Fortinet white logo
Fortinet white logo

Important Logs By Use case

Important Logs By Use case

This section identifies important logs for several failure use cases.

Collector clock skew detected

PH_COLLECTOR_CLOCK_SKEW

Description: Clock skew between Collector and Super

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

collectorId

Collector ID

uint32

This field captures the ID of a FortiSIEM Collector

collectorIp

Collector IP

IP

This field captures the IP address of a FortiSIEM Collector

superTime

Supervisor Time

Date

This field represents SupervisorTime used to determine Clock Skew between Collector and Supervisor. A Clock Skew may develop if NTP is not configured correctly in both Collector and Supervisor.

collectorTime

Collector Time

Date

This field represents Collector Time used to determine Clock Skew between Collector and Supervisor. A Clock Skew may develop if NTP is not configured correctly in both Collector and Supervisor.

timeSkewSec

Time skew

uint32

Time skew between Collector and Supervisor. If there is significant time skew then rules may not trigger, since rules need to be evaluated based on a time window.

Collector failing to forward events to External System

PH_AGENTMGR_KAFKA_PRODUCER_ERROR

Description: Agent Manager / Kafka Consumer encountered error occurred in Kafka producer

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason

count

Count

uint32

A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group by parameters occurs again. The count is incremented and the Last Seen time is advanced. Count can be used for other events also.

PH_EVENT_FWD_SOCKET_CONNECT_FAILED

Description: Event Forwarder failed to connect the destination for TCP based forwarding

Severity: 8 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

exitValue

Command exit value

int32

PH_EVENT_FWD_SOCKET_WRITE_FAILED

Description: Event Forwarder failed to write to socket for sending events

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

exitValue

Command exit value

int32

Collector failing to send events to Worker on time

PH_COLLECTOR_EVENT_STORE_DELAYED

Description: Collector event file delayed

Severity: 9 (High)

Event Category: 3 (System Logs)

Collector failing to send events to Workers

PH_EVENT_PKG_FILE_UPLOAD_FAILED

Description: Event Packager failed to upload event file to Worker or Super; will retry

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

serverIpAddr

Server IP

IP

PH_EVENT_PKG_HTTP_FAILED

Description: Event Packager encountered HTTPS error response code

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverIpAddr

Server IP

IP

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number

PH_EVENT_PKG_HTTP_INIT_FAILED

Description: Event Packager HTTP client initialization failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverIpAddr

Server IP

IP

PH_EVT_PACKAGER_FILE_UPLOAD_FAILURE

Description: FortiSIEM Event Packager file upload failure

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32

destName

Destination Host Name

string

Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address.

Collector/Worker to Supervisor communication issue

PH_COLLECTOR_DOWN

Description: Collector down

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_WORKER_DOWN

Description: Worker down

Severity: 7 (Medium)

Event Category: 3 (System Logs)

EPS License Exceeded

PH_PARSER_GLOBAL_LICENSE_EXCEED

Description: Global EPS license exceeded and events will be dropped

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

licenseEventsPerSec

License EPS

uint64

EPS Reporting

PH_SYSTEM_EPS_GLOBAL

Description: FortiSIEM Global event handling statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

licenseEventsPerSec

License EPS

uint64

incomingEventsPerSec

Incoming Event Rate

double

This is a FortiSIEM event ingestion rate calculated every 3 minutes, divided by 180 to generate a rolling EPS (Events Per Second) interval.

peakIncomingEventsPerSec

Peak Incoming Event Rate

double

This is the spike or max event ingestion rate seen during a 3 minute interval averaged overall data points.

dropLicenseEventsPerSec

License Dropped Event Rate

double

The number of events dropped due to exceeding license in past 3 minutes.

peakDropLicenseEventsPerSec

Peak License Dropped Event Rate

double

The max value of dropLicenseEventsPerSec over all 3-minute periods, since phParser started.

unusedEvents

Unused Event Count

uint64

The difference between licenseEventsPerSec and incomingEventsPerSec accumulated.

PH_SYSTEM_EPS_NODE

Description: FortiSIEM per Node event handling statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

role

Role

string

hostName

Host Name

string

This is the hostname of the device of interest in the event

guaranteedEventsPerSec

Guaranteed EPS

uint64

incomingEventsPerSec

Incoming Event Rate

double

This is a FortiSIEM event ingestion rate calculated every 3 minutes, divided by 180 to generate a rolling EPS (Events Per Second) interval.

peakIncomingEventsPerSec

Peak Incoming Event Rate

double

This is the spike or max event ingestion rate seen during a 3 minute interval averaged overall data points.

ingestedEventsPerSec

Ingested Event Rate

double

dropPolicyEvents

Policy Dropped Events

uint64

The number of events dropped by Event Dropping Rules in the last 3 minutes.

dropPolicyEventsPerSec

Policy Droppped Event Rate

double

This is the per second count of events dropped by policy, which is calculated as dropPolicyEvents (3min interval) / 180 seconds.

peakDropPolicyEventsPerSec

Peak Policy Dropped Event Rate

double

The max value of dropPolicyEventsPerSec, over all 3-minute periods, since phParser started.

dropLicenseEvents

License Dropped Events

uint64

This is the total count of events dropped due to exceeding license over all 3 minute intervals since phParser started.

dropLicenseEventsPerSec

License Dropped Event Rate

double

The number of events dropped due to exceeding license in past 3 minutes.

peakDropLicenseEventsPerSec

Peak License Dropped Event Rate

double

The max value of dropLicenseEventsPerSec over all 3-minute periods, since phParser started.

dropLicenseEventRatio

License Dropped Event Ratio

uint16

Ratio of dropped events due to license to total incoming events in last 3 minutes.

reptDevIpAddr

Reporting IP

IP

This is the device that originated the log or event packet, also known as the reporting device.

