All Logs Page 5
Every FortiSIEM internally generated event log regardless of category
EventType: PH_QUERY_PCAP_FINALIZE_FAILED
Description: Query Master failed to finalize pcap export - export will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_PCAP_LOAD_FAILED
Description: Query Master failed to load query results in pcap format - results will not be complete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
seqNum |
Sequence Number |
uint64 |
TCP Sequence number field in TCP header. |
EventType: PH_QUERY_PCAP_RENAME_FAILED
Description: Query Master failed to rename pcap file - export will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
srcFilePath |
Source File Path |
string |
|
destFilePath |
Destination File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_QUERY_PCAP_TRANSFER_FAILED
Description: Query Master failed to transfer event to pcap packet - results will not be complete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
seqNum |
Sequence Number |
uint64 |
TCP Sequence number field in TCP header. |
EventType: PH_QUERY_PGDB_EXEC_SQL_FAILED
Description: Query Master failed to execute SQL statement against Supervisor Postgres DB for Incident Query - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dbQuery |
Database Query |
string |
|
EventType: PH_QUERY_PGDB_RECONNECT_FAILED
Description: Query Master failed to reconnect to Supervisor Postgres DB - Query Master will remain disconnected and all incident queries will fail
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_QUERY_PGDB_SQL_GET_VAL_FAILED
Description: Query Master failed to get column value from SQL result - incident query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_POST_FILTER_PARSE_FAILED
Description: Query Master failed to parse post-filter inline query results - no post-filtering is going to occur
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
task |
Task |
string |
|
EventType: PH_QUERY_PQ_ERROR
Description: FortiSIEM Postgres DB connection or execution error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
funName |
Function Name |
string |
|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_QUERY_PROCESS_GET_FAILED
Description: Query Master failed to get its own parent process
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_PROFILE_ATTR_UNSPECIFIED
Description: Query Master failed to find specified attribute in Profile Query XML from App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_PROFILE_EVENT_TYPE_ERROR
Description: Query Master encountered unexpected event type in a Profile Query - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_QUERY_PROFILE_FUNCITION_ERROR
Description: Query Master hit Function error while executing Profile Query - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_QUERY_PROFILE_NOT_MARKED_AS_BASELINE
Description: Query Master will not execute a profile query since it is not marked as baseline
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
queryId |
Query Id |
string |
|
EventType: PH_QUERY_PROGRESS_REJECTED
Description: Query Worker fails to upload query progress to Query Master - some progress reporting will be skipped
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
queryId |
Query Id |
string |
|
httpStatusCode |
HTTP Status |
string |
|
EventType: PH_QUERY_REPORTEXPORT_TASK_CREAT_FAILED
Description: Query Master failed to create task for exporting CSV/PCAP formatted Query request from App Server - export will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_REPORTEXPORT_TASK_INSERT_FAILED
Description: Query Master failed to insert task for exporting CSV/PCAP formatted Query request from App Server into internal task queue - export will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_REPORT_RESULTS_LOAD_FAILED
Description: Query Master failed to load inline query report results from file - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
EventType: PH_QUERY_REPORT_RESULTS_POST_FILTER_FAILED
Description: Query Master failed to post-filter inline query report results - no post-filtering is going to occur
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_QUERY_REPORT_RESULT_FILE_NOT_EXIST
Description: Query report result file not exist
Severity: 3 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
EventType: PH_QUERY_REQUEST_BAD
Description: FortiSIEM Query Engine received bad request
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
queryId |
Query Id |
string |
|
EventType: PH_QUERY_RESULT_FILES_MERGE_FAILED
Description: Query Master failed to merge inline query result files - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_RESULT_GET_FAILED
Description: Query Master failed to produce inline query result / CSV export - operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
seqNum |
Sequence Number |
uint64 |
TCP Sequence number field in TCP header. |
EventType: PH_QUERY_RESULT_NOT_READY
Description: Query Master failed to find Query result directory for CSV export
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_RESULT_PARSE_FAILED
Description: Query Master failed to parse trigger event query result from Data Manager
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
seqNum |
Sequence Number |
uint64 |
TCP Sequence number field in TCP header. |
queryId |
Query Id |
string |
|
EventType: PH_QUERY_RESULT_REJECTED
Description: Query Master rejected query result upload from Query Worker
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
httpStatusCode |
HTTP Status |
string |
|
EventType: PH_QUERY_RESULT_SAVE_FAILED
Description: FortiSIEM Query Engine failed to save query result
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
seqNum |
Sequence Number |
uint64 |
TCP Sequence number field in TCP header. |
EventType: PH_QUERY_RESULT_UPLOAD_FAILED
Description: Query Worker failed to upload query result to Query Master - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
destIpAddr |
Destination IP |
IP |
Destination IP of a device as identified in the event. |
queryId |
Query Id |
string |
|
filePath |
File Path |
string |
|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_QUERY_RT_ERROR
Description: Query Worker spawned excessive threads to handle reat time search and will exit (delete)
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_QUERY_SORT_SPEC_GET_FAILED
Description: Query Master failed to get sort specfication for cached query result - query will automatically rerun
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_START_FAILED
Description: Query Worker failed to start a query - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
queryId |
Query Id |
string |
|
reportName |
Report Name |
string |
FortiSIEM report name. |
EventType: PH_QUERY_STATE_BAD
Description: Query Master encounters invalid query state - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
queryId |
Query Id |
string |
|
EventType: PH_QUERY_STATUS_LOAD_FAILED
Description: Query Master failed to load query status from disk - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_STATUS_SAVE_FAILED
Description: Query Master failed to save query status to disk - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_SUMM_ATTR_BAD
Description: Query Master encoutered bad attribute in Summary Dashboard data cache - cache will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_SUMM_ATTR_MISSING
Description: Query Master failed to locate an attribute in Summary Dashboard data cache - cache will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_SUMM_ATTR_UPDATE_FAILED
Description: Query Master failed to update certain host attribute in Summary Dashboard data cache - cache will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
hostIpAddr |
Host IP |
IP |
This is the IP of the device of interest in the event. |
EventType: PH_QUERY_SUMM_COLUMN_UNSUPPORTED
Description: Query Master encountered unsupported attribute in Summary Dashboard data cache - cache will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_SUMM_EVENT_SKIPPED
Description: Query Master skipped a bad event for Summary Dashboard data cache - performance metrics will be partially updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
compEventType |
Component Event Type |
string |
This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute. |
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_QUERY_SUMM_PARSE_FAILED
Description: Query Master failed to parse Summary Dashboard Query XML - one query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
task |
Task |
string |
|
EventType: PH_QUERY_SUMM_PERF_ETINFO_UNSUPPORTED
Description: Query Master encountered unsupported perfETInfo in Summary Dashboard Query - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_TASK_INVALID
Description: FortiSIEM Query task and worker IP are not matched
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
task |
Task |
string |
|
clientIpAddr |
Client IP |
IP |
|
EventType: PH_QUERY_TASK_REROUTED
Description: FortiSIEM Query task is rerouted
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
task |
Task |
string |
|
srcIpAddr |
Source IP |
IP |
Source IP of a device as identified in the event. |
destIpAddr |
Destination IP |
IP |
Destination IP of a device as identified in the event. |
EventType: PH_QUERY_TASK_REROUTE_FAILED
Description: FortiSIEM Query Task Reroute failed
Severity: 6 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
task |
Task |
string |
|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_QUERY_VALUE_TYPE_UNSUPPORTED
Description: FortiSIEM Query Engine encountered bad value type
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_QUERY_WORKERS_GET_FAILED
Description: Query Master failed to get the list of query workers - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_QUERY_WORKERS_SPLIT_AMONG_FAILED
Description: Query Master failed to split query among workers - query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
queryId |
Query Id |
string |
|
EventType: PH_QUERY_WORKER_CHANGED_TO_OFFLINE
Description: FortiSIEM Query Worker Status Changed from online to offline
Severity: 6 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
serverIpAddr |
Server IP |
IP |
|
EventType: PH_QUERY_WORKER_CHANGED_TO_ONLINE
Description: FortiSIEM Query Worker Status Changed from offline to online
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
serverIpAddr |
Server IP |
IP |
|
EventType: PH_QUERY_XML_PARSE_FAILED
Description: Query Master / Worker failed to parse query XML
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
task |
Task |
string |
|
totBytes64 |
Total Bytes64 |
uint64 |
Total number of sent and received bytes by a host. This has 64bit resolution. |
EventType: PH_READER_BLOCK_WRITE
Description: Reader is blocking writer&Restart
Severity: 6 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
reptProcName |
Reported Process Name |
string |
|
EventType: PH_REPORT_ACTION_STATUS
Description: Record action result for report notification
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_REPORT_ACT_FAILED
Description: Query Master/Query Worker/Report Worker/Report Loader failed to perform requested ACTION from App Server, i.e. UPDATE, REMOVE. Event Role will not be updated.
