AppServer Logs
This section provides logs generated by the App Server module.
EventType: PH_APPSERVER_ADMIN_AGENT_GET_UPDATE_FAILED_ERROR
Description: App Server failed to get update
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_ADMIN_AGENT_UNKOWN_TASK_ID_ERROR
Description: App Server detects unknown Admin Agent task ID
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_ADMIN_CUST_GENERATE_KEY_ERROR
Description: App Server failed to generate organization key
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_ADMIN_GET_RESOURCE_FAILED
Description: App Server failed to get resource for admin tab
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_ADMIN_LOCATE_KEY_FAILED
Description: App Server failed to locate resource for admin tab
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_ADMIN_RESET_FIELD_FAILED_ERROR
Description: App Server failed to reset resource for admin tab
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_AUDIT_REPORT_EXPORT_ERROR
Description: Audit Data Export error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_BEACON_LIB_ERROR
Description: App Server Beaconing library error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_BEACON_REGISTER_ERROR
Description: App Server Beaconing Register error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_BEACON_SERVER_ERROR
Description: App Server Beaconing Server error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_BEACON_WEB_SERVER_ERROR
Description: App Server Beaconing Web Server error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_BEAN_REF_CHECK_WARN
Description: App Server check entity bean reference warning
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_BEAN_SYNC_PROPERTIES_ERROR
Description: App Server entity bean sync properties error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_BEAN_TO_VALUE_ERROR
Description: App Server entity bean to property value map error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_BEAN_TO_XML_ERROR
Description: App Server entity to XML generation error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_BEAN_VALUE_TO_BEAN_ERROR
Description: App Server set value for Entity bean error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_CMDB_REPORT_DATA_ERROR
Description: CMDB Report Data error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_CMDB_REPORT_EXPORT_ERROR
Description: CMDB Report export error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_CMDB_REPORT_IMPORT_ERROR
Description: CMDB Report import error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_CMDB_REPORT_QUERY_ERROR
Description: CMDB Report query error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_CMDB_REPORT_TYPE_ERROR
Description: CMDB Report Type error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_COLLECTOR_INFO_ERROR
Description: Collector information error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_COLLECTOR_LICENSE_ERROR
Description: Collector license error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_COLLECTOR_STATUS_ERROR
Description: Collector status error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_COMMONPWD_EXPORT_ERROR
Description: Common password data export error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_DASHBOARD_DATA_ERROR
Description: Dashboard Data error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_DASHBOARD_HTML_BUILD_XML_ERROR
Description: App Server failed to build dashboard XML content
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_DASHBOARD_WIDGET_ERROR
Description: Dashboard Widget error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_DATA_IMPORT_ERROR
Description: App Server failed to import data during initialization
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_DATA_ROBUST_INFO_ERROR
Description: Data Robust Info error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_DB_CONNECTION_CLOSE_ERROR
Description: PostgreSQL database connection close error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_DB_DATA_ERROR
Description: PostgreSQL database data error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_DB_DELETE_ERROR
Description: PostgreSQL database data delete error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_DB_QUERY_ERROR
Description: PostgreSQL database query error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_DB_UPDATE_ERROR
Description: PostgreSQL database data update error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_DISCOVERY_CREDENTIAL_DECRYPT_PASSWORD_WARN
Description: App Server discovery result credential decrypt error
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_DISCOVERY_RESULT_ENCRYPT_XML_ELEMENT_ERROR
Description: App Server discovery result credential encrypt error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_DISCOVERY_RESULT_ERROR
Description: App Server failed to process discovery result
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_DISCOVERY_RESULT_UNKOWN_TASK_ID_ERROR
Description: App Server detects unknown Discovery Result task ID
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_EAMIL_GENERATE_EVENT_ERROR
Description: App Server failed to generate raw event for email notification
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_ELASTIC_UPDATE_ERROR
Description: App Server failed to update Elasticsearch configuration
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_EMAIL_PREPARE_DATA_ERROR
Description: App Server failed to prepare email body for email notification
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_EVENTDB_EXPORT_ERROR
Description: Event DB data export error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_EVENT_ATTRIBUTE_BUILD_XML_ERROR
Description: App Server failed to build Event Attribute XML content
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_EXPORT_ERROR