PH_SYSTEM_EPS_ORG

Description: FortiSIEM per Organization event handling statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

incomingEventsPerSec

Incoming Event Rate

double

This is a FortiSIEM event ingestion rate calculated every 3 minutes, divided by 180 to generate a rolling EPS (Events Per Second) interval.

peakIncomingEventsPerSec

Peak Incoming Event Rate

double

This is the spike or max event ingestion rate seen during a 3 minute interval averaged overall data points.

dropLicenseEventsPerSec

License Dropped Event Rate

double

The number of events dropped due to exceeding license in past 3 minutes.

peakDropLicenseEventsPerSec

Peak License Dropped Event Rate

double

The max value of dropLicenseEventsPerSec over all 3-minute periods, since phParser started.

Event Archiving Error (Elasticsearch to EventDB/NFS)

PH_ES_HOT_STORAGE_ARCHIVING_FAILED

Description: Failed archive indices from hot nodes on Elasticsearch Cluster

Severity: 10 (High)

Event Category: 3 (System Logs)

PH_ES_WARM_STORAGE_ARCHIVING_FAILED

Description: Failed to archive indices from warm nodes on Elasticsearch Cluster

Severity: 10 (High)

Event Category: 3 (System Logs)

Event Archiving Error (EventDB to EventDB/NFS)

PH_SYSTEM_DISK_ARCHIVING_FAILED

Description: Online FortiSIEM EventDB Archiving encountered errors

Severity: 10 (High)

Event Category: 3 (System Logs)

PH_SYSTEM_ARCHIVE_PURGING_POLICY_FAILED

Description: Failed to purge Archive FortiSIEM EventDB - purge caused by policy

Severity: 10 (High)

Event Category: 3 (System Logs)

FortiSIEM Process is Down

PH_MODULE_EXITING

Description: Module exiting

Severity: 1 (Low)

Event Category: 3 (System Logs)

PH_MODULE_INIT_FAILURE

Description: Module initialization failure

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

module

Module Name

string

PH_MODULE_ABORT

Description: Module exited abnormally

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

coreDumpFile

Coredump File Name

string

PH_MODULE_ABORT_FOUND

Description: Module found aborted

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

reptProcName

Reported Process Name

string

eventTime

Event Occur Time

Date

PH_APPSERVER_FRAMEWORK_SECURITY_INIT_SYSTEM_ERROR

Description: App Server Phoenix Caching system initialization failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

FortiSIEM process to Supervisor communication issue

PH_DATAMANAGER_HTTP_UPLOAD_ERROR

Description: Data Manager module failed to upload event database statistics to App server

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number

PH_IDENTITYMASTER_HTTP_UPLOAD_ERROR

Description: Identity Master failed to upload identity location information to App server

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number

errReason

Reason for Error

string

This is the reason for an error if given.

PH_PARSER_HTTP_RESPONSE_ERROR

Description: Parser module failed to get response from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number

PH_PARSER_HTTP_UPLOAD_FAILURE

Description: Parser module failed to upload information to App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_EVT_PACKAGER_HTTP_RESPONSE_ERROR

Description: FortiSIEM Event Packager http response error from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32

PH_MONITOR_UNABLE_CONTACT_APPSVR

Description: phMonitor uable to contact App Server - see respnse code

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

httpStatusCode

HTTP Status

string

GUI Change Audit

PH_AUDIT_USER_DEFAULT_ROLE_CHANGED

Description: FortiSIEM Admin User Default Role Changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

targetUser

Target User

string

targetCustomer

Target Organization Name

string

role

Role

string

PH_AUDIT_USER_ORGANIZATION_ROLE_ENABLED

Description: FortiSIEM Admin User Organization Role enabled

Severity: 1 (Low)

Event Category: 3 (System Logs)

PH_AUDIT_USER_ORGANIZATION_ROLE_CHANGED

Description: FortiSIEM Admin User Organization Role changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

targetUser

Target User

string

targetCustomer

Target Organization Name

string

role

Role

string

PH_AUDIT_USER_ORGANIZATION_ROLE_REMOVED

Description: FortiSIEM Admin User Organization Role disabled

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

targetUser

Target User

string

targetCustomer

Target Organization Name

string

role

Role

string

PH_AUDIT_RULE_ACTIVATED

Description: FortiSIEM Rule activated

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

PH_AUDIT_RULE_DEACTIVATED

Description: FortiSIEM Rule de-activated

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

PH_AUDIT_REPORT_SCHEDULED

Description: FortiSIEM Report Scheduled

Severity: 1 (Low)

Event Category: 3 (System Logs)

PH_AUDIT_DASHBOARD_SHARED

Description: FortiSIEM dashboard folder shared

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

targetUserGrp

Target User Group

string

PH_AUDIT_CASE_CREATED

Description: FortiSIEM Case Created

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

osObjHandleID

Object Handle

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

details

Details

string

PH_AUDIT_CASE_UPDATED

Description: FortiSIEM Case Updated

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

osObjHandleID

Object Handle

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

details

Details

string

PH_AUDIT_CASE_CLOSED

Description: FortiSIEM Case Closed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

osObjHandleID

Object Handle

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

details

Details

string

PH_AUDIT_INCIDENT_USER_CLEAR

Description: FortiSIEM Incident User Cleared

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

osObjHandleID

Object Handle

string

PH_AUDIT_INCIDENT_SYS_CLEAR

Description: FortiSIEM Incident System Auto-Cleared

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

osObjHandleID

Object Handle

string

PH_AUDIT_DEVICE_STATUS_CHANGED

Description: CMDB Device audit status changed

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

user

User

string

origStatus

Original Status

string

newStatus

New Status

string

eventSource

Event Source

string

PH_AUDIT_USER_ADDED

Description: System user added

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

targetUser

Target User

string

user

User

string

domain

Domain

string

PH_AUDIT_USER_DELETED

Description: System user deleted

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

user

User

string

targetUser

Target User

string

details

Details

string

PH_AUDIT_PASSWORD_CHANGED

Description: System user password changed

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

targetUser

Target User

string

user

User

string

domain

Domain

string

PH_AUDIT_OBJECT_CREATED

Description: System data object created

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjType

OS Object Type

string

osObjName

Object Name

string

PH_AUDIT_OBJECT_DELETED

Description: System data object deleted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