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
roleId |
Role ID |
uint32 |
|
EventType: PH_REPORT_AGGR_FIELDS_EMPTY
Description: Report Master/Report Worker encountered empty aggregate fields. Report file will be incomplete
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_REPORT_AGGR_FIELD_NOT_ADDED
Description: Query Master/Report Master/Report Worker failed to add certain aggregate field to report schema. The schema will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_AGGR_FUNC_EMPTY
Description: Report Master/Report Worker encountered empty aggregate function. Report file will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
reportId |
Report ID |
uint32 |
|
EventType: PH_REPORT_AGGR_TYPE_ERROR
Description: Report Master/Report Worker encountered aggregate type error. Report file will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_AGGR_TYPE_UNDEFINED
Description: Report Master/Report Worker encountered undefined aggregate type. Report file will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_ATTR_ID_UNSUPPORTED
Description: Report Master/Report Worker encountered unsupported attribute ID. Report file will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_ATTR_MISSING
Description: Report Master/Report Worker failed to locate certain attribute. Report file will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_ATTR_UNDEFINED
Description: Report Master/Report Worker encountered undefined attribute. Report file will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_BUFFER_OVERFLOW
Description: Report buffer overflow
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
size |
Size |
uint32 |
|
EventType: PH_REPORT_CHECKSUM_MISMATCH
Description: Query Master encountered checksum mismatch in report results. The inline query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_CONFIG_UPDATE_NULL
Description: Report Worker/Report Loader encountered NULL object in config update. Config update will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_CONVERT_FAILED
Description: FortiSIEM internal error used for testing
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
queryId |
Query Id |
string |
|
EventType: PH_REPORT_DATA_INIT_FAILED
Description: Query Master/Report Master failed to initialize report results block data. This inline query or report rolling will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_DATA_SIZE_MISMATCH
Description: Query Master/Report Master/Report Worker/Report Loader encountered size mismatch between two pieces of data. The affected operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
reportId |
Report ID |
uint32 |
|
EventType: PH_REPORT_DATA_SIZE_OVERFLOW
Description: Query Master/Report Master/Report Worker/Report Loader encountered data size overflow. The affected operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_DATA_SIZE_UNEXPECTED
Description: Query Master/Report Master/Report Worker/Report Loader encountered unexpected data type. The affected operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_DATA_SIZE_UNKNOWN
Description: Query Master/Report Master/Report Worker/Report Loader encountered unknown data size. The affected operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_DATA_TYPE_UNEXPECTED
Description: Query Master/Report Master/Report Worker/Report Loader encountered unexpected data type. The affected operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_DIR_CREATE_FAILED
Description: FortiSIEM Report Engine failed to create directory
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_REPORT_DIR_OPEN_FAILED
Description: FortiSIEM Report Engine failed to open directory
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_REPORT_DIR_REMOVE_FAILED
Description: FortiSIEM Report Engine failed to remove directory
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_REPORT_ES_BUCKETS_EMPTY
Description: Data Manager encountered empty Elastic Search buckets. Report data will not be written to disk
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_ES_POST_FAILED
Description: Report Master/Report Worker failed to POST Elastic Search data to App Server. Report data will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
task |
Task |
string |
|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
httpStatusCode |
HTTP Status |
string |
|
EventType: PH_REPORT_ES_PROFILE_EMPTY
Description: Report Master encountered empty Elastic Search profile. Report data will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
reportId |
Report ID |
uint32 |
|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
EventType: PH_REPORT_ES_PROFILE_TIMEOUT
Description: Report Master encountered timeout in Elastic Search profile response. This profile will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
reportId |
Report ID |
uint32 |
|
EventType: PH_REPORT_ES_PURGE_INDEX_FAILED
Description: Elastic Search Purge Inline Report Index Failed
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_ES_TIME_RANGE_INVALID
Description: Report Master encountered invalid time range in Elastic Search profile query. This query will failed to be built
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_EXPR_PARSE_FAILED
Description: Query Master failed to parse schema expression. This inline query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
task |
Task |
string |
|
EventType: PH_REPORT_FILE_CONTENT_MISSING
Description: Report Master failed to locate certain content in report file. Report rolling will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
EventType: PH_REPORT_FILE_COPY_FAILED
Description: Report Master/Report Worker failed to copy report file. Report data will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
srcFilePath |
Source File Path |
string |
|
destFilePath |
Destination File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_REPORT_FILE_HEADER_BAD
Description: Query Master/Report Master/Report Worker encountered bad report file header. This inline query or report rolling will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
EventType: PH_REPORT_FILE_INIT_FAILED
Description: Report Master/Report Worker failed to initialize report file. Report data will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
EventType: PH_REPORT_FILE_LINK_FAILED
Description: Report Master failed to link report file. Report data will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
srcFilePath |
Source File Path |
string |
|
destFilePath |
Destination File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_REPORT_FILE_MAGIC_BAD
Description: Query Master/Report Master/Report Worker encountered bad report file magic. Inline query or report data will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
EventType: PH_REPORT_FILE_MMAP_FAILED
Description: Query Master/Report Master failed to memory-map report file. This inline query or report rolling will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_REPORT_FILE_NAME_BAD
Description: Report Master/Report Loader encountered bad report file name. This report rolling or loading will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
EventType: PH_REPORT_FILE_OPEN_FAILED
Description: Query Master/Report Master/Report Worker/Report Loader failed to open report file. Related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_REPORT_FILE_PARSE_FAILED
Description: FortiSIEM Report Engine failed to parse file
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
EventType: PH_REPORT_FILE_READ_FAILED
Description: Identity Master/Identity Worker failed to read entry IDs file. The process will terminate
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_REPORT_FILE_REMOVE_FAILED
Description: Report Master failed to remove report file. Disk will eventually be full
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_REPORT_FILE_RENAME_FAILED
Description: Report Master failed to rename report file. This report rolling will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
srcFilePath |
Source File Path |
string |
|
destFilePath |
Destination File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_REPORT_FILE_RSYNC_FAILED
Description: Report Master failed to rsync report file to remote super
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
srcFilePath |
Source File Path |
string |
|
targetHostName |
Target Host Name |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_REPORT_FILE_STAT_FAILED
Description: Report Worker/Report Loader failed to stat report file. This report writing or loading will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_REPORT_FILE_TYPE_UNKNOWN
Description: Report Worker/Report Loader encountered unknown report file type. This report writing or loading will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
EventType: PH_REPORT_FILE_UNSPECIFIED
Description: Report Master/Report Worker encountered unspecified report file. Report data will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_FILE_WRITE_FAILED
Description: Identity Master/Identity Worker failed to write entry IDs to file. The process will terminate
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_REPORT_FUNC_OBJ_DEF_ERROR
Description: Internal error and highly generic. Refer to [procName] and [phLogDetail] tags in the actual log
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_FUNC_OBJ_DEF_GET_FAILED
Description: Internal error and highly generic. Refer to [procName] and [phLogDetail] tags in the actual log
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_FUNC_OBJ_DEF_UNKNOWN
Description: Internal error and highly generic. Refer to [procName] and [phLogDetail] tags in the actual log
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_ID_LOC_DEVICE_EXCLUDED_INVALID
Description: FortiSIEM Identity and location module encountered invalid excluded device
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_ID_LOC_EVENT_SEND_FAILED
Description: FortiSIEM Identity and location module failed to upload events
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
totBytes64 |
Total Bytes64 |
uint64 |
Total number of sent and received bytes by a host. This has 64bit resolution. |
EventType: PH_REPORT_ID_LOC_RESULT_UPLOAD_FAILED
Description: FortiSIEM Identity and location module failed to upload results to App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
httpStatusCode |
HTTP Status |
string |
|
EventType: PH_REPORT_ID_LOC_SYNCH_DATA_UPLOAD_FAILED
Description: FortiSIEM Identity and location module failed to upload Synch Data (Worker to Master)
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
totBytes64 |
Total Bytes64 |
uint64 |
Total number of sent and received bytes by a host. This has 64bit resolution. |
EventType: PH_REPORT_ID_LOC_USER_ALREADY_EXCLUDED
Description: FortiSIEM Identity and location module found already excluded user
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
user |
User |
string |
|
EventType: PH_REPORT_ID_LOC_USER_EXCLUDE_FAILED
Description: FortiSIEM Identity and location module failed to exclude user
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
user |
User |
string |
|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
EventType: PH_REPORT_INDEX_OVERFLOW
Description: Query Master/phRuleMaster/Report Master/Report Worker/Report Loader/Data Manager/Identity Master/Identity Worker encountered index out of bound. Related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
seqNum |
Sequence Number |
uint64 |
TCP Sequence number field in TCP header. |
size |
Size |
uint32 |
|
EventType: PH_REPORT_IP_GET_FAILED
Description: Failed to get host IP
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
hostName |
Host Name |
string |
This is the hostname of the device of interest in the event |
EventType: PH_REPORT_IP_TYPE_INVALID
Description: Invalid IP type
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_KEY_LOAD_FAILED
Description: FortiSIEM Report module failed to load event attribute keys
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_REPORT_MODULE_INIT_FAILED
Description: Report Master/Report Worker/Report Loader/Identity Master/Identity Worker failed to initialize certain module. Related operation will fail
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
module |
Module Name |
string |
|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_REPORT_MODULE_UNCONFIGURED
Description: Report Worker encountered unconfigured item. The process will terminate
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
module |
Module Name |
string |
|
EventType: PH_REPORT_OLD_REPORT_DATA
Description: Report Master encountered older report data from Worker, might enlarge block_collection_window
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_REPORT_OP_UNEXPECTED
Description: Query Master/Report Master/Report Worker encountered unexpected operator type. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_ORDER_BY_ATTR_EMPTY
Description: Query Master/phRuleMaster/Report Master encountered empty order-by attributes in report. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
reportId |
Report ID |
uint32 |
|
EventType: PH_REPORT_ORDER_BY_INVALID
Description: Query Master/phRuleMaster/Report Master encountered invalid order-by attributes in report. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
reportId |
Report ID |
uint32 |
|
EventType: PH_REPORT_PACK_FAILED
Description: Failed to pack data
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_REPORT_PACK_FAILED_COUNT
Description: Failed to pack or unpack data
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_REPORT_PARSED_EVENT_LOAD_FAILED
Description: FortiSIEM Report module failed to load event
