Report Logs
This section provides logs related to generating reports for dashboards in EventDB/Elasticsearch and for Profile/baselining.
EventType: PH_REPORT_ACTION_STATUS
Description: Record action result for report notification
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_REPORT_ACT_FAILED
Description: Query Master/Query Worker/Report Worker/Report Loader failed to perform requested ACTION from App Server, i.e. UPDATE, REMOVE. Event Role will not be updated.
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
roleId | Role ID | uint32 | |
EventType: PH_REPORT_AGGR_FIELDS_EMPTY
Description: Report Master/Report Worker encountered empty aggregate fields. Report file will be incomplete
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_REPORT_AGGR_FIELD_NOT_ADDED
Description: Query Master/Report Master/Report Worker failed to add certain aggregate field to report schema. The schema will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_AGGR_FUNC_EMPTY
Description: Report Master/Report Worker encountered empty aggregate function. Report file will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
reportId | Report ID | uint32 | |
EventType: PH_REPORT_AGGR_TYPE_ERROR
Description: Report Master/Report Worker encountered aggregate type error. Report file will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
errorString | Error String | string | This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_AGGR_TYPE_UNDEFINED
Description: Report Master/Report Worker encountered undefined aggregate type. Report file will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_ATTR_ID_UNSUPPORTED
Description: Report Master/Report Worker encountered unsupported attribute ID. Report file will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_ATTR_MISSING
Description: Report Master/Report Worker failed to locate certain attribute. Report file will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_ATTR_UNDEFINED
Description: Report Master/Report Worker encountered undefined attribute. Report file will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_BUFFER_OVERFLOW
Description: Report buffer overflow
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
size | Size | uint32 | |
EventType: PH_REPORT_CHECKSUM_MISMATCH
Description: Query Master encountered checksum mismatch in report results. The inline query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_CONFIG_UPDATE_NULL
Description: Report Worker/Report Loader encountered NULL object in config update. Config update will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_CONVERT_FAILED
Description: FortiSIEM internal error used for testing
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
queryId | Query Id | string | |
EventType: PH_REPORT_DATA_INIT_FAILED
Description: Query Master/Report Master failed to initialize report results block data. This inline query or report rolling will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_DATA_SIZE_MISMATCH
Description: Query Master/Report Master/Report Worker/Report Loader encountered size mismatch between two pieces of data. The affected operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
reportId | Report ID | uint32 | |
EventType: PH_REPORT_DATA_SIZE_OVERFLOW
Description: Query Master/Report Master/Report Worker/Report Loader encountered data size overflow. The affected operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_DATA_SIZE_UNEXPECTED
Description: Query Master/Report Master/Report Worker/Report Loader encountered unexpected data type. The affected operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_DATA_SIZE_UNKNOWN
Description: Query Master/Report Master/Report Worker/Report Loader encountered unknown data size. The affected operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_DATA_TYPE_UNEXPECTED
Description: Query Master/Report Master/Report Worker/Report Loader encountered unexpected data type. The affected operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_DIR_CREATE_FAILED
Description: FortiSIEM Report Engine failed to create directory
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_REPORT_DIR_OPEN_FAILED
Description: FortiSIEM Report Engine failed to open directory
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_REPORT_DIR_REMOVE_FAILED
Description: FortiSIEM Report Engine failed to remove directory
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_REPORT_ES_BUCKETS_EMPTY
Description: Data Manager encountered empty Elastic Search buckets. Report data will not be written to disk
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_ES_POST_FAILED
Description: Report Master/Report Worker failed to POST Elastic Search data to App Server. Report data will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
task | Task | string | |
errorString | Error String | string | This is the error message, synonymous to attribute errReason |
httpStatusCode | HTTP Status | string | |
EventType: PH_REPORT_ES_PROFILE_EMPTY
Description: Report Master encountered empty Elastic Search profile. Report data will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
reportId | Report ID | uint32 | |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
EventType: PH_REPORT_ES_PROFILE_TIMEOUT
Description: Report Master encountered timeout in Elastic Search profile response. This profile will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