PH_AUDIT_OBJECT_UPDATED

Description: System data object updated

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjType

OS Object Type

string

objType

Object Type

string

osObjName

Object Name

string

osObjAction

Object Action

string

targetCustomer

Target Organization Name

string

oldSettingsValue

Old Settings Value

string

newSettingsValue

New Settings Value

string

PH_AUDIT_DEVICE_DISCOVERY_ITEM_CHANGED

Description: System CMDB device changed by discovery

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

objType

Object Type

string

addedItem

Added Item

string

PH_AUDIT_DEVICE_DELETED

Description: System CMDB device deleted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

PH_AUDIT_DEVICE_ADDED

Description: System CMDB device added

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

PH_AUDIT_DEVICE_MERGED_BY_IP_WITH_DIFF_NAME

Description: Two devices with different hostname merged becsuase of overlapping IP addresses

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostName

Host Name

string

This is the hostname of the device of interest in the event

targetHostName

Target Host Name

string

overlapIp

Overlapping IP

string

This field repsents the list of IP addresses of a just discovered device that overlaps with an existing device in CMDB.

PH_AUDIT_MALWARE_DATA_UPDATED

Description: Malware data updated by scheduled update

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

updateTime

Update Time

Date

count

Count

uint32

A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group by parameters occurs again. The count is incremented and the Last Seen time is advanced. Count can be used for other events also.

folder

Folder

string

PH_AUDIT_MALWARE_DATA_DELETED

Description: Malware data deleted by scheduled update

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

updateTime

Update Time

Date

count

Count

uint32

A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group by parameters occurs again. The count is incremented and the Last Seen time is advanced. Count can be used for other events also.

folder

Folder

string

PH_AUDIT_GROUP_CREATED

Description: FortiSIEM GUI Group Created

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

osObjName

Object Name

string

osObjType

OS Object Type

string

PH_AUDIT_GROUP_DELETED

Description: FortiSIEM GUI Group Deleted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

osObjName

Object Name

string

osObjType

OS Object Type

string

PH_AUDIT_CMDB_DISK_PRUNE_SUCCESS

Description: CMDB Disk Prune Success

Severity: 4 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

freeDiskMB

Free Disk MB

uint32

PH_AUDIT_CMDB_DISK_PRUNE_FAILED

Description: CMDB Disk Prune Failed

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

freeDiskMB

Free Disk MB

uint32

GUI User Login

PH_AUDIT_USER_LOGIN_SUCCESS

Description: System user login success

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

userFullName

User Full Name

string

PH_AUDIT_USER_LOGIN_FAILURE

Description: System user failed to login

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

domain

Domain

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

PH_AUDIT_USER_LOGOFF

Description: System user logoff

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

userFullName

User Full Name

string

Incident External Integration issue

PH_APPSERVER_OUT_INTEGRATION_ERROR

Description: Outbound external ticketing system integration error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_APPSERVER_IN_INTEGRATION_ERROR

Description: Inbound external ticketing system integration error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Incident email notification issue

PH_INCIDENT_ACTION_STATUS

Description: Record action result for incident notification

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

scriptOutput

Script Output

string

PH_APPSERVER_NOTIFIER_ERROR

Description: App Server Notifier error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Linux Agent operational errors

PH_FAILED_TO_EXEC

Description: Failed to execute specified command

Severity: 6 (Medium)

Event Category: 3 (System Logs)

PH_LINUX_AGENT_OPEN_PORT_FAILED

Description: Failed to open port

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

ipPort

IP Port

uint16

IP port number

PH_LINUX_AGENT_CONFIG_ATTR_NOT_FOUND

Description: Cannot find attribute in config file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

fileName

File Name

string

PH_LINUX_AGENT_HOST_IP_GOT_FAILED

Description: Failed to get host ip

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_LINUX_AGENT_CREATE_SOCKET_FAILED

Description: Failed to create socket

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason

PH_LINUX_AGENT_BIND_PORT_FAILED

Description: Socket failed to bind port

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

destIpPort

Destination TCP/UDP Port

uint16

This is the destination TCP or UDP port as identified in the event

PH_LINUX_AGENT_OPEN_FILE_FAILED

Description: Linux agent open file failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

fileName

File Name

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason

PH_LINUX_AGENT_VERIFIER_ERROR

Description: Linux agent verifier error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

fileName

File Name

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason

size

Size

uint32

Malware IOC handling Errors

PH_APPSERVER_FORTIGUARD_IOC_INTEGRATION_ERROR

Description: FortiGuard IOC data download/parse error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_APPSERVER_EXT_THREAT_INTEL_UPDATE_ERROR

Description: External Threat Intelligence update error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_APPSERVER_IOC_TASK_CREATE_FAILED_ERROR

Description: App Server failed to create External Threat Intelligence Update task

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Query Errors

PH_APPSERVER_QUERY_RUN_ERROR

Description: App Server failed to run historical query

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_APPSERVER_QUERY_STOP_ERROR

Description: App Server failed to stop historical query

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_APPSERVER_QUERY_RESULT_RETRIEVE_ERROR

Description: App Server failed to retrieve historical query result

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_APPSERVER_QUERY_EXPORT_ERROR