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_PGDB_CONNECT_FAILED
Description: Report Loader failed to connect to Postgres DB. Report loading will fail
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_REPORT_PGDB_EXEC_FAILED
Description: Report Loader failed to execute SQL statement in Postgres DB. This report loading will fail
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dbQuery |
Database Query |
string |
|
EventType: PH_REPORT_PGDB_NOT_CONNECTED
Description: Query Master/Report Loader encountered disconnected Postgres DB while executing SQL statement. This incident query or report loading will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dbQuery |
Database Query |
string |
|
EventType: PH_REPORT_PGDB_NOT_INIT
Description: Query Master/Report Loader encountered uninitialized Postgres DB connection manager. The process will terminate
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_REPORT_POINTER_NULL
Description: Query Master/phRuleMaster/Report Master/Report Worker/Report Loader/Data Manager/Identity Master/Identity Worker encountered NULL pointer. Related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_POINTER_NULL_WARNING
Description: NULL pointer detected
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_POSITIVE_INTEGER_EXPECTED
Description: Query Master/Data Manager expected positive integer in performance data but got other value. Default value will be set instead
Severity: 3 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
compEventType |
Component Event Type |
string |
This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute. |
EventType: PH_REPORT_PQ_ERROR
Description: Query Master/Report Loader encountered PQ function error in Postgres DB. This incident query or report loading will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
funName |
Function Name |
string |
|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_PROFILE_TYPE_BAD
Description: FortiSIEM Report module encountered bad profile
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_PROFILE_TYPE_WRONG_FORMAT
Description: Query Master encountered wrong format of profile. This inline query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
reportId |
Report ID |
uint32 |
|
EventType: PH_REPORT_PROFILE_UPDATE_FAILED
Description: FortiSIEM Report module failed to upload profile
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
profDateType |
Profile Date Type |
uchar |
|
EventType: PH_REPORT_ROW_LENGTH_ZERO
Description: Query Master encountered empty row for given report ID. This inline query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
reportId |
Report ID |
uint32 |
|
EventType: PH_REPORT_RULE_ATTR_MISSING
Description: Query Master failed to locate certain rule attribute in profile. This profile query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_REPORT_SCHEMA_INCOMPATIBLE
Description: Query Master/Report Master encountered incompatible report schema. This inline query or report rolling will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_SCHEMA_INVALID
Description: Query Master/Report Master encountered invalid report schema. This inline query or report rolling will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_SCHEMA_LOAD_FAILED
Description: Query Master/Report Master failed to load report schema. This inline query or report rolling will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_SQLITE3_BATCH_BEGIN_FAILED
Description: Report Master failed to begin SQLite3 batch transaction. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dbName |
DB Name |
string |
|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
profDateType |
Profile Date Type |
uchar |
|
hourOfDay |
Hour Of Day |
uint16 |
This attribute is not used |
EventType: PH_REPORT_SQLITE3_BATCH_COMMIT_FAILED
Description: Report Master failed to commit SQLite3 batch transaction. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dbName |
DB Name |
string |
|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
profDateType |
Profile Date Type |
uchar |
|
hourOfDay |
Hour Of Day |
uint16 |
This attribute is not used |
EventType: PH_REPORT_SQLITE3_BIND_VALUE_FAILED
Description: Report Master failed to bind certain value to SQLite3. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
tablespaceName |
DB Tablespace Name |
string |
|
dbRetCode |
DB Return Code |
uint32 |
|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_SQLITE3_BUSY
Description: Report Master encountered SQLite3 busy state. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dbRetCode |
DB Return Code |
uint32 |
|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_SQLITE3_BUSY_TIMEOUT_ERROR
Description: Report Master encountered SQLite3 busy timeout. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dbName |
DB Name |
string |
|
dbRetCode |
DB Return Code |
uint32 |
|
EventType: PH_REPORT_SQLITE3_CHECKPOINT_FAILED
Description: FortiSIEM Report module failed to checkpoint profile
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dbName |
DB Name |
string |
|
dbRetCode |
DB Return Code |
uint32 |
|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_SQLITE3_COMMIT_ERROR
Description: Report Master encountered commit error in SQLite3. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
tablespaceName |
DB Tablespace Name |
string |
|
EventType: PH_REPORT_SQLITE3_CONFIG_FAILED
Description: Report Master failed to configurate SQLite3 with multi-thread mode. Performance will degrade
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dbName |
DB Name |
string |
|
dbRetCode |
DB Return Code |
uint32 |
|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_SQLITE3_ENABLE_SHARED_CACHE_FAILED
Description: Report Master failed to enable shared cache for SQLite3. Performance will degrade
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dbName |
DB Name |
string |
|
dbRetCode |
DB Return Code |
uint32 |
|
EventType: PH_REPORT_SQLITE3_EXEC_FAILED
Description: Report Master failed to execute SQLite3 statement. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dbName |
DB Name |
string |
|
dbQuery |
Database Query |
string |
|
dbRetCode |
DB Return Code |
uint32 |
|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
tablespaceName |
DB Tablespace Name |
string |
|
EventType: PH_REPORT_SQLITE3_EXTENDED_RESULT_CODES_ERROR
Description: Report Master failed to enable extended result codes for SQLite3. Maintainability will degrade
Severity: 3 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dbName |
DB Name |
string |
|
dbRetCode |
DB Return Code |
uint32 |
|
EventType: PH_REPORT_SQLITE3_OPEN_FAILED
Description: Report Master failed to open SQLite3. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dbName |
DB Name |
string |
|
dbRetCode |
DB Return Code |
uint32 |
|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_SQLITE3_PREPARE_ERROR
Description: Report Master failed to prepare SQLite3 statement. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
tablespaceName |
DB Tablespace Name |
string |
|
dbQuery |
Database Query |
string |
|
dbRetCode |
DB Return Code |
uint32 |
|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_SQLITE3_PROFILE_ENTRY_DELETE_FAILED
Description: Report Master failed to delete profile entry from SQLite3. Profile or Daily DB will contain redundant data
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dbName |
DB Name |
string |
|
reportId |
Report ID |
uint32 |
|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
profDateType |
Profile Date Type |
uchar |
|
hourOfDay |
Hour Of Day |
uint16 |
This attribute is not used |
EventType: PH_REPORT_SQLITE3_PROFILE_NOT_FOUND
Description: Report Master failed to find profile ID in SQLite3. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dbName |
DB Name |
string |
|
reportId |
Report ID |
uint32 |
|
EventType: PH_REPORT_SQLITE3_STEP_ERROR
Description: Report Master failed to step SQLite3 statement. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
tablespaceName |
DB Tablespace Name |
string |
|
dbRetCode |
DB Return Code |
uint32 |
|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_UNPACK_FAILED
Description: Rule Master failed to unpack rule data from Rule Workers, causing potential incident loss.
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_REPORT_VALUE_TYPE_LOOKUP_BY_ID_FAILED
Description: Report-related process failed to lookup value type by attribute ID. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_VALUE_TYPE_LOOKUP_BY_NAME_FAILED
Description: Report-related process failed to lookup value type by attribute name. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_VALUE_TYPE_OF_ID_UNEXPECTED
Description: Report-related process encountered unexpected value type of certain attribute ID. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_VALUE_TYPE_OF_NAME_UNEXPECTED
Description: Report-related process encountered unexpected value type of certain attribute name. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_VALUE_TYPE_OF_STAT_UNEXPECTED
Description: Report-related process encountered unexpected value type of stat item. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_VALUE_TYPE_UNSUPPORTED
Description: Report-related process encountered unsupported value type. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_WORKER_UPLOAD_FAILED
Description: Failed to upload a data block buffer
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
reportId |
Report ID |
uint32 |
|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
EventType: PH_REPORT_XML_ELEMENT_DUPLICATE
Description: Query Master encountered duplicate XML element. This performance metrics update will not be complete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
task |
Task |
string |
|
totBytes64 |
Total Bytes64 |
uint64 |
Total number of sent and received bytes by a host. This has 64bit resolution. |
compEventType |
Component Event Type |
string |
This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute. |
EventType: PH_REPORT_XML_ELEMENT_MISSING
Description: Report Master failed to locate certain XML element. This report rolling will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
task |
Task |
string |
|
totBytes64 |
Total Bytes64 |
uint64 |
Total number of sent and received bytes by a host. This has 64bit resolution. |
EventType: PH_REPORT_XML_ELEMENT_PARSE_FAILED
Description: Query Master failed to parse certain XML element. This performance metrics update will not be complete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
task |
Task |
string |
|
totBytes64 |
Total Bytes64 |
uint64 |
Total number of sent and received bytes by a host. This has 64bit resolution. |
compEventType |
Component Event Type |
string |
This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute. |
EventType: PH_REPORT_XML_PARSE_FAILED
Description: Report-related process failed to parse certain XML. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
task |
Task |
string |
|
totBytes64 |
Total Bytes64 |
uint64 |
Total number of sent and received bytes by a host. This has 64bit resolution. |
EventType: PH_REPORT_ZLIB_COMPRESSION_TYPE_UNKNOWN
Description: Query Master encountered unknown Zlib compression type for report results file. This inline query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_ZLIB_UNCOMPRESS_FAILED
Description: Query Master failed to uncompress Zlib report results file. This inline query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
exitValue |
Command exit value |
int32 |
|
EventType: PH_RULEMASTER_TEST_RULES_CHECK_SYNTAX
Description: Rule master starts to check syntax
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
EventType: PH_RULEMASTER_TEST_RULES_FINALIZE_STATE
Description: Rule master finalizes state report summary
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
EventType: PH_RULEMASTER_TEST_RULES_UPDATE_STATE
Description: Rule master updates state report summary
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
EventType: PH_RULEMOD_AGGREGATOR_EMPTY
Description: Rule Master/Rule Worker encountered empty aggregator. This rule definition will be incomplete
Severity: 5 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_ARITH_OP_ILLEGAL
Description: Rule Master/Rule Worker encountered illegal arithmetic operation. This rule evaluation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_RULEMOD_ATTR_ALREADY_ASSOCIATED
Description: Rule Master/Rule Worker encountered attribute already associated with given event type in '/opt/phoenix/bin/evtTypeAttrMapForSimpleRule.xml'. The process will terminate
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
compEventType |
Component Event Type |
string |
This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute. |
EventType: PH_RULEMOD_ATTR_ID_LOOKUP_BY_NAME_FAILED
Description: Rule Master/Rule Worker failed to lookup attribute ID by name in '/opt/phoenix/bin/evtTypeAttrMapForSimpleRule.xml'. The process could terminate depending on the attribute type
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_ATTR_ID_UNDEFINED
Description: Rule Master/Rule Worker encountered undefined attribute ID. This rule evaluation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_ATTR_MISSING
Description: Rule Master/Rule Worker failed to locate certain attribute in '/opt/phoenix/bin/evtTypeAttrMapForSimpleRule.xml'. This attribute will be skipped
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_ATTR_NAME_LOOKUP_BY_ID_FAILED
Description: Query Master/Rule Master/Rule Worker failed to lookup attribute name by ID. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_ATTR_UNDEFINED
