
All Logs Page 1


Every FortiSIEM internally generated event log regardless of category



EventType: JDBC_PULL_UNSUPP_DEV

Description: Unsupported device type for JDBC Pull

Severity: 6 (Medium)

Event Category: 3 (System Logs)


EventType: JMX_JDBC_PULL_STAT

Description: JDBC Event pull statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: MSSQL_JDBC_PULL_STAT

Description: JDBC Event pull statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: MYSQL_JDBC_PULL_STAT

Description: JDBC Event pull statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: ORADB_JDBC_PULL_STAT

Description: JDBC Event pull statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_ACI_ATTR_NOT_FOUND

Description: Agent Manager Cisco ACI monitoring module cannot find specific attribute

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_ACI_CURL_HANDLE_GET_FAILED

Description: Agent Manager Cisco ACI monitoring module unable to get curl handle

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_ACI_FILE_WRITE_ERROR

Description: Agent Manager Cisco ACI monitoring module unable to write timestamp file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_ACI_JSON_PARSE_FAILED

Description: Agent Manager Cisco ACI monitoring module failed to parse JSON

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_ACI_SERVER_EMPTY

Description: Agent Manager Cisco ACI monitoring module found server is empty

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_ACI_TOKEN_GET_FAILED

Description: Agent Manager Cisco ACI monitoring module cannot get login token

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_ALERTLOGIC_CURL_HANDLE_GET_FAILED

Description: Agent Manager Alert Logic log parsing module unable to get curl handle

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_ALERTLOGIC_FILE_LOAD_ERROR

Description: Agent Manager Alert Logic log parsing module failed to load file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_ALERTLOGIC_FILE_READ_ERROR

Description: Agent Manager Alert Logic log parsing module found wrong format in file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_ALERTLOGIC_FILE_WRITE_ERROR

Description: Agent Manager Alert Logic log parsing module unable to write timestamp file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_ALERTLOGIC_INVALID_DATA

Description: Agent Manager Alert Logic log parsing module found invalid data format

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_ALERTLOGIC_INVALID_PATH

Description: Agent Manager Alert Logic log parsing module found invalid incident path

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_ALERTLOGIC_QUERY_INTERVAL_TOO_LONG

Description: Agent Manager Alert Logic log parsing module found that the query interval is too long; it will be narrowed to one week

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_ALERTLOGIC_SERVER_EMPTY

Description: Agent Manager Alert Logic log parsing module found server is empty

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_AMPCLOUD_CURL_CONNECT_FAILED

Description: Agent Manager AMP Cloud log parsing module unable to connect to server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
infoURL | Informational URL | string | This field captures a URL if present in an event
httpStatusCode | HTTP Status | string



EventType: PH_AGENTMGR_AMPCLOUD_CURL_HANDLE_GET_FAILED

Description: Agent Manager AMP Cloud log parsing module unable to get curl handle

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_AMPCLOUD_FILE_LOAD_ERROR

Description: Agent Manager AMP Cloud log parsing module failed to load file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_AMPCLOUD_FILE_READ_ERROR

Description: Agent Manager AMP Cloud log parsing module found wrong format in file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_AMPCLOUD_INVALID_DATA

Description: Agent Manager AMP Cloud log parsing module found invalid data format

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_AMPCLOUD_JSON_PARSE_FAILED

Description: Agent Manager AMP Cloud log parsing module failed to parse JSON

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_AGENTMGR_AMPCLOUD_NO_DEFINE_SEVERITY

Description: Agent Manager AMP Cloud log parsing module found event severity is not defined

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_AMPCLOUD_SERVER_EMPTY

Description: Agent Manager AMP Cloud log parsing module found server is empty

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_API_PERMISSION_MISSING

Description: The required API permission is missing

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_AWSCLOUDWATCH_GETLOGS

Description: Attempting to get CloudWatch logs from log group and stream

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
groupName | Group Name | string
streamName | AWS Stream Name | string
startTime | Start Time | Date | This is the start time of a given item or task, and is stored in epoch milliseconds
endTime | End Time | Date | This is the end time of a given item or task, stored in epoch milliseconds.