reportId | Report ID | uint32 | |
EventType: PH_REPORT_ES_PURGE_INDEX_FAILED
Description: Elastic Search Purge Inline Report Index Failed
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_ES_TIME_RANGE_INVALID
Description: Report Master encountered invalid time range in Elastic Search profile query. This query will fail to be built
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_EXPR_PARSE_FAILED
Description: Query Master failed to parse schema expression. This inline query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
task | Task | string | |
EventType: PH_REPORT_FILE_CONTENT_MISSING
Description: Report Master failed to locate certain content in report file. Report rolling will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
EventType: PH_REPORT_FILE_COPY_FAILED
Description: Report Master/Report Worker failed to copy report file. Report data will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
srcFilePath | Source File Path | string | |
destFilePath | Destination File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_REPORT_FILE_HEADER_BAD
Description: Query Master/Report Master/Report Worker encountered bad report file header. This inline query or report rolling will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
EventType: PH_REPORT_FILE_INIT_FAILED
Description: Report Master/Report Worker failed to initialize report file. Report data will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
EventType: PH_REPORT_FILE_LINK_FAILED
Description: Report Master failed to link report file. Report data will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
srcFilePath | Source File Path | string | |
destFilePath | Destination File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_REPORT_FILE_MAGIC_BAD
Description: Query Master/Report Master/Report Worker encountered bad report file magic. Inline query or report data will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
EventType: PH_REPORT_FILE_MMAP_FAILED
Description: Query Master/Report Master failed to memory-map report file. This inline query or report rolling will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_REPORT_FILE_NAME_BAD
Description: Report Master/Report Loader encountered bad report file name. This report rolling or loading will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
EventType: PH_REPORT_FILE_OPEN_FAILED
Description: Query Master/Report Master/Report Worker/Report Loader failed to open report file. Related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_REPORT_FILE_PARSE_FAILED
Description: FortiSIEM Report Engine failed to parse file
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
EventType: PH_REPORT_FILE_READ_FAILED
Description: Identity Master/Identity Worker failed to read entry IDs file. The process will terminate
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_REPORT_FILE_REMOVE_FAILED
Description: Report Master failed to remove report file. Disk will eventually be full
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_REPORT_FILE_RENAME_FAILED
Description: Report Master failed to rename report file. This report rolling will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
srcFilePath | Source File Path | string | |
destFilePath | Destination File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_REPORT_FILE_RSYNC_FAILED
Description: Report Master failed to rsync report file to remote super
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
srcFilePath | Source File Path | string | |
targetHostName | Target Host Name | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_REPORT_FILE_STAT_FAILED
Description: Report Worker/Report Loader failed to stat report file. This report writing or loading will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_REPORT_FILE_TYPE_UNKNOWN
Description: Report Worker/Report Loader encountered unknown report file type. This report writing or loading will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
EventType: PH_REPORT_FILE_UNSPECIFIED
Description: Report Master/Report Worker encountered unspecified report file. Report data will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
errorString | Error String | string | This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_FILE_WRITE_FAILED
Description: Identity Master/Identity Worker failed to write entry IDs to file. The process will terminate
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
filePath | File Path | string | |
errorNoInt | Error Number Int | int32 | |
EventType: PH_REPORT_FUNC_OBJ_DEF_ERROR
Description: Internal error and highly generic. Refer to [procName] and [phLogDetail] tags in the actual log
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
errorString | Error String | string | This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_FUNC_OBJ_DEF_GET_FAILED
Description: Internal error and highly generic. Refer to [procName] and [phLogDetail] tags in the actual log
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_FUNC_OBJ_DEF_UNKNOWN
Description: Internal error and highly generic. Refer to [procName] and [phLogDetail] tags in the actual log
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_ID_LOC_DEVICE_EXCLUDED_INVALID
Description: FortiSIEM Identity and location module encountered invalid excluded device
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_ID_LOC_EVENT_SEND_FAILED