Description: Query Master/Rule Master/Rule Worker encountered undefined event attribute. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_BUFFER_EMPTY
Description: Rule Master/Rule Worker encountered empty buffer in loading '/opt/phoenix/bin/evtTypeAttrMapForSimpleRule.xml'. The process will terminate
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_CLEAR_CONDITION_INVALID
Description: Query Master/Rule Master/Rule Worker encountered invalid clear condition in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_RULEMOD_CLEAR_CONDITION_SET_FAILED
Description: Query Master/Rule Master/Rule Worker failed to set clear condition in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_CONFIG_UNDEFINED
Description: Rule Master encountered undefined config item of db_server_host. Incident processing will not work
Severity: 9 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
configName |
Config Name |
string |
|
EventType: PH_RULEMOD_CONSTRUCTOR_ERROR
Description: Rule Master/Rule Worker encountered error in constructor of given module. This rule evaluation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
module |
Module Name |
string |
|
EventType: PH_RULEMOD_CUST_ID_LIST_INVALID
Description: Query Master/Rule Master/Rule Worker encountered invalid customer ID list in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
task |
Task |
string |
|
EventType: PH_RULEMOD_DATA_REQUEST_PARSE_FAILED
Description: Query Master failed to parse data request from App Server. This inline query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
EventType: PH_RULEMOD_DATA_SIZE_OVERFLOW
Description: Rule Master/Rule Worker encountered data size exceeding its capacity. This rule parsing or evaluation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_DATA_UNSUPPORTED
Description: Rule Master/Rule Worker encountered unsupported data. This rule parsing or evaluation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_DB_SERVER_HOST_UNDEFINED
Description: Database server host not defined for rule master
Severity: 3 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
configName |
Config Name |
string |
|
EventType: PH_RULEMOD_DIR_OPEN_FAILED
Description: Rule Master/Rule Worker failed to open rule XML directory. The process will terminate
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_RULEMOD_ENCODE_FAILED
Description: Query Master/Rule Master/Rule Worker failed to encode given data. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_ENTITY_VERSION_MISSING
Description: Query Master/Rule Master/Rule Worker failed to identify entity version of rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_EVENT_TYPE_GROUP_INVALID
Description: Rule Worker failed to parse certain event type group in rules. Affected rule evaluation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
eventTypeGrp |
Event Type Group |
string |
This field is not used |
EventType: PH_RULEMOD_EVENT_TYPE_NOT_FOUND
Description: Query Master/Rule Master/Rule Worker failed to find certain event type in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_EXCEPTION_ELEMENT_INVALID
Description: Rule Master encountered invalid element in rule exception. This rule exception parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
description |
Description |
string |
|
EventType: PH_RULEMOD_EXPR_EVAL_UNKNOWN
Description: Query Master encountered unknown expression evaluation of given operator type. This incident query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_RULEMOD_EXPR_PARSE_FAILED
Description: Query Master/Rule Master/Rule Worker failed to parse certain expression. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
task |
Task |
string |
|
EventType: PH_RULEMOD_EXPR_UNSUPPORTED
Description: Query Master/Rule Master/Rule Worker encountered unsupported expression in aggregate function. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
funName |
Function Name |
string |
|
EventType: PH_RULEMOD_FILE_OPEN_FAILED
Description: Rule Master/Rule Worker failed to open rule-related file. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_RULEMOD_FILE_UNSPECIFIED
Description: Rule Master/Rule Worker encountered unspecified rule XML file. This rule update will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_RULEMOD_FORMAT_ERROR
Description: Query Master/Rule Master/Rule Worker encountered format error in given expression. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_FUNC_NOT_FOUND
Description: Query Master/Rule Master/Rule Worker failed to locate certain function in given expression. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
funName |
Function Name |
string |
|
EventType: PH_RULEMOD_FUNC_PARSE_FAILED
Description: Query Master/Rule Master/Rule Worker failed to parse certain function in given expression. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
funName |
Function Name |
string |
|
EventType: PH_RULEMOD_GLOBAL_CONSTRAINT_INVALID
Description: Query Master/Rule Master/Rule Worker encountered invalid global constraint in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
task |
Task |
string |
|
EventType: PH_RULEMOD_GROUPBY_LIST_INVALID
Description: Query Master/Rule Master/Rule Worker encountered invalid group-by list in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
task |
Task |
string |
|
EventType: PH_RULEMOD_GROUPBY_LIST_NOT_FOUND
Description: Query Master/Rule Master/Rule Worker failed to find group-by list in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_GROUP_EVENT_CONSTRAINT_INVALID
Description: Query Master/Rule Master/Rule Worker encountered invalid group event constraint in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
task |
Task |
string |
|
EventType: PH_RULEMOD_ID_LOOKUP_BY_INCIDENT_FAILED
Description: Rule Master failed to lookup rule ID by incident ID. This incident firing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
incidentId |
Incident ID |
uint64 |
Unique ID of a FortiSIEM Incident |
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
EventType: PH_RULEMOD_INCIDENT_ARG_INVALID
Description: Query Master/Rule Master/Rule Worker encountered invalid incident argument in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
task |
Task |
string |
|
EventType: PH_RULEMOD_INCIDENT_CACHE_NOT_FOUND
Description: Rule Master failed to find incident cache for given incident ID. This incident will not be cleared
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
incidentId |
Incident ID |
uint64 |
Unique ID of a FortiSIEM Incident |
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_INCIDENT_DEF_INVALID
Description: Query Master/Rule Master encountered invalid incident definition in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_INCIDENT_NOT_FOUND
Description: Rule Master failed to find given incident ID. This incident will not be cleared
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
incidentId |
Incident ID |
uint64 |
Unique ID of a FortiSIEM Incident |
EventType: PH_RULEMOD_INCIDENT_REPORT_SEND_FAILED
Description: Rule Master failed to send incident report to phParser. This incident will be missing in eventdb
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
destName |
Destination Host Name |
string |
Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address. |
destIpPort |
Destination TCP/UDP Port |
uint16 |
This is the destination TCP or UDP port as identified in the event |
EventType: PH_RULEMOD_INDEX_OVERFLOW
Description: Query Master encountered out-of-bound index in certain data. This incident query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
seqNum |
Sequence Number |
uint64 |
TCP Sequence number field in TCP header. |
size |
Size |
uint32 |
|
EventType: PH_RULEMOD_INFO_GET_FAILED
Description: FortiSIEM Report module failed to get statistics
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_IP_GET_FAILED
Description: Rule Worker failed to get host IP of Supervisor. Incident firing will not work
Severity: 9 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
hostName |
Host Name |
string |
This is the hostname of the device of interest in the event |
EventType: PH_RULEMOD_IP_INVALID
Description: Query Master/Rule Master/Rule Worker found invalid IP in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
hostIpAddr |
Host IP |
IP |
This is the IP of the device of interest in the event. |
EventType: PH_RULEMOD_IP_TYPE_INVALID
Description: Invalid IP type
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_LOAD_METHOD_UNDEFINED
Description: Rule Master/Rule Worker encountered undefined rule load method. Rule loading will fail
Severity: 9 (High)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_MEM_ALLOC_FAILED
Description: Query Master/Rule Master/Rule Worker failed to allocate memory. The related operation will fail
Severity: 9 (High)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_MODULE_INIT_FAILED
Description: Rule Master/Rule Worker failed to be initialized. The process will terminate
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
module |
Module Name |
string |
|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_RULEMOD_MUTEX_ACQUIRE_FAILED
Description: Query Master/Rule Master/Rule Worker failed to acquire mutex. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
module |
Module Name |
string |
|
EventType: PH_RULEMOD_NOTIF_CONNECTION_FAILED
Description: Rule Master failed to establish notification connection to phParser. This incident will be missing in eventdb
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
destName |
Destination Host Name |
string |
Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address. |
destIpPort |
Destination TCP/UDP Port |
uint16 |
This is the destination TCP or UDP port as identified in the event |
EventType: PH_RULEMOD_OBJ_GET_FROM_SUBPATTERN_FAILED
Description: Rule Master failed to get certain object from subpattern. This incident cache update will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_OBJ_LOAD_FAILED
Description: Query Master/Rule Master/Rule Worker failed to load certain object in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_OP_NOT_FUNC
Description: Rule Master encountered an operator of non-function type. This incident initialization will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_OP_UNKNOWN
Description: Query Master/Rule Master/Rule Worker encountered unknown operator. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_PARSED_EVENT_LOAD_FAILED
Description: Rule Worker failed to load and skipped a parsed event, causing potential incident loss.
Severity: 5 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_PQ_ERROR
Description: Rule Master encountered PQ function error in Postgres DB. Incident processing will not work
Severity: 9 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
funName |
Function Name |
string |
|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_RULEMOD_PROFILE
Description: FortiSIEM Rule resource usage profile
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
memTotalB |
Total Memory Bytes |
uint32 |
|
updateQueueSize |
Update Queue Size |
uint32 |
|
EventType: PH_RULEMOD_REM_BY_ZERO
Description: Rule Master/Rule Worker caught remainder-by-zero exception. Default value will be set instead
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_REM_BY_ZEROD
Description: FortiSIEM Report module failed to produce statistics
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_SELECT_ATTR_PARSE_FAILED
Description: Query Master/Rule Master/Rule Worker failed to parse and skipped certain select attribute. This rule parsing will be incomplete
Severity: 5 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_SELECT_SPEC_PARSE_FAILED
Description: Query Master/Rule Master/Rule Worker failed to parse at least one select spec field. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_SINGLE_EVENT_CONSTRAINT_INVALID
Description: Query Master/Rule Master/Rule Worker encountered invalid single event constraint in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
task |
Task |
string |
|
EventType: PH_RULEMOD_SUBPATTERN_INVALID
Description: Query Master/Rule Master/Rule Worker encountered invalid subpattern in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_RULEMOD_SUBPATTERN_MISSING
Description: Query Master/Rule Master/Rule Worker failed to locate certain subpattern in XML. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_SUBPATTERN_MORE_THAN_ONE
Description: Query Master/Rule Master/Rule Worker encountered more than one subpattern in simple rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_SUBPATTERN_UNDEFINED
Description: Query Master/Rule Master/Rule Worker encountered undefined subpattern in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_SUMMARY_UPLOAD_FAILED
Description: Rule Worker failed to upload rule summary to Rule Master, causing potential incident loss.
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_THREAD_SPAWN_FAILED
Description: Rule Master/Rule Worker failed to spawn thread during initialization. The process will terminate
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
funName |
Function Name |
string |
|
EventType: PH_RULEMOD_TOKEN_UNDEFINED
Description: Query Master/Rule Master/Rule Worker encountered undefined token of given type in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_TOKEN_UNEXPECTED
Description: Query Master/Rule Master/Rule Worker encountered unexpected token of given type in rule. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_UNPACK_FAILED
Description: Rule Master failed to unpack rule data from Rule Workers, causing potential incident loss.