Description: App Server Generic Export error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_EXT_THREAT_INTEL_DOWNLOAD_ERROR
Description: External Threat Intelligence download error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_EXT_THREAT_INTEL_PARSE_ERROR
Description: External Threat Intelligence parse error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_EXT_THREAT_INTEL_UPDATE_ERROR
Description: External Threat Intelligence update error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_FILE_NOT_FOUND
Description: App Server cannot find specified file
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_FILE_READ_ERROR
Description: App Server cannot read from specified file
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_FILE_SYSTEM_ERROR
Description: App Server encountered file system error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_FILE_WRITE_ERROR
Description: App Server cannot write to specified file
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_FLEX_INTERCEPTOR_NO_LOGIN_EXCEPTION_ERROR
Description: App Server encountered Flex API exception
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_FORTIGUARD_IOC_INTEGRATION_ERROR
Description: FortiGuard IOC data download/parse error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_FRAMEWORK_REGISTER_ERROR
Description: App Server Registration error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_FRAMEWORK_RUN_THREAD_ERROR
Description: App Server run thread error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_FRAMEWORK_SECURITY_CHECK_LICENSE_WARN
Description: App Server Check license warning
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_FRAMEWORK_SECURITY_GET_ENTITY_MANAGER_ERROR
Description: App Server cannot get EntityManager
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_FRAMEWORK_SECURITY_GET_RS_EXPIRATION_ERROR
Description: App Server Get Report Server expiration error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_FRAMEWORK_SECURITY_INIT_SYSTEM_ERROR
Description: App Server Phoenix Caching system initialization failed
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_FRAMEWORK_SERVICE_MISSED_WARN
Description: App Server cannot find service
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_FRAMEWORK_SHUTDOWN_SERVICE_STARTER_WARN
Description: App Server cannot shutdown service starter
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_GENERIC_ERROR
Description: Unknown Application Server error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_GENERIC_INFO
Description: Generic Application Server Informational log
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_GENERIC_WARN
Description: Generic Application Server Warn
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_GET_MAX_CONFIG_ITEM_COUNT_ERROR
Description: App Server encountered error while getting max system configuration item count
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_GROUP_DATA_ERROR
Description: Group Data error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_IDENTIYLOCATION_EXPORT_ERROR
Description: Identity location export error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_INCIDENT_NOTIFY_ERROR
Description: App Server failed to notify Incident via email or other methods
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_INCIDENT_UPDATE_ERROR
Description: App Server failed to update Incident in PostgreSQL database
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_INTEGRATION_ERROR
Description: External ticketing system integration error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_INTEGRATION_UPDATE_POLICY_ERROR
Description: App Server encountered error while updating Ticketing system integration policy
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_INTEGRATION_UPDATE_POLICY_WARN
Description: App Server encountered warning while updating Ticketing system integration policy
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_INTEGRATION_WARN
Description: External ticketing system integration warning
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_IN_INTEGRATION_ERROR
Description: Inbound external ticketing system integration error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_IOC_LICENSE_CHECK_FAILED_WARN
Description: App Server failed to check External Threat Intelligence License
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_IOC_TASK_CREATE_FAILED_ERROR
Description: App Server failed to create External Threat Intelligence Update task
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_JOB_DISTRIBUTE_ERROR
Description: Application Server monitoring job distribution error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_LICENSE_EXPIRY_ERROR
Description: License Expiration error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_LICENSE_VALIDATION_ERROR
Description: License Validation error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_LOGIN_ERROR
Description: App Server Login exception
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_LOG_INTEGRITY_ERROR
Description: App Server failed to update log integrity hashes
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_MONITOR_AUDIT_PERF_ERROR
Description: App Server encountered exception while updating performance monitor job status
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_MONITOR_HEALTH_CONFIG_SET_ERROR
Description: App Server failed to update CMDB Device Monitor Health
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_NETSEGMENT_EXPORT_ERROR
Description: Network Segment Export error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_NOTIFICATION_EMAIL_GET_RESOURCE_FAILED
Description: App Server failed to get resource for email notification
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_NOTIFICATION_ERROR