EventType: PH_AGENTMGR_AWSFLOWLOG_EVENT_PULL_FAILED

Description: Agent Manager AWS module failed to get AWS Flow log after 5 tries

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_AWSFLOWLOG_FILE_WRITE_ERROR

Description: Agent Manager AWS Flow log handling module unable to write timestamp file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_AWSFLOWLOG_LOG_FORMAT_WRONG

Description: Agent Manager AWS Flow log handling module encountered wrong log format

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_AWSKINESIS_CONSUMER_START_FAILED

Description: Failed to start Kinesis consumer process

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_AWS_CACHE_FILE_ERROR

Description: Agent Manager AWS Cache file is not available

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_AWS_DELETE_OJECTKEY_FAILED

Description: Failed to delete object key from SQS

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_AWS_DOWNLOAD_OJECT_FAILED

Description: Failed to download object from bucket

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_AWS_EVT_DOWNLOAD_FAILED

Description: Agent Manager AWS module failed to download event because do_system failed

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
command | Command | string



EventType: PH_AGENTMGR_AWS_EVT_SEND_FAILED

Description: Agent Manager AWS module failed to send cloudtrail event to phParser after 5 tries

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_AWS_GET_OJECTKEY_FAILED

Description: Agent Manager AWS agent failed to get object key from SQS

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_AWS_GZ_FILE_OPEN_ERROR

Description: Agent Manager AWS module failed to open gz file, or not enough memory to open it

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_AWS_JSON_PARSE_FAILED

Description: Agent Manager AWS module failed to parse JSON

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_AWS_SQSURL_FORMAT_ERROR

Description: Agent Manager AWS SQS URL format is wrong

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_BOX_API_CALL_FAILED

Description: Agent Manager BOX module failed to call BOX API

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_BOX_ATTR_NOT_FOUND

Description: Agent Manager BOX module cannot find attribute

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_BOX_EVENT_PULL_FAILED

Description: Agent Manager BOX module failed to pull BOX log

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
accountName | Account Name | string
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_BOX_FILE_ID_EMPTY

Description: Agent Manager BOX module found empty file ID

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_BOX_FILE_LIMIT_EXCEED

Description: Agent Manager BOX module found that the number of monitored files exceeded the limit

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_BOX_FILE_NOT_MONITORED_ERROR

Description: Agent Manager BOX module found that the file was not monitored before

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_BOX_FILE_PATH_PARSE_FAILED

Description: Agent Manager BOX module could not parse file path

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_BOX_FILE_TYPE_WRONG

Description: Agent Manager BOX module found wrong file type

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
fileType | File Type | string



EventType: PH_AGENTMGR_BOX_FOLDER_TYPE_WRONG

Description: Agent Manager BOX module found wrong folder type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_BOX_HTTP_NO_RESPONSE

Description: Agent Manager BOX module did not find response from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
serverName | Server Name | string



EventType: PH_AGENTMGR_BOX_JSON_PARSE_FAILED

Description: Agent Manager BOX module failed to parse JSON

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_BOX_RESPONSE_NO_SPECIAL_ATTRIBUTE

Description: Agent Manager BOX module response doesn't have special node

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_BOX_TIME_CONVERT_FAILED

Description: Agent Manager BOX module could not convert time

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
exitValue | Command exit value | int32



EventType: PH_AGENTMGR_BOX_XML_PARSE_FAILED

Description: Agent Manager BOX module failed to parse XML from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_CISCOAMP_CONSUMER_START_FAILED

Description: Failed to start Cisco AMP consumer process

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_CLOUDPASSAGE_API_CALL_FAILED

Description: CloudPassage Halo REST API call failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_CLOUDPASSAGE_FILE_WRITE_ERROR

Description: Unable to write timestamp file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_CLOUDPASSAGE_GET_EVENT_FAILED