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_RULEMOD_VALUE_TYPE_UNEXPECTED
Description: Query Master encountered unexpected value type of certain attribute. This incident query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_XML_ELEMENT_EMPTY
Description: Query Master/Rule Master/Rule Worker encountered empty XML element. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_XML_ELEMENT_MISSING
Description: Query Master/Rule Master/Rule Worker encountered missing XML element. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_XML_ELEMENT_PARSE_FAILED
Description: Query Master failed to parse certain XML element. This inline query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_XML_ELEMENT_UNEXPECTED
Description: Query Master/Rule Master/Rule Worker encountered unexpected XML element. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_RULEMOD_XML_ELEMENT_UNKNOWN
Description: Query Master/Rule Master/Rule Worker encountered unknown XML element. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEMOD_XML_LOAD_FAILED
Description: Rule Master/Rule Worker failed to load rule XML from file. This rule loading will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
EventType: PH_RULEMOD_XML_PARSE_FAILED
Description: Query Master/Rule Master/Rule Worker failed to parse rule XML. This rule parsing will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
task |
Task |
string |
|
totBytes64 |
Total Bytes64 |
uint64 |
Total number of sent and received bytes by a host. This has 64bit resolution. |
EventType: PH_RULEMOD_XML_POINTER_NULL
Description: NULL pointer in XML detected
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_RULEWORKER_TEST_RULES_CHECK_SYNTAX
Description: Rule worker starts to check syntax
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
EventType: PH_RULEWORKER_TEST_RULES_EVENT_MATCH_STATUS
Description: Rule worker event test status
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
eventId |
Event ID |
uint64 |
This is a globally unique ID assigned to every raw event ingested into the SIEM. This is used by the system for tying events to incidents, and is typically not needed by end users. |
EventType: PH_Rule_AbuseCH_Botnetc2_MalwareIP_Inbound
Description: Permitted Traffic from AbuseCH Botnet C2 Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_AbuseCH_Botnetc2_MalwareIP_Outbound
Description: Traffic to AbuseCH Botnet C2 Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_Blocklist_MalwareIP_Inbound
Description: Permitted Traffic from Blocklist DE Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_Blocklist_MalwareIP_Outbound
Description: Traffic to Blocklist DE Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_C2_Tracker_MalwareIP_Inbound
Description: Permitted Traffic from C2 Tracker Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_C2_Tracker_MalwareIP_Outbound
Description: Traffic to C2 Tracker Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_CINSScore_MalwareIP_Inbound
Description: Permitted Traffic from CINS Score Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_CINSScore_MalwareIP_Outbound
Description: Traffic to CINS Score Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_Cisco_Talos_MalwareIP_Inbound
Description: Permitted Traffic from Cisco Talos Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_Cisco_Talos_MalwareIP_Outbound
Description: Traffic to Cisco Talos Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_DigitalSide_MalwareDomain_Inbound
Description: Permitted Traffic from DigitalSide Malware Domain List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_DigitalSide_MalwareDomain_Outbound
Description: Traffic to DigitalSide Malware Domain List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_DigitalSide_MalwareIP_Inbound
Description: Permitted Traffic from DigitalSide Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_DigitalSide_MalwareIP_Outbound
Description: Traffic to DigitalSide Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_DigitalSide_MalwareURL_Outbound
Description: Traffic to DigitalSide Malware URL List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_FML_Antispam_Malicious_File
Description: FortiMail: Malicious Spam File Attachment Found
Severity: 9 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_FML_Antispam_Malicious_Url
Description: FortiMail: Antispam Malicious URL found
Severity: 9 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_FireHol_MalwareIP_Inbound
Description: Permitted Traffic from FireHol Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_FireHol_MalwareIP_Outbound
Description: Traffic to FireHol Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_FortiRecon_MalwareDomain_Inbound
Description: Permitted Traffic from FortiRecon Malware Domain List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_FortiRecon_MalwareDomain_Outbound
Description: Traffic to FortiRecon Malware Domain List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_FortiRecon_MalwareIP_Inbound
Description: Permitted Traffic from FortiRecon Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_FortiRecon_MalwareIP_Outbound
Description: Traffic to FortiRecon Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_FortiRecon_MalwareURL_Outbound
Description: Traffic to FortiRecon Malware URL List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_FortiSOAR_MalwareDomain_Inbound
Description: Permitted Traffic from FortiSOAR Malware Domain List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_FortiSOAR_MalwareDomain_Outbound
Description: Traffic to FortiSOAR Malware Domain List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_FortiSOAR_MalwareIP_Inbound
Description: Permitted Traffic from FortiSOAR Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_FortiSOAR_MalwareIP_Outbound
Description: Traffic to FortiSOAR Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_FortiSOAR_MalwareURL_Outbound
Description: Traffic to FortiSOAR Malware URL List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_Greensnow_MalwareIP_Inbound
Description: Permitted Traffic from Greensnow Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_Greensnow_MalwareIP_Outbound
Description: Traffic to Greensnow Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_IPSum_MalwareIP_Inbound
Description: Permitted Traffic from IPSum Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_IPSum_MalwareIP_Outbound
Description: Traffic to IPSum Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_MISP_MalwareDomain_Inbound
Description: Permitted Traffic from MISP Malware Domain List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_MISP_MalwareDomain_Outbound
Description: Traffic to MISP Malware Domain List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_MISP_MalwareIP_Inbound
Description: Permitted Traffic from MISP Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_MISP_MalwareIP_Outbound
Description: Traffic to MISP Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_MISP_MalwareURL_Outbound
Description: Traffic to MISP Malware URL List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_OPENCTI_MalDomain_Inbound
Description: Permitted Traffic from OpenCTI Malware Domain List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_OPENCTI_MalDomain_Outbound
Description: Traffic to OpenCTI Malware Domain List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_OPENCTI_MalwareIP_Inbound
Description: Permitted Traffic from OpenCTI Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_OPENCTI_MalwareIP_Outbound
Description: Traffic to OpenCTI Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_OPENCTI_MalwareURL_Outbound
Description: Traffic to OpenCTI Malware URL List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_OpenPhish_MalwareURL_Outbound
Description: Traffic to OpenPhish Malware URL List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_Proofpoint_MalwareIP_Inbound
Description: Permitted Traffic from Proofpoint Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_Proofpoint_MalwareIP_Outbound
Description: Traffic to Proofpoint Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_Snort_MalwareIP_Inbound
Description: Permitted Traffic from Snort Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_Snort_MalwareIP_Outbound
Description: Traffic to Snort Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_ThreatFox_MalwareURL_Outbound
Description: Traffic to ThreatFox Malware URL List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_TweetFeed_MalwareDomain_Inbound
Description: Permitted Traffic from TweetFeed Malware Domain List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_TweetFeed_MalwareDomain_Outbound
Description: Traffic to TweetFeed Malware Domain List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_TweetFeed_MalwareURL_Outbound
Description: Traffic to TweetFeed Malware URL List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_Tweetfeed_MalwareIP_Inbound
Description: Permitted Traffic from TweetFeed Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_Rule_Tweetfeed_MalwareIP_Outbound
Description: Traffic to TweetFeed Malware IP List
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_SAAS_OP_COLLECTOR_DOWN
Description: Collector down
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_SAAS_OP_COLLECTOR_UP
Description: Collector up
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_SCHEDULED_RULE_QUERY_FAILED
Description: Failed to run query for scheduled rule
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
queryId |
Query Id |
string |
|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_SER_MON_SERVICE_DOWN
Description: PH process down
Severity: 8 (Medium)
Event Category: 3 (System Logs)
EventType: PH_SHAREDSTORE_ACQUIRE_ERROR
Description: A module failed to acquire shared store. The module will abort
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_SHAREDSTORE_WRITER_POS_UNEXPECTED_ALTERED
Description: Shared store writer position altered unexpectedly
Severity: 9 (High)
Event Category: 3 (System Logs)
EventType: PH_SHAREDSTORE_WRITE_ERROR
Description: Parser module encountered error while writing to shared store. Events will be lost
Severity: 9 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_SSL_SHUTDOWN_ERROR
Description: PH system ssl shutdown error
Severity: 6 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_ACCOUNT_UNMATCHED
Description: Perf / STM module encountered unmatched LOOP_EMAIL_42 account in XML received from App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_AUTH_TYPE_UNKNOWN
Description: Perf / STM module encountered unknown auth type in monitor in XML received from App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_BAD_ELEM
Description: Perf / STM module encountered bad element in monitor in XML received from App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_BAD_ELEM_VALUE
Description: Perf / STM module encountered bad element values in XML received from App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_BAD_PORT
Description: Perf / STM module encountered bad port in XML received from App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_BAD_RTT_LINE
Description: Perf / STM module encountered bad RTT line in XML received from App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_BAD_SSL
Description: Perf / STM module encountered bad SSL in XML received from App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_BAD_TAG
Description: Perf / STM module encountered bad Tag in XML received from App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_CMD_EXEC_FAILED
Description: Perf / STM module failed to execute command
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
command |
Command |
string |
|
exitValue |
Command exit value |
int32 |
|
EventType: PH_STM_CRED_INVALID
Description: Perf / STM module found that credential doesn't match with Custom Perf Object
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_CURL_ESCAPE_FAILED
Description: Perf / STM module found that curl_easy_escape() returned NULL
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_CURL_INIT_FAILED
Description: Perf / STM module failed to init curl - HTTP based communication will fail
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_STM_DNS_TYPE_UNSUPPORT
Description: Perf / STM module found unsupported dns resource record type
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_DUPLICATED
Description: Perf / STM module found duplicated srvcMonitor name or id
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_ELEM_EMPTY
Description: Perf / STM module found empty XML element received from App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_ELEM_MISSING
Description: Perf / STM module found missing XML element received from App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_ELEM_NEGATIVE
Description: Perf / STM module found negative XML element received from App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_ERROR
Description: Perf / STM module encountered STM monior error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
hostName |
Host Name |
string |
This is the hostname of the device of interest in the event |
ipPort |
IP Port |
uint16 |
IP port number |
user |
User |
string |
|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_STM_FILE_OPEN_FAILED
Description: Perf / STM module failed to open file during STM operation
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
exitValue |
Command exit value |
int32 |
|
EventType: PH_STM_GET_HOST_FAILED
Description: Perf / STM module failed to get outgoing host
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
hostIpAddr |
Host IP |
IP |
This is the IP of the device of interest in the event. |
EventType: PH_STM_GUESS_TYPE_FAILED
Description: Perf / STM module could not guess resource record type
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_HTTP_RESP_FAILED
Description: Perf / STM module did not find response time from command output
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
command |
Command |
string |
|
EventType: PH_STM_METHOD_UNKNOWN
Description: Perf / STM module found unknown url method in monitor
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_MONITOR_MISSING_ACTION