Description: App Server notification error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_NOTIFICATION_JMS_CONNECTION_ERROR
Description: App Server create JMS connection error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_NOTIFICATION_UPDATE_ERROR
Description: App Server notification Update error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_NOTIFIER_ERROR
Description: App Server Notifier error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_NO_WATCHLIST_SELECTED_WARN
Description: No watch list selected for entry warn
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_OPENPROXY_EXPORT_ERROR
Description: Open proxy data export error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_OUT_INTEGRATION_ERROR
Description: Outbound external ticketing system integration error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_PARSER_IMPORT_ERROR
Description: Custom parser import error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_PARSER_UPDATE_ERROR
Description: Custom parser update error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_PARSING_CONSTRAINT_ERROR
Description: Rule/Report constraint parsing error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_PDF_BUILDER_ERROR
Description: App Server failed to build PDF during report export
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_PERFMON_TASK_ERROR
Description: App Server failed to create Performance Monitoring Task
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_QUERY_CHECK_POLICY_ACTION_WARN
Description: App Server failed to validate Incident notification policy action
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_QUERY_EXPORT_ERROR
Description: App Server failed to export historical query result
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_QUERY_RESULT_PARSER_ERROR
Description: App Server failed to parse historical query result
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_QUERY_RESULT_RETRIEVE_ERROR
Description: App Server failed to retrieve historical query result
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_QUERY_RUN_ERROR
Description: App Server failed to run historical query
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_QUERY_STOP_ERROR
Description: App Server failed to stop historical query
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_QUERY_STRING_ESCAPE_ERROR
Description: App Server can't find close escape string
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_RBAC_ERROR
Description: App Server encountered error while setting RBAC policies
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_RBAC_NO_PERMISSION_WARN
Description: App Server enforced user RBAC
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REALTIME_QUERY_ERROR
Description: App Server failed to start real time query
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REMEDY_ERROR
Description: App Server failed to create tickets in Remedy
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REPORT_BUNDLE_PRINT_ERROR
Description: User defined report run error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REPORT_COMPILE_ERROR
Description: Compile report to file error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REPORT_DEVICE_COMPONENT_SN_ERROR
Description: CMDB device serial number report error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REPORT_DEVICE_DETAIL_ERROR
Description: CMDB detail report error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REPORT_DEVICE_SN_ERROR
Description: CMDB server serial number report error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REPORT_DEVICE_SUMMARY_ERROR
Description: CMDB summary report error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REPORT_EXPORT_ERROR
Description: Report Export error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REPORT_FAILED_BLOCK_SUMMARY_ERROR
Description: Get failed blocks error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REPORT_FIRE_TRIGGER_EVENT_ERROR
Description: App Server incident trigger events report error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REPORT_GET_PH_CONFIG_ERROR
Description: App Server get phoenix configuration error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REPORT_IDENTITY_AND_LOCATION_ERROR
Description: Identity and location report error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REPORT_LOG_FILE_SUMMARY_ERROR
Description: App Server get log files error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REPORT_TEMPLATE_GENERATE_PDF_ERROR
Description: App Server Report template generate PDF error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REPORT_TEMPLATE_INIT_IMAGE_ERROR
Description: App Server Report template init image error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REPORT_TEMPLATE_INIT_PARM_ERROR
Description: App Server Report template init parameter error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REPORT_TEMPLATE_PDF_SUMMARY_ERROR
Description: App Server Report template create PDF summary error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REPORT_TICKET_SUMMARY_ERROR
Description: App Server get tickets error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REPORT_UPDATE_ERROR
Description: User defined report update error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REPORT_USER_SUMMARY_ERROR
Description: App Server get users error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REST_ERROR
Description: App Server REST error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_REST_H5_ERROR
Description: App Server HTML5 REST error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_RISKSCORE_CALCULATE_ERROR
Description: Risk score calculation error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_RULE_ACTIVE_ERROR
Description: App Server failed to activate rule