Description: Failed to get event from CloudPassage API

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_CLOUDPASSAGE_JSON_EMPTY

Description: JSON is empty

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_CLOUDPASSAGE_JSON_PARSE_FAILED

Description: Failed to parse JSON

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_CLOUDPASSAGE_TOKEN_EMPTY

Description: Token is empty

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_CLOUDTRAIL_FILE_READ_FAILED

Description: Agent Manager AWS CloudTrail module encountered error while reading CloudTrail queue cache file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_CONFIG_ERROR

Description: Agent Manager's own configuration error

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_CONFIG_VERSION_SEND_FAILED

Description: Agent Manager failed to send config version to App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorNo | Error Number Unsigned | uint32 | This is an unsigned integer error number



EventType: PH_AGENTMGR_CONFIG_WARNING

Description: FortiSIEM Agent Manager configuration warning

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_AGENTMGR_CREDENTIAL_GET_FAILED

Description: Agent Manager failed to get credentials

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
jobName | Job Name | string
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_CROWDSTRIKE_GET_DATAFEED_URL_FAILED

Description: Failed to get CrowdStrike data feed URL

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_CUST_RESULT_UPLOAD_FAILED

Description: Agent Manager failed to upload test custom performance monitor result XML to App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_DIR_CREATE_FAILED

Description: Could not create directory

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
dirName | Directory Name | string



EventType: PH_AGENTMGR_EVENT_PULL_FAILED

Description: Agent Manager Rapid7 InsightVM pulling engine failed to pull log

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
accountName | Account Name | string
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_FALCONDATAREP_SCRIPT_FAILED

Description: Failed to run Falcon Data Replicator script

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_FILE_PARSE_ERROR

Description: Agent Manager/module failed to parse file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_FILE_WRITE_ERROR

Description: Agent Manager Rapid7 InsightVM pulling engine failed to write file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_FIREAMP_CERT_DOWNLOAD_FAILED

Description: Agent Manager/FireAMP Module cannot download certificate file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_FIREAMP_DATA_FORMAT_SET_FAILED

Description: Agent Manager/FireAMP Module encountered missing event mapping configuration

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_FIREAMP_EVENT_PULL_FAILED

Description: Agent Manager/FireAMP Module failed to pull log from server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
serverName | Server Name | string
exitValue | Command exit value | int32



EventType: PH_AGENTMGR_FIREAMP_EVT_TYPE_LOAD_FAILED

Description: Agent Manager/FireAMP Module encountered empty event mapping configuration

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_FIREAMP_FILE_LOAD_ERROR

Description: Agent Manager/FireAMP Module failed to load file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_FIREAMP_FILE_OPEN_ERROR

Description: Agent Manager/FireAMP Module failed to open file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string
exitValue | Command exit value | int32



EventType: PH_AGENTMGR_FIREAMP_INVALID_DATA

Description: Agent Manager/FireAMP Module found invalid response data

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_FIREAMP_NEW_AGENT_FAILED

Description: Agent Manager/FireAMP Module: new agent failed

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_FIREAMP_NO_ATTR

Description: No configuration event attribute

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_FIREAMP_NO_PROTOCOL

Description: Cannot find protocol number in IANA table

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_FORTICASB_GET_SERVICE_ALERT_ERROR

Description: Failed to get service alerts

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
serviceName | Service Name | string



EventType: PH_AGENTMGR_FORTICASB_GET_SERVICE_ERROR

Description: Failed to get services

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
unitId | Unit Id | string



EventType: PH_AGENTMGR_FORTINDR_GET_API_CALL_FAILED

Description: FortiNDR cloud integration failed to call API URI

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
msg | Message | string
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_FORTINDR_GET_API_CALL_NEXT_PAGE

Description: FortiNDR paginated API call being made

Severity: 4 (Low)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
msg | Message | string