Description: Perf / STM module found that No action is specified for monitor
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_MONITOR_RESULT_UPLOAD_FAILED
Description: Perf / STM module failed to upload test service monitor result xml to APP server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_NO_ORACLE_NAME
Description: Perf / STM module found missing instance name and service name for Oracle server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
serverIpAddr |
Server IP |
IP |
|
EventType: PH_STM_PORT_UNKNOWN
Description: Perf / STM module found unknown service monitor port
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_PROCESS_INVOKE_FAILED
Description: Perf / STM module failed to invoke SrvcMonJobExec::execute
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_PROTO_UNKNOWN
Description: Perf / STM module encountered unknown proto in STM job definition
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_PROTO_UNSUPPORT
Description: Perf / STM module encountered unsupported mail protocol in STM job definition
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_SERVER_ADDR_INVALID
Description: Perf / STM module encountered invalid server address in STM job definition
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_SPECIAL_LINE_NOT_FOUND
Description: Perf / STM module could not find either RTT line or packet loss line in ping response from device
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_STM_GET_PROCESS_FAILED
Description: Perf / STM module cannot get process
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_STM_GET_PROCESS_NAME_FAILED
Description: Perf / STM module cannot get process name
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_TAG_MISSING
Description: Perf / STM module found missing tag XML element received from App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_TAG_NOT_FOUND
Description: Perf / STM module found missing tag XML element received from App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_TAG_UNKNOWN
Description: Perf / STM module found unknown tag XML element received from App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_TRACEROUTE_FAILED
Description: Perf / STM module failed to parse traceroute output
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_STM_XML_PARSE_FAILED
Description: Perf / STM module failed to parse xml file received from App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
EventType: PH_SYSTEM_ARCHIVE_LOW
Description: FortiSIEM EventDB Archive disk space low
Severity: 5 (Medium)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_ARCHIVE_PURGED_LOW_SPACE
Description: Event database archive files purged to make room for new archive
Severity: 5 (Medium)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_ARCHIVE_PURGED_POLICY
Description: Event database archive files purged by policy
Severity: 5 (Medium)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_ARCHIVE_PURGING_LOW_SPACE_FAILED
Description: Failed to purge Archive FortiSIEM EventDB - purge caused by low available space
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_ARCHIVE_PURGING_LOW_SPACE_FINISHED
Description: Successfully purged Archive FortiSIEM EventDB -purge caused by low available space
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_ARCHIVE_PURGING_LOW_SPACE_STARTED
Description: Started to purge Archive FortiSIEM EventDB because of low available space
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_ARCHIVE_PURGING_LOW_SPACE_SUCCESS
Description: Successfully purged Archive FortiSIEM EventDB because of low available space
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_ARCHIVE_PURGING_POLICY_FAILED
Description: Failed to purge Archive FortiSIEM EventDB - purge caused by policy
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_ARCHIVE_PURGING_POLICY_FINISHED
Description: Successfully purged Archive FortiSIEM EventDB - purge caused by policy
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
totBytes64 |
Total Bytes64 |
uint64 |
Total number of sent and received bytes by a host. This has 64bit resolution. |
EventType: PH_SYSTEM_ARCHIVE_PURGING_POLICY_STARTED
Description: Started to purge Archive FortiSIEM EventDB - purge caused by policy
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_ARCHIVE_PURGING_POLICY_SUCCESS
Description: Successfully purged Archive FortiSIEM EventDB - purge caused by policy
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_ARCHIVE_RETENTION_POLICY_VIOLATED
Description: Archive retention policy violation
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
EventType: PH_SYSTEM_ARCHIVE_USAGE
Description: Archive disk usage
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
diskUsage |
Disk Used MB |
uint64 |
|
EventType: PH_SYSTEM_DATAMGR_ARCHIVE_SKIP
Description: Online FortiSIEM EventDB Archiving skipped since the directory has data
Severity: 5 (Medium)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_DEVAPP_EVENTS_PER_SEC
Description: FortiSIEM per application EPS statistics
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
reptVendor |
Reporting Vendor |
string |
This field captures the vendor of the reported event |
reptModel |
Reporting Model |
string |
This field captures the model of the reported event |
hostIpAddr |
Host IP |
IP |
This is the IP of the device of interest in the event. |
hostName |
Host Name |
string |
This is the hostname of the device of interest in the event |
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
eventsPerSec |
Event Rate |
double |
A generic attribute for recording event ingestion or handling rate. |
EventType: PH_SYSTEM_DEVAPP_NO_EVENTS
Description: No events from a reporting module in last 1 hour
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
reptVendor |
Reporting Vendor |
string |
This field captures the vendor of the reported event |
reptModel |
Reporting Model |
string |
This field captures the model of the reported event |
reptDevIpAddr |
Reporting IP |
IP |
This is the device that originated the log or event packet, also known as the reporting device. |
reptDevName |
Reporting Device |
string |
This is the hostname of the device that originated the log or event packet. |
EventType: PH_SYSTEM_DEVICE_NO_EVENTS
Description: No events from a device in last 1 hour
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_DISK_ARCHIVING_FAILED
Description: Online FortiSIEM EventDB Archiving encountered errors
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_DISK_ARCHIVING_FINISHED
Description: Online FortiSIEM EventDB Archiving completed
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_DISK_ARCHIVING_STARTED
Description: Online FortiSIEM EventDB Archiving started
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_DISK_ARCHIVING_SUCCESS
Description: Online FortiSIEM EventDB Archiving success
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_DISK_PURGED
Description: Event database files purged
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
EventType: PH_SYSTEM_DISK_PURGING_FAILED
Description: Online FortiSIEM EventDB Purging encountered errors
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_DISK_PURGING_FINISHED
Description: Online FortiSIEM EventDB Purging completed
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_DISK_PURGING_STARTED
Description: Online FortiSIEM EventDB Purging started
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_DISK_PURGING_SUCCESS
Description: Online FortiSIEM EventDB Purging success
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_DISK_USAGE
Description: Disk usage of customer
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
diskUsage |
Disk Used MB |
uint64 |
|
EventType: PH_SYSTEM_DISK_USAGE_EXCEED_LICENSE
Description: Event database disk usage exceeded limit
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
EventType: PH_SYSTEM_DISK_USAGE_WARNING
Description: FortiSIEM EventDB disk usage close to limit
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
EventType: PH_SYSTEM_DROP_UNKNOWN_ORG
Description: Dropped events which belong to unknown organization
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_EPS_GLOBAL
Description: FortiSIEM Global event handling statistics
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
licenseEventsPerSec |
License EPS |
uint64 |
|
incomingEventsPerSec |
Incoming Event Rate |
double |
This is a FortiSIEM event ingestion rate calculated every 3 minutes, divided by 180 to generate a rolling EPS (Events Per Second) interval. |
peakIncomingEventsPerSec |
Peak Incoming Event Rate |
double |
This is the spike or max event ingestion rate seen during a 3 minute interval averaged overall data points. |
dropLicenseEventsPerSec |
License Dropped Event Rate |
double |
The number of events dropped due to exceeding license in past 3 minutes. |
peakDropLicenseEventsPerSec |
Peak License Dropped Event Rate |
double |
The max value of dropLicenseEventsPerSec over all 3-minute periods, since phParser started. |
unusedEvents |
Unused Event Count |
uint64 |
The difference between licenseEventsPerSec and incomingEventsPerSec accumulated. |
EventType: PH_SYSTEM_EPS_NODE
Description: FortiSIEM per Node event handling statistics
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
role |
Role |
string |
|
hostName |
Host Name |
string |
This is the hostname of the device of interest in the event |
guaranteedEventsPerSec |
Guaranteed EPS |
uint64 |
|
incomingEventsPerSec |
Incoming Event Rate |
double |
This is a FortiSIEM event ingestion rate calculated every 3 minutes, divided by 180 to generate a rolling EPS (Events Per Second) interval. |
peakIncomingEventsPerSec |
Peak Incoming Event Rate |
double |
This is the spike or max event ingestion rate seen during a 3 minute interval averaged overall data points. |
ingestedEventsPerSec |
Ingested Event Rate |
double |
|
dropPolicyEvents |
Policy Dropped Events |
uint64 |
The number of events dropped by Event Dropping Rules in the last 3 minutes. |
dropPolicyEventsPerSec |
Policy Droppped Event Rate |
double |
This is the per second count of events dropped by policy, which is calculated as dropPolicyEvents (3min interval) / 180 seconds. |
peakDropPolicyEventsPerSec |
Peak Policy Dropped Event Rate |
double |
The max value of dropPolicyEventsPerSec, over all 3-minute periods, since phParser started. |
dropLicenseEvents |
License Dropped Events |
uint64 |
This is the total count of events dropped due to exceeding license over all 3 minute intervals since phParser started. |
dropLicenseEventsPerSec |
License Dropped Event Rate |
double |
The number of events dropped due to exceeding license in past 3 minutes. |
peakDropLicenseEventsPerSec |
Peak License Dropped Event Rate |
double |
The max value of dropLicenseEventsPerSec over all 3-minute periods, since phParser started. |
dropLicenseEventRatio |
License Dropped Event Ratio |
uint16 |
Ratio of dropped events due to license to total incoming events in last 3 minutes. |
reptDevIpAddr |
Reporting IP |
IP |
This is the device that originated the log or event packet, also known as the reporting device. |
EventType: PH_SYSTEM_EPS_ORG
Description: FortiSIEM per Organization event handling statistics
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
customer |
Organization Name |
string |
This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
incomingEventsPerSec |
Incoming Event Rate |
double |
This is a FortiSIEM event ingestion rate calculated every 3 minutes, divided by 180 to generate a rolling EPS (Events Per Second) interval. |
peakIncomingEventsPerSec |
Peak Incoming Event Rate |
double |
This is the spike or max event ingestion rate seen during a 3 minute interval averaged overall data points. |
dropLicenseEventsPerSec |
License Dropped Event Rate |
double |
The number of events dropped due to exceeding license in past 3 minutes. |
peakDropLicenseEventsPerSec |
Peak License Dropped Event Rate |
double |
The max value of dropLicenseEventsPerSec over all 3-minute periods, since phParser started. |
EventType: PH_SYSTEM_EVENTS_FWD_STAT
Description: Forwarded EPS statistics
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
role |
Role |
string |
|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
customer |
Organization Name |
string |
This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to. |
fwdEventsPerSec |
Forwarded Event Rate |
double |
This field represents the average rate (events per sec) over a 3 minute window, at which events are forwarded from FortiSIEM to an external system |
peakFwdEventsPerSec |
Peak Forwarded Event Rate |
double |
This field represents the maximum rate (events per sec) over a 3 minute window, at which events are forwarded from FortiSIEM to an external system |
dropFwdEventsPerSec |
Dropped Forwarded Event Rate |
double |
|
peakDropFwdEventsPerSec |
Peak Dropped Forwarded Event Rate |
double |
|
reptDevIpAddr |
Reporting IP |
IP |
This is the device that originated the log or event packet, also known as the reporting device. |
reptDevName |
Reporting Device |
string |
This is the hostname of the device that originated the log or event packet. |
EventType: PH_SYSTEM_EVENTS_PER_SEC
Description: Received EPS statistics
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
peakEventsPerSec |
Peak Event Rate |
double |
|
guaranteedEventsPerSec |
Guaranteed EPS |
uint64 |
|
EventType: PH_SYSTEM_EVENTS_VIA_ZMQ_EPS
Description: Events Pushed by ZMQ EPS statistics
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
totEventCount |
Total Event Count |
uint32 |
|
eventsPerSec |
Event Rate |
double |
A generic attribute for recording event ingestion or handling rate. |
EventType: PH_SYSTEM_EVENT_RATE_EXCEED_LICENSE
Description: System event rate exceeds licensed event rate
Severity: 5 (Medium)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_INTERNAL_EVENTS_PER_SEC
Description: FortiSIEM Internal EPS statistics
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
peakEventsPerSec |
Peak Event Rate |
double |
|
EventType: PH_SYSTEM_IP_EVENTS_PER_SEC
Description: FortiSIEM per device EPS statistics
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
eventsPerSec |
Event Rate |
double |