Description: App Server failed to export historical query result

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_APPSERVER_REPORT_BUNDLE_PRINT_ERROR

Description: User defined report run error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Query Performance

PH_AUDIT_QUERY_COMPLETED

Description: Audit query completed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

osObjName

Object Name

string

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

durationMSec

Duration

uint32

Duration of a connection (in msec)

queryFilter

Query Filter

string

queryDisplay

Query Display

string

queryId

Query Id

string

usageType

Usage Type

string

Rule Performance

PH_RULEMOD_PROFILE

Description: FortiSIEM Rule resource usage profile

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

ruleName

Rule Name

string

FortiSIEM rule name.

memTotalB

Total Memory Bytes

uint32

updateQueueSize

Update Queue Size

uint32

Rule trigger issues

PH_DROP_INCIDENT

Description: Incident dropped

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.

ruleName

Rule Name

string

FortiSIEM rule name.

incidentId

Incident ID

uint64

Unique ID of a FortiSIEM Incident

details

Details

string

errReason

Reason for Error

string

This is the reason for an error if given.

PH_DROP_EVENT_FROM_SHARED_BUFFER

Description: Event dropped from shared buffer

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

collectorId

Collector ID

uint32

This field captures the ID of a FortiSIEM Collector

count

Count

uint32

A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group by parameters occurs again. The count is incremented and the Last Seen time is advanced. Count can be used for other events also.

PH_REPORT_PACK_FAILED

Description: Failed to pack data

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.

PH_RULEMOD_SUMMARY_UPLOAD_FAILED

Description: Rule Worker failed to upload rule summary to Rule Master, causing potential incident loss.

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.

ruleName

Rule Name

string

FortiSIEM rule name.

PH_UTIL_NOTIFICATION_UPLOAD_FAILURE

Description: Failed to Send Notification

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

msg

Message

string

Scheduled Report issue

PH_REPORT_ACTION_STATUS

Description: Record action result for report notification

Severity: 1 (Low)

Event Category: 3 (System Logs)

Test Connectivity/Discovery Errors

PH_DISCOV_DISCOV_REQ_GET_FAILED

Description: Discovery module failed to get discovery request from App server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_DISCOV_TEST_CONN_GET_REQ_FAILED

Description: Discovery module failed to get test connectivity request from App server

Severity: 9 (High)

Event Category: 3 (System Logs)

PH_DISCOV_TEST_CONN_RESULT_SEND_ERROR

Description: Discovery module encountered error in sending Test Connectivity result to app server

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phDiscovFailCode

PH Discovery Failure Code

string

PH_DISCOV_RESULT_SEND_FAILED

Description: Discovery module failed to send discovery result to App server after many retries; discovery will fail

Severity: 8 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phDiscovFailCode

PH Discovery Failure Code

string

Windows/Linux Agent operational errors

PH_AUDIT_AGENT_DISABLED

Description: FortiSIEM Windows/Linux Agent disabled

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

monitorState

Monitor State

string

type

Type

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

phAgentId

Agent ID

string

Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.

hostName

Host Name

string

This is the hostname of the device of interest in the event

PH_AUDIT_AGENT_UNINSTALLED

Description: FortiSIEM Windows/Linux Agent uninstalled

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

monitorState

Monitor State

string

type

Type

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

phAgentId

Agent ID

string

Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.

hostName

Host Name

string

This is the hostname of the device of interest in the event

PH_AUDIT_AGENT_NOTRESPONDING

Description: FortiSIEM Windows/Linux Agent not responding

Severity: 8 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

monitorState

Monitor State

string

type

Type

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

phAgentId

Agent ID

string

Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.

hostName

Host Name

string

This is the hostname of the device of interest in the event

Worker failing to store events in ClickHouse

PH_CLICKHOUSE_INSERTION_DROP_EVENTS

Description: FortiSIEM dropped events while failing to insert them to ClickHouse after retries

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

totBytes64

Total Bytes64

uint64

Total number of sent and received bytes by a host. This has 64bit resolution.

PH_DATAMANAGER_CLICKHOUSE_HTTP_UPLOAD_ERROR

Description: Failed to upload events to ClickHouse

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.

serverName

Server Name

string

Worker failing to store events in Elasticsearch

PH_DATAMANAGER_EVTLOADER_ERROR

Description: Data Manager failed to load events from shared buffer

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number

dirName

Directory Name

string

PH_DATA_CLUSTER_ELASTIC_INDEX_SEND_FAIL

Description: Elasticsearch indexing failed at the last time

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

infoURL

Informational URL

string

This field captures an URL if present in an event

size

Size

uint32

errorString

Error String

string

This is the error message, synonymous to attribute errReason

Worker failing to store events in EventDB

PH_UNABLE_CREATE_DIR

Description: Unable to create dir

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dirName

Directory Name

string

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number

PH_UNABLE_OPEN_DIR

Description: Unable to open dir

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dirName

Directory Name

string

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number

PH_UNABLE_ACCESS_DIR

Description: Unable to access archive directory

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dirName

Directory Name

string

PH_DATAMANAGER_SUMMARYWRITER_ERROR

Description: Data Manager failed to write inline report results

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number

Worker falling behind in storing configuration files to SVN-lite

PH_EVT_HANDLER_SVN_QUEUE_WARNING

Description: Worker Input Event Queue large

Severity: 10 (High)

Event Category: 3 (System Logs)

Worker falling behind in storing events to Event Database

PH_EVT_HANDLER_EVT_QUEUE_WARNING

Description: Worker Input Event Queue large

Severity: 10 (High)

Event Category: 3 (System Logs)

PH_EVT_HANDLER_EVT_QUEUE_LARGE

Description: Uploaded event files size large

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Important Logs By Use case

Important Logs By Use case

This section identifies important logs for several failure use cases.