EventType: PH_AGENTMGR_FORTINDR_GET_API_CALL_NO_RESULTS

Description: API call to FortiNDR API returned no results; this is normal if there are no results in the defined time interval

Severity: 4 (Low)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
msg | Message | string



EventType: PH_AGENTMGR_FORTINDR_GET_API_CALL_RESULTS

Description: FortiNDR cloud integration called API URI successfully

Severity: 4 (Low)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
msg | Message | string



EventType: PH_AGENTMGR_FORTINDR_GET_BUCKET_KEY

Description: FortiNDR integration is processing an S3 bucket key

Severity: 4 (Low)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
bucketName | Bucket Name | string
userKey | User Key | string
categoryType | Category Type | string



EventType: PH_AGENTMGR_FORTINDR_GET_BUCKET_OBJ

Description: FortiNDR integration is downloading an object from S3 bucket

Severity: 4 (Low)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
bucketName | Bucket Name | string
userKey | User Key | string
categoryType | Category Type | string



EventType: PH_AGENTMGR_GET_SCAN_RESULTS_FAILED

Description: Failed to get the scan result

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_GITHUB_API_CALL_FAILED

Description: Agent Manager/GitHub module failed to call GitHub API

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_GITHUB_CREDENTIAL_GET_FAILED

Description: Agent Manager/GitHub module failed to get credential from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
serverName | Server Name | string



EventType: PH_AGENTMGR_GITHUB_EVENT_PULL_FAILED

Description: Agent Manager/GitHub module failed to pull log

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
accountName | Account Name | string
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_GITHUB_FILE_OPEN_ERROR

Description: Agent Manager/GitHub module failed to open file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_GITHUB_JSON_PARSE_FAILED

Description: Agent Manager/GitHub module failed to parse JSON response from GitHub server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_GITHUB_TIME_CONVERT_FAILED

Description: Agent Manager/GitHub module failed to convert time in JSON response from GitHub server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_GIT_CLONE_REPO_FAILED

Description: Failed to git clone via do_system

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
command | Command | string



EventType: PH_AGENTMGR_GIT_HANDLE_ERR_FILE_FAILED

Description: Failed to handle error file

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_GIT_PULL_EVT_FAILED

Description: Failed to get git log via do_system

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
command | Command | string



EventType: PH_AGENTMGR_GIT_SAVE_COMMITID_FAILED

Description: Failed to save CommitId of repository

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_GZ_FILE_OPEN_ERROR

Description: Failed to open gz file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_INIT_AGENT

Description: Initialize agent

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_INIT_CACHE_FILE_FAILED

Description: FortiSIEM Agent Manager failed to initialize cache

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
jobName | Job Name | string



EventType: PH_AGENTMGR_INIT_NO_CRED

Description: Agent Manager/Cisco IPS log pulling module failed to initialize due to missing credentials

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
jobName | Job Name | string



EventType: PH_AGENTMGR_INVALID_MGR

Description: Invalid Agent Manager

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_IPS_AUTH_FAILED

Description: Agent Manager/Cisco IPS log pulling module found wrong user name or password for logging in to IPS appliance

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_IPS_EVENT_PULL_FAILED

Description: Agent Manager/Cisco IPS log pulling module failed to pull Cisco IPS log from server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
serverName | Server Name | string
errorNo | Error Number Unsigned | uint32 | This is an unsigned integer error number



EventType: PH_AGENTMGR_IPS_FILE_OPEN_ERROR

Description: Agent Manager/Cisco IPS log pulling module failed to open file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_IPS_OBTAIN_SUBSCRIPTION_FAILED

Description: Agent Manager/Cisco IPS log pulling module failed to obtain subscription id

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_IPS_SET_SSL_FAILED

Description: SSL setting does not work

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_JAVA_AGENT_PIPE_WRITE_FAILED

Description: Failed to write to Java agent pipe

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
exitValue | Command exit value | int32



EventType: PH_AGENTMGR_JAVA_AGENT_START_FAILED

Description: Agent Manager failed to start Java agent, will retry

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_JAVA_AGENT_TYPE_UNKNOWN

Description: Agent Manager encountered unknown Java agent job type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_JAVA_AGENT_USER_MISSING

Description: FortiSIEM Agent Manager found user name missing in Java Agent configuration

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event.