A generic attribute for recording event ingestion or handling rate. |
reptDevIpAddr |
Reporting IP |
IP |
This is the device that originated the log or event packet, also known as the reporting device. |
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
EventType: PH_SYSTEM_ONLINE_RETENTION_POLICY_VIOLATED
Description: Online data retention policy violation
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
policyName |
Policy Name |
string |
|
EventType: PH_SYSTEM_PERF_EVENTS_PER_SEC
Description: FortiSIEM performance monitoring EPS statistics
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
peakEventsPerSec |
Peak Event Rate |
double |
|
EventType: PH_SYSTEM_RETENTION_POLICY_EXEC_TIME
Description: Data retention policy enforcement time
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
runTime |
Run Time |
uint64 |
|
EventType: PH_SYSTEM_RETENTION_POLICY_FAILED
Description: Data retention policy enforcement failed
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_SYSTEM_RETENTION_POLICY_FINISHED
Description: Data retention policy enforcement finished
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_RETENTION_POLICY_STARTED
Description: Data retention policy enforcement started
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_RETENTION_POLICY_STATS
Description: Data retention policy enforcement statistics
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
totBytes64 |
Total Bytes64 |
uint64 |
Total number of sent and received bytes by a host. This has 64bit resolution. |
EventType: PH_SYSTEM_RETENTION_POLICY_SUCCESS
Description: Data retention policy enforcement succeeded
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_SYSTEM_STORAGE_LOW
Description: System data storage is low
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
diskName |
Disk Name |
string |
|
freeDiskMB |
Free Disk MB |
uint32 |
|
diskUtil |
Disk Capacity Util |
double |
|
EventType: PH_SYSTEM_STORED_EVENTS_PER_SEC
Description: Stored EPS statistics
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
peakEventsPerSec |
Peak Event Rate |
double |
|
EventType: PH_SYSTEM_SUMM_EVENTS_STORED_EPS
Description: Summary Events Stored EPS statistics
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
totEventCount |
Total Event Count |
uint32 |
|
eventsPerSec |
Event Rate |
double |
A generic attribute for recording event ingestion or handling rate. |
EventType: PH_SYS_ERROR_XML_SEND_ERROR
Description: Error in sending system error to app server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_SYS_ERROR_XML_SENT
Description: System error sent to app server
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_TEST_CONN_COMPLETE
Description: Test Connectivity completed
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_TEST_CONN_CONTACT_APP_SERVER
Description: Test Connectivity module contacting app server
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
destIpAddr |
Destination IP |
IP |
Destination IP of a device as identified in the event. |
destIpPort |
Destination TCP/UDP Port |
uint16 |
This is the destination TCP or UDP port as identified in the event |
EventType: PH_TEST_CONN_FAILED_INVALID_REQUEST
Description: Test Connectivity failed - invalid discovery request from App Server
Severity: 9 (High)
Event Category: 3 (System Logs)
EventType: PH_TEST_CONN_FAILED_INVALID_REQUEST_XML
Description: Test Connectivity failed - invalid discovery request XML from App Server
Severity: 9 (High)
Event Category: 3 (System Logs)
EventType: PH_TEST_CONN_RECVD_VALID_REQUEST
Description: Received valid test connectivity request from app server
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
destIpAddr |
Destination IP |
IP |
Destination IP of a device as identified in the event. |
EventType: PH_TEST_CONN_RESULT_SENT
Description: Test Connectivity results sent to app server
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_TEST_CONN_STARTED
Description: Starting test connectivity for a device
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
destIpAddr |
Destination IP |
IP |
Destination IP of a device as identified in the event. |
EventType: PH_TEST_RULES_PARSE_STATUS
Description: Syntax check status
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
EventType: PH_THREAD_EXITING
Description: Module exiting thread
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
threadName |
Thread Name |
string |
|
EventType: PH_THREAD_RECVD_EXIT
Description: Thread received exit request
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
threadName |
Thread Name |
string |
|
EventType: PH_THREAD_STARTING
Description: Module starting thread
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
threadName |
Thread Name |
string |
|
EventType: PH_UNABLE_ACCESS_DIR
Description: Unable to access archive directory
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dirName |
Directory Name |
string |
|
EventType: PH_UNABLE_ALLOC_MEMORY
Description: Unable to allocate memory
Severity: 6 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UNABLE_CREATE_DIR
Description: Unable to create dir
Severity: 6 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dirName |
Directory Name |
string |
|
errorNo |
Error Number Unsigned |
uint32 |
This is an unsigned integer error number |
EventType: PH_UNABLE_CREATE_FILE
Description: Unable to create file
Severity: 6 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
fileName |
File Name |
string |
|
errorNo |
Error Number Unsigned |
uint32 |
This is an unsigned integer error number |
EventType: PH_UNABLE_CREATE_TIMER
Description: Unable to create timer
Severity: 6 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UNABLE_OPEN_DIR
Description: Unable to open dir
Severity: 6 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dirName |
Directory Name |
string |
|
errorNo |
Error Number Unsigned |
uint32 |
This is an unsigned integer error number |
EventType: PH_UNABLE_OPEN_FILE
Description: Unable to open file
Severity: 6 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
fileName |
File Name |
string |
|
errorNo |
Error Number Unsigned |
uint32 |
This is an unsigned integer error number |
EventType: PH_UNABLE_PARSE_XML
Description: Unable to parse xml
Severity: 6 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
fileName |
File Name |
string |
|
EventType: PH_UNABLE_RENAME_FILE
Description: Unable to rename file
Severity: 6 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
srcFilePath |
Source File Path |
string |
|
destFilePath |
Destination File Path |
string |
|
errorNo |
Error Number Unsigned |
uint32 |
This is an unsigned integer error number |
EventType: PH_UNRESOLVABLE_HOSTNAME
Description: FortiSIEM module failed to resolve host name
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
hostName |
Host Name |
string |
This is the hostname of the device of interest in the event |
EventType: PH_UPDATE_RULE_SUCCEED
Description: Rule update succeeded
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
opName |
Operation Name |
string |
|
ruleId |
Rule ID |
uint64 |
Unique ID of a FortiSIEM rule. |
ruleName |
Rule Name |
string |
FortiSIEM rule name. |
EventType: PH_USER_MON_SUDDEN_LOC_CHANGE
Description: User location anomaly detected
Notes: FortiSIEM Identity and Location Module keeps track of (Source IP, Longitude, Latitude, User, Last Seen Time). For every new Identity and Location event (See docs on Dashboard identity location), the Haversine distance ( https://en.wikipedia.org/wiki/Haversine_formula) between the new and existing Longitude and Latitudes is calculated. Then the speed required to attain this distance is calculated by dividing the Haversine distance by the elapsed time between current event and event stored in Identity and Location module. If this value exceeds 575 miles/hour, which is a reasonable limit on commercial Jetliners), then the event is generated. This event can indicate the specific user credential is likely shared or stolen, which can be a security violation.
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
user |
User |
string |
|
eventSource |
Event Source |
string |
|
srcIpAddr |
Source IP |
IP |
Source IP of a device as identified in the event. |
destIpAddr |
Destination IP |
IP |
Destination IP of a device as identified in the event. |
startTime |
Start Time |
Date |
This is the start time of a given item or task, and is stored in epoch milliseconds |
endTime |
End Time |
Date |
This is the end time of a given item or task, stored in epoch milliseconds. |
durationMSec |
Duration |
uint32 |
Duration of a connection (in msec) |
EventType: PH_USER_MON_SUDDEN_LOGIN_DISTRIBUTION_CHANGE
Description: Change in user login distribution pattern
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
profDateType |
Profile Date Type |
uchar |
|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
user |
User |
string |
|
computer |
Computer |
string |
|
destName |
Destination Host Name |
string |
Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address. |
oldDistrib |
Old Distribution |
string |
|
newDistrib |
New Distribution |
string |
|
EventType: PH_USER_MON_SUDDEN_LOGIN_VOLUME_CHANGE
Description: Increase in User Login Volume
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
profDateType |
Profile Date Type |
uchar |
|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
user |
User |
string |
|
computer |
Computer |
string |
|
destName |
Destination Host Name |
string |
Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address. |
oldValue |
Old Value |
uint64 |
|
newValue |
New Value |
uint64 |
|
EventType: PH_UTIL_BIZ_CHANGE_UPDATE_SPAWN_FAILURE
Description: phMonitor encountered error in spawning thread
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_UTIL_BIZ_HTTP_REQUEST_FAILURE
Description: HTTP Request Error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_CMD_FAILURE
Description: FortiSIEM system command execution failure
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
command |
Command |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_UTIL_CONFIG_IP_MISSING
Description: Found empty IP address
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_CONFIG_LOAD_FAILURE
Description: Failed to load configuration type from the app server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
objType |
Object Type |
string |
|
EventType: PH_UTIL_CONFIG_LOAD_FILE_ACESS_FAILURE
Description: Failed to load configuration type from the app server - tmp file not accessible
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
objType |
Object Type |
string |
|
EventType: PH_UTIL_CONFIG_PARSE_FAILURE
Description: Failed to parse system/phoenixServer xml
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
xmlBody |
XML Body |
string |
|
EventType: PH_UTIL_CONFIG_UNKNOWN_SERVER_TYPE
Description: Found unknown server type in App server returned XML
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
objType |
Object Type |
string |
|
EventType: PH_UTIL_CSV_LINE_ILLEGAL
Description: Found illegal line in csv file
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
lineContent |
Line Content |
string |
|
EventType: PH_UTIL_CSV_READ_FAILURE
Description: Failed to open CSV file
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_UTIL_CUSTOMER_COLLECTOR_MISSING
Description: Failed to parse collectors and no collector found
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_CUSTOMER_COLLECTOR_PARSE_FAILURE
Description: Failed to parsephCustomerDevice Collector info
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_CUSTOMER_DOMAIN_MISSING
Description: No domain item found in xml file
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_CUSTOMER_INFO_PARSE_FAILURE
Description: Failed to parse value group xml
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
xmlBody |
XML Body |
string |
|
EventType: PH_UTIL_CUSTOMER_PARSE_FAILURE
Description: Failed to parse phCustomerDevice Customer info in XML
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_DASHBOARD_DUPLICATE_IP
Description: Encountered duplicate ip in device info for same customer Id
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
reptDevIpAddr |
Reporting IP |
IP |
This is the device that originated the log or event packet, also known as the reporting device. |
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
EventType: PH_UTIL_DASHBOARD_DUPLICATE_ITEM
Description: Encountered duplicate item id in device info for same custId
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
item |
Item |
string |
|
phCustId |
Organization ID |
uint32 |
This is the FortiSIEM organization ID unique to each tenant |
EventType: PH_UTIL_DASHBOARD_PARSE_FAILURE
Description: Failed to parse dashboard device info xml
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
xmlBody |
XML Body |
string |
|
EventType: PH_UTIL_DEVICE_MAP_PROP_ERROR
Description: Encountered device map property error in XML
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_UTIL_DEVICE_PROP_ERROR
Description: Encountered device property error in XML
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_UTIL_DEVICE_SIMPLE_PROP_PARSE_FAILURE
Description: Failed to parse NULL element for property in XML
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
propName |
Property Name |
string |
|
EventType: PH_UTIL_DGA_FREQ_FILE_OPEN_FAILURE
Description: Failed to open DGA freq file
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
EventType: PH_UTIL_DGA_WHITELIST_FILE_OPEN_FAILURE
Description: Failed to open DGA white list file
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
EventType: PH_UTIL_DIR_CREATE_FAILURE
Description: Failed to create directory after a few attempts
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_DIR_CREATE_RETRIED
Description: Retried to created dir
Severity: 3 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dirName |
Directory Name |
string |
|
count |
Count |
uint32 |
A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group by parameters occurs again. The count is incremented and the Last Seen time is advanced. Count can be used for other events also. |
EventType: PH_UTIL_DIR_OPEN_FAILURE
Description: Failed to open directory after a few attempts