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_RULE_CLONE_ERROR
Description: App Server failed to clone rule
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_RULE_DEBUG_INVALID_EVENT_DB_ID_ERROR
Description: App Server found invalid event id during rule testing
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_RULE_DEBUG_WORKERS_SETTING_ERROR
Description: App Server detected Worker Settings error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_RULE_TEST_ERROR
Description: App Server encountered error while testing rule
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_RULE_UPDATE_ERROR
Description: App Server failed to update rule
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_SCHEDULE_ERROR
Description: App Server job schedule error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_SCHEDULE_UPDATE_ERROR
Description: App Server job schedule Update error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_SECURITY_ERROR
Description: Application Server System Security Data error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_SERVLET_ERROR
Description: App Server Servlet error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_SERVLET_NO_ACCESS_TO_URI_WARN
Description: App Server Servlet has no access to URI
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_SOCKET_COMM_ERROR
Description: App Server Socket communication error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_SVN_ERROR
Description: App Server SVN Repository error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_SYNC_UPDATE_CONFIG_ERROR
Description: App Server encountered error on syncing update config for performance monitoring jobs
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_SYSCONFIG_GET_ERROR
Description: App Server failed to get system configuration from PostgreSQL database
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_SYSTEM_WINAGENT_REGISTER_WARN
Description: Windows Agent Manager not found or not registered
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_SYS_APPLICATION_ERROR
Description: Application Server System error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_SYS_DATA_UPDATE_ERROR
Description: Application Server Data Update error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_TASK_CREATE_ERROR
Description: App Server create task error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_TASK_FLEX_RESULT_BUILD_XML_ERROR
Description: App Server failed to build Flex XML content
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_TASK_GET_ERROR
Description: App Server get task error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_TASK_UPDATE_ERROR
Description: App Server update task error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_TICKET_EXPORT_ERROR
Description: Incident ticket export error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_UPDATER_FIND_EXIST_USER_BY_NOTHING_ERROR
Description: App Server failed to locate existing user in CMDB
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_USERAGENT_EXPORT_ERROR
Description: User agent export error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_VULNERABILITY_IGNORE_WARN
Description: App Server ignored host Vulnerability result
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_WATCHLIST_ADD_TO_DISTIRBUTED_QUEUE
Description: App Server failed to add incident attribute to watch list
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_WATCHLIST_EXPORT_ERROR
Description: Watch List export error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_WATCHLIST_IMPORT_ERROR
Description: Watch List import error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_WATCHLIST_IMPORT_WARN
Description: Watch List import warnings
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_WATCHLIST_UPDATE_ERROR
Description: Watch List update error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_WEBSERVICE_UPDATE_TASK_ERROR
Description: App Server encountered error while updating task
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_WORKER_PROVISION_FAILED
Description: App Server failed to provision Worker
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_WS_COMM_ERROR
Description: App Server Web service communication error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_APPSERVER_XML_PARSE_ERROR
Description: App Server failed to parse XML
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_ACCOUNT_LOCKED
Description: System user account locked due to excessive login failures
Severity: 9 (High)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
reason | Reason | string | |
targetUser | Target User | string | |
srcIpAddr | Source IP | IP | Source IP of a device as identified in the event. |
EventType: PH_AUDIT_AGENT_DISABLED
Description: FortiSIEM Windows/Linux Agent disabled
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
monitorState | Monitor State | string | |
type | Type | string | |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
phAgentId | Agent ID | string | Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers. |
hostName | Host Name | string | This is the hostname of the device of interest in the event |
EventType: PH_AUDIT_AGENT_INSTALLED
Description: FortiSIEM Windows/Linux Agent installed
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
monitorState | Monitor State | string | |
type | Type | string | |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
phAgentId | Agent ID | string | Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers. |
hostName | Host Name | string | This is the hostname of the device of interest in the event |
EventType: PH_AUDIT_AGENT_NOTRESPONDING
Description: FortiSIEM Windows/Linux Agent not responding
Severity: 8 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
monitorState | Monitor State | string | |