EventType: PH_AGENTMGR_JAVA_AGENT_ZOMBIE

Description: Agent Manager found Java Agent is in zombie state

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_JAVA_CMD_SEND_FAILED

Description: Agent Manager failed to send commands to Java agent; it needs to be killed

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_JAVA_FORK_FAILED

Description: Agent Manager failed to fork Java Agent

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
exitValue | Command exit value | int32



EventType: PH_AGENTMGR_JAVA_INCOMPLETE_DEV_INFO

Description: Agent Manager found incomplete device info for Java Agent

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_JAVA_NO_DEV_TYPE_FOR_JDBC

Description: Agent Manager encountered missing device type for Java Agent JDBC monitoring

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
serverIpAddr | Server IP | IP



EventType: PH_AGENTMGR_JAVA_NO_STATUS_FILE

Description: Agent Manager missing status file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_JAVA_PIPE_FAILED

Description: Agent Manager failed to pipe command for Java Agent

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
exitValue | Command exit value | int32



EventType: PH_AGENTMGR_JAVA_PROCESS_STATE_GET_FAILED

Description: Agent Manager failed to get Java Agent process state

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_JAVA_SIGKILL_SEND_FAILED

Description: Agent Manager failed to send SIGKILL to Java agent

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
exitValue | Command exit value | int32



EventType: PH_AGENTMGR_JAVA_UNSUPPORT_DEV_TYPE_FOR_JDBC

Description: Agent Manager encountered unsupported device type for Java Agent JDBC monitoring

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
serverIpAddr | Server IP | IP



EventType: PH_AGENTMGR_JAVA_USER_PWD_GET_FAILED

Description: Agent Manager failed to get user name and password

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_JSON_PARSE_FAILED

Description: Agent Manager Rapid7 InsightVM monitoring module failed to parse JSON

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_KAFKA_CONSUME_LOG_FAILED

Description: Agent Manager / Kafka Consumer failed to pull log

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_KAFKA_CREATE_CONSUMER

Description: phKafkaConsumer created a consumer handle successfully

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
groupName | Group Name | string
user | User | string
topicName | Topic Name | string | Kafka Topic Name



EventType: PH_AGENTMGR_KAFKA_CREATE_CONSUMER_FAILED

Description: Agent Manager / Kafka Consumer failed to create consumer

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:
Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_KAFKA_CREATE_PRODUCER_FAILED

Description: Agent Manager / Kafka Consumer failed to create producer

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_KAFKA_CREATE_TOPIC_FAILED

Description: Agent Manager / Kafka Consumer failed to create topic

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
topicName | Topic Name | string | Kafka Topic Name
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_KAFKA_ERROR

Description: Agent Manager / Kafka Consumer encountered an error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason
count | Count | uint32 | A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group-by parameters occurs again, the count is incremented and the Last Seen time is advanced. Count can be used for other events also.



EventType: PH_AGENTMGR_KAFKA_METADATA_FAILED

Description: Agent Manager / Kafka Consumer failed to get metadata

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_KAFKA_PRODUCER_ERROR

Description: Event Forwarder failed to write events into Kafka

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason
count | Count | uint32 | A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group-by parameters occurs again, the count is incremented and the Last Seen time is advanced. Count can be used for other events also.