Collector clock skew detected

PH_COLLECTOR_CLOCK_SKEW

Description: Clock skew between Collector and Super

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

collectorId

Collector ID

uint32

This field captures the ID of a FortiSIEM Collector

collectorIp

Collector IP

IP

This field captures the IP address of a FortiSIEM Collector

superTime

Supervisor Time

Date

This field represents SupervisorTime used to determine Clock Skew between Collector and Supervisor. A Clock Skew may develop if NTP is not configured correctly in both Collector and Supervisor.

collectorTime

Collector Time

Date

This field represents Collector Time used to determine Clock Skew between Collector and Supervisor. A Clock Skew may develop if NTP is not configured correctly in both Collector and Supervisor.

timeSkewSec

Time skew

uint32

Time skew between Collector and Supervisor. If there is significant time skew then rules may not trigger, since rules need to be evaluated based on a time window.

Collector failing to forward events to External System

PH_AGENTMGR_KAFKA_PRODUCER_ERROR

Description: Agent Manager / Kafka Consumer encountered error occurred in Kafka producer

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason

count

Count

uint32

A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group by parameters occurs again. The count is incremented and the Last Seen time is advanced. Count can be used for other events also.

PH_EVENT_FWD_SOCKET_CONNECT_FAILED

Description: Event Forwarder failed to connect the destination for TCP based forwarding

Severity: 8 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

exitValue

Command exit value

int32

PH_EVENT_FWD_SOCKET_WRITE_FAILED

Description: Event Forwarder failed to write to socket for sending events

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

exitValue

Command exit value

int32

Collector failing to send events to Worker on time

PH_COLLECTOR_EVENT_STORE_DELAYED

Description: Collector event file delayed

Severity: 9 (High)

Event Category: 3 (System Logs)

Collector failing to send events to Workers

PH_EVENT_PKG_FILE_UPLOAD_FAILED

Description: Event Packager failed to upload event file to Worker or Super; will retry

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

serverIpAddr

Server IP

IP

PH_EVENT_PKG_HTTP_FAILED

Description: Event Packager encountered HTTPS error response code

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverIpAddr

Server IP

IP

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number

PH_EVENT_PKG_HTTP_INIT_FAILED

Description: Event Packager HTTP client initialization failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverIpAddr

Server IP

IP

PH_EVT_PACKAGER_FILE_UPLOAD_FAILURE

Description: FortiSIEM Event Packager file upload failure

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32

destName

Destination Host Name

string

Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address.

Collector/Worker to Supervisor communication issue

PH_COLLECTOR_DOWN

Description: Collector down

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_WORKER_DOWN

Description: Worker down

Severity: 7 (Medium)

Event Category: 3 (System Logs)

EPS License Exceeded

PH_PARSER_GLOBAL_LICENSE_EXCEED

Description: Global EPS license exceeded and events will be dropped

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

licenseEventsPerSec

License EPS

uint64

EPS Reporting

PH_SYSTEM_EPS_GLOBAL

Description: FortiSIEM Global event handling statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

licenseEventsPerSec

License EPS

uint64

incomingEventsPerSec

Incoming Event Rate

double

This is a FortiSIEM event ingestion rate calculated every 3 minutes, divided by 180 to generate a rolling EPS (Events Per Second) interval.

peakIncomingEventsPerSec

Peak Incoming Event Rate

double

This is the spike or max event ingestion rate seen during a 3 minute interval averaged overall data points.

dropLicenseEventsPerSec

License Dropped Event Rate

double

The number of events dropped due to exceeding license in past 3 minutes.

peakDropLicenseEventsPerSec

Peak License Dropped Event Rate

double

The max value of dropLicenseEventsPerSec over all 3-minute periods, since phParser started.

unusedEvents

Unused Event Count

uint64

The difference between licenseEventsPerSec and incomingEventsPerSec accumulated.

PH_SYSTEM_EPS_NODE

Description: FortiSIEM per Node event handling statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

role

Role

string

hostName

Host Name

string

This is the hostname of the device of interest in the event

guaranteedEventsPerSec

Guaranteed EPS

uint64

incomingEventsPerSec

Incoming Event Rate

double

This is a FortiSIEM event ingestion rate calculated every 3 minutes, divided by 180 to generate a rolling EPS (Events Per Second) interval.

peakIncomingEventsPerSec

Peak Incoming Event Rate

double

This is the spike or max event ingestion rate seen during a 3 minute interval averaged overall data points.

ingestedEventsPerSec

Ingested Event Rate

double

dropPolicyEvents

Policy Dropped Events

uint64

The number of events dropped by Event Dropping Rules in the last 3 minutes.

dropPolicyEventsPerSec

Policy Droppped Event Rate

double

This is the per second count of events dropped by policy, which is calculated as dropPolicyEvents (3min interval) / 180 seconds.

peakDropPolicyEventsPerSec

Peak Policy Dropped Event Rate

double

The max value of dropPolicyEventsPerSec, over all 3-minute periods, since phParser started.

dropLicenseEvents

License Dropped Events

uint64

This is the total count of events dropped due to exceeding license over all 3 minute intervals since phParser started.

dropLicenseEventsPerSec

License Dropped Event Rate

double

The number of events dropped due to exceeding license in past 3 minutes.

peakDropLicenseEventsPerSec

Peak License Dropped Event Rate

double

The max value of dropLicenseEventsPerSec over all 3-minute periods, since phParser started.

dropLicenseEventRatio

License Dropped Event Ratio

uint16

Ratio of dropped events due to license to total incoming events in last 3 minutes.

reptDevIpAddr

Reporting IP

IP

This is the device that originated the log or event packet, also known as the reporting device.