type | Type | string | |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
phAgentId | Agent ID | string | Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers. |
hostName | Host Name | string | This is the hostname of the device of interest in the event |
EventType: PH_AUDIT_AGENT_RUNNING
Description: FortiSIEM Windows/Linux Agent is running and sending events
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
monitorState | Monitor State | string | |
type | Type | string | |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
phAgentId | Agent ID | string | Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers. |
hostName | Host Name | string | This is the hostname of the device of interest in the event |
EventType: PH_AUDIT_AGENT_STARTED
Description: FortiSIEM Windows/Linux Agent started
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
monitorState | Monitor State | string | |
type | Type | string | |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
phAgentId | Agent ID | string | Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers. |
hostName | Host Name | string | This is the hostname of the device of interest in the event |
EventType: PH_AUDIT_AGENT_STOPPED
Description: FortiSIEM Windows/Linux Agent stopped
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
monitorState | Monitor State | string | |
type | Type | string | |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
phAgentId | Agent ID | string | Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers. |
hostName | Host Name | string | This is the hostname of the device of interest in the event |
EventType: PH_AUDIT_AGENT_UNINSTALLED
Description: FortiSIEM Windows/Linux Agent uninstalled
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
monitorState | Monitor State | string | |
type | Type | string | |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
phAgentId | Agent ID | string | Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers. |
hostName | Host Name | string | This is the hostname of the device of interest in the event |
EventType: PH_AUDIT_CASE_CLOSED
Description: FortiSIEM Case Closed
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
osObjName | Object Name | string | |
osObjHandleID | Object Handle | string | |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
details | Details | string | |
EventType: PH_AUDIT_CASE_CREATED
Description: FortiSIEM Case Created
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
osObjName | Object Name | string | |
osObjHandleID | Object Handle | string | |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
details | Details | string | |
EventType: PH_AUDIT_CASE_UPDATED
Description: FortiSIEM Case Updated
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
osObjName | Object Name | string | |
osObjHandleID | Object Handle | string | |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
details | Details | string | |
EventType: PH_AUDIT_CI_QUOTE_EXCEEDED
Description: System CI Quote Exceeded
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_CMDB_DISK_PRUNE_FAILED
Description: CMDB Disk Prune Failed
Severity: 9 (High)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
hostName | Host Name | string | This is the hostname of the device of interest in the event |
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event. |
freeDiskMB | Free Disk MB | uint32 | |
EventType: PH_AUDIT_CMDB_DISK_PRUNE_SUCCESS
Description: CMDB Disk Prune Success
Severity: 4 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
hostName | Host Name | string | This is the hostname of the device of interest in the event |
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event. |
freeDiskMB | Free Disk MB | uint32 | |
EventType: PH_AUDIT_DASHBOARD_SHARED
Description: FortiSIEM dashboard folder shared
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
osObjName | Object Name | string | |
targetUserGrp | Target User Group | string | |
EventType: PH_AUDIT_DATA_PURGE
Description: System data has been purged
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_DEFAULT_PWD_MATCH
Description: Default password match
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
hostName | Host Name | string | This is the hostname of the device of interest in the event |
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event. |
reptVendor | Reporting Vendor | string | This field captures the vendor of the reported event |
reptModel | Reporting Model | string | This field captures the model of the reported event |
appTransportProto | Application Protocol | string | |
user | User | string | |
EventType: PH_AUDIT_DEVICE_ADDED
Description: System CMDB device added
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
hostName | Host Name | string | This is the hostname of the device of interest in the event |
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event. |
EventType: PH_AUDIT_DEVICE_DELETED
Description: System CMDB device deleted
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
hostName | Host Name | string | This is the hostname of the device of interest in the event |
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event. |
EventType: PH_AUDIT_DEVICE_DISCOVERY_ITEM_CHANGED
Description: System CMDB device changed by discovery
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
hostName | Host Name | string | This is the hostname of the device of interest in the event |
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event. |
objType | Object Type | string | |
addedItem | Added Item | string | |
EventType: PH_AUDIT_DEVICE_MAINTENANCE_ENDED
Description: System device maintenance ended
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
maintScheduleName | Maintenance Schedule Name | string | |
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event. |