EventType: PH_AGENTMGR_KAFKA_PULL_JOB_FAILED

Description: Agent Manager / Kafka Consumer failed to Consume log

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_KAFKA_REBALANCE

Description: Kafka rebalanceCb

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_KAFKA_RELEASE_CONSUMER

Description: phKafkaConsumer releases a consumer handle

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
groupName | Group Name | string
user | User | string
topicName | Topic Name | string | Kafka Topic Name



EventType: PH_AGENTMGR_KAFKA_START_FAILED

Description: Agent Manager / Kafka Consumer failed to start

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_KAFKA_SUBSCRIBE_FAILED

Description: Agent Manager / Kafka Consumer failed to subscribe topic

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
topicName | Topic Name | string | Kafka Topic Name
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_KAFKA_UPDATE_CONFIG_FAILED

Description: Agent Manager / Kafka Consumer failed to update attribute in config

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_KAFKA_UPDATE_ERROR

Description: Agent Manager / Kafka Consumer failed to update

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_KILL_PROCESS

Description: Try to kill process

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_MSAZURE_CONFIG_ARM_FAILED

Description: Agent Manager / MS Azure config mode arm failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
exitValue | Command exit value | int32



EventType: PH_AGENTMGR_MSAZURE_DOWNLOAD_FAILED

Description: Agent Manager / MS Azure failed to download Azure audit log

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_MSAZURE_JSON_EMPTY

Description: Agent Manager / MS Azure found empty returned JSON from Azure

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_MSAZURE_JSON_FILE_NAME_EMPTY

Description: Agent Manager / MS Azure JSON file name is empty from Azure

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_MSAZURE_JSON_FILE_PARSE_FAILED

Description: Agent Manager / MS Azure found malformed JSON file from Azure

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_MSAZURE_JSON_PARSE_FAILED

Description: Agent Manager / MS Azure found malformed JSON from Azure

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_MSAZURE_LOGIN_FAILED

Description: Agent Manager / MS Azure failed to login to Azure

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_MSG_QUEUE_ACCESS_FAILED

Description: Agent Manager failed to access message queue

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_MSG_RECV_FAILED

Description: Agent Manager failed to receive msg

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
exitValue | Command exit value | int32



EventType: PH_AGENTMGR_OFFICE365_API_CALL_FAILED

Description: Agent Manager / Office365 log pulling engine failed to call API

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_OFFICE365_EVENT_PULL_FAILED

Description: Agent Manager / Office365 log pulling engine failed to pull log

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
accountName | Account Name | string
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_OFFICE365_FILE_WRITE_ERROR

Description: Agent Manager / Office365 log pulling engine unable to write timestamp file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_OFFICE365_GET_SUBSCRIBE_FAILED

Description: FortiSIEM Agent Manager failed to get Office365 subscription

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_OFFICE365_JSON_PARSE_FAILED

Description: Agent Manager / Office365 log pulling engine failed to parse Office365 JSON

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_OFFICE365_START_SUBSCRIBE_FAILED

Description: FortiSIEM Agent Manager failed to start Office365 subscription

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_OFFICE365_SUBSCRIBE_EMPTY

Description: FortiSIEM Agent Manager found Office365 subscription to be empty

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_OFFICE365_SUBSCRIBE_FAILED

Description: Agent Manager / Office365 log pulling engine failed to get subscription list

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_OFFICE365_TOKEN_EMPTY

Description: Agent Manager / Office365 log pulling engine found empty Token

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_OKTA_EVT_DOWNLOAD_FAILED

Description: Agent Manager / OKTA failed to download events

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_OKTA_FILE_WRONG

Description: Agent Manager / OKTA encountered wrong Okta user list file. Please download again

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_OKTA_NO_USER_INFO

Description: Agent Manager / OKTA user list file doesn't contain any user info

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_OKTA_RESULT_UPLOAD_FAILED

Description: Agent Manager / OKTA failed to upload discovery result to App server

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_OKTA_RESULT_UPLOAD_WARNING

Description: FortiSIEM Agent Manager failed to upload OKTA User list to App Server

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_PARSER_UNABLE_CONNECT

Description: Agent Manager unable to connect to parser host

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event.
ipPort | IP Port | uint16 | IP port number