PH_SYSTEM_EPS_ORG

Description: FortiSIEM per Organization event handling statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

incomingEventsPerSec

Incoming Event Rate

double

This is a FortiSIEM event ingestion rate calculated every 3 minutes, divided by 180 to generate a rolling EPS (Events Per Second) interval.

peakIncomingEventsPerSec

Peak Incoming Event Rate

double

This is the spike or max event ingestion rate seen during a 3 minute interval averaged overall data points.

dropLicenseEventsPerSec

License Dropped Event Rate

double

The number of events dropped due to exceeding license in past 3 minutes.

peakDropLicenseEventsPerSec

Peak License Dropped Event Rate

double

The max value of dropLicenseEventsPerSec over all 3-minute periods, since phParser started.

Event Archiving Error (Elasticsearch to EventDB/NFS)

PH_ES_HOT_STORAGE_ARCHIVING_FAILED

Description: Failed archive indices from hot nodes on Elasticsearch Cluster

Severity: 10 (High)

Event Category: 3 (System Logs)

PH_ES_WARM_STORAGE_ARCHIVING_FAILED

Description: Failed to archive indices from warm nodes on Elasticsearch Cluster

Severity: 10 (High)

Event Category: 3 (System Logs)

Event Archiving Error (EventDB to EventDB/NFS)

PH_SYSTEM_DISK_ARCHIVING_FAILED

Description: Online FortiSIEM EventDB Archiving encountered errors

Severity: 10 (High)

Event Category: 3 (System Logs)

PH_SYSTEM_ARCHIVE_PURGING_POLICY_FAILED

Description: Failed to purge Archive FortiSIEM EventDB - purge caused by policy

Severity: 10 (High)

Event Category: 3 (System Logs)

FortiSIEM Process is Down

PH_MODULE_EXITING

Description: Module exiting

Severity: 1 (Low)

Event Category: 3 (System Logs)

PH_MODULE_INIT_FAILURE

Description: Module initialization failure

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

module

Module Name

string

PH_MODULE_ABORT

Description: Module exited abnormally

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

coreDumpFile

Coredump File Name

string

PH_MODULE_ABORT_FOUND

Description: Module found aborted

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

reptProcName

Reported Process Name

string

eventTime

Event Occur Time

Date

PH_APPSERVER_FRAMEWORK_SECURITY_INIT_SYSTEM_ERROR

Description: App Server Phoenix Caching system initialization failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

FortiSIEM process to Supervisor communication issue

PH_DATAMANAGER_HTTP_UPLOAD_ERROR

Description: Data Manager module failed to upload event database statistics to App server

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number

PH_IDENTITYMASTER_HTTP_UPLOAD_ERROR

Description: Identity Master failed to upload identity location information to App server

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number

errReason

Reason for Error

string

This is the reason for an error if given.

PH_PARSER_HTTP_RESPONSE_ERROR

Description: Parser module failed to get response from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number

PH_PARSER_HTTP_UPLOAD_FAILURE

Description: Parser module failed to upload information to App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_EVT_PACKAGER_HTTP_RESPONSE_ERROR

Description: FortiSIEM Event Packager http response error from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNoInt

Error Number Int

int32

PH_MONITOR_UNABLE_CONTACT_APPSVR

Description: phMonitor uable to contact App Server - see respnse code

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

httpStatusCode

HTTP Status

string

GUI Change Audit

PH_AUDIT_USER_DEFAULT_ROLE_CHANGED

Description: FortiSIEM Admin User Default Role Changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

targetUser

Target User

string

targetCustomer

Target Organization Name

string

role

Role

string

PH_AUDIT_USER_ORGANIZATION_ROLE_ENABLED

Description: FortiSIEM Admin User Organization Role enabled

Severity: 1 (Low)

Event Category: 3 (System Logs)

PH_AUDIT_USER_ORGANIZATION_ROLE_CHANGED

Description: FortiSIEM Admin User Organization Role changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

targetUser

Target User

string

targetCustomer

Target Organization Name

string

role

Role

string

PH_AUDIT_USER_ORGANIZATION_ROLE_REMOVED

Description: FortiSIEM Admin User Organization Role disabled

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

targetUser

Target User

string

targetCustomer

Target Organization Name

string

role

Role

string

PH_AUDIT_RULE_ACTIVATED

Description: FortiSIEM Rule activated

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

PH_AUDIT_RULE_DEACTIVATED

Description: FortiSIEM Rule de-activated

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

PH_AUDIT_REPORT_SCHEDULED

Description: FortiSIEM Report Scheduled

Severity: 1 (Low)

Event Category: 3 (System Logs)

PH_AUDIT_DASHBOARD_SHARED

Description: FortiSIEM dashboard folder shared

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

targetUserGrp

Target User Group

string

PH_AUDIT_CASE_CREATED

Description: FortiSIEM Case Created

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

osObjHandleID

Object Handle

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

details

Details

string

PH_AUDIT_CASE_UPDATED

Description: FortiSIEM Case Updated

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

osObjHandleID

Object Handle

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

details

Details

string

PH_AUDIT_CASE_CLOSED

Description: FortiSIEM Case Closed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

osObjHandleID

Object Handle

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

details

Details

string

PH_AUDIT_INCIDENT_USER_CLEAR

Description: FortiSIEM Incident User Cleared

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

osObjHandleID

Object Handle

string

PH_AUDIT_INCIDENT_SYS_CLEAR

Description: FortiSIEM Incident System Auto-Cleared

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

osObjHandleID

Object Handle

string

PH_AUDIT_DEVICE_STATUS_CHANGED

Description: CMDB Device audit status changed

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

user

User

string

origStatus

Original Status

string

newStatus

New Status

string

eventSource

Event Source

string

PH_AUDIT_USER_ADDED

Description: System user added

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

targetUser

Target User

string

user

User

string

domain

Domain

string

PH_AUDIT_USER_DELETED

Description: System user deleted

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

user

User

string

targetUser

Target User

string

details

Details

string

PH_AUDIT_PASSWORD_CHANGED

Description: System user password changed

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

targetUser

Target User

string

user

User

string

domain

Domain

string

PH_AUDIT_OBJECT_CREATED

Description: System data object created

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjType

OS Object Type

string

osObjName

Object Name

string

PH_AUDIT_OBJECT_DELETED

Description: System data object deleted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