hostName | Host Name | string | This is the hostname of the device of interest in the event |
endTime | End Time | Date | This is the end time of a given item or task, stored in epoch milliseconds. |
EventType: PH_AUDIT_DEVICE_MAINTENANCE_STARTED
Description: System device maintenance started
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
maintScheduleName | Maintenance Schedule Name | string | |
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event. |
hostName | Host Name | string | This is the hostname of the device of interest in the event |
startTime | Start Time | Date | This is the start time of a given item or task, and is stored in epoch milliseconds |
EventType: PH_AUDIT_DEVICE_MERGED_BY_IP_WITH_DIFF_NAME
Description: Two devices with different hostnames merged because of overlapping IP addresses
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
hostName | Host Name | string | This is the hostname of the device of interest in the event |
targetHostName | Target Host Name | string | |
overlapIp | Overlapping IP | string | This field represents the list of IP addresses of a just-discovered device that overlap with an existing device in CMDB. |
EventType: PH_AUDIT_DEVICE_STATUS_CHANGED
Description: CMDB Device audit status changed
Severity: 3 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
hostName | Host Name | string | This is the hostname of the device of interest in the event |
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event. |
user | User | string | |
origStatus | Original Status | string | |
newStatus | New Status | string | |
eventSource | Event Source | string | |
EventType: PH_AUDIT_DEVICE_UNMANAGED
Description: license exceeded - newly discovered device set to Unmanaged
Severity: 3 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event. |
hostName | Host Name | string | This is the hostname of the device of interest in the event |
status | Status | string | |
eventSource | Event Source | string | |
details | Details | string | |
EventType: PH_AUDIT_DEV_MON_JOB_NOT_STARTED
Description: Performance monitoring Job is not picked up for execution for a long time
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_DEV_MON_JOB_STATUS_CHANGE
Description: Performance monitoring job status changed
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_DISCOVERY
Description: Audit discovery
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
user | User | string | |
startTime | Start Time | Date | This is the start time of a given item or task, and is stored in epoch milliseconds |
type | Type | string | |
task | Task | string | |
osObjName | Object Name | string | |
EventType: PH_AUDIT_EXPORT_REPORT_END
Description: User exported FortiSIEM Report result via GUI or Scheduled Report
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_GENAI_USER_QUERY
Description: FortiSIEM sent Generative AI Query to ChatGPT
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_GENERIC
Description: System generic audit message
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_GROUP_CREATED
Description: FortiSIEM GUI Group Created
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
osObjName | Object Name | string | |
osObjType | OS Object Type | string | |
EventType: PH_AUDIT_GROUP_DELETED
Description: FortiSIEM GUI Group Deleted
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
osObjName | Object Name | string | |
osObjType | OS Object Type | string | |
EventType: PH_AUDIT_INACTIVE_USER_LOGIN
Description: A system inactive user tried to login
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_INCIDENT_SYS_CLEAR
Description: FortiSIEM Incident System Auto-Cleared
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
osObjName | Object Name | string | |
osObjHandleID | Object Handle | string | |
EventType: PH_AUDIT_INCIDENT_USER_CLEAR
Description: FortiSIEM Incident User Cleared
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
osObjName | Object Name | string | |
osObjHandleID | Object Handle | string | |
EventType: PH_AUDIT_INTEGRATION_POLICY_EXECUTED
Description: FortiSIEM Integration Policy Executed
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
osObjName | Object Name | string | |
EventType: PH_AUDIT_MALWARE_DATA_DELETED
Description: Malware data deleted by scheduled update
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
updateTime | Update Time | Date | |
count | Count | uint32 | A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group by parameters occurs again, the count is incremented and the Last Seen time is advanced. Count can be used for other events also. |
folder | Folder | string | |
EventType: PH_AUDIT_MALWARE_DATA_UPDATED
Description: Malware data updated by scheduled update
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
updateTime | Update Time | Date | |
count | Count | uint32 | A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group by parameters occurs again, the count is incremented and the Last Seen time is advanced. Count can be used for other events also. |
folder | Folder | string | |
EventType: PH_AUDIT_ML_GENERIC_ERROR
Description: Machine Learning generic error log
Severity: 6 (Medium)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_ML_GENERIC_INFO
Description: Machine Learning generic info log
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_ML_INFERENCE_COMPLETED
Description: Machine Learning audit inference completed log
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_ML_INFERENCE_RESULT
Description: Machine Learning audit inference result log
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_ML_INFERENCE_STARTED
Description: Machine Learning audit inference started log
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_ML_TRAINING_COMPLETED
Description: Machine Learning audit training completed log