EventType: PH_AGENTMGR_PERF_OBJ_PARSE_FAILURE

Description: Agent Manager did not find any performance objects to monitor

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_PROCESS_INIT_FAILED

Description: Agent Manager failed to initialize

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_PULLING_JOB_OUTDATE

Description: FortiSIEM Agent Manager job pull error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
jobName | Job Name | string
serverIpAddr | Server IP | IP



EventType: PH_AGENTMGR_REST_API_CALL_FAILED

Description: Agent fails to call REST API

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason
infoURL | Informational URL | string | This field captures a URL if present in an event
httpStatusCode | HTTP Status | string



EventType: PH_AGENTMGR_RSAS_XML_PARSE_FAILED

Description: AgentManager failed to parse XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_RUN_CMD_FAILED

Description: do_system failed

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
command | Command | string
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_RUN_SCRIPT_FAILED

Description: AgentManager failed to run script

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_RUN_SCRIPT_WITHOUT_TASK_ID

Description: AgentManager found missing task id in run script notification

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_ATTR_NOT_FOUND

Description: Agent Manager / Salesforce log pulling engine cannot find attribute

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_COLUMN_NOT_FOUND

Description: Agent Manager / Salesforce log pulling engine cannot find a specific column in Salesforce Event Log File

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_CURL_EXECUTE_FAILED

Description: Agent Manager / Salesforce log pulling engine failed to execute curl to get Salesforce log

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
infoURL | Informational URL | string | This field captures a URL if present in an event
errorNo | Error Number Unsigned | uint32 | This is an unsigned integer error number



EventType: PH_AGENTMGR_SALESFORCE_CURL_HANDLE_GET_FAILED

Description: Agent Manager / Salesforce log pulling engine unable to get curl handle

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_FILE_LOAD_ERROR

Description: Agent Manager / Salesforce log pulling engine failed to load file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_SALESFORCE_FILE_WRITE_ERROR

Description: Agent Manager / Salesforce log pulling engine unable to write timestamp file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_SALESFORCE_INVALID_DATA

Description: Agent Manager / Salesforce log pulling engine received invalid response from Salesforce

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_INVALID_LOG_FILE

Description: Agent Manager / Salesforce log pulling engine received invalid Salesforce Event Log File CSV

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_JSON_PARSE_FAILED

Description: Agent Manager / Salesforce log pulling engine failed to parse JSON

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_LOGIN_FAILED

Description: Agent Manager / Salesforce log pulling engine failed to login to Salesforce

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason
infoURL | Informational URL | string | This field captures a URL if present in an event



EventType: PH_AGENTMGR_SALESFORCE_SERVER_EMPTY

Description: Agent Manager / Salesforce log pulling engine found Server is empty

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_TOKEN_GET_FAILED

Description: Agent Manager / Salesforce log pulling engine can't get login token

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_TOKEN_REGET_FAILED

Description: Agent Manager / Salesforce log pulling engine login session has expired and it failed to re-get the token

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_VERSION_PATH_EMPTY

Description: Agent Manager / Salesforce log pulling engine found empty version path

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_XML_PARSE_FAILED

Description: Agent Manager / Salesforce log pulling engine failed to parse XML from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SCRIPT_NOTIFICATION_SPAWN_FAILED

Description: Agent Manager encountered error in spawning run script notification thread

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SERVER_HOST_NAME_RESOLVE_FAILED

Description: Agent Manager could not resolve server host name

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SERVER_HOST_NAME_RESOLVE_WARNING

Description: FortiSIEM Agent Manager failed to resolve Host Name to IP

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
serverName | Server Name | string
jobName | Job Name | string



EventType: PH_AGENTMGR_SERVER_IP_RESOLVE_FAILED

Description: Agent Manager could not resolve server IP

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SERVER_IP_RESOLVE_WARNING

Description: FortiSIEM Agent Manager failed to resolve IP to Host Name

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
serverIpAddr | Server IP | IP
jobName | Job Name | string



EventType: PH_AGENTMGR_SETUP_STREAM_FAILED

Description: Failed to setup stream connection

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_START_THREAD_FAILED