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dirName |
Directory Name |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_UTIL_DIR_PARENT_NOT_EXIST
Description: Failed to locate Parent directory
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dirName |
Directory Name |
string |
|
EventType: PH_UTIL_DIR_REMOVE_FAILURE
Description: Failed to remove directory
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dirName |
Directory Name |
string |
|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_UTIL_DISK_USAGE_INFO_GET_FAILURE
Description: Unable to get disk usage information
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dirName |
Directory Name |
string |
|
EventType: PH_UTIL_DISPATH_CMD_XML_ILLEGAL
Description: Encountered malformatted XML
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
xmlBody |
XML Body |
string |
|
EventType: PH_UTIL_DISPATH_CMD_XML_PARSE_FAILURE
Description: Encountered XML parsing failure
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
xmlBody |
XML Body |
string |
|
EventType: PH_UTIL_EMAIL_SEND_FAILURE
Description: Failed to send email to server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
destName |
Destination Host Name |
string |
Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address. |
EventType: PH_UTIL_EVENT_FILE_ERROR
Description: Encountered Event file error
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_UTIL_EVENT_GROUP_ERROR
Description: Encountered Event Group error
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_UTIL_EVENT_STATUS_REPORTER_SPAWN_FAILURE
Description: Failed to initialize external event status reporter thread
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_EVENT_STATUS_UPLOAD_FAILURE
Description: Failed to upload external event status xml after 3 retries
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_EVENT_TYPE_ERROR
Description: Encountered Event type error
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_UTIL_FILE_NOT_EXIST
Description: File doesn't exsit
Severity: 3 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
EventType: PH_UTIL_FILE_OPEN_FAILURE
Description: Failed to open file
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_UTIL_FILE_READ_FAILURE
Description: Error reading file
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_UTIL_FILE_SIZE_MISMATCH
Description: File size mismatch
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_FILE_SIZE_TOO_SMALL
Description: File size too small
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
fileSize64 |
File Size64 Bytes |
uint64 |
|
EventType: PH_UTIL_FILE_STATFS_FAILURE
Description: Failed to run statfs() command
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_UTIL_FILE_STAT_FAILURE
Description: Failed to stat file
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_UTIL_FILE_WRITE_FAILURE
Description: Error writing file
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_UTIL_FORK_FAILURE
Description: System fork failed - likely system highly utilized
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_UTIL_GET_ADDR_FAILURE
Description: Failed to run Getaddrinfo command
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
destName |
Destination Host Name |
string |
Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address. |
EventType: PH_UTIL_GET_JOB_STATUS_FAILURE
Description: Failed to get job status to status file
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
fileName |
File Name |
string |
|
paraName |
Param Name |
string |
|
EventType: PH_UTIL_HOSTNAME_GET_FAILURE
Description: Failed to look up Host name
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_UTIL_INET_PTON_FAILURE
Description: Failed to run inet_ntop command
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorNoInt |
Error Number Int |
int32 |
|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_UTIL_INODE_INFO_GET_FAILURE
Description: Unable to get inode information
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
osObjName |
Object Name |
string |
|
EventType: PH_UTIL_IOCTL_FAILURE
Description: Failed to run ioctl commands
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_UTIL_IOCTL_SIOCGIFADDR_FAILURE
Description: Failed to run ioctl SIOCGIFADDR command
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_UTIL_IP_TYPE_INVALID
Description: Invalid IP type
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_IP_TYPE_MISMATCH
Description: Mismatch IP type
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_JOB_STATUS_REPORTER_SPAWN_FAILURE
Description: Failed to initialize job status reporter thread
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_JOB_STATUS_UPLOAD_FAILURE
Description: Failed to upload job status xml after 3 retries
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_JSON_GET_NODE_FAILURE
Description: Failed to get JSON node value from App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
jsonBody |
JSON Body |
string |
|
EventType: PH_UTIL_JSON_GET_TOTAL_COUNT_FAILURE
Description: Failed to fetch total_count
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_UTIL_JSON_OBJ_EMPTY
Description: JSON object empty
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_JSON_PARSE_FAILURE
Description: Failed to parse JSON
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
jsonBody |
JSON Body |
string |
|
EventType: PH_UTIL_KILLPG_FAILURE
Description: Failed to send SIGKILL to child process
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_UTIL_LOAD_EXT_FUNC_FILE_OPEN_FAILUE
Description: Dynamic loaded function load failed
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_UTIL_LOAD_EXT_FUNC_FORMAT_INVALID
Description: Dynamic loaded function name should be fileName.functionName format
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
propValue |
Property Value |
string |
|
EventType: PH_UTIL_LOAD_EXT_FUNC_GET_NAME_FAILUE
Description: Dynamic loaded function in file failed
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
funName |
Function Name |
string |
|
filePath |
File Path |
string |
|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_UTIL_LOCAL_IP_MISSING
Description: Failed to get ip address of this machine
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_LOOKUP_TABLES_DUPLICATE
Description: Duplicate lookup table found
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dbTable |
Database Table |
string |
|
EventType: PH_UTIL_LOOKUP_TABLES_DUPLICATE_COLUMN
Description: Duplicate lookup table column found
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dbTable |
Database Table |
string |
|
dbColumn |
Database Column |
string |
|
EventType: PH_UTIL_LOOKUP_TABLES_DUPLICATE_KEY
Description: Duplicate lookup table key found
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
dbTable |
Database Table |
string |
|
dbId |
DB ID |
uint32 |
|
EventType: PH_UTIL_MAIL_CMD_RUN_FAILURE
Description: Failed to send email to server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
destName |
Destination Host Name |
string |
Destination device's hostname as identified in the log, can also be enriched using reverse lookup of the destination IP address. |
EventType: PH_UTIL_MAIL_SMTP_INIT_FAILURE
Description: Fail to initialize SMTP server problem
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_MD5_ERROR
Description: Failed to calculate MD5
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_MEM_ALLOC_FAILURE
Description: Could not allocate memory
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
fileSize64 |
File Size64 Bytes |
uint64 |
|
EventType: PH_UTIL_MKDTEMP_FAILURE
Description: Failed to create directory
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorNoInt |
Error Number Int |
int32 |
|
filePath |
File Path |
string |
|
EventType: PH_UTIL_MKSTEMP_FAILURE
Description: Failed to create temporary filename
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorNoInt |
Error Number Int |
int32 |
|
filePath |
File Path |
string |
|
EventType: PH_UTIL_MMAP_FAILURE
Description: Failed to mmap file
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
fileSize64 |
File Size64 Bytes |
uint64 |
|
errorNoInt |
Error Number Int |
int32 |
|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_UTIL_MOVE_FILE_FAILURE
Description: Failed to rename file
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_UTIL_NOTIFICATION_SENDER_SPAWN_FAILURE
Description: Failed to initialize notification sender thread
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_NOTIFICATION_SERVER_INIT_FAILURE
Description: Failed to initialize notification reporter
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_NOTIFICATION_UPLOAD_FAILURE
Description: Failed to Send Notification
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
msg |
Message |
string |
|
EventType: PH_UTIL_PHOENIX_CONFIG_ITEM_MISSING
Description: Could not find specific item in phoenix_config.txt
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
propName |
Property Name |
string |
|
EventType: PH_UTIL_PIPE_FAILURE
Description: The command pipe() returned error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorNoInt |
Error Number Int |
int32 |
|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_UTIL_PROP_DEF_SET_PARSE_FAILURE
Description: Failed to parse propertyDefs xml
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
xmlBody |
XML Body |
string |
|
EventType: PH_UTIL_REDIS_CONNECTION_ERROR
Description: redis connection error
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_UTIL_REGEX_PATTERN_EMPTY
Description: Regex Pattern is NULL
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_REGEX_PATTERN_TOO_LONG
Description: Regex Pattern too long
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
msgLen |
Message Length |
uint64 |
|
EventType: PH_UTIL_SEND_TO_UDP_PORT_FAILURE
Description: Failed to send message to udp port
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
destIpPort |
Destination TCP/UDP Port |
uint16 |
This is the destination TCP or UDP port as identified in the event |
EventType: PH_UTIL_SETPGRP_FAILURE
Description: Failed to run system comand setpgrp()
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_UTIL_SET_JOB_STATUS_FAILURE
Description: Failed to set job status to status file
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
fileName |
File Name |
string |
|
paraName |
Param Name |
string |
|
EventType: PH_UTIL_SOCKET_FAILURE
Description: Failed to run system command socket()
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorString |
Error String |
string |
This is the error message, synonymous to attribute errReason |
EventType: PH_UTIL_STR_TO_IP_FAILURE
Description: Failed to run system call inet_pton
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
propValue |
Property Value |
string |
|
EventType: PH_UTIL_SVN_DIFF_FAILURE
Description: Failed to execute system command svn diff
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_UTIL_SYS_ERROR_REPORTER_INIT_FAILURE
Description: Failed to initialize system error reporter thread
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_UTIL_TIME_RANGE_INVALID
Description: Found Invalid time range
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
propValue |
Property Value |
string |
|
EventType: PH_UTIL_TIME_STR_FORMAT_INVALID
Description: Found incorrect time string parameters
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
paraName |
Param Name |
string |
|
EventType: PH_UTIL_UNKNOWN_PHOENIX_ERROR_NUMBER
Description: Found incorrect PH error number
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
EventType: PH_UTIL_VALUE_GROUP_ERROR
Description: Encountered Value group error
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_UTIL_WAITPID_FAILURE
Description: Failed to run system command waitpid on child process
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_UTIL_WAITPID_LAST_TRY_FAILUE
Description: Failed to run system command waitpid on child process after several tries
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_UTIL_WINDOWS_BID_LOAD_FAILURE
Description: Failed to load Windows Built In SID file
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
EventType: PH_UTIL_WRITE_BIN_FILE_OPEN_FAILURE
Description: Failed to open binary file
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
EventType: PH_UTIL_WRITE_FILE_OPEN_FAILURE
Description: Failed to open file for write
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
filePath |
File Path |
string |
|
errorNoInt |
Error Number Int |
int32 |
|
EventType: PH_UTIL_XML_HANDLING_ERROR
Description: Found Invalid xml from App Server
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_UTIL_ZIP_DECOMPRESS_FAILED
Description: Failed to decompress zip string
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_VA_EVENTS_PER_SEC
Description: Total event rate to an FortiSIEM VA
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
peakEventsPerSec |
Peak Event Rate |
double |
|
EventType: PH_VA_LICENSE_UPDATE
Description: License on VA has been updated
Severity: 5 (Medium)
Event Category: 3 (System Logs)
EventType: PH_VULN_LOAD_ERROR
Description: Parser module failed to load external scanner-found vulnerabilities from App server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_VULN_UPDATE_ERROR
Description: Parser module failed to upload external scanner-found vulnerabilities to App server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id |
Display name |
Type |
Description |
---|---|---|---|
errReason |
Reason for Error |
string |
This is the reason for an error if given. |
EventType: PH_WORKER_DOWN
Description: Worker down
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_WORKER_PROVISION_FAILED
Description: Phoenix worker provision failed
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_WORKER_UP
Description: Worker up
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_WS_COMM_ERROR
Description: Web service communication error
Severity: 6 (Medium)
Event Category: 3 (System Logs)
EventType: WEBSENSE_MAIL_JDBC_PULL_STAT
Description: JDBC Event pull statistics
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: WEBSENSE_WEB_JDBC_PULL_STAT
Description: JDBC Event pull statistics
Severity: 1 (Low)
Event Category: 3 (System Logs)