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_ML_TRAINING_STARTED
Description: Machine Learning audit training started log
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_NOTIF_POLICY_EXECUTED
Description: FortiSIEM Incident Notification Policy Executed
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
osObjName | Object Name | string | |
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
osObjHandleID | Object Handle | string | |
EventType: PH_AUDIT_OBJECT_CREATED
Description: System data object created
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
osObjType | OS Object Type | string | |
osObjName | Object Name | string | |
EventType: PH_AUDIT_OBJECT_DELETED
Description: System data object deleted
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
user | User | string | |
EventType: PH_AUDIT_OBJECT_UPDATED
Description: System data object updated
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
osObjType | OS Object Type | string | |
objType | Object Type | string | |
osObjName | Object Name | string | |
osObjAction | Object Action | string | |
targetCustomer | Target Organization Name | string | |
oldSettingsValue | Old Settings Value | string | |
newSettingsValue | New Settings Value | string | |
EventType: PH_AUDIT_ONDEMAND_REMEDIATION_EXECUTED
Description: FortiSIEM Ondemand Remediation Executed
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
osObjName | Object Name | string | |
EventType: PH_AUDIT_PASSWORD_CHANGED
Description: System user password changed
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
targetUser | Target User | string | |
user | User | string | |
domain | Domain | string | |
EventType: PH_AUDIT_QUERY_COMPLETED
Description: Audit query completed
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
user | User | string | |
osObjName | Object Name | string | |
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
durationMSec | Duration | uint32 | Duration of a connection (in msec) |
queryFilter | Query Filter | string | |
queryDisplay | Query Display | string | |
queryId | Query Id | string | |
usageType | Usage Type | string | |
EventType: PH_AUDIT_QUERY_SCHEDULED
Description: System scheduled a query
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
osObjName | Object Name | string | |
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
EventType: PH_AUDIT_QUERY_START
Description: System started a query
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
osObjName | Object Name | string | |
EventType: PH_AUDIT_QUERY_STOP
Description: System stopped a query
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
osObjName | Object Name | string | |
durationMSec | Duration | uint32 | Duration of a connection (in msec) |
destIpAddr | Destination IP | IP | Destination IP of a device as identified in the event. |
EventType: PH_AUDIT_REPORT_SCHEDULED
Description: FortiSIEM Report Scheduled
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_REPORT_SCHEDULE_APPROVE
Description: FortiSIEM Report schedule approval
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
user | User | string | |
objId | DB Object Id | string | |
status | Status | string | |
targetUser | Target User | string | |
reportId | Report ID | uint32 | |
reportName | Report Name | string | FortiSIEM report name. |
errReason | Reason for Error | string | This is the reason for an error if given. |
EventType: PH_AUDIT_REPORT_SCHEDULE_REQUEST
Description: FortiSIEM Report schedule request
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
user | User | string | |
objId | DB Object Id | string | |
status | Status | string | |
targetUser | Target User | string | |
reportId | Report ID | uint32 | |
reportName | Report Name | string | FortiSIEM report name. |
EventType: PH_AUDIT_REPORT_SERVER_LICENSE_EXPIRED
Description: FortiSIEM Report Server license expired
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_REPORT_SERVER_LICENSE_REMOVED
Description: FortiSIEM Report Server Removed After License Expiry
Severity: 8 (Medium)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_REPORT_SERVER_LICENSE_TO_EXPIRE
Description: FortiSIEM Report Server license about to expire
Severity: 8 (Medium)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_RISK_DECREASE_LOW
Description: Device Risk Score decreased to LOW level
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_RISK_DECREASE_MED
Description: Device Risk Score decreased to MEDIUM level
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_RISK_INCREASE_HIGH
Description: Device Risk Score increased to HIGH level
Severity: 9 (High)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_RISK_INCREASE_MED
Description: Device Risk Score increased to MEDIUM level
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_RULE_ACTIVATED
Description: FortiSIEM Rule activated
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
osObjName | Object Name | string | |
EventType: PH_AUDIT_RULE_ACTIVATION_APPROVE
Description: FortiSIEM Rule activation approval
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
user | User | string | |
objId | DB Object Id | string | |
status | Status | string | |
targetUser | Target User | string | |
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule. |
ruleName | Rule Name | string | FortiSIEM rule name. |
errReason | Reason for Error | string | This is the reason for an error if given. |
EventType: PH_AUDIT_RULE_ACTIVATION_REQUEST
Description: FortiSIEM Rule activation request
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
user | User | string | |
objId | DB Object Id | string | |
status | Status | string | |
targetUser | Target User | string | |
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule. |
EventType: PH_AUDIT_RULE_DEACTIVATED
Description: FortiSIEM Rule de-activated