Description: FortiSIEM Identity and location module failed to upload events
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64bit resolution. |
EventType: PH_REPORT_ID_LOC_RESULT_UPLOAD_FAILED
Description: FortiSIEM Identity and location module failed to upload results to App Server
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
httpStatusCode | HTTP Status | string | |
EventType: PH_REPORT_ID_LOC_SYNCH_DATA_UPLOAD_FAILED
Description: FortiSIEM Identity and location module failed to upload Synch Data (Worker to Master)
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64bit resolution. |
EventType: PH_REPORT_ID_LOC_USER_ALREADY_EXCLUDED
Description: FortiSIEM Identity and location module found already excluded user
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
user | User | string | |
EventType: PH_REPORT_ID_LOC_USER_EXCLUDE_FAILED
Description: FortiSIEM Identity and location module failed to exclude user
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
user | User | string | |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
EventType: PH_REPORT_INDEX_OVERFLOW
Description: Query Master/phRuleMaster/Report Master/Report Worker/Report Loader/Data Manager/Identity Master/Identity Worker encountered index out of bound. Related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
seqNum | Sequence Number | uint64 | TCP Sequence number field in TCP header. |
size | Size | uint32 | |
EventType: PH_REPORT_IP_GET_FAILED
Description: Failed to get host IP
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
hostName | Host Name | string | This is the hostname of the device of interest in the event |
EventType: PH_REPORT_IP_TYPE_INVALID
Description: Invalid IP type
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_KEY_LOAD_FAILED
Description: FortiSIEM Report module failed to load event attribute keys
Severity: 1 (Low)
Event Category: 3 (System Logs)
EventType: PH_REPORT_MODULE_INIT_FAILED
Description: Report Master/Report Worker/Report Loader/Identity Master/Identity Worker failed to initialize certain module. Related operation will fail
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
module | Module Name | string | |
errReason | Reason for Error | string | This is the reason for an error if given. |
EventType: PH_REPORT_MODULE_UNCONFIGURED
Description: Report Worker encountered unconfigured item. The process will terminate
Severity: 10 (High)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
module | Module Name | string | |
EventType: PH_REPORT_OLD_REPORT_DATA
Description: Report Master encountered older report data from Worker, might enlarge block_collection_window
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_REPORT_OP_UNEXPECTED
Description: Query Master/Report Master/Report Worker encountered unexpected operator type. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_ORDER_BY_ATTR_EMPTY
Description: Query Master/phRuleMaster/Report Master encountered empty order-by attributes in report. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
reportId | Report ID | uint32 | |
EventType: PH_REPORT_ORDER_BY_INVALID
Description: Query Master/phRuleMaster/Report Master encountered invalid order-by attributes in report. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
reportId | Report ID | uint32 | |
EventType: PH_REPORT_PACK_FAILED
Description: Failed to pack data
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
errReason | Reason for Error | string | This is the reason for an error if given. |
EventType: PH_REPORT_PACK_FAILED_COUNT
Description: Failed to pack or unpack data
Severity: 3 (Low)
Event Category: 3 (System Logs)
EventType: PH_REPORT_PARSED_EVENT_LOAD_FAILED
Description: FortiSIEM Report module failed to load event
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_PGDB_CONNECT_FAILED
Description: Report Loader failed to connect to Postgres DB. Report loading will fail
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_REPORT_PGDB_EXEC_FAILED
Description: Report Loader failed to execute SQL statement in Postgres DB. This report loading will fail
Severity: 1 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
dbQuery | Database Query | string | |
EventType: PH_REPORT_PGDB_NOT_CONNECTED
Description: Query Master/Report Loader encountered disconnected Postgres DB while executing SQL statement. This incident query or report loading will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
dbQuery | Database Query | string | |
EventType: PH_REPORT_PGDB_NOT_INIT
Description: Query Master/Report Loader encountered uninitialized Postgres DB connection manager. The process will terminate
Severity: 10 (High)
Event Category: 3 (System Logs)
EventType: PH_REPORT_POINTER_NULL
Description: Query Master/phRuleMaster/Report Master/Report Worker/Report Loader/Data Manager/Identity Master/Identity Worker encountered NULL pointer. Related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_POINTER_NULL_WARNING
Description: NULL pointer detected
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_POSITIVE_INTEGER_EXPECTED
Description: Query Master/Data Manager expected positive integer in performance data but got other value. Default value will be set instead
Severity: 3 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
compEventType | Component Event Type | string | This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute. |