PH_AUDIT_OBJECT_UPDATED

Description: System data object updated

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjType

OS Object Type

string

objType

Object Type

string

osObjName

Object Name

string

osObjAction

Object Action

string

targetCustomer

Target Organization Name

string

oldSettingsValue

Old Settings Value

string

newSettingsValue

New Settings Value

string

PH_AUDIT_DEVICE_DISCOVERY_ITEM_CHANGED

Description: System CMDB device changed by discovery

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

objType

Object Type

string

addedItem

Added Item

string

PH_AUDIT_DEVICE_DELETED

Description: System CMDB device deleted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

PH_AUDIT_DEVICE_ADDED

Description: System CMDB device added

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

PH_AUDIT_DEVICE_MERGED_BY_IP_WITH_DIFF_NAME

Description: Two devices with different hostname merged becsuase of overlapping IP addresses

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostName

Host Name

string

This is the hostname of the device of interest in the event

targetHostName

Target Host Name

string

overlapIp

Overlapping IP

string

This field repsents the list of IP addresses of a just discovered device that overlaps with an existing device in CMDB.

PH_AUDIT_MALWARE_DATA_UPDATED

Description: Malware data updated by scheduled update

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

updateTime

Update Time

Date

count

Count

uint32

A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group by parameters occurs again. The count is incremented and the Last Seen time is advanced. Count can be used for other events also.

folder

Folder

string

PH_AUDIT_MALWARE_DATA_DELETED

Description: Malware data deleted by scheduled update

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

updateTime

Update Time

Date

count

Count

uint32

A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group by parameters occurs again. The count is incremented and the Last Seen time is advanced. Count can be used for other events also.

folder

Folder

string

PH_AUDIT_GROUP_CREATED

Description: FortiSIEM GUI Group Created

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

osObjName

Object Name

string

osObjType

OS Object Type

string

PH_AUDIT_GROUP_DELETED

Description: FortiSIEM GUI Group Deleted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

osObjName

Object Name

string

osObjType

OS Object Type

string

PH_AUDIT_CMDB_DISK_PRUNE_SUCCESS

Description: CMDB Disk Prune Success

Severity: 4 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

freeDiskMB

Free Disk MB

uint32

PH_AUDIT_CMDB_DISK_PRUNE_FAILED

Description: CMDB Disk Prune Failed

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

freeDiskMB

Free Disk MB

uint32

GUI User Login

PH_AUDIT_USER_LOGIN_SUCCESS

Description: System user login success

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

userFullName

User Full Name

string

PH_AUDIT_USER_LOGIN_FAILURE

Description: System user failed to login

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

domain

Domain

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

PH_AUDIT_USER_LOGOFF

Description: System user logoff

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

userFullName

User Full Name

string

Incident External Integration issue

PH_APPSERVER_OUT_INTEGRATION_ERROR

Description: Outbound external ticketing system integration error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_APPSERVER_IN_INTEGRATION_ERROR

Description: Inbound external ticketing system integration error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Incident email notification issue

PH_INCIDENT_ACTION_STATUS

Description: Record action result for incident notification

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

scriptOutput

Script Output

string

PH_APPSERVER_NOTIFIER_ERROR

Description: App Server Notifier error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Linux Agent operational errors

PH_FAILED_TO_EXEC

Description: Failed to execute specified command

Severity: 6 (Medium)

Event Category: 3 (System Logs)

PH_LINUX_AGENT_OPEN_PORT_FAILED

Description: Failed to open port

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

ipPort

IP Port

uint16

IP port number

PH_LINUX_AGENT_CONFIG_ATTR_NOT_FOUND

Description: Cannot find attribute in config file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

fileName

File Name

string

PH_LINUX_AGENT_HOST_IP_GOT_FAILED

Description: Failed to get host ip

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_LINUX_AGENT_CREATE_SOCKET_FAILED

Description: Failed to create socket

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason

PH_LINUX_AGENT_BIND_PORT_FAILED

Description: Socket failed to bind port

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

destIpPort

Destination TCP/UDP Port

uint16

This is the destination TCP or UDP port as identified in the event

PH_LINUX_AGENT_OPEN_FILE_FAILED

Description: Linux agent open file failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

fileName

File Name

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason

PH_LINUX_AGENT_VERIFIER_ERROR

Description: Linux agent verifier error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

fileName

File Name

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason

size

Size

uint32

Malware IOC handling Errors

PH_APPSERVER_FORTIGUARD_IOC_INTEGRATION_ERROR

Description: FortiGuard IOC data download/parse error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_APPSERVER_EXT_THREAT_INTEL_UPDATE_ERROR

Description: External Threat Intelligence update error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_APPSERVER_IOC_TASK_CREATE_FAILED_ERROR

Description: App Server failed to create External Threat Intelligence Update task

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Query Errors

PH_APPSERVER_QUERY_RUN_ERROR

Description: App Server failed to run historical query

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_APPSERVER_QUERY_STOP_ERROR

Description: App Server failed to stop historical query

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_APPSERVER_QUERY_RESULT_RETRIEVE_ERROR

Description: App Server failed to retrieve historical query result

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_APPSERVER_QUERY_EXPORT_ERROR