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
osObjName | Object Name | string | |
EventType: PH_AUDIT_RULE_DEACTIVATION_APPROVE
Description: FortiSIEM Rule de-activation approval
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
user | User | string | |
objId | DB Object Id | string | |
status | Status | string | |
targetUser | Target User | string | |
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule. |
ruleName | Rule Name | string | FortiSIEM rule name. |
errReason | Reason for Error | string | This is the reason for an error if given. |
EventType: PH_AUDIT_RULE_DEACTIVATION_REQUEST
Description: FortiSIEM Rule de-activation request
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
user | User | string | |
objId | DB Object Id | string | |
status | Status | string | |
targetUser | Target User | string | |
ruleId | Rule ID | uint64 | Unique ID of a FortiSIEM rule. |
ruleName | Rule Name | string | FortiSIEM rule name. |
EventType: PH_AUDIT_SVC_LOGIN_FAILURE
Description: System service user failed to login
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_SVC_LOGIN_SUCCESS
Description: System service user login success
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_SVC_LOGOFF
Description: System Service user logoff
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_SVC_SESSION_TIMEOUT
Description: System service user session timeout
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_TUNNEL_CLOSE
Description: Collector to Super Reverse SSH Tunnel closed
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
appTransportProto | Application Protocol | string | |
srcIpPort | Source TCP/UDP Port | uint16 | This is the source TCP or UDP port as identified in the event |
destIpPort | Destination TCP/UDP Port | uint16 | This is the destination TCP or UDP port as identified in the event |
destIpAddr | Destination IP | IP | Destination IP of a device as identified in the event. |
collectorIp | Collector IP | IP | This field captures the IP address of a FortiSIEM Collector |
tunnelUpTime | Tunnel Uptime | uint64 | |
phAgentId | Agent ID | string | Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers. |
EventType: PH_AUDIT_TUNNEL_OPEN
Description: Collector to Super Reverse SSH Tunnel opened
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
appTransportProto | Application Protocol | string | |
srcIpPort | Source TCP/UDP Port | uint16 | This is the source TCP or UDP port as identified in the event |
destIpPort | Destination TCP/UDP Port | uint16 | This is the destination TCP or UDP port as identified in the event |
destIpAddr | Destination IP | IP | Destination IP of a device as identified in the event. |
collectorIp | Collector IP | IP | This field captures the IP address of a FortiSIEM Collector |
tunnelUpTime | Tunnel Uptime | uint64 | |
phAgentId | Agent ID | string | Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers. |
EventType: PH_AUDIT_USER_ADDED
Description: System user added
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
targetUser | Target User | string | |
user | User | string | |
domain | Domain | string | |
EventType: PH_AUDIT_USER_CHANGE_ORG_SCOPE
Description: FortiSIEM user changed organization scope
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
user | User | string | |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
userFullName | User Full Name | string | |
targetCustomer | Target Organization Name | string | |
EventType: PH_AUDIT_USER_DEFAULT_ROLE_CHANGED
Description: FortiSIEM Admin User Default Role Changed
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
user | User | string | |
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
targetUser | Target User | string | |
targetCustomer | Target Organization Name | string | |
role | Role | string | |
EventType: PH_AUDIT_USER_DELETED
Description: System user deleted
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
user | User | string | |
targetUser | Target User | string | |
details | Details | string | |
EventType: PH_AUDIT_USER_LOGIN_FAILURE
Description: System user failed to login
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
user | User | string | |
domain | Domain | string | |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
EventType: PH_AUDIT_USER_LOGIN_SUCCESS
Description: System user login success
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
user | User | string | |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
userFullName | User Full Name | string | |
EventType: PH_AUDIT_USER_LOGOFF
Description: System user logoff
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
userFullName | User Full Name | string | |
EventType: PH_AUDIT_USER_ORGANIZATION_ROLE_CHANGED
Description: FortiSIEM Admin User Organization Role changed
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
user | User | string | |
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
targetUser | Target User | string | |
targetCustomer | Target Organization Name | string | |
role | Role | string | |
EventType: PH_AUDIT_USER_ORGANIZATION_ROLE_ENABLED
Description: FortiSIEM Admin User Organization Role enabled
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_AUDIT_USER_ORGANIZATION_ROLE_REMOVED
Description: FortiSIEM Admin User Organization Role disabled
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
user | User | string | |
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
targetUser | Target User | string | |
targetCustomer | Target Organization Name | string | |
role | Role | string | |
EventType: PH_AUDIT_USER_SESSION_TIMEOUT
Description: System user session timeout
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
userFullName | User Full Name | string | |
EventType: PH_AUDIT_WS_COMM
Description: System web service communication
Severity: 1 (Low)
Event Category: 3 (System Logs)