EventType: PH_REPORT_PQ_ERROR
Description: Query Master/Report Loader encountered PQ function error in Postgres DB. This incident query or report loading will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
funName | Function Name | string | |
errorString | Error String | string | This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_PROFILE_TYPE_BAD
Description: FortiSIEM Report module encountered bad profile
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_PROFILE_TYPE_WRONG_FORMAT
Description: Query Master encountered wrong format of profile. This inline query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
reportId | Report ID | uint32 | |
EventType: PH_REPORT_PROFILE_UPDATE_FAILED
Description: FortiSIEM Report module failed to upload profile
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
profDateType | Profile Date Type | uchar | |
EventType: PH_REPORT_ROW_LENGTH_ZERO
Description: Query Master encountered empty row for given report ID. This inline query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
reportId | Report ID | uint32 | |
EventType: PH_REPORT_RULE_ATTR_MISSING
Description: Query Master failed to locate certain rule attribute in profile. This profile query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
ruleName | Rule Name | string | FortiSIEM rule name. |
EventType: PH_REPORT_SCHEMA_INCOMPATIBLE
Description: Query Master/Report Master encountered incompatible report schema. This inline query or report rolling will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_SCHEMA_INVALID
Description: Query Master/Report Master encountered invalid report schema. This inline query or report rolling will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_SCHEMA_LOAD_FAILED
Description: Query Master/Report Master failed to load report schema. This inline query or report rolling will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_SQLITE3_BATCH_BEGIN_FAILED
Description: Report Master failed to begin SQLite3 batch transaction. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
dbName | DB Name | string | |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
profDateType | Profile Date Type | uchar | |
hourOfDay | Hour Of Day | uint16 | This attribute is not used |
EventType: PH_REPORT_SQLITE3_BATCH_COMMIT_FAILED
Description: Report Master failed to commit SQLite3 batch transaction. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
dbName | DB Name | string | |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
profDateType | Profile Date Type | uchar | |
hourOfDay | Hour Of Day | uint16 | This attribute is not used |
EventType: PH_REPORT_SQLITE3_BIND_VALUE_FAILED
Description: Report Master failed to bind certain value to SQLite3. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
tablespaceName | DB Tablespace Name | string | |
dbRetCode | DB Return Code | uint32 | |
errorString | Error String | string | This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_SQLITE3_BUSY
Description: Report Master encountered SQLite3 busy state. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
dbRetCode | DB Return Code | uint32 | |
errorString | Error String | string | This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_SQLITE3_BUSY_TIMEOUT_ERROR
Description: Report Master encountered SQLite3 busy timeout. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
dbName | DB Name | string | |
dbRetCode | DB Return Code | uint32 | |
EventType: PH_REPORT_SQLITE3_CHECKPOINT_FAILED
Description: FortiSIEM Report module failed to checkpoint profile
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
dbName | DB Name | string | |
dbRetCode | DB Return Code | uint32 | |
errorString | Error String | string | This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_SQLITE3_COMMIT_ERROR
Description: Report Master encountered commit error in SQLite3. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
tablespaceName | DB Tablespace Name | string | |
EventType: PH_REPORT_SQLITE3_CONFIG_FAILED
Description: Report Master failed to configure SQLite3 with multi-thread mode. Performance will degrade
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
dbName | DB Name | string | |
dbRetCode | DB Return Code | uint32 | |
errorString | Error String | string | This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_SQLITE3_ENABLE_SHARED_CACHE_FAILED
Description: Report Master failed to enable shared cache for SQLite3. Performance will degrade
Severity: 5 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
dbName | DB Name | string | |
dbRetCode | DB Return Code | uint32 | |
EventType: PH_REPORT_SQLITE3_EXEC_FAILED
Description: Report Master failed to execute SQLite3 statement. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
dbName | DB Name | string | |
dbQuery | Database Query | string | |
dbRetCode | DB Return Code | uint32 | |
errorString | Error String | string | This is the error message, synonymous to attribute errReason |
tablespaceName | DB Tablespace Name | string | |
EventType: PH_REPORT_SQLITE3_EXTENDED_RESULT_CODES_ERROR
Description: Report Master failed to enable extended result codes for SQLite3. Maintainability will degrade
Severity: 3 (Low)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
dbName | DB Name | string | |
dbRetCode | DB Return Code | uint32 | |
