILURE

Description: Failed to parse phCustomerDevice Collector info

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_CUSTOMER_DOMAIN_MISSING

Description: No domain item found in xml file

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_CUSTOMER_INFO_PARSE_FAILURE

Description: Failed to parse value group xml

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
xmlBody | XML Body | string



EventType: PH_UTIL_CUSTOMER_PARSE_FAILURE

Description: Failed to parse phCustomerDevice Customer info in XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_DASHBOARD_DUPLICATE_IP

Description: Encountered duplicate IP in device info for same customer Id

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
reptDevIpAddr | Reporting IP | IP | This is the device that originated the log or event packet, also known as the reporting device.
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant



EventType: PH_UTIL_DASHBOARD_DUPLICATE_ITEM

Description: Encountered duplicate item id in device info for same custId

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
item | Item | string
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant



EventType: PH_UTIL_DASHBOARD_PARSE_FAILURE

Description: Failed to parse dashboard device info xml

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
xmlBody | XML Body | string



EventType: PH_UTIL_DEVICE_MAP_PROP_ERROR

Description: Encountered device map property error in XML

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_UTIL_DEVICE_PROP_ERROR

Description: Encountered device property error in XML

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_UTIL_DEVICE_SIMPLE_PROP_PARSE_FAILURE

Description: Failed to parse NULL element for property in XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
propName | Property Name | string



EventType: PH_UTIL_DGA_FREQ_FILE_OPEN_FAILURE

Description: Failed to open DGA freq file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_UTIL_DGA_WHITELIST_FILE_OPEN_FAILURE

Description: Failed to open DGA white list file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_UTIL_DIR_CREATE_FAILURE

Description: Failed to create directory after a few attempts

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_DIR_CREATE_RETRIED

Description: Retried to create dir

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dirName | Directory Name | string
count | Count | uint32 | A general count variable. A common use case is for incidents: Count represents how many times an Incident occurred in a time interval. When an Incident with the same group-by parameters occurs again, the count is incremented and the Last Seen time is advanced. Count can be used for other events also.



EventType: PH_UTIL_DIR_OPEN_FAILURE

Description: Failed to open directory after a few attempts

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dirName | Directory Name | string
errorNoInt | Error Number Int | int32



EventType: PH_UTIL_DIR_PARENT_NOT_EXIST

Description: Failed to locate Parent directory

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dirName | Directory Name | string



EventType: PH_UTIL_DIR_REMOVE_FAILURE

Description: Failed to remove directory

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dirName | Directory Name | string
errReason | Reason for Error | string | This is the reason for an error if given.
errorString | Error String | string | This is the error message, synonymous to attribute errReason



EventType: PH_UTIL_DISK_USAGE_INFO_GET_FAILURE

Description: Unable to get disk usage information

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dirName | Directory Name | string



EventType: PH_UTIL_DISPATH_CMD_XML_ILLEGAL

Description: Encountered malformed XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
xmlBody | XML Body | string



EventType: PH_UTIL_DISPATH_CMD_XML_PARSE_FAILURE

Description: Encountered XML parsing failure

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
xmlBody | XML Body | string



EventType: PH_UTIL_EMAIL_SEND_FAILURE

Description: Failed to send email to server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

destName

Destination Host Name

string

Destination device's hostname as identified in the log; it can also be enriched using a reverse lookup of the destination IP address.



EventType: PH_UTIL_EVENT_FILE_ERROR

Description: Encountered Event file error

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_UTIL_EVENT_GROUP_ERROR

Description: Encountered Event Group error

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_UTIL_EVENT_STATUS_REPORTER_SPAWN_FAILURE

Description: Failed to initialize external event status reporter thread

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_EVENT_STATUS_UPLOAD_FAILURE

Description: Failed to upload external event status XML after 3 retries

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_EVENT_TYPE_ERROR

Description: Encountered Event type error

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_UTIL_FILE_NOT_EXIST

Description: File doesn't exist

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_UTIL_FILE_OPEN_FAILURE

Description: Failed to open file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_FILE_READ_FAILURE

Description: Error reading file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_FILE_SIZE_MISMATCH

Description: File size mismatch

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_FILE_SIZE_TOO_SMALL

Description: File size too small

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

fileSize64

File Size64 Bytes

uint64



EventType: PH_UTIL_FILE_STATFS_FAILURE

Description: Failed to run statfs() command

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_FILE_STAT_FAILURE

Description: Failed to stat file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_FILE_WRITE_FAILURE

Description: Error writing file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_FORK_FAILURE

Description: System fork() failed - the system is likely highly utilized

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_GET_ADDR_FAILURE

Description: Failed to run the getaddrinfo() call

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous with the attribute errReason.

destName

Destination Host Name

string

Destination device's hostname as identified in the log; it can also be enriched using a reverse lookup of the destination IP address.



EventType: PH_UTIL_GET_JOB_STATUS_FAILURE

Description: Failed to get job status from status file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

fileName

File Name

string

paraName

Param Name

string



EventType: PH_UTIL_HOSTNAME_GET_FAILURE

Description: Failed to look up host name

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_INET_PTON_FAILURE

Description: Failed to run inet_ntop command

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32

errorString

Error String

string

This is the error message, synonymous with the attribute errReason.



EventType: PH_UTIL_INODE_INFO_GET_FAILURE

Description: Unable to get inode information

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string



EventType: PH_UTIL_IOCTL_FAILURE

Description: Failed to run ioctl commands

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous with the attribute errReason.



EventType: PH_UTIL_IOCTL_SIOCGIFADDR_FAILURE

Description: Failed to run ioctl SIOCGIFADDR command

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous with the attribute errReason.



EventType: PH_UTIL_IP_TYPE_INVALID

Description: Invalid IP type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_IP_TYPE_MISMATCH

Description: Mismatch IP type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_JOB_STATUS_REPORTER_SPAWN_FAILURE

Description: Failed to initialize job status reporter thread

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_JOB_STATUS_UPLOAD_FAILURE

Description: Failed to upload job status XML after 3 retries

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_JSON_GET_NODE_FAILURE

Description: Failed to get JSON node value from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous with the attribute errReason.

jsonBody

JSON Body

string



EventType: PH_UTIL_JSON_OBJ_EMPTY

Description: JSON object empty

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_JSON_PARSE_FAILURE

Description: Failed to parse JSON

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous with the attribute errReason.

jsonBody

JSON Body

string



EventType: PH_UTIL_KILLPG_FAILURE

Description: Failed to send SIGKILL to child process

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_LOAD_EXT_FUNC_FILE_OPEN_FAILUE

Description: Dynamically loaded function failed to load

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorString

Error String

string

This is the error message, synonymous with the attribute errReason.



EventType: PH_UTIL_LOAD_EXT_FUNC_FORMAT_INVALID

Description: Dynamically loaded function name should be in fileName.functionName format

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

propValue

Property Value

string



EventType: PH_UTIL_LOAD_EXT_FUNC_GET_NAME_FAILUE

Description: Failed to get dynamically loaded function name from file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

funName

Function Name

string

filePath

File Path

string

errorString

Error String

string

This is the error message, synonymous with the attribute errReason.



EventType: PH_UTIL_LOCAL_IP_MISSING

Description: Failed to get IP address of this machine

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_LOOKUP_TABLES_DUPLICATE

Description: Duplicate lookup table found

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dbTable

Database Table

string



EventType: PH_UTIL_LOOKUP_TABLES_DUPLICATE_COLUMN

Description: Duplicate lookup table column found

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dbTable

Database Table

string

dbColumn

Database Column

string



EventType: PH_UTIL_LOOKUP_TABLES_DUPLICATE_KEY

Description: Duplicate lookup table key found

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dbTable

Database Table

string

dbId

DB ID

uint32



EventType: PH_UTIL_MAIL_CMD_RUN_FAILURE

Description: Failed to send email to server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

destName

Destination Host Name

string

Destination device's hostname as identified in the log; it can also be enriched using a reverse lookup of the destination IP address.



EventType: PH_UTIL_MAIL_SMTP_INIT_FAILURE

Description: Failed to initialize SMTP server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_MD5_ERROR

Description: Failed to calculate MD5

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_MEM_ALLOC_FAILURE

Description: Could not allocate memory

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

fileSize64

File Size64 Bytes

uint64



EventType: PH_UTIL_MKDTEMP_FAILURE

Description: Failed to create directory

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32

filePath

File Path

string



EventType: PH_UTIL_MKSTEMP_FAILURE

Description: Failed to create temporary filename

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32

filePath

File Path

string



EventType: PH_UTIL_MMAP_FAILURE

Description: Failed to mmap file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

fileSize64

File Size64 Bytes

uint64

errorNoInt

Error Number Int

int32

errorString

Error String

string

This is the error message, synonymous with the attribute errReason.



EventType: PH_UTIL_MOVE_FILE_FAILURE

Description: Failed to rename file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_NOTIFICATION_SENDER_SPAWN_FAILURE

Description: Failed to initialize notification sender thread

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_NOTIFICATION_SERVER_INIT_FAILURE

Description: Failed to initialize notification reporter

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_NOTIFICATION_UPLOAD_FAILURE

Description: Failed to send notification

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

msg

Message

string



EventType: PH_UTIL_PHOENIX_CONFIG_ITEM_MISSING

Description: Could not find specific item in phoenix_config.txt

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

propName

Property Name

string



EventType: PH_UTIL_PIPE_FAILURE

Description: The pipe() system call returned an error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32

errorString

Error String

string

This is the error message, synonymous with the attribute errReason.



EventType: PH_UTIL_PROP_DEF_SET_PARSE_FAILURE

Description: Failed to parse propertyDefs XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

xmlBody

XML Body

string



EventType: PH_UTIL_REDIS_CONNECTION_ERROR

Description: Redis connection error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous with the attribute errReason.



EventType: PH_UTIL_REGEX_PATTERN_EMPTY

Description: Regex Pattern is NULL

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_REGEX_PATTERN_TOO_LONG

Description: Regex Pattern too long

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

msgLen

Message Length

uint64



EventType: PH_UTIL_SEND_TO_UDP_PORT_FAILURE

Description: Failed to send message to UDP port

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

destIpPort

Destination TCP/UDP Port

uint16

This is the destination TCP or UDP port as identified in the event.



EventType: PH_UTIL_SETPGRP_FAILURE

Description: Failed to run system command setpgrp()

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_SET_JOB_STATUS_FAILURE

Description: Failed to set job status to status file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

fileName

File Name

string

paraName

Param Name

string



EventType: PH_UTIL_SOCKET_FAILURE

Description: Failed to run system command socket()

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous with the attribute errReason.



EventType: PH_UTIL_STR_TO_IP_FAILURE

Description: Failed to run system call inet_pton

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

propValue

Property Value

string



EventType: PH_UTIL_SVN_DIFF_FAILURE

Description: Failed to execute system command svn diff

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_SYS_ERROR_REPORTER_INIT_FAILURE

Description: Failed to initialize system error reporter thread

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_TIME_RANGE_INVALID

Description: Found invalid time range

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

propValue

Property Value

string



EventType: PH_UTIL_TIME_STR_FORMAT_INVALID

Description: Found incorrect time string parameters

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

paraName

Param Name

string



EventType: PH_UTIL_UNKNOWN_PHOENIX_ERROR_NUMBER

Description: Found incorrect PH error number

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_UTIL_VALUE_GROUP_ERROR

Description: Encountered Value group error

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_UTIL_WAITPID_FAILURE

Description: Failed to run system command waitpid on child process

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_WAITPID_LAST_TRY_FAILUE

Description: Failed to run system command waitpid on child process after several tries

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_WINDOWS_BID_LOAD_FAILURE

Description: Failed to load Windows Built-In SID file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_UTIL_WRITE_BIN_FILE_OPEN_FAILURE

Description: Failed to open binary file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_UTIL_WRITE_FILE_OPEN_FAILURE

Description: Failed to open file for write

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_XML_HANDLING_ERROR

Description: Found invalid XML from App Server

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_UTIL_ZIP_DECOMPRESS_FAILED

Description: Failed to decompress zip string

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_VA_EVENTS_PER_SEC

Description: Total event rate to a FortiSIEM VA

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

peakEventsPerSec

Peak Event Rate

double



EventType: PH_VA_LICENSE_UPDATE

Description: License on VA has been updated

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_VULN_LOAD_ERROR

Description: Parser module failed to load external scanner-found vulnerabilities from App server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_VULN_UPDATE_ERROR

Description: Parser module failed to upload external scanner-found vulnerabilities to App server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_WORKER_DOWN

Description: Worker down

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_WORKER_PROVISION_FAILED

Description: Phoenix worker provision failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_WORKER_UP

Description: Worker up

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_WS_COMM_ERROR

Description: Web service communication error

Severity: 6 (Medium)

Event Category: 3 (System Logs)


EventType: WEBSENSE_MAIL_JDBC_PULL_STAT

Description: JDBC Event pull statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: WEBSENSE_WEB_JDBC_PULL_STAT

Description: JDBC Event pull statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

All Logs Page 5

All Logs Page 5

Every FortiSIEM internally generated event log regardless of category



EventType: PH_QUERY_FILE_COPY_FAILED

Description: Query Master failed to copy query XML file from completed/active to eventdb directory - XXX

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

srcFilePath

Source File Path

string

destFilePath

Destination File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_CORRUPT

Description: Query Master found corrupt query status file for a particular query - query will not be completed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_QUERY_FILE_CREATE_FAILED

Description: Query Master / Worker failed to create query result file - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_EMPTY

Description: Query Master/Worker found empty query status backup file - system loses redundancy for this query

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_QUERY_FILE_HEADER_GET_FAILED

Description: Query Master failed to read query related file header from query result file - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_FILE_LINK_FAILED

Description: Query Master / Worker failed to hard link query result file - query cache will not be used

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

srcFilePath

Source File Path

string

destFilePath

Destination File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_MAGIC_BAD

Description: Query Master found bad query-related file magic inside query status or result file - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_FILE_MMAP_FAILED

Description: Query Master failed to memory-map summary event cache file - summary event query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_NAME_BAD

Description: Query Master found invalidly formatted summary event cache file - summary event query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_QUERY_FILE_OPEN_FAILED

Description: Query Master / Worker/ Data Manager failed to open query related file - related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_READ_FAILED

Description: Query Master / Worker/ Data Manager failed to read query related file - related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_REMOVE_FAILED

Description: Query Master failed to remove cached query result file - disk may eventually get full

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FILE_SEEK_FAILED

Description: Query Master failed to seek trend file to offset for a specific inline report - that inline report will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

seqNum

Sequence Number

uint64

TCP Sequence number field in TCP header.



EventType: PH_QUERY_FILE_STAT_FAILED

Description: Query Master / Worker/ Data Manager failed to stat query related file - related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_FORMAT_UNSUPPORTED

Description: Query Master received unsupported report export file format from App Server - export will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_FUNC_ERROR

Description: Query Master / Worker encountered internal function error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

funName

Function Name

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_ID_DUPLICATE

Description: Query Master / Worker encountered duplicate query ID assigned by App server - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_ID_INACTIVE

Description: Query Master / Worker failed to retrieve supposedly active query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_ID_NOT_FOUND

Description: Query Master / Worker failed to find Query ID not found in task queue - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_ID_REMOVE_FAILED

Description: Query Master failed to remove trigger event query ID from task queue - partial results will be returned

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_ID_UNSUPPORTED

Description: Query Master found unsupported query type hint from App Server - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string



EventType: PH_QUERY_INLINEREQUEST_BAD

Description: Query Master received bad inline query request via TCP socket - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_IPC_EVENT_SEND_FAILED

Description: Query Master failed to send IPC event (containing heartbeat data) to Data Manager - trigger event queries may be slow

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

destIpAddr

Destination IP

IP

Destination IP of a device as identified in the event.



EventType: PH_QUERY_IP_GET_FAILED

Description: Query Master failed to get Supervisor IP - Query Master will not be able to communicate with Super data Manager

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostName

Host Name

string

This is the hostname of the device of interest in the event



EventType: PH_QUERY_IP_INVALID

Description: Query Worker got invalid Query Master IP - queries will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.



EventType: PH_QUERY_IP_TYPE_INVALID

Description: Invalid IP type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_LOGINTEGRITYEXPORT_TASK_CREAT_FAILED

Description: Data Manager failed to create task for exporting log integrity check request from App Server - request will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_LOGINTEGRITYEXPORT_TASK_INSERT_FAILED

Description: Data Manager failed to insert task for exporting log integrity check request from App Server into internal task queue - request will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_LOG_INTEGRITY_EXPORT_DIR_UNCONFIGURED

Description: Query Master failed to obtain log integrity export directory - particular request will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_LOG_INTEGRITY_EXPORT_FAILED

Description: Query Master failed to export bad event blocks from file - log integrity query from App server will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_QUERY_LONG_RUNNING_STOPPED

Description: Long running query stopped

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string

reportName

Report Name

string

FortiSIEM report name.



EventType: PH_QUERY_MEM_ALLOC_FAILED

Description: Query Master / Worker failed to allocate memory during event / rule processing

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

totBytes64

Total Bytes64

uint64

Total number of sent and received bytes by a host. This has 64bit resolution.



EventType: PH_QUERY_MESSAGE_SEND_FAILED

Description: FortiSIEM Query Engine failed to send message

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

type

Type

string

destIpPort

Destination TCP/UDP Port

uint16

This is the destination TCP or UDP port as identified in the event



EventType: PH_QUERY_MODULE_INIT_FAILED

Description: Query Master / Worker module failed to initialize

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

module

Module Name

string

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_QUERY_MODULE_UNCONFIGURED

Description: Query Master / Worker module failed to obtain some parameters during phoenix_config.txt during initialization - module likely will not start

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

module

Module Name

string



EventType: PH_QUERY_ONLINE_WORKER_CHANGED

Description: FortiSIEM Online Query Worker number changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

count

Count

uint32

A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group by parameters occurs again. The count is incremented and the Last Seen time is advanced. Count can be used for other events also.



EventType: PH_QUERY_PARSED_EVENT_LOAD_FAILED

Description: Query Worker failed to load parsed event from shared buffer during real time query which may not show events from this Query Worker node

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_PARTIAL_WORKER_FAILURE

Description: Partial query results due to worker failure

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string

reportName

Report Name

string

FortiSIEM report name.



EventType: PH_QUERY_PCAP_FINALIZE_FAILED

Description: Query Master failed to finalize pcap export - export will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_PCAP_LOAD_FAILED

Description: Query Master failed to load query results in pcap format - results will not be complete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

seqNum

Sequence Number

uint64

TCP Sequence number field in TCP header.



EventType: PH_QUERY_PCAP_RENAME_FAILED

Description: Query Master failed to rename pcap file - export will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

srcFilePath

Source File Path

string

destFilePath

Destination File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_QUERY_PCAP_TRANSFER_FAILED

Description: Query Master failed to transfer event to pcap packet - results will not be complete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

seqNum

Sequence Number

uint64

TCP Sequence number field in TCP header.



EventType: PH_QUERY_PGDB_EXEC_SQL_FAILED

Description: Query Master failed to execute SQL statement against Supervisor Postgres DB for Incident Query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dbQuery

Database Query

string



EventType: PH_QUERY_PGDB_RECONNECT_FAILED

Description: Query Master failed to reconnect to Supervisor Postgres DB - Query Master will remain disconnected and all incident queries will fail

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_QUERY_PGDB_SQL_GET_VAL_FAILED

Description: Query Master failed to get column value from SQL result - incident query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_POST_FILTER_PARSE_FAILED

Description: Query Master failed to parse post-filter inline query results - no post-filtering is going to occur

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |



EventType: PH_QUERY_PQ_ERROR

Description: FortiSIEM Postgres DB connection or execution error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
funName | Function Name | string |
errorString | Error String | string | This is the error message, synonymous with attribute errReason.



EventType: PH_QUERY_PROCESS_GET_FAILED

Description: Query Master failed to get its own parent process

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_PROFILE_ATTR_UNSPECIFIED

Description: Query Master failed to find specified attribute in Profile Query XML from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_PROFILE_EVENT_TYPE_ERROR

Description: Query Master encountered unexpected event type in a Profile Query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason.



EventType: PH_QUERY_PROFILE_FUNCITION_ERROR

Description: Query Master hit Function error while executing Profile Query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason.



EventType: PH_QUERY_PROFILE_NOT_MARKED_AS_BASELINE

Description: Query Master will not execute a profile query since it is not marked as baseline

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
queryId | Query Id | string |



EventType: PH_QUERY_PROGRESS_REJECTED

Description: Query Worker fails to upload query progress to Query Master - some progress reporting will be skipped

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
queryId | Query Id | string |
httpStatusCode | HTTP Status | string |



EventType: PH_QUERY_REPORTEXPORT_TASK_CREAT_FAILED

Description: Query Master failed to create task for exporting CSV/PCAP formatted Query request from App Server - export will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_REPORTEXPORT_TASK_INSERT_FAILED

Description: Query Master failed to insert task for exporting CSV/PCAP formatted Query request from App Server into internal task queue - export will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_REPORT_RESULTS_LOAD_FAILED

Description: Query Master failed to load inline query report results from file - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |



EventType: PH_QUERY_REPORT_RESULTS_POST_FILTER_FAILED

Description: Query Master failed to post-filter inline query report results - no post-filtering is going to occur

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason.



EventType: PH_QUERY_REPORT_RESULT_FILE_NOT_EXIST

Description: Query report result file does not exist

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |



EventType: PH_QUERY_REQUEST_BAD

Description: FortiSIEM Query Engine received bad request

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.
queryId | Query Id | string |



EventType: PH_QUERY_RESULT_FILES_MERGE_FAILED

Description: Query Master failed to merge inline query result files - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_RESULT_GET_FAILED

Description: Query Master failed to produce inline query result / CSV export - operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header.



EventType: PH_QUERY_RESULT_NOT_READY

Description: Query Master failed to find Query result directory for CSV export

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_RESULT_PARSE_FAILED

Description: Query Master failed to parse trigger event query result from Data Manager

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header.
queryId | Query Id | string |



EventType: PH_QUERY_RESULT_REJECTED

Description: Query Master rejected query result upload from Query Worker

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
httpStatusCode | HTTP Status | string |



EventType: PH_QUERY_RESULT_SAVE_FAILED

Description: FortiSIEM Query Engine failed to save query result

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header.



EventType: PH_QUERY_RESULT_UPLOAD_FAILED

Description: Query Worker failed to upload query result to Query Master - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
destIpAddr | Destination IP | IP | Destination IP of a device as identified in the event.
queryId | Query Id | string |
filePath | File Path | string |
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_QUERY_RT_ERROR

Description: Query Worker spawned excessive threads to handle real time search and will exit (delete)

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason.



EventType: PH_QUERY_SORT_SPEC_GET_FAILED

Description: Query Master failed to get sort specification for cached query result - query will automatically rerun

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_START_FAILED

Description: Query Worker failed to start a query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.
queryId | Query Id | string |
reportName | Report Name | string | FortiSIEM report name.



EventType: PH_QUERY_STATE_BAD

Description: Query Master encounters invalid query state - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
queryId | Query Id | string |



EventType: PH_QUERY_STATUS_LOAD_FAILED

Description: Query Master failed to load query status from disk - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_STATUS_SAVE_FAILED

Description: Query Master failed to save query status to disk - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_SUMM_ATTR_BAD

Description: Query Master encountered bad attribute in Summary Dashboard data cache - cache will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_SUMM_ATTR_MISSING

Description: Query Master failed to locate an attribute in Summary Dashboard data cache - cache will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_SUMM_ATTR_UPDATE_FAILED

Description: Query Master failed to update certain host attribute in Summary Dashboard data cache - cache will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event.



EventType: PH_QUERY_SUMM_COLUMN_UNSUPPORTED

Description: Query Master encountered unsupported attribute in Summary Dashboard data cache - cache will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_SUMM_EVENT_SKIPPED

Description: Query Master skipped a bad event for Summary Dashboard data cache - performance metrics will be partially updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
compEventType | Component Event Type | string | This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute.
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_QUERY_SUMM_PARSE_FAILED

Description: Query Master failed to parse Summary Dashboard Query XML - one query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |



EventType: PH_QUERY_SUMM_PERF_ETINFO_UNSUPPORTED

Description: Query Master encountered unsupported perfETInfo in Summary Dashboard Query - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_TASK_INVALID

Description: FortiSIEM Query task and worker IP are not matched

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |
clientIpAddr | Client IP | IP |



EventType: PH_QUERY_TASK_REROUTED

Description: FortiSIEM Query task is rerouted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |
srcIpAddr | Source IP | IP | Source IP of a device as identified in the event.
destIpAddr | Destination IP | IP | Destination IP of a device as identified in the event.



EventType: PH_QUERY_TASK_REROUTE_FAILED

Description: FortiSIEM Query Task Reroute failed

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_QUERY_VALUE_TYPE_UNSUPPORTED

Description: FortiSIEM Query Engine encountered bad value type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_QUERY_WORKERS_GET_FAILED

Description: Query Master failed to get the list of query workers - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_QUERY_WORKERS_SPLIT_AMONG_FAILED

Description: Query Master failed to split query among workers - query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
queryId | Query Id | string |



EventType: PH_QUERY_WORKER_CHANGED_TO_OFFLINE

Description: FortiSIEM Query Worker Status Changed from online to offline

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
serverIpAddr | Server IP | IP |



EventType: PH_QUERY_WORKER_CHANGED_TO_ONLINE

Description: FortiSIEM Query Worker Status Changed from offline to online

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
serverIpAddr | Server IP | IP |



EventType: PH_QUERY_XML_PARSE_FAILED

Description: Query Master / Worker failed to parse query XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64-bit resolution.



EventType: PH_READER_BLOCK_WRITE

Description: Reader is blocking writer & restart

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
reptProcName | Reported Process Name | string |



EventType: PH_REPORT_ACTION_STATUS

Description: Record action result for report notification

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_REPORT_ACT_FAILED

Description: Query Master/Query Worker/Report Worker/Report Loader failed to perform requested ACTION from App Server, i.e. UPDATE, REMOVE. Event Role will not be updated.

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant.
roleId | Role ID | uint32 |



EventType: PH_REPORT_AGGR_FIELDS_EMPTY

Description: Report Master/Report Worker encountered empty aggregate fields. Report file will be incomplete

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_REPORT_AGGR_FIELD_NOT_ADDED

Description: Query Master/Report Master/Report Worker failed to add certain aggregate field to report schema. The schema will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_AGGR_FUNC_EMPTY

Description: Report Master/Report Worker encountered empty aggregate function. Report file will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
reportId | Report ID | uint32 |



EventType: PH_REPORT_AGGR_TYPE_ERROR

Description: Report Master/Report Worker encountered aggregate type error. Report file will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason.



EventType: PH_REPORT_AGGR_TYPE_UNDEFINED

Description: Report Master/Report Worker encountered undefined aggregate type. Report file will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_ATTR_ID_UNSUPPORTED

Description: Report Master/Report Worker encountered unsupported attribute ID. Report file will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_ATTR_MISSING

Description: Report Master/Report Worker failed to locate certain attribute. Report file will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_ATTR_UNDEFINED

Description: Report Master/Report Worker encountered undefined attribute. Report file will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_BUFFER_OVERFLOW

Description: Report buffer overflow

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
size | Size | uint32 |



EventType: PH_REPORT_CHECKSUM_MISMATCH

Description: Query Master encountered checksum mismatch in report results. The inline query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_CONFIG_UPDATE_NULL

Description: Report Worker/Report Loader encountered NULL object in config update. Config update will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_CONVERT_FAILED

Description: FortiSIEM internal error used for testing

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
queryId | Query Id | string |



EventType: PH_REPORT_DATA_INIT_FAILED

Description: Query Master/Report Master failed to initialize report results block data. This inline query or report rolling will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_DATA_SIZE_MISMATCH

Description: Query Master/Report Master/Report Worker/Report Loader encountered size mismatch between two pieces of data. The affected operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
reportId | Report ID | uint32 |



EventType: PH_REPORT_DATA_SIZE_OVERFLOW

Description: Query Master/Report Master/Report Worker/Report Loader encountered data size overflow. The affected operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_DATA_SIZE_UNEXPECTED

Description: Query Master/Report Master/Report Worker/Report Loader encountered unexpected data type. The affected operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_DATA_SIZE_UNKNOWN

Description: Query Master/Report Master/Report Worker/Report Loader encountered unknown data size. The affected operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_DATA_TYPE_UNEXPECTED

Description: Query Master/Report Master/Report Worker/Report Loader encountered unexpected data type. The affected operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_DIR_CREATE_FAILED

Description: FortiSIEM Report Engine failed to create directory

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_DIR_OPEN_FAILED

Description: FortiSIEM Report Engine failed to open directory

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_DIR_REMOVE_FAILED

Description: FortiSIEM Report Engine failed to remove directory

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_ES_BUCKETS_EMPTY

Description: Data Manager encountered empty Elastic Search buckets. Report data will not be written to disk

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_ES_POST_FAILED

Description: Report Master/Report Worker failed to POST Elastic Search data to App Server. Report data will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |
errorString | Error String | string | This is the error message, synonymous with attribute errReason.
httpStatusCode | HTTP Status | string |



EventType: PH_REPORT_ES_PROFILE_EMPTY

Description: Report Master encountered empty Elastic Search profile. Report data will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
reportId | Report ID | uint32 |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant.



EventType: PH_REPORT_ES_PROFILE_TIMEOUT

Description: Report Master encountered timeout in Elastic Search profile response. This profile will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
reportId | Report ID | uint32 |



EventType: PH_REPORT_ES_PURGE_INDEX_FAILED

Description: Elastic Search Purge Inline Report Index Failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_ES_TIME_RANGE_INVALID

Description: Report Master encountered invalid time range in Elastic Search profile query. This query will fail to be built

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_EXPR_PARSE_FAILED

Description: Query Master failed to parse schema expression. This inline query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |



EventType: PH_REPORT_FILE_CONTENT_MISSING

Description: Report Master failed to locate certain content in report file. Report rolling will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |



EventType: PH_REPORT_FILE_COPY_FAILED

Description: Report Master/Report Worker failed to copy report file. Report data will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
srcFilePath | Source File Path | string |
destFilePath | Destination File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_FILE_HEADER_BAD

Description: Query Master/Report Master/Report Worker encountered bad report file header. This inline query or report rolling will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |



EventType: PH_REPORT_FILE_INIT_FAILED

Description: Report Master/Report Worker failed to initialize report file. Report data will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |



EventType: PH_REPORT_FILE_LINK_FAILED

Description: Report Master failed to link report file. Report data will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
srcFilePath | Source File Path | string |
destFilePath | Destination File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_FILE_MAGIC_BAD

Description: Query Master/Report Master/Report Worker encountered bad report file magic. Inline query or report data will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |



EventType: PH_REPORT_FILE_MMAP_FAILED

Description: Query Master/Report Master failed to memory-map report file. This inline query or report rolling will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_FILE_NAME_BAD

Description: Report Master/Report Loader encountered bad report file name. This report rolling or loading will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |



EventType: PH_REPORT_FILE_OPEN_FAILED

Description: Query Master/Report Master/Report Worker/Report Loader failed to open report file. Related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_FILE_PARSE_FAILED

Description: FortiSIEM Report Engine failed to parse file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |



EventType: PH_REPORT_FILE_READ_FAILED

Description: Identity Master/Identity Worker failed to read entry IDs file. The process will terminate

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_FILE_REMOVE_FAILED

Description: Report Master failed to remove report file. Disk will eventually be full

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_FILE_RENAME_FAILED

Description: Report Master failed to rename report file. This report rolling will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
srcFilePath | Source File Path | string |
destFilePath | Destination File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_FILE_RSYNC_FAILED

Description: Report Master failed to rsync report file to remote super

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
srcFilePath | Source File Path | string |
targetHostName | Target Host Name | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_FILE_STAT_FAILED

Description: Report Worker/Report Loader failed to stat report file. This report writing or loading will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_FILE_TYPE_UNKNOWN

Description: Report Worker/Report Loader encountered unknown report file type. This report writing or loading will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |



EventType: PH_REPORT_FILE_UNSPECIFIED

Description: Report Master/Report Worker encountered unspecified report file. Report data will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason.



EventType: PH_REPORT_FILE_WRITE_FAILED

Description: Identity Master/Identity Worker failed to write entry IDs to file. The process will terminate

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_REPORT_FUNC_OBJ_DEF_ERROR

Description: Internal error and highly generic. Refer to [procName] and [phLogDetail] tags in the actual log

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason.



EventType: PH_REPORT_FUNC_OBJ_DEF_GET_FAILED

Description: Internal error and highly generic. Refer to [procName] and [phLogDetail] tags in the actual log

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_FUNC_OBJ_DEF_UNKNOWN

Description: Internal error and highly generic. Refer to [procName] and [phLogDetail] tags in the actual log

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_ID_LOC_DEVICE_EXCLUDED_INVALID

Description: FortiSIEM Identity and location module encountered invalid excluded device

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_ID_LOC_EVENT_SEND_FAILED

Description: FortiSIEM Identity and location module failed to upload events

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64-bit resolution.



EventType: PH_REPORT_ID_LOC_RESULT_UPLOAD_FAILED

Description: FortiSIEM Identity and location module failed to upload results to App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
httpStatusCode | HTTP Status | string |



EventType: PH_REPORT_ID_LOC_SYNCH_DATA_UPLOAD_FAILED

Description: FortiSIEM Identity and location module failed to upload Synch Data (Worker to Master)

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64-bit resolution.



EventType: PH_REPORT_ID_LOC_USER_ALREADY_EXCLUDED

Description: FortiSIEM Identity and location module found already excluded user

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
user | User | string |



EventType: PH_REPORT_ID_LOC_USER_EXCLUDE_FAILED

Description: FortiSIEM Identity and location module failed to exclude user

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
user | User | string |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant.



EventType: PH_REPORT_INDEX_OVERFLOW

Description: Query Master/phRuleMaster/Report Master/Report Worker/Report Loader/Data Manager/Identity Master/Identity Worker encountered index out of bounds. Related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header.
size | Size | uint32 |



EventType: PH_REPORT_IP_GET_FAILED

Description: Failed to get host IP

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
hostName | Host Name | string | This is the hostname of the device of interest in the event.



EventType: PH_REPORT_IP_TYPE_INVALID

Description: Invalid IP type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_KEY_LOAD_FAILED

Description: FortiSIEM Report module failed to load event attribute keys

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_REPORT_MODULE_INIT_FAILED

Description: Report Master/Report Worker/Report Loader/Identity Master/Identity Worker failed to initialize certain module. Related operation will fail

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
module | Module Name | string |
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_REPORT_MODULE_UNCONFIGURED

Description: Report Worker encountered unconfigured item. The process will terminate

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
module | Module Name | string |



EventType: PH_REPORT_OLD_REPORT_DATA

Description: Report Master encountered older report data from Worker; block_collection_window might need to be enlarged

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_REPORT_OP_UNEXPECTED

Description: Query Master/Report Master/Report Worker encountered unexpected operator type. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_ORDER_BY_ATTR_EMPTY

Description: Query Master/phRuleMaster/Report Master encountered empty order-by attributes in report. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
reportId | Report ID | uint32 |



EventType: PH_REPORT_ORDER_BY_INVALID

Description: Query Master/phRuleMaster/Report Master encountered invalid order-by attributes in report. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
reportId | Report ID | uint32 |



EventType: PH_REPORT_PACK_FAILED

Description: Failed to pack data

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_REPORT_PACK_FAILED_COUNT

Description: Failed to pack or unpack data

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_REPORT_PARSED_EVENT_LOAD_FAILED

Description: FortiSIEM Report module failed to load event

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_PGDB_CONNECT_FAILED

Description: Report Loader failed to connect to Postgres DB. Report loading will fail

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_REPORT_PGDB_EXEC_FAILED

Description: Report Loader failed to execute SQL statement in Postgres DB. This report loading will fail

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbQuery | Database Query | string |



EventType: PH_REPORT_PGDB_NOT_CONNECTED

Description: Query Master/Report Loader encountered disconnected Postgres DB while executing SQL statement. This incident query or report loading will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbQuery | Database Query | string |



EventType: PH_REPORT_PGDB_NOT_INIT

Description: Query Master/Report Loader encountered uninitialized Postgres DB connection manager. The process will terminate

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_REPORT_POINTER_NULL

Description: Query Master/phRuleMaster/Report Master/Report Worker/Report Loader/Data Manager/Identity Master/Identity Worker encountered NULL pointer. Related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_POINTER_NULL_WARNING

Description: NULL pointer detected

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_POSITIVE_INTEGER_EXPECTED

Description: Query Master/Data Manager expected positive integer in performance data but got other value. Default value will be set instead

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
compEventType | Component Event Type | string | This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute.



EventType: PH_REPORT_PQ_ERROR

Description: Query Master/Report Loader encountered PQ function error in Postgres DB. This incident query or report loading will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
funName | Function Name | string |
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_REPORT_PROFILE_TYPE_BAD

Description: FortiSIEM Report module encountered bad profile

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_PROFILE_TYPE_WRONG_FORMAT

Description: Query Master encountered wrong format of profile. This inline query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
reportId | Report ID | uint32 |



EventType: PH_REPORT_PROFILE_UPDATE_FAILED

Description: FortiSIEM Report module failed to upload profile

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
profDateType | Profile Date Type | uchar |



EventType: PH_REPORT_ROW_LENGTH_ZERO

Description: Query Master encountered empty row for given report ID. This inline query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
reportId | Report ID | uint32 |



EventType: PH_REPORT_RULE_ATTR_MISSING

Description: Query Master failed to locate certain rule attribute in profile. This profile query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_REPORT_SCHEMA_INCOMPATIBLE

Description: Query Master/Report Master encountered incompatible report schema. This inline query or report rolling will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_SCHEMA_INVALID

Description: Query Master/Report Master encountered invalid report schema. This inline query or report rolling will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_SCHEMA_LOAD_FAILED

Description: Query Master/Report Master failed to load report schema. This inline query or report rolling will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_SQLITE3_BATCH_BEGIN_FAILED

Description: Report Master failed to begin SQLite3 batch transaction. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
profDateType | Profile Date Type | uchar |
hourOfDay | Hour Of Day | uint16 | This attribute is not used



EventType: PH_REPORT_SQLITE3_BATCH_COMMIT_FAILED

Description: Report Master failed to commit SQLite3 batch transaction. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
profDateType | Profile Date Type | uchar |
hourOfDay | Hour Of Day | uint16 | This attribute is not used



EventType: PH_REPORT_SQLITE3_BIND_VALUE_FAILED

Description: Report Master failed to bind certain value to SQLite3. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
tablespaceName | DB Tablespace Name | string |
dbRetCode | DB Return Code | uint32 |
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_REPORT_SQLITE3_BUSY

Description: Report Master encountered SQLite3 busy state. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbRetCode | DB Return Code | uint32 |
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_REPORT_SQLITE3_BUSY_TIMEOUT_ERROR

Description: Report Master encountered SQLite3 busy timeout. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
dbRetCode | DB Return Code | uint32 |



EventType: PH_REPORT_SQLITE3_CHECKPOINT_FAILED

Description: FortiSIEM Report module failed to checkpoint profile

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
dbRetCode | DB Return Code | uint32 |
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_REPORT_SQLITE3_COMMIT_ERROR

Description: Report Master encountered commit error in SQLite3. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
tablespaceName | DB Tablespace Name | string |



EventType: PH_REPORT_SQLITE3_CONFIG_FAILED

Description: Report Master failed to configure SQLite3 with multi-thread mode. Performance will degrade

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
dbRetCode | DB Return Code | uint32 |
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_REPORT_SQLITE3_ENABLE_SHARED_CACHE_FAILED

Description: Report Master failed to enable shared cache for SQLite3. Performance will degrade

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
dbRetCode | DB Return Code | uint32 |



EventType: PH_REPORT_SQLITE3_EXEC_FAILED

Description: Report Master failed to execute SQLite3 statement. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
dbQuery | Database Query | string |
dbRetCode | DB Return Code | uint32 |
errorString | Error String | string | This is the error message, synonymous with attribute errReason
tablespaceName | DB Tablespace Name | string |



EventType: PH_REPORT_SQLITE3_EXTENDED_RESULT_CODES_ERROR

Description: Report Master failed to enable extended result codes for SQLite3. Maintainability will degrade

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
dbRetCode | DB Return Code | uint32 |



EventType: PH_REPORT_SQLITE3_OPEN_FAILED

Description: Report Master failed to open SQLite3. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
dbRetCode | DB Return Code | uint32 |
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_REPORT_SQLITE3_PREPARE_ERROR

Description: Report Master failed to prepare SQLite3 statement. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
tablespaceName | DB Tablespace Name | string |
dbQuery | Database Query | string |
dbRetCode | DB Return Code | uint32 |
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_REPORT_SQLITE3_PROFILE_ENTRY_DELETE_FAILED

Description: Report Master failed to delete profile entry from SQLite3. Profile or Daily DB will contain redundant data

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
reportId | Report ID | uint32 |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
profDateType | Profile Date Type | uchar |
hourOfDay | Hour Of Day | uint16 | This attribute is not used



EventType: PH_REPORT_SQLITE3_PROFILE_NOT_FOUND

Description: Report Master failed to find profile ID in SQLite3. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
dbName | DB Name | string |
reportId | Report ID | uint32 |



EventType: PH_REPORT_SQLITE3_STEP_ERROR

Description: Report Master failed to step SQLite3 statement. Profile or Daily DB will not be updated

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
tablespaceName | DB Tablespace Name | string |
dbRetCode | DB Return Code | uint32 |
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_REPORT_UNPACK_FAILED

Description: Rule Master failed to unpack rule data from Rule Workers, causing potential incident loss.

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_REPORT_VALUE_TYPE_LOOKUP_BY_ID_FAILED

Description: Report-related process failed to look up value type by attribute ID. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_VALUE_TYPE_LOOKUP_BY_NAME_FAILED

Description: Report-related process failed to look up value type by attribute name. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_VALUE_TYPE_OF_ID_UNEXPECTED

Description: Report-related process encountered unexpected value type of certain attribute ID. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_VALUE_TYPE_OF_NAME_UNEXPECTED

Description: Report-related process encountered unexpected value type of certain attribute name. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_VALUE_TYPE_OF_STAT_UNEXPECTED

Description: Report-related process encountered unexpected value type of stat item. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_VALUE_TYPE_UNSUPPORTED

Description: Report-related process encountered unsupported value type. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_WORKER_UPLOAD_FAILED

Description: Failed to upload a data block buffer

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
reportId | Report ID | uint32 |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant



EventType: PH_REPORT_XML_ELEMENT_DUPLICATE

Description: Query Master encountered duplicate XML element. This performance metrics update will not be complete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64-bit resolution.
compEventType | Component Event Type | string | This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute.



EventType: PH_REPORT_XML_ELEMENT_MISSING

Description: Report Master failed to locate certain XML element. This report rolling will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64-bit resolution.



EventType: PH_REPORT_XML_ELEMENT_PARSE_FAILED

Description: Query Master failed to parse certain XML element. This performance metrics update will not be complete

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64-bit resolution.
compEventType | Component Event Type | string | This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute.



EventType: PH_REPORT_XML_PARSE_FAILED

Description: Report-related process failed to parse certain XML. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64-bit resolution.



EventType: PH_REPORT_ZLIB_COMPRESSION_TYPE_UNKNOWN

Description: Query Master encountered unknown Zlib compression type for report results file. This inline query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_REPORT_ZLIB_UNCOMPRESS_FAILED

Description: Query Master failed to uncompress Zlib report results file. This inline query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
exitValue | Command exit value | int32 |



EventType: PH_RULEMASTER_TEST_RULES_CHECK_SYNTAX

Description: Rule master starts to check syntax

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.



EventType: PH_RULEMASTER_TEST_RULES_FINALIZE_STATE

Description: Rule master finalizes state report summary

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.



EventType: PH_RULEMASTER_TEST_RULES_UPDATE_STATE

Description: Rule master updates state report summary

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.



EventType: PH_RULEMOD_AGGREGATOR_EMPTY

Description: Rule Master/Rule Worker encountered empty aggregator. This rule definition will be incomplete

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_ARITH_OP_ILLEGAL

Description: Rule Master/Rule Worker encountered illegal arithmetic operation. This rule evaluation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_RULEMOD_ATTR_ALREADY_ASSOCIATED

Description: Rule Master/Rule Worker encountered an attribute already associated with the given event type in '/opt/phoenix/bin/evtTypeAttrMapForSimpleRule.xml'. The process will terminate

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
compEventType | Component Event Type | string | This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute.



EventType: PH_RULEMOD_ATTR_ID_LOOKUP_BY_NAME_FAILED

Description: Rule Master/Rule Worker failed to look up attribute ID by name in '/opt/phoenix/bin/evtTypeAttrMapForSimpleRule.xml'. The process could terminate depending on the attribute type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_ATTR_ID_UNDEFINED

Description: Rule Master/Rule Worker encountered undefined attribute ID. This rule evaluation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_ATTR_MISSING

Description: Rule Master/Rule Worker failed to locate certain attribute in '/opt/phoenix/bin/evtTypeAttrMapForSimpleRule.xml'. This attribute will be skipped

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_ATTR_NAME_LOOKUP_BY_ID_FAILED

Description: Query Master/Rule Master/Rule Worker failed to look up attribute name by ID. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_ATTR_UNDEFINED

Description: Query Master/Rule Master/Rule Worker encountered undefined event attribute. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_BUFFER_EMPTY

Description: Rule Master/Rule Worker encountered empty buffer in loading '/opt/phoenix/bin/evtTypeAttrMapForSimpleRule.xml'. The process will terminate

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_CLEAR_CONDITION_INVALID

Description: Query Master/Rule Master/Rule Worker encountered invalid clear condition in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_RULEMOD_CLEAR_CONDITION_SET_FAILED

Description: Query Master/Rule Master/Rule Worker failed to set clear condition in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_RULEMOD_CONFIG_UNDEFINED

Description: Rule Master encountered undefined config item of db_server_host. Incident processing will not work

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
configName | Config Name | string |



EventType: PH_RULEMOD_CONSTRUCTOR_ERROR

Description: Rule Master/Rule Worker encountered error in constructor of given module. This rule evaluation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
module | Module Name | string |



EventType: PH_RULEMOD_CUST_ID_LIST_INVALID

Description: Query Master/Rule Master/Rule Worker encountered invalid customer ID list in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |



EventType: PH_RULEMOD_DATA_REQUEST_PARSE_FAILED

Description: Query Master failed to parse data request from App Server. This inline query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant



EventType: PH_RULEMOD_DATA_SIZE_OVERFLOW

Description: Rule Master/Rule Worker encountered data size exceeding its capacity. This rule parsing or evaluation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_DATA_UNSUPPORTED

Description: Rule Master/Rule Worker encountered unsupported data. This rule parsing or evaluation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_DB_SERVER_HOST_UNDEFINED

Description: Database server host not defined for rule master

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
configName | Config Name | string |



EventType: PH_RULEMOD_DIR_OPEN_FAILED

Description: Rule Master/Rule Worker failed to open rule XML directory. The process will terminate

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_RULEMOD_ENCODE_FAILED

Description: Query Master/Rule Master/Rule Worker failed to encode given data. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_ENTITY_VERSION_MISSING

Description: Query Master/Rule Master/Rule Worker failed to identify entity version of rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_RULEMOD_EVENT_TYPE_GROUP_INVALID

Description: Rule Worker failed to parse certain event type group in rules. Affected rule evaluation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
eventTypeGrp | Event Type Group | string | This field is not used



EventType: PH_RULEMOD_EVENT_TYPE_NOT_FOUND

Description: Query Master/Rule Master/Rule Worker failed to find certain event type in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_RULEMOD_EXCEPTION_ELEMENT_INVALID

Description: Rule Master encountered invalid element in rule exception. This rule exception parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
description | Description | string |



EventType: PH_RULEMOD_EXPR_EVAL_UNKNOWN

Description: Query Master encountered unknown expression evaluation of given operator type. This incident query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_RULEMOD_EXPR_PARSE_FAILED

Description: Query Master/Rule Master/Rule Worker failed to parse certain expression. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |



EventType: PH_RULEMOD_EXPR_UNSUPPORTED

Description: Query Master/Rule Master/Rule Worker encountered unsupported expression in aggregate function. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
funName | Function Name | string |



EventType: PH_RULEMOD_FILE_OPEN_FAILED

Description: Rule Master/Rule Worker failed to open rule-related file. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string |
errorNoInt | Error Number Int | int32 |



EventType: PH_RULEMOD_FILE_UNSPECIFIED

Description: Rule Master/Rule Worker encountered unspecified rule XML file. This rule update will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_RULEMOD_FORMAT_ERROR

Description: Query Master/Rule Master/Rule Worker encountered format error in given expression. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_FUNC_NOT_FOUND

Description: Query Master/Rule Master/Rule Worker failed to locate certain function in given expression. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
funName | Function Name | string |



EventType: PH_RULEMOD_FUNC_PARSE_FAILED

Description: Query Master/Rule Master/Rule Worker failed to parse certain function in given expression. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
funName | Function Name | string |



EventType: PH_RULEMOD_GLOBAL_CONSTRAINT_INVALID

Description: Query Master/Rule Master/Rule Worker encountered invalid global constraint in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.
task | Task | string |



EventType: PH_RULEMOD_GROUPBY_LIST_INVALID

Description: Query Master/Rule Master/Rule Worker encountered invalid group-by list in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |



EventType: PH_RULEMOD_GROUPBY_LIST_NOT_FOUND

Description: Query Master/Rule Master/Rule Worker failed to find group-by list in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_RULEMOD_GROUP_EVENT_CONSTRAINT_INVALID

Description: Query Master/Rule Master/Rule Worker encountered invalid group event constraint in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |



EventType: PH_RULEMOD_ID_LOOKUP_BY_INCIDENT_FAILED

Description: Rule Master failed to look up rule ID by incident ID. This incident firing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
incidentId | Incident ID | uint64 | Unique ID of a FortiSIEM Incident
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.



EventType: PH_RULEMOD_INCIDENT_ARG_INVALID

Description: Query Master/Rule Master/Rule Worker encountered invalid incident argument in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
task | Task | string |



EventType: PH_RULEMOD_INCIDENT_CACHE_NOT_FOUND

Description: Rule Master failed to find incident cache for given incident ID. This incident will not be cleared

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
incidentId | Incident ID | uint64 | Unique ID of a FortiSIEM Incident
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_RULEMOD_INCIDENT_DEF_INVALID

Description: Query Master/Rule Master encountered invalid incident definition in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule.
ruleName | Rule Name | string | FortiSIEM rule name.



EventType: PH_RULEMOD_INCIDENT_NOT_FOUND

Description: Rule Master failed to find given incident ID. This incident will not be cleared

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
incidentId | Incident ID | uint64 | Unique ID of a FortiSIEM Incident



EventType: PH_RULEMOD_INCIDENT_REPORT_SEND_FAILED

Description: Rule Master failed to send incident report to phParser. This incident will be missing in eventdb

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
destName | Destination Host Name | string | Destination device's hostname as identified in the log; it can also be enriched using a reverse lookup of the destination IP address.
destIpPort | Destination TCP/UDP Port | uint16 | This is the destination TCP or UDP port as identified in the event



EventType: PH_RULEMOD_INDEX_OVERFLOW

Description: Query Master encountered out-of-bound index in certain data. This incident query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header.
size | Size | uint32 |



EventType: PH_RULEMOD_INFO_GET_FAILED

Description: FortiSIEM Report module failed to get statistics

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_IP_GET_FAILED

Description: Rule Worker failed to get host IP of Supervisor. Incident firing will not work

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
hostName | Host Name | string | This is the hostname of the device of interest in the event



EventType: PH_RULEMOD_IP_INVALID

Description: Query Master/Rule Master/Rule Worker found invalid IP in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event.



EventType: PH_RULEMOD_IP_TYPE_INVALID

Description: Invalid IP type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_LOAD_METHOD_UNDEFINED

Description: Rule Master/Rule Worker encountered undefined rule load method. Rule loading will fail

Severity: 9 (High)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_MEM_ALLOC_FAILED

Description: Query Master/Rule Master/Rule Worker failed to allocate memory. The related operation will fail

Severity: 9 (High)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_MODULE_INIT_FAILED

Description: Rule Master/Rule Worker failed to be initialized. The process will terminate

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
module | Module Name | string |
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_RULEMOD_MUTEX_ACQUIRE_FAILED

Description: Query Master/Rule Master/Rule Worker failed to acquire mutex. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
module | Module Name | string |



EventType: PH_RULEMOD_NOTIF_CONNECTION_FAILED

Description: Rule Master failed to establish notification connection to phParser. This incident will be missing in eventdb

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
destName | Destination Host Name | string | Destination device's hostname as identified in the log; it can also be enriched using a reverse lookup of the destination IP address.
destIpPort | Destination TCP/UDP Port | uint16 | This is the destination TCP or UDP port as identified in the event



EventType: PH_RULEMOD_OBJ_GET_FROM_SUBPATTERN_FAILED

Description: Rule Master failed to get certain object from subpattern. This incident cache update will be incomplete

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_OBJ_LOAD_FAILED

Description: Query Master/Rule Master/Rule Worker failed to load certain object in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_OP_NOT_FUNC

Description: Rule Master encountered an operator of non-function type. This incident initialization will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_OP_UNKNOWN

Description: Query Master/Rule Master/Rule Worker encountered unknown operator. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_PARSED_EVENT_LOAD_FAILED

Description: Rule Worker failed to load and skipped a parsed event, causing potential incident loss.

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_PQ_ERROR

Description: Rule Master encountered PQ function error in Postgres DB. Incident processing will not work

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

funName

Function Name

string

errorString

Error String

string

This is the error message, synonymous with the attribute errReason



EventType: PH_RULEMOD_PROFILE

Description: FortiSIEM Rule resource usage profile

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

ruleName

Rule Name

string

FortiSIEM rule name.

memTotalB

Total Memory Bytes

uint32

updateQueueSize

Update Queue Size

uint32



EventType: PH_RULEMOD_REM_BY_ZERO

Description: Rule Master/Rule Worker caught remainder-by-zero exception. Default value will be set instead

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_REM_BY_ZEROD

Description: FortiSIEM Report module failed to produce statistics

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_SELECT_ATTR_PARSE_FAILED

Description: Query Master/Rule Master/Rule Worker failed to parse and skipped certain select attribute. This rule parsing will be incomplete

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_SELECT_SPEC_PARSE_FAILED

Description: Query Master/Rule Master/Rule Worker failed to parse at least one select spec field. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_SINGLE_EVENT_CONSTRAINT_INVALID

Description: Query Master/Rule Master/Rule Worker encountered invalid single event constraint in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string



EventType: PH_RULEMOD_SUBPATTERN_INVALID

Description: Query Master/Rule Master/Rule Worker encountered invalid subpattern in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.

ruleName

Rule Name

string

FortiSIEM rule name.

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_RULEMOD_SUBPATTERN_MISSING

Description: Query Master/Rule Master/Rule Worker failed to locate certain subpattern in XML. The related operation will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_SUBPATTERN_MORE_THAN_ONE

Description: Query Master/Rule Master/Rule Worker encountered more than one subpattern in simple rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.

ruleName

Rule Name

string

FortiSIEM rule name.



EventType: PH_RULEMOD_SUBPATTERN_UNDEFINED

Description: Query Master/Rule Master/Rule Worker encountered undefined subpattern in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.

ruleName

Rule Name

string

FortiSIEM rule name.



EventType: PH_RULEMOD_SUMMARY_UPLOAD_FAILED

Description: Rule Worker failed to upload rule summary to Rule Master, causing potential incident loss.

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.

ruleName

Rule Name

string

FortiSIEM rule name.



EventType: PH_RULEMOD_THREAD_SPAWN_FAILED

Description: Rule Master/Rule Worker failed to spawn thread during initialization. The process will terminate

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

funName

Function Name

string



EventType: PH_RULEMOD_TOKEN_UNDEFINED

Description: Query Master/Rule Master/Rule Worker encountered undefined token of given type in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.

ruleName

Rule Name

string

FortiSIEM rule name.



EventType: PH_RULEMOD_TOKEN_UNEXPECTED

Description: Query Master/Rule Master/Rule Worker encountered unexpected token of given type in rule. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.

ruleName

Rule Name

string

FortiSIEM rule name.



EventType: PH_RULEMOD_UNPACK_FAILED

Description: Rule Master failed to unpack rule data from Rule Workers, causing potential incident loss.

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_RULEMOD_VALUE_TYPE_UNEXPECTED

Description: Query Master encountered unexpected value type of certain attribute. This incident query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_XML_ELEMENT_EMPTY

Description: Query Master/Rule Master/Rule Worker encountered empty XML element. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.

ruleName

Rule Name

string

FortiSIEM rule name.



EventType: PH_RULEMOD_XML_ELEMENT_MISSING

Description: Query Master/Rule Master/Rule Worker encountered missing XML element. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.

ruleName

Rule Name

string

FortiSIEM rule name.



EventType: PH_RULEMOD_XML_ELEMENT_PARSE_FAILED

Description: Query Master failed to parse certain XML element. This inline query will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_XML_ELEMENT_UNEXPECTED

Description: Query Master/Rule Master/Rule Worker encountered unexpected XML element. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.

ruleName

Rule Name

string

FortiSIEM rule name.



EventType: PH_RULEMOD_XML_ELEMENT_UNKNOWN

Description: Query Master/Rule Master/Rule Worker encountered unknown XML element. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEMOD_XML_LOAD_FAILED

Description: Rule Master/Rule Worker failed to load rule XML from file. This rule loading will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_RULEMOD_XML_PARSE_FAILED

Description: Query Master/Rule Master/Rule Worker failed to parse rule XML. This rule parsing will fail

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

task

Task

string

totBytes64

Total Bytes64

uint64

Total number of sent and received bytes by a host. This has 64-bit resolution.



EventType: PH_RULEMOD_XML_POINTER_NULL

Description: NULL pointer in XML detected

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_RULEWORKER_TEST_RULES_CHECK_SYNTAX

Description: Rule worker starts to check syntax

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.



EventType: PH_RULEWORKER_TEST_RULES_EVENT_MATCH_STATUS

Description: Rule worker event test status

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

eventId

Event ID

uint64

This is a globally unique ID assigned to every raw event ingested into the SIEM. This is used by the system for tying events to incidents, and is typically not needed by end users.



EventType: PH_Rule_FML_Antispam_Malicious_File

Description: FortiMail: Malicious Spam File Attachment Found

Severity: 9 (High)

Event Category: 3 (System Logs)


EventType: PH_Rule_FML_Antispam_Malicious_Url

Description: FortiMail: Malicious URL found

Severity: 9 (High)

Event Category: 3 (System Logs)


EventType: PH_SAAS_OP_COLLECTOR_DOWN

Description: Collector down

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_SAAS_OP_COLLECTOR_UP

Description: Collector up

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SCHEDULED_RULE_QUERY_FAILED

Description: Failed to run query for scheduled rule

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_SER_MON_SERVICE_DOWN

Description: PH process down

Severity: 8 (Medium)

Event Category: 3 (System Logs)


EventType: PH_SHAREDSTORE_ACQUIRE_ERROR

Description: A module failed to acquire shared store. The module will abort

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_SHAREDSTORE_WRITER_POS_UNEXPECTED_ALTERED

Description: Shared store writer position altered unexpectedly

Severity: 9 (High)

Event Category: 3 (System Logs)


EventType: PH_SHAREDSTORE_WRITE_ERROR

Description: Parser module encountered error while writing to shared store. Events will be lost

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_SSL_SHUTDOWN_ERROR

Description: PH system SSL shutdown error

Severity: 6 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_ACCOUNT_UNMATCHED

Description: Perf / STM module encountered unmatched LOOP_EMAIL_42 account in XML received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_AUTH_TYPE_UNKNOWN

Description: Perf / STM module encountered unknown auth type in monitor in XML received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_BAD_ELEM

Description: Perf / STM module encountered bad element in monitor in XML received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_BAD_ELEM_VALUE

Description: Perf / STM module encountered bad element values in XML received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_BAD_PORT

Description: Perf / STM module encountered bad port in XML received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_BAD_RTT_LINE

Description: Perf / STM module encountered bad RTT line in XML received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_BAD_SSL

Description: Perf / STM module encountered bad SSL in XML received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_BAD_TAG

Description: Perf / STM module encountered bad Tag in XML received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_CMD_EXEC_FAILED

Description: Perf / STM module failed to execute command

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

command

Command

string

exitValue

Command exit value

int32



EventType: PH_STM_CRED_INVALID

Description: Perf / STM module found that credential doesn't match with Custom Perf Object

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_CURL_ESCAPE_FAILED

Description: Perf / STM module found that curl_easy_escape() returned NULL

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_CURL_INIT_FAILED

Description: Perf / STM module failed to init curl - HTTP based communication will fail

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_STM_DNS_TYPE_UNSUPPORT

Description: Perf / STM module found unsupported DNS resource record type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_DUPLICATED

Description: Perf / STM module found duplicated srvcMonitor name or id

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_ELEM_EMPTY

Description: Perf / STM module found empty XML element received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_ELEM_MISSING

Description: Perf / STM module found missing XML element received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_ELEM_NEGATIVE

Description: Perf / STM module found negative XML element received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_ERROR

Description: Perf / STM module encountered STM monitor error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostName

Host Name

string

This is the hostname of the device of interest in the event

ipPort

IP Port

uint16

IP port number

user

User

string

errorString

Error String

string

This is the error message, synonymous with the attribute errReason



EventType: PH_STM_FILE_OPEN_FAILED

Description: Perf / STM module failed to open file during STM operation

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

exitValue

Command exit value

int32



EventType: PH_STM_GET_HOST_FAILED

Description: Perf / STM module failed to get outgoing host

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.



EventType: PH_STM_GUESS_TYPE_FAILED

Description: Perf / STM module could not guess resource record type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_HTTP_RESP_FAILED

Description: Perf / STM module did not find response time from command output

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

command

Command

string



EventType: PH_STM_METHOD_UNKNOWN

Description: Perf / STM module found unknown URL method in monitor

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_MONITOR_MISSING_ACTION

Description: Perf / STM module found that no action is specified for monitor

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_MONITOR_RESULT_UPLOAD_FAILED

Description: Perf / STM module failed to upload test service monitor result XML to App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_NO_ORACLE_NAME

Description: Perf / STM module found missing instance name and service name for Oracle server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverIpAddr

Server IP

IP



EventType: PH_STM_PORT_UNKNOWN

Description: Perf / STM module found unknown service monitor port

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_PROCESS_INVOKE_FAILED

Description: Perf / STM module failed to invoke SrvcMonJobExec::execute

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_PROTO_UNKNOWN

Description: Perf / STM module encountered unknown proto in STM job definition

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_PROTO_UNSUPPORT

Description: Perf / STM module encountered unsupported mail protocol in STM job definition

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_SERVER_ADDR_INVALID

Description: Perf / STM module encountered invalid server address in STM job definition

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_SPECIAL_LINE_NOT_FOUND

Description: Perf / STM module could not find either RTT line or packet loss line in ping response from device

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_STM_GET_PROCESS_FAILED

Description: Perf / STM module cannot get process

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_STM_GET_PROCESS_NAME_FAILED

Description: Perf / STM module cannot get process name

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_TAG_MISSING

Description: Perf / STM module found missing tag XML element received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_TAG_NOT_FOUND

Description: Perf / STM module found missing tag XML element received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_TAG_UNKNOWN

Description: Perf / STM module found unknown tag XML element received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_TRACEROUTE_FAILED

Description: Perf / STM module failed to parse traceroute output

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_STM_XML_PARSE_FAILED

Description: Perf / STM module failed to parse XML file received from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_SYSTEM_ARCHIVE_LOW

Description: FortiSIEM EventDB Archive disk space low

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_ARCHIVE_PURGED_LOW_SPACE

Description: Event database archive files purged to make room for new archive

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_ARCHIVE_PURGED_POLICY

Description: Event database archive files purged by policy

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_ARCHIVE_PURGING_LOW_SPACE_FAILED

Description: Failed to purge Archive FortiSIEM EventDB - purge caused by low available space

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_ARCHIVE_PURGING_LOW_SPACE_FINISHED

Description: Successfully purged Archive FortiSIEM EventDB - purge caused by low available space

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_ARCHIVE_PURGING_LOW_SPACE_STARTED

Description: Started to purge Archive FortiSIEM EventDB because of low available space

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_ARCHIVE_PURGING_LOW_SPACE_SUCCESS

Description: Successfully purged Archive FortiSIEM EventDB because of low available space

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_ARCHIVE_PURGING_POLICY_FAILED

Description: Failed to purge Archive FortiSIEM EventDB - purge caused by policy

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_ARCHIVE_PURGING_POLICY_FINISHED

Description: Successfully purged Archive FortiSIEM EventDB - purge caused by policy

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

totBytes64

Total Bytes64

uint64

Total number of sent and received bytes by a host. This has 64-bit resolution.



EventType: PH_SYSTEM_ARCHIVE_PURGING_POLICY_STARTED

Description: Started to purge Archive FortiSIEM EventDB - purge caused by policy

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_ARCHIVE_PURGING_POLICY_SUCCESS

Description: Successfully purged Archive FortiSIEM EventDB - purge caused by policy

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_ARCHIVE_RETENTION_POLICY_VIOLATED

Description: Archive retention policy violation

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant



EventType: PH_SYSTEM_ARCHIVE_USAGE

Description: Archive disk usage

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

diskUsage

Disk Used MB

uint64



EventType: PH_SYSTEM_DATAMGR_ARCHIVE_SKIP

Description: Online FortiSIEM EventDB Archiving skipped since the directory has data

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_DEVAPP_EVENTS_PER_SEC

Description: FortiSIEM per application EPS statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

reptVendor

Reporting Vendor

string

This field captures the vendor of the reported event

reptModel

Reporting Model

string

This field captures the model of the reported event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

hostName

Host Name

string

This is the hostname of the device of interest in the event

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

eventsPerSec

Event Rate

double

A generic attribute for recording event ingestion or handling rate.



EventType: PH_SYSTEM_DEVAPP_NO_EVENTS

Description: No events from a reporting module in last 1 hour

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

reptVendor

Reporting Vendor

string

This field captures the vendor of the reported event

reptModel

Reporting Model

string

This field captures the model of the reported event

reptDevIpAddr

Reporting IP

IP

This is the device that originated the log or event packet, also known as the reporting device.

reptDevName

Reporting Device

string

This is the hostname of the device that originated the log or event packet.



EventType: PH_SYSTEM_DEVICE_NO_EVENTS

Description: No events from a device in last 1 hour

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_DISK_ARCHIVING_FAILED

Description: Online FortiSIEM EventDB Archiving encountered errors

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_DISK_ARCHIVING_FINISHED

Description: Online FortiSIEM EventDB Archiving completed

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_DISK_ARCHIVING_STARTED

Description: Online FortiSIEM EventDB Archiving started

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_DISK_ARCHIVING_SUCCESS

Description: Online FortiSIEM EventDB Archiving success

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_DISK_PURGED

Description: Event database files purged

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant



EventType: PH_SYSTEM_DISK_PURGING_FAILED

Description: Online FortiSIEM EventDB Purging encountered errors

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_DISK_PURGING_FINISHED

Description: Online FortiSIEM EventDB Purging completed

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_DISK_PURGING_STARTED

Description: Online FortiSIEM EventDB Purging started

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_DISK_PURGING_SUCCESS

Description: Online FortiSIEM EventDB Purging success

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_DISK_USAGE

Description: Disk usage of customer

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

diskUsage

Disk Used MB

uint64



EventType: PH_SYSTEM_DISK_USAGE_EXCEED_LICENSE

Description: Event database disk usage exceeded limit

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant



EventType: PH_SYSTEM_DISK_USAGE_WARNING

Description: FortiSIEM EventDB disk usage close to limit

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant



EventType: PH_SYSTEM_EPS_GLOBAL

Description: FortiSIEM Global event handling statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

licenseEventsPerSec

License EPS

uint64

incomingEventsPerSec

Incoming Event Rate

double

This is the FortiSIEM event ingestion rate, calculated every 3 minutes by dividing the interval's event count by 180 seconds to give a rolling EPS (Events Per Second) value.

peakIncomingEventsPerSec

Peak Incoming Event Rate

double

This is the spike or maximum event ingestion rate seen during a 3-minute interval, averaged over all data points.

dropLicenseEventsPerSec

License Dropped Event Rate

double

The number of events dropped due to exceeding license in past 3 minutes.

peakDropLicenseEventsPerSec

Peak License Dropped Event Rate

double

The max value of dropLicenseEventsPerSec over all 3-minute periods, since phParser started.

unusedEvents

Unused Event Count

uint64

The accumulated difference between licenseEventsPerSec and incomingEventsPerSec.



EventType: PH_SYSTEM_EPS_NODE

Description: FortiSIEM per Node event handling statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

role

Role

string

hostName

Host Name

string

This is the hostname of the device of interest in the event

guaranteedEventsPerSec

Guaranteed EPS

uint64

incomingEventsPerSec

Incoming Event Rate

double

This is the FortiSIEM event ingestion rate, calculated every 3 minutes by dividing the interval's event count by 180 seconds to give a rolling EPS (Events Per Second) value.

peakIncomingEventsPerSec

Peak Incoming Event Rate

double

This is the spike or maximum event ingestion rate seen during a 3-minute interval, averaged over all data points.

ingestedEventsPerSec

Ingested Event Rate

double

dropPolicyEvents

Policy Dropped Events

uint64

The number of events dropped by Event Dropping Rules in the last 3 minutes.

dropPolicyEventsPerSec

Policy Dropped Event Rate

double

This is the per second count of events dropped by policy, which is calculated as dropPolicyEvents (3min interval) / 180 seconds.

peakDropPolicyEventsPerSec

Peak Policy Dropped Event Rate

double

The max value of dropPolicyEventsPerSec, over all 3-minute periods, since phParser started.

dropLicenseEvents

License Dropped Events

uint64

This is the total count of events dropped due to exceeding license over all 3 minute intervals since phParser started.

dropLicenseEventsPerSec

License Dropped Event Rate

double

The number of events dropped due to exceeding license in past 3 minutes.

peakDropLicenseEventsPerSec

Peak License Dropped Event Rate

double

The max value of dropLicenseEventsPerSec over all 3-minute periods, since phParser started.

dropLicenseEventRatio

License Dropped Event Ratio

uint16

Ratio of dropped events due to license to total incoming events in last 3 minutes.

reptDevIpAddr

Reporting IP

IP

This is the device that originated the log or event packet, also known as the reporting device.



EventType: PH_SYSTEM_EPS_ORG

Description: FortiSIEM per Organization event handling statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

incomingEventsPerSec

Incoming Event Rate

double

This is the FortiSIEM event ingestion rate, calculated every 3 minutes by dividing the interval's event count by 180 seconds to give a rolling EPS (Events Per Second) value.

peakIncomingEventsPerSec

Peak Incoming Event Rate

double

This is the spike or maximum event ingestion rate seen during a 3-minute interval, averaged over all data points.

dropLicenseEventsPerSec

License Dropped Event Rate

double

The number of events dropped due to exceeding license in past 3 minutes.

peakDropLicenseEventsPerSec

Peak License Dropped Event Rate

double

The max value of dropLicenseEventsPerSec over all 3-minute periods, since phParser started.



EventType: PH_SYSTEM_EVENTS_FWD_STAT

Description: Forwarded EPS statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

role

Role

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

fwdEventsPerSec

Forwarded Event Rate

double

This field represents the average rate (events per second) over a 3-minute window at which events are forwarded from FortiSIEM to an external system.

peakFwdEventsPerSec

Peak Forwarded Event Rate

double

This field represents the maximum rate (events per second) over a 3-minute window at which events are forwarded from FortiSIEM to an external system.

dropFwdEventsPerSec

Dropped Forwarded Event Rate

double

peakDropFwdEventsPerSec

Peak Dropped Forwarded Event Rate

double

reptDevIpAddr

Reporting IP

IP

This is the device that originated the log or event packet, also known as the reporting device.

reptDevName

Reporting Device

string

This is the hostname of the device that originated the log or event packet.



EventType: PH_SYSTEM_EVENTS_PER_SEC

Description: Received EPS statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

peakEventsPerSec

Peak Event Rate

double

guaranteedEventsPerSec

Guaranteed EPS

uint64



EventType: PH_SYSTEM_EVENTS_VIA_ZMQ_EPS

Description: Events Pushed by ZMQ EPS statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

totEventCount

Total Event Count

uint32

eventsPerSec

Event Rate

double

A generic attribute for recording event ingestion or handling rate.



EventType: PH_SYSTEM_EVENT_RATE_EXCEED_LICENSE

Description: System event rate exceeds licensed event rate

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_INTERNAL_EVENTS_PER_SEC

Description: FortiSIEM Internal EPS statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

peakEventsPerSec

Peak Event Rate

double



EventType: PH_SYSTEM_IP_EVENTS_PER_SEC

Description: FortiSIEM per device EPS statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

eventsPerSec

Event Rate

double

A generic attribute for recording event ingestion or handling rate.

reptDevIpAddr

Reporting IP

IP

This is the device that originated the log or event packet, also known as the reporting device.

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant



EventType: PH_SYSTEM_ONLINE_RETENTION_POLICY_VIOLATED

Description: Online data retention policy violation

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

policyName

Policy Name

string



EventType: PH_SYSTEM_PERF_EVENTS_PER_SEC

Description: FortiSIEM performance monitoring EPS statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

peakEventsPerSec

Peak Event Rate

double



EventType: PH_SYSTEM_RETENTION_POLICY_EXEC_TIME

Description: Data retention policy enforcement time

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

runTime

Run Time

uint64



EventType: PH_SYSTEM_RETENTION_POLICY_FAILED

Description: Data retention policy enforcement failed

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_SYSTEM_RETENTION_POLICY_FINISHED

Description: Data retention policy enforcement finished

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_RETENTION_POLICY_STARTED

Description: Data retention policy enforcement started

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_RETENTION_POLICY_STATS

Description: Data retention policy enforcement statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

totBytes64

Total Bytes64

uint64

Total number of sent and received bytes by a host, with 64-bit resolution.



EventType: PH_SYSTEM_RETENTION_POLICY_SUCCESS

Description: Data retention policy enforcement succeeded

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_SYSTEM_STORAGE_LOW

Description: System data storage is low

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

diskName

Disk Name

string

freeDiskMB

Free Disk MB

uint32

diskUtil

Disk Capacity Util

double



EventType: PH_SYSTEM_STORED_EVENTS_PER_SEC

Description: Stored EPS statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

peakEventsPerSec

Peak Event Rate

double



EventType: PH_SYSTEM_SUMM_EVENTS_STORED_EPS

Description: Summary Events Stored EPS statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

totEventCount

Total Event Count

uint32

eventsPerSec

Event Rate

double

A generic attribute for recording event ingestion or handling rate.
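
The EPS, storage and retention events above are the ones an operator polls for platform health and, more importantly, for evidence that events are silently being lost. The following Python is an added example, not FortiSIEM code: it parses internal event lines in the "[EVENT_TYPE]:[attr]=value,..." layout (an assumption about the log format), then raises findings for dropped forwarded events (PH_SYSTEM_EVENTS_FWD_STAT), peak EPS above guaranteed EPS (PH_SYSTEM_EVENTS_PER_SEC), license overrun, online retention violations, failed retention enforcement and low storage. The sample lines, the PHL_* severity strings and the 95% disk threshold are constructed for illustration.

```python
"""Health triage over FortiSIEM internal EPS / storage / retention events.

Added example, not FortiSIEM code. It assumes the internal event line format
'[EVENT_TYPE]:[attr]=value,[attr]=value,...'; the sample lines and the
thresholds below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

DISK_CRITICAL_PCT = 95.0   # assumed: diskUtil at or above this is HIGH, else MEDIUM

_HEAD = re.compile(r"^\[(PH_[A-Z0-9_]+)\]:(.*)$")
# Lazy value plus a lookahead for the next '[key]=' keeps embedded commas intact.
_PAIR = re.compile(r"\[(\w+)\]=(.*?)(?=,\[\w+\]=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one internal event line into an attribute dict (eventType included)."""
    m = _HEAD.match(line.strip())
    if not m:
        raise ValueError(f"not a FortiSIEM internal event line: {line!r}")
    attrs = dict(_PAIR.findall(m.group(2)))
    attrs["eventType"] = m.group(1)
    return attrs


def _num(attrs: Dict[str, str], key: str) -> float:
    try:
        return float(attrs.get(key, "0"))
    except ValueError:
        return 0.0


def assess(attrs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one parsed event."""
    et = attrs["eventType"]
    org = attrs.get("customer") or attrs.get("phCustId", "?")
    out: List[Tuple[str, str]] = []
    if et == "PH_SYSTEM_EVENTS_FWD_STAT":
        drop, peak = _num(attrs, "dropFwdEventsPerSec"), _num(attrs, "peakDropFwdEventsPerSec")
        if drop > 0 or peak > 0:
            # Dropped forwarded events never reach the downstream SIEM/SOAR: a blind spot there.
            out.append(("HIGH", f"org {org}: forwarder dropping {drop:g}/s (peak {peak:g}/s)"))
    elif et == "PH_SYSTEM_EVENTS_PER_SEC":
        peak, guaranteed = _num(attrs, "peakEventsPerSec"), _num(attrs, "guaranteedEventsPerSec")
        if guaranteed and peak > guaranteed:
            out.append(("MEDIUM", f"peak EPS {peak:g} exceeds guaranteed EPS {guaranteed:g}"))
    elif et == "PH_SYSTEM_EVENT_RATE_EXCEED_LICENSE":
        out.append(("MEDIUM", "event rate above licensed EPS; check dropLicenseEventsPerSec in the EPS statistics"))
    elif et == "PH_SYSTEM_ONLINE_RETENTION_POLICY_VIOLATED":
        out.append(("HIGH", f"org {org}: online retention policy {attrs.get('policyName', '?')} violated"))
    elif et == "PH_SYSTEM_RETENTION_POLICY_FAILED":
        out.append(("HIGH", f"retention enforcement failed: {attrs.get('errReason', 'no reason given')}"))
    elif et == "PH_SYSTEM_STORAGE_LOW":
        util, free_mb = _num(attrs, "diskUtil"), _num(attrs, "freeDiskMB")
        sev = "HIGH" if util >= DISK_CRITICAL_PCT else "MEDIUM"
        out.append((sev, f"{attrs.get('diskName', '?')} at {util:g}% used, {free_mb:g} MB free"))
    return out


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse every line and return (severity, eventType, message), HIGH first."""
    rank = {"HIGH": 0, "MEDIUM": 1}
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        ev = parse_event(line)
        findings.extend((sev, ev["eventType"], msg) for sev, msg in assess(ev))
    return sorted(findings, key=lambda f: rank[f[0]])


# Constructed sample lines (not captured from a real system).
SAMPLE_LINES = [
    "[PH_SYSTEM_EVENTS_FWD_STAT]:[eventSeverity]=PHL_INFO,[role]=Supervisor,[phCustId]=1,"
    "[customer]=Super,[fwdEventsPerSec]=1250.4,[peakFwdEventsPerSec]=2310,"
    "[dropFwdEventsPerSec]=37.2,[peakDropFwdEventsPerSec]=410,[reptDevIpAddr]=10.0.0.5,[reptDevName]=fsm-super",
    "[PH_SYSTEM_EVENTS_PER_SEC]:[eventSeverity]=PHL_INFO,[peakEventsPerSec]=4800,[guaranteedEventsPerSec]=5000",
    "[PH_SYSTEM_STORAGE_LOW]:[eventSeverity]=PHL_WARNING,[diskName]=/data,[freeDiskMB]=20480,[diskUtil]=96.2",
    "[PH_SYSTEM_ONLINE_RETENTION_POLICY_VIOLATED]:[eventSeverity]=PHL_CRITICAL,[phCustId]=1,[policyName]=pci-90d",
    "[PH_SYSTEM_EVENT_RATE_EXCEED_LICENSE]:[eventSeverity]=PHL_WARNING",
]

if __name__ == "__main__":
    for sev, et, msg in triage(SAMPLE_LINES):
        print(f"{sev:6} {et}: {msg}")
```

Run it as a script to print the findings. Dropped forwarded events deserve the most attention: every one of them is an event the downstream SIEM, SOAR or archive never sees, and a retention violation or full disk means the local copy may not survive either, so the two together leave no record at all.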



EventType: PH_SYS_ERROR_XML_SEND_ERROR

Description: Error in sending system error to app server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_SYS_ERROR_XML_SENT

Description: System error sent to app server

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_TEST_CONN_COMPLETE

Description: Test Connectivity completed

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_TEST_CONN_CONTACT_APP_SERVER

Description: Test Connectivity module contacting app server

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

destIpAddr

Destination IP

IP

Destination IP of a device as identified in the event.

destIpPort

Destination TCP/UDP Port

uint16

This is the destination TCP or UDP port as identified in the event



EventType: PH_TEST_CONN_FAILED_INVALID_REQUEST

Description: Test Connectivity failed - invalid discovery request from App Server

Severity: 9 (High)

Event Category: 3 (System Logs)


EventType: PH_TEST_CONN_FAILED_INVALID_REQUEST_XML

Description: Test Connectivity failed - invalid discovery request XML from App Server

Severity: 9 (High)

Event Category: 3 (System Logs)


EventType: PH_TEST_CONN_RECVD_VALID_REQUEST

Description: Received valid test connectivity request from app server

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

destIpAddr

Destination IP

IP

Destination IP of a device as identified in the event.



EventType: PH_TEST_CONN_RESULT_SENT

Description: Test Connectivity results sent to app server

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_TEST_CONN_STARTED

Description: Starting test connectivity for a device

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

destIpAddr

Destination IP

IP

Destination IP of a device as identified in the event.



EventType: PH_TEST_RULES_PARSE_STATUS

Description: Syntax check status

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.



EventType: PH_THREAD_EXITING

Description: Module exiting thread

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

threadName

Thread Name

string



EventType: PH_THREAD_RECVD_EXIT

Description: Thread received exit request

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

threadName

Thread Name

string



EventType: PH_THREAD_STARTING

Description: Module starting thread

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

threadName

Thread Name

string



EventType: PH_UNABLE_ACCESS_DIR

Description: Unable to access archive directory

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dirName

Directory Name

string



EventType: PH_UNABLE_ALLOC_MEMORY

Description: Unable to allocate memory

Severity: 6 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UNABLE_CREATE_DIR

Description: Unable to create dir

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dirName

Directory Name

string

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number



EventType: PH_UNABLE_CREATE_FILE

Description: Unable to create file

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

fileName

File Name

string

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number



EventType: PH_UNABLE_CREATE_TIMER

Description: Unable to create timer

Severity: 6 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UNABLE_OPEN_DIR

Description: Unable to open dir

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dirName

Directory Name

string

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number



EventType: PH_UNABLE_OPEN_FILE

Description: Unable to open file

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

fileName

File Name

string

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number



EventType: PH_UNABLE_PARSE_XML

Description: Unable to parse xml

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

fileName

File Name

string



EventType: PH_UNABLE_RENAME_FILE

Description: Unable to rename file

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

srcFilePath

Source File Path

string

destFilePath

Destination File Path

string

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number



EventType: PH_UNRESOLVABLE_HOSTNAME

Description: FortiSIEM module failed to resolve host name

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostName

Host Name

string

This is the hostname of the device of interest in the event



EventType: PH_UPDATE_RULE_SUCCEED

Description: Rule update succeeded

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

opName

Operation Name

string

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.

ruleName

Rule Name

string

FortiSIEM rule name.



EventType: PH_USER_MON_SUDDEN_LOC_CHANGE

Description: User location anomaly detected

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

eventSource

Event Source

string

srcIpAddr

Source IP

IP

Source IP of a device as identified in the event.

destIpAddr

Destination IP

IP

Destination IP of a device as identified in the event.

startTime

Start Time

Date

This is the start time of a given item or task, and is stored in epoch milliseconds

endTime

End Time

Date

This is the end time of a given item or task, stored in epoch milliseconds.

durationMSec

Duration

uint32

Duration of a connection (in msec)



EventType: PH_USER_MON_SUDDEN_LOGIN_DISTRIBUTION_CHANGE

Description: Change in user login distribution pattern

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

profDateType

Profile Date Type

uchar

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

computer

Computer

string

destName

Destination Host Name

string

Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address.

oldDistrib

Old Distribution

string

newDistrib

New Distribution

string



EventType: PH_USER_MON_SUDDEN_LOGIN_VOLUME_CHANGE

Description: Increase in User Login Volume

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

profDateType

Profile Date Type

uchar

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

computer

Computer

string

destName

Destination Host Name

string

Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address.

oldValue

Old Value

uint64

newValue

New Value

uint64
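
The three PH_USER_MON_* events above report a user whose logins suddenly differ from their own history: a location change, a change in which hosts they log into (oldDistrib/newDistrib), or a jump in how often they log in (oldValue/newValue). The Python below is an added, illustrative profiler, not FortiSIEM's own algorithm: it builds a per-user baseline over several days, compares the current day's login distribution with total-variation distance and the volume with a simple ratio, and emits alerts shaped like those two events. The login records, the baseline window and every threshold are constructed assumptions.

```python
"""Illustrative login-profile comparison for a user (distribution and volume).

Added example, not FortiSIEM's own algorithm. It produces the kind of old/new
values carried by PH_USER_MON_SUDDEN_LOGIN_DISTRIBUTION_CHANGE (oldDistrib,
newDistrib) and PH_USER_MON_SUDDEN_LOGIN_VOLUME_CHANGE (oldValue, newValue).
The login records and all thresholds are constructed assumptions.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

DISTRIB_THRESHOLD = 0.5   # assumed: total-variation distance that counts as a pattern change
VOLUME_FACTOR = 3.0       # assumed: current logins must be >= 3x the baseline daily average
MIN_BASELINE = 5          # assumed: fewer baseline logins than this = no profile yet

Login = Tuple[str, str, int]   # (user, destName, day)


def distribution(hosts: Iterable[str]) -> Dict[str, float]:
    """Fraction of logins per destination host."""
    counts = Counter(hosts)
    total = sum(counts.values())
    return {h: n / total for h, n in counts.items()}


def total_variation(p: Dict[str, float], q: Dict[str, float]) -> float:
    """Total-variation distance: 0 = identical, 1 = disjoint host sets."""
    return 0.5 * sum(abs(p.get(h, 0.0) - q.get(h, 0.0)) for h in set(p) | set(q))


def fmt_distrib(d: Dict[str, float]) -> str:
    """Render a distribution the way a string attribute like oldDistrib might hold it."""
    return ",".join(f"{h}:{d[h]:.2f}" for h in sorted(d))


def profile(records: List[Login], baseline_days: Set[int], current_day: int) -> List[tuple]:
    """Compare each user's current-day logins with their baseline profile."""
    base: Dict[str, List[str]] = defaultdict(list)
    cur: Dict[str, List[str]] = defaultdict(list)
    for user, host, day in records:
        if day in baseline_days:
            base[user].append(host)
        elif day == current_day:
            cur[user].append(host)

    alerts: List[tuple] = []
    for user, cur_hosts in cur.items():
        base_hosts = base.get(user, [])
        if len(base_hosts) < MIN_BASELINE:
            continue   # new or rarely seen user: nothing to compare against yet
        old_d, new_d = distribution(base_hosts), distribution(cur_hosts)
        if total_variation(old_d, new_d) >= DISTRIB_THRESHOLD:
            alerts.append(("LOGIN_DISTRIBUTION_CHANGE", user, fmt_distrib(old_d), fmt_distrib(new_d)))
        old_value = len(base_hosts) / len(baseline_days)   # baseline logins per day
        new_value = len(cur_hosts)
        if new_value >= VOLUME_FACTOR * old_value:
            alerts.append(("LOGIN_VOLUME_CHANGE", user, old_value, new_value))
    return alerts


# Constructed sample: days 1-7 form the baseline, day 8 is the window under test.
BASELINE_DAYS = set(range(1, 8))
SAMPLE_LOGINS: List[Login] = (
    [("alice", "fileserver", d) for d in BASELINE_DAYS for _ in range(2)]
    + [("alice", "mail", d) for d in BASELINE_DAYS]
    + [("bob", "vpn", d) for d in BASELINE_DAYS]
    + [("alice", "dc01", 8)] * 3 + [("alice", "fileserver", 8)]   # alice suddenly favours a domain controller
    + [("bob", "vpn", 8)] * 12                                     # bob's volume jumps 12x
    + [("carol", "jump01", 8)] * 2                                 # carol has no baseline yet
)

if __name__ == "__main__":
    for alert in profile(SAMPLE_LOGINS, BASELINE_DAYS, 8):
        print(alert)
```

The MIN_BASELINE guard matters in practice: a freshly created account has no history, so a profiler that compares against an empty baseline would either alert on every new user or, worse, learn an attacker's first day of activity as the norm.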



EventType: PH_UTIL_BIZ_CHANGE_UPDATE_SPAWN_FAILURE

Description: phMonitor encountered an error spawning a thread

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_UTIL_BIZ_HTTP_REQUEST_FAILURE

Description: HTTP Request Error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_CMD_FAILURE

Description: FortiSIEM system command execution failure

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

command

Command

string

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_CONFIG_IP_MISSING

Description: Found empty IP address

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_CONFIG_LOAD_FAILURE

Description: Failed to load configuration type from the app server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

objType

Object Type

string



EventType: PH_UTIL_CONFIG_LOAD_FILE_ACESS_FAILURE

Description: Failed to load configuration type from the app server - tmp file not accessible

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

objType

Object Type

string



EventType: PH_UTIL_CONFIG_PARSE_FAILURE

Description: Failed to parse system/phoenixServer xml

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

xmlBody

XML Body

string



EventType: PH_UTIL_CONFIG_UNKNOWN_SERVER_TYPE

Description: Found unknown server type in App server returned XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

objType

Object Type

string



EventType: PH_UTIL_CSV_LINE_ILLEGAL

Description: Found illegal line in csv file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

lineContent

Line Content

string



EventType: PH_UTIL_CSV_READ_FAILURE

Description: Failed to open CSV file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_CUSTOMER_COLLECTOR_MISSING

Description: Failed to parse collectors and no collector found

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_CUSTOMER_COLLECTOR_PARSE_FAILURE

Description: Failed to parse phCustomerDevice Collector info

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_CUSTOMER_DOMAIN_MISSING

Description: No domain item found in xml file

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_CUSTOMER_INFO_PARSE_FAILURE

Description: Failed to parse value group xml

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

xmlBody

XML Body

string



EventType: PH_UTIL_CUSTOMER_PARSE_FAILURE

Description: Failed to parse phCustomerDevice Customer info in XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_DASHBOARD_DUPLICATE_IP

Description: Encountered duplicate IP in device info for the same customer ID

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

reptDevIpAddr

Reporting IP

IP

This is the device that originated the log or event packet, also known as the reporting device.

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant



EventType: PH_UTIL_DASHBOARD_DUPLICATE_ITEM

Description: Encountered duplicate item ID in device info for the same customer ID (custId)

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

item

Item

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant



EventType: PH_UTIL_DASHBOARD_PARSE_FAILURE

Description: Failed to parse dashboard device info xml

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

xmlBody

XML Body

string



EventType: PH_UTIL_DEVICE_MAP_PROP_ERROR

Description: Encountered device map property error in XML

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_UTIL_DEVICE_PROP_ERROR

Description: Encountered device property error in XML

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_UTIL_DEVICE_SIMPLE_PROP_PARSE_FAILURE

Description: Failed to parse NULL element for property in XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

propName

Property Name

string



EventType: PH_UTIL_DGA_FREQ_FILE_OPEN_FAILURE

Description: Failed to open DGA freq file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_UTIL_DGA_WHITELIST_FILE_OPEN_FAILURE

Description: Failed to open DGA white list file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_UTIL_DIR_CREATE_FAILURE

Description: Failed to create directory after a few attempts

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_DIR_CREATE_RETRIED

Description: Retried to create dir

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dirName

Directory Name

string

count

Count

uint32

A general count variable. A common use case is for incidents: Count represents how many times an Incident occurred in a time interval. When an Incident with the same group-by parameters occurs again, the count is incremented and the Last Seen time is advanced. Count can be used for other events also.



EventType: PH_UTIL_DIR_OPEN_FAILURE

Description: Failed to open directory after a few attempts

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dirName

Directory Name

string

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_DIR_PARENT_NOT_EXIST

Description: Failed to locate Parent directory

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dirName

Directory Name

string



EventType: PH_UTIL_DIR_REMOVE_FAILURE

Description: Failed to remove directory

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dirName

Directory Name

string

errReason

Reason for Error

string

This is the reason for an error if given.

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_UTIL_DISK_USAGE_INFO_GET_FAILURE

Description: Unable to get disk usage information

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dirName

Directory Name

string



EventType: PH_UTIL_DISPATH_CMD_XML_ILLEGAL

Description: Encountered malformed XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

xmlBody

XML Body

string



EventType: PH_UTIL_DISPATH_CMD_XML_PARSE_FAILURE

Description: Encountered XML parsing failure

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

xmlBody

XML Body

string



EventType: PH_UTIL_EMAIL_SEND_FAILURE

Description: Failed to send email to server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

destName

Destination Host Name

string

Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address.



EventType: PH_UTIL_EVENT_FILE_ERROR

Description: Encountered Event file error

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_UTIL_EVENT_GROUP_ERROR

Description: Encountered Event Group error

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_UTIL_EVENT_STATUS_REPORTER_SPAWN_FAILURE

Description: Failed to initialize external event status reporter thread

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_EVENT_STATUS_UPLOAD_FAILURE

Description: Failed to upload external event status xml after 3 retries

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_EVENT_TYPE_ERROR

Description: Encountered Event type error

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_UTIL_FILE_NOT_EXIST

Description: File doesn't exist

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_UTIL_FILE_OPEN_FAILURE

Description: Failed to open file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_FILE_READ_FAILURE

Description: Error reading file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_FILE_SIZE_MISMATCH

Description: File size mismatch

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_FILE_SIZE_TOO_SMALL

Description: File size too small

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

fileSize64

File Size64 Bytes

uint64



EventType: PH_UTIL_FILE_STATFS_FAILURE

Description: statfs() system call failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_FILE_STAT_FAILURE

Description: Failed to stat file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_FILE_WRITE_FAILURE

Description: Error writing file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_FORK_FAILURE

Description: fork() failed - the system is likely under heavy load

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32
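
The PH_UNABLE_* and PH_UTIL_* failure events above carry the raw errno (errorNo or errorNoInt) alongside the path, directory or command involved, and the number alone is what most people see in the UI. The Python below is an added example, not FortiSIEM code: it parses the same "[EVENT_TYPE]:[attr]=value,..." line layout (an assumption about the log format), decodes the errno against the local libc table, and groups failures into permission, capacity, missing-path and resource-exhaustion families, which is the split that decides whether you are looking at a full disk, a lost NFS mount, a hardening or ownership change, or possible tampering with the event store. The sample lines, the PHL_* severity strings and the family grouping are constructed; errno numbers are taken from the running host, so execute it on Linux as FortiSIEM nodes are.

```python
"""Decode errorNo / errorNoInt on PH_UNABLE_* and PH_UTIL_* failure events.

Added example, not FortiSIEM code. Assumes the '[EVENT_TYPE]:[attr]=value,...'
internal event line format; the sample lines are constructed. errno numbers are
decoded against the local libc table, so run it on a Linux host as FortiSIEM is.
"""
import errno
import os
import re
from collections import defaultdict
from typing import Dict, List, Tuple

_PAIR = re.compile(r"\[(\w+)\]=(.*?)(?=,\[\w+\]=|$)")

# Attributes on this page that name the object the failed call touched.
PATH_KEYS = ("filePath", "fileName", "dirName", "srcFilePath", "command")

# Assumed grouping: which errno families point at which operational cause.
FAMILIES = {
    "permissions": {"EACCES", "EPERM", "EROFS"},          # ownership/mode drift, hardening side effects, tampering
    "capacity": {"ENOSPC", "EDQUOT"},                      # disk or quota full; pairs with PH_SYSTEM_STORAGE_LOW
    "missing-path": {"ENOENT", "ENOTDIR"},                 # archive/NFS mount gone or path misconfigured
    "resource-exhaustion": {"EAGAIN", "EWOULDBLOCK", "ENOMEM", "EMFILE", "ENFILE"},
}


def parse_event(line: str) -> Dict[str, str]:
    """Split '[EVENT]:[k]=v,...' into an attribute dict with eventType added."""
    head, _, body = line.strip().partition(":")
    attrs = dict(_PAIR.findall(body))
    attrs["eventType"] = head.strip("[]")
    return attrs


def decode_errno(value: str) -> Tuple[int, str, str]:
    """Map an errorNo/errorNoInt value to (number, symbolic name, libc message)."""
    n = int(value)
    return n, errno.errorcode.get(n, "UNKNOWN"), os.strerror(n)


def family(name: str) -> str:
    return next((fam for fam, names in FAMILIES.items() if name in names), "other")


def triage(lines: List[str]) -> Dict[str, List[Tuple[str, str, str, str]]]:
    """Group failures by errno family as (eventType, object, errno name, message)."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        raw = ev.get("errorNoInt", ev.get("errorNo"))
        if raw is None:
            continue   # event carries no errno (e.g. PH_UTIL_FILE_SIZE_MISMATCH)
        _, name, msg = decode_errno(raw)
        obj = next((ev[k] for k in PATH_KEYS if k in ev), "-")
        groups[family(name)].append((ev["eventType"], obj, name, msg))
    return dict(groups)


# Constructed sample lines; errno values come from the local table so the
# sample stays meaningful on whatever host runs it.
SAMPLE_LINES = [
    f"[PH_UTIL_FILE_OPEN_FAILURE]:[eventSeverity]=PHL_ERROR,[filePath]=/data/archive/2024/events.gz,[errorNoInt]={errno.EACCES}",
    f"[PH_UNABLE_CREATE_DIR]:[eventSeverity]=PHL_ERROR,[dirName]=/data/cache/query,[errorNo]={errno.ENOSPC}",
    f"[PH_UTIL_CMD_FAILURE]:[eventSeverity]=PHL_ERROR,[command]=/usr/bin/rsync -a /data/archive /mnt/nfs/archive,[errorNoInt]={errno.ENOENT}",
    f"[PH_UTIL_FILE_STAT_FAILURE]:[eventSeverity]=PHL_ERROR,[filePath]=/data/archive/2024/missing.dat,[errorNoInt]={errno.ENOENT}",
    f"[PH_UTIL_FORK_FAILURE]:[eventSeverity]=PHL_ERROR,[errorNoInt]={errno.EAGAIN}",
    "[PH_UTIL_FILE_SIZE_MISMATCH]:[eventSeverity]=PHL_ERROR",
]

if __name__ == "__main__":
    for fam, items in triage(SAMPLE_LINES).items():
        print(fam)
        for et, obj, name, msg in items:
            print(f"  {et} {obj} -> {name} ({msg})")
```

A burst of EACCES or EPERM on the event store or archive path that coincides with no change window is worth treating as a potential integrity incident rather than a housekeeping ticket, since an attacker who cannot delete logs may still be able to stop them being written.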



EventType: PH_UTIL_GET_ADDR_FAILURE

Description: getaddrinfo() call failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason

destName

Destination Host Name

string

Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address.



EventType: PH_UTIL_GET_JOB_STATUS_FAILURE

Description: Failed to read job status from status file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

fileName

File Name

string

paraName

Param Name

string



EventType: PH_UTIL_HOSTNAME_GET_FAILURE

Description: Failed to look up Host name

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_INET_PTON_FAILURE

Description: inet_ntop() call failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_UTIL_INODE_INFO_GET_FAILURE

Description: Unable to get inode information

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string



EventType: PH_UTIL_IOCTL_FAILURE

Description: ioctl() call failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_UTIL_IOCTL_SIOCGIFADDR_FAILURE

Description: ioctl(SIOCGIFADDR) call failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_UTIL_IP_TYPE_INVALID

Description: Invalid IP type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_IP_TYPE_MISMATCH

Description: Mismatch IP type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_JOB_STATUS_REPORTER_SPAWN_FAILURE

Description: Failed to initialize job status reporter thread

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_JOB_STATUS_UPLOAD_FAILURE

Description: Failed to upload job status xml after 3 retries

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_JSON_GET_NODE_FAILURE

Description: Failed to get JSON node value from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason

jsonBody

JSON Body

string



EventType: PH_UTIL_JSON_OBJ_EMPTY

Description: JSON object empty

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_JSON_PARSE_FAILURE

Description: Failed to parse JSON

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason

jsonBody

JSON Body

string



EventType: PH_UTIL_KILLPG_FAILURE

Description: Failed to send SIGKILL to the child process group (killpg())

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_LOAD_EXT_FUNC_FILE_OPEN_FAILUE

Description: Failed to open the file for a dynamically loaded function

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_UTIL_LOAD_EXT_FUNC_FORMAT_INVALID

Description: Dynamically loaded function name must be in fileName.functionName format

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

propValue

Property Value

string



EventType: PH_UTIL_LOAD_EXT_FUNC_GET_NAME_FAILUE

Description: Failed to look up a dynamically loaded function by name in the file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

funName

Function Name

string

filePath

File Path

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_UTIL_LOCAL_IP_MISSING

Description: Failed to get ip address of this machine

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_LOOKUP_TABLES_DUPLICATE

Description: Duplicate lookup table found

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dbTable

Database Table

string



EventType: PH_UTIL_LOOKUP_TABLES_DUPLICATE_COLUMN

Description: Duplicate lookup table column found

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dbTable

Database Table

string

dbColumn

Database Column

string



EventType: PH_UTIL_LOOKUP_TABLES_DUPLICATE_KEY

Description: Duplicate lookup table key found

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dbTable

Database Table

string

dbId

DB ID

uint32



EventType: PH_UTIL_MAIL_CMD_RUN_FAILURE

Description: Failed to send email to server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

destName

Destination Host Name

string

Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address.



EventType: PH_UTIL_MAIL_SMTP_INIT_FAILURE

Description: Failed to initialize SMTP session with the mail server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_MD5_ERROR

Description: Failed to calculate MD5

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_MEM_ALLOC_FAILURE

Description: Could not allocate memory

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

fileSize64

File Size64 Bytes

uint64



EventType: PH_UTIL_MKDTEMP_FAILURE

Description: Failed to create temporary directory (mkdtemp())

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32

filePath

File Path

string



EventType: PH_UTIL_MKSTEMP_FAILURE

Description: Failed to create temporary file (mkstemp())

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32

filePath

File Path

string



EventType: PH_UTIL_MMAP_FAILURE

Description: Failed to mmap file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

fileSize64

File Size64 Bytes

uint64

errorNoInt

Error Number Int

int32

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_UTIL_MOVE_FILE_FAILURE

Description: Failed to rename file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_NOTIFICATION_SENDER_SPAWN_FAILURE

Description: Failed to initialize notification sender thread

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_NOTIFICATION_SERVER_INIT_FAILURE

Description: Failed to initialize notification reporter

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_NOTIFICATION_UPLOAD_FAILURE

Description: Failed to Send Notification

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

msg

Message

string



EventType: PH_UTIL_PHOENIX_CONFIG_ITEM_MISSING

Description: Could not find specific item in phoenix_config.txt

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

propName

Property Name

string



EventType: PH_UTIL_PIPE_FAILURE

Description: pipe() system call returned an error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_UTIL_PROP_DEF_SET_PARSE_FAILURE

Description: Failed to parse propertyDefs xml

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

xmlBody

XML Body

string



EventType: PH_UTIL_REDIS_CONNECTION_ERROR

Description: Redis connection error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_UTIL_REGEX_PATTERN_EMPTY

Description: Regex Pattern is NULL

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_REGEX_PATTERN_TOO_LONG

Description: Regex Pattern too long

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

msgLen

Message Length

uint64



EventType: PH_UTIL_SEND_TO_UDP_PORT_FAILURE

Description: Failed to send message to udp port

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

destIpPort

Destination TCP/UDP Port

uint16

This is the destination TCP or UDP port as identified in the event



EventType: PH_UTIL_SETPGRP_FAILURE

Description: Failed to run system command setpgrp()

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_SET_JOB_STATUS_FAILURE

Description: Failed to set job status to status file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

fileName

File Name

string

paraName

Param Name

string



EventType: PH_UTIL_SOCKET_FAILURE

Description: Failed to run system command socket()

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous with attribute errReason



EventType: PH_UTIL_STR_TO_IP_FAILURE

Description: Failed to run system call inet_pton

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

propValue

Property Value

string



EventType: PH_UTIL_SVN_DIFF_FAILURE

Description: Failed to execute system command svn diff

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_SYS_ERROR_REPORTER_INIT_FAILURE

Description: Failed to initialize system error reporter thread

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_UTIL_TIME_RANGE_INVALID

Description: Found Invalid time range

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

propValue

Property Value

string



EventType: PH_UTIL_TIME_STR_FORMAT_INVALID

Description: Found incorrect time string parameters

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

paraName

Param Name

string



EventType: PH_UTIL_UNKNOWN_PHOENIX_ERROR_NUMBER

Description: Found incorrect PH error number

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_UTIL_VALUE_GROUP_ERROR

Description: Encountered Value group error

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_UTIL_WAITPID_FAILURE

Description: Failed to run system command waitpid on child process

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_WAITPID_LAST_TRY_FAILUE

Description: Failed to run system command waitpid on child process after several tries

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_WINDOWS_BID_LOAD_FAILURE

Description: Failed to load Windows Built In SID file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_UTIL_WRITE_BIN_FILE_OPEN_FAILURE

Description: Failed to open binary file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_UTIL_WRITE_FILE_OPEN_FAILURE

Description: Failed to open file for write

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_UTIL_XML_HANDLING_ERROR

Description: Found Invalid xml from App Server

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_UTIL_ZIP_DECOMPRESS_FAILED

Description: Failed to decompress zip string

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_VA_EVENTS_PER_SEC

Description: Total event rate to a FortiSIEM VA

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

peakEventsPerSec

Peak Event Rate

double



EventType: PH_VA_LICENSE_UPDATE

Description: License on VA has been updated

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_VULN_LOAD_ERROR

Description: Parser module failed to load external scanner-found vulnerabilities from App server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_VULN_UPDATE_ERROR

Description: Parser module failed to upload external scanner-found vulnerabilities to App server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_WORKER_DOWN

Description: Worker down

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_WORKER_PROVISION_FAILED

Description: Phoenix worker provision failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_WORKER_UP

Description: Worker up

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_WS_COMM_ERROR

Description: Web service communication error

Severity: 6 (Medium)

Event Category: 3 (System Logs)


EventType: WEBSENSE_MAIL_JDBC_PULL_STAT

Description: JDBC Event pull statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: WEBSENSE_WEB_JDBC_PULL_STAT

Description: JDBC Event pull statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)