Description: App Server failed to export historical query result

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_APPSERVER_REPORT_BUNDLE_PRINT_ERROR

Description: User defined report run error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Query Performance

PH_AUDIT_QUERY_COMPLETED

Description: Audit query completed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

osObjName

Object Name

string

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

durationMSec

Duration

uint32

Duration of a connection (in msec)

queryFilter

Query Filter

string

queryDisplay

Query Display

string

queryId

Query Id

string

usageType

Usage Type

string

Rule Performance

PH_RULEMOD_PROFILE

Description: FortiSIEM Rule resource usage profile

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

ruleName

Rule Name

string

FortiSIEM rule name.

memTotalB

Total Memory Bytes

uint32

updateQueueSize

Update Queue Size

uint32

Rule trigger issues

PH_DROP_INCIDENT

Description: Incident dropped

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.

ruleName

Rule Name

string

FortiSIEM rule name.

incidentId

Incident ID

uint64

Unique ID of a FortiSIEM Incident

details

Details

string

errReason

Reason for Error

string

This is the reason for an error if given.

PH_DROP_EVENT_FROM_SHARED_BUFFER

Description: Event dropped from shared buffer

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

collectorId

Collector ID

uint32

This field captures the ID of a FortiSIEM Collector

count

Count

uint32

A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group by parameters occurs again. The count is incremented and the Last Seen time is advanced. Count can be used for other events also.

PH_REPORT_PACK_FAILED

Description: Failed to pack data

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.

PH_RULEMOD_SUMMARY_UPLOAD_FAILED

Description: Rule Worker failed to upload rule summary to Rule Master, causing potential incident loss.

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.

ruleName

Rule Name

string

FortiSIEM rule name.

PH_UTIL_NOTIFICATION_UPLOAD_FAILURE

Description: Failed to Send Notification

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

msg

Message

string

Scheduled Report issue

PH_REPORT_ACTION_STATUS

Description: Record action result for report notification

Severity: 1 (Low)

Event Category: 3 (System Logs)

Test Connectivity/Discovery Errors

PH_DISCOV_DISCOV_REQ_GET_FAILED

Description: Discovery module failed to get discovery request from App server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

PH_DISCOV_TEST_CONN_GET_REQ_FAILED

Description: Discovery module failed to get test connectivity request from App server

Severity: 9 (High)

Event Category: 3 (System Logs)

PH_DISCOV_TEST_CONN_RESULT_SEND_ERROR

Description: Discovery module encountered error in sending Test Connectivity result to app server

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phDiscovFailCode

PH Discovery Failure Code

string

PH_DISCOV_RESULT_SEND_FAILED

Description: Discovery module failed to send discovery result to App server after many retries; discovery will fail

Severity: 8 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phDiscovFailCode

PH Discovery Failure Code

string

Windows/Linux Agent operational errors

PH_AUDIT_AGENT_DISABLED

Description: FortiSIEM Windows/Linux Agent disabled

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

monitorState

Monitor State

string

type

Type

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

phAgentId

Agent ID

string

Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.

hostName

Host Name

string

This is the hostname of the device of interest in the event

PH_AUDIT_AGENT_UNINSTALLED

Description: FortiSIEM Windows/Linux Agent uninstalled

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

monitorState

Monitor State

string

type

Type

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

phAgentId

Agent ID

string

Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.

hostName

Host Name

string

This is the hostname of the device of interest in the event

PH_AUDIT_AGENT_NOTRESPONDING

Description: FortiSIEM Windows/Linux Agent not responding

Severity: 8 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

monitorState

Monitor State

string

type

Type

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

phAgentId

Agent ID

string

Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.

hostName

Host Name

string

This is the hostname of the device of interest in the event

Worker failing to store events in ClickHouse

PH_CLICKHOUSE_INSERTION_DROP_EVENTS

Description: FortiSIEM dropped events while failing to insert them to ClickHouse after retries

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

totBytes64

Total Bytes64

uint64

Total number of sent and received bytes by a host. This has 64bit resolution.

PH_DATAMANAGER_CLICKHOUSE_HTTP_UPLOAD_ERROR

Description: Failed to upload events to ClickHouse

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.

serverName

Server Name

string

Worker failing to store events in Elasticsearch

PH_DATAMANAGER_EVTLOADER_ERROR

Description: Data Manager failed to load events from shared buffer

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number

dirName

Directory Name

string

PH_DATA_CLUSTER_ELASTIC_INDEX_SEND_FAIL

Description: Elasticsearch indexing failed at the last time

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

infoURL

Informational URL

string

This field captures an URL if present in an event

size

Size

uint32

errorString

Error String

string

This is the error message, synonymous to attribute errReason

Worker failing to store events in EventDB

PH_UNABLE_CREATE_DIR

Description: Unable to create dir

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dirName

Directory Name

string

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number

PH_UNABLE_OPEN_DIR

Description: Unable to open dir

Severity: 6 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dirName

Directory Name

string

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number

PH_UNABLE_ACCESS_DIR

Description: Unable to access archive directory

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dirName

Directory Name

string

PH_DATAMANAGER_SUMMARYWRITER_ERROR

Description: Data Manager failed to write inline report results

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number

Worker falling behind in storing configuration files to SVN-lite

PH_EVT_HANDLER_SVN_QUEUE_WARNING

Description: Worker Input Event Queue large

Severity: 10 (High)

Event Category: 3 (System Logs)

Worker falling behind in storing events to Event Database

PH_EVT_HANDLER_EVT_QUEUE_WARNING

Description: Worker Input Event Queue large

Severity: 10 (High)

Event Category: 3 (System Logs)

PH_EVT_HANDLER_EVT_QUEUE_LARGE

Description: Uploaded event files size large

Severity: 6 (Medium)

Event Category: 3 (System Logs)