EventType: PH_REPORT_SQLITE3_OPEN_FAILED
Description: Report Master failed to open SQLite3. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
dbName | DB Name | string | |
dbRetCode | DB Return Code | uint32 | |
errorString | Error String | string | This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_SQLITE3_PREPARE_ERROR
Description: Report Master failed to prepare SQLite3 statement. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
tablespaceName | DB Tablespace Name | string | |
dbQuery | Database Query | string | |
dbRetCode | DB Return Code | uint32 | |
errorString | Error String | string | This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_SQLITE3_PROFILE_ENTRY_DELETE_FAILED
Description: Report Master failed to delete profile entry from SQLite3. Profile or Daily DB will contain redundant data
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
dbName | DB Name | string | |
reportId | Report ID | uint32 | |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
profDateType | Profile Date Type | uchar | |
hourOfDay | Hour Of Day | uint16 | This attribute is not used |
EventType: PH_REPORT_SQLITE3_PROFILE_NOT_FOUND
Description: Report Master failed to find profile ID in SQLite3. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
dbName | DB Name | string | |
reportId | Report ID | uint32 | |
EventType: PH_REPORT_SQLITE3_STEP_ERROR
Description: Report Master failed to step SQLite3 statement. Profile or Daily DB will not be updated
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
tablespaceName | DB Tablespace Name | string | |
dbRetCode | DB Return Code | uint32 | |
errorString | Error String | string | This is the error message, synonymous to attribute errReason |
EventType: PH_REPORT_UNPACK_FAILED
Description: Rule Master failed to unpack rule data from Rule Workers, causing potential incident loss.
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
errReason | Reason for Error | string | This is the reason for an error if given. |
EventType: PH_REPORT_VALUE_TYPE_LOOKUP_BY_ID_FAILED
Description: Report-related process failed to lookup value type by attribute ID. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_VALUE_TYPE_LOOKUP_BY_NAME_FAILED
Description: Report-related process failed to look up value type by attribute name. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_VALUE_TYPE_OF_ID_UNEXPECTED
Description: Report-related process encountered unexpected value type of certain attribute ID. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_VALUE_TYPE_OF_NAME_UNEXPECTED
Description: Report-related process encountered unexpected value type of certain attribute name. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_VALUE_TYPE_OF_STAT_UNEXPECTED
Description: Report-related process encountered unexpected value type of stat item. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_VALUE_TYPE_UNSUPPORTED
Description: Report-related process encountered unsupported value type. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_WORKER_UPLOAD_FAILED
Description: Failed to upload a data block buffer
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
reportId | Report ID | uint32 | |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant |
EventType: PH_REPORT_XML_ELEMENT_DUPLICATE
Description: Query Master encountered duplicate XML element. This performance metrics update will not be complete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
task | Task | string | |
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64-bit resolution. |
compEventType | Component Event Type | string | This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute. |
EventType: PH_REPORT_XML_ELEMENT_MISSING
Description: Report Master failed to locate certain XML element. This report rolling will be incomplete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
task | Task | string | |
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64-bit resolution. |
EventType: PH_REPORT_XML_ELEMENT_PARSE_FAILED
Description: Query Master failed to parse certain XML element. This performance metrics update will not be complete
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
task | Task | string | |
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64-bit resolution. |
compEventType | Component Event Type | string | This is the event type in the Incident event. Since Incident itself is an event with its own event type, this variable is needed to capture the event type of the triggering events in the IncidentDetail attribute. |
EventType: PH_REPORT_XML_PARSE_FAILED
Description: Report-related process failed to parse certain XML. The related operation will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
task | Task | string | |
totBytes64 | Total Bytes64 | uint64 | Total number of sent and received bytes by a host. This has 64-bit resolution. |
EventType: PH_REPORT_ZLIB_COMPRESSION_TYPE_UNKNOWN
Description: Query Master encountered unknown Zlib compression type for report results file. This inline query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
EventType: PH_REPORT_ZLIB_UNCOMPRESS_FAILED
Description: Query Master failed to uncompress Zlib report results file. This inline query will fail
Severity: 7 (Medium)
Event Category: 3 (System Logs)
Attributes:
Id | Display name | Type | Description |
---|---|---|---|
exitValue | Command exit value | int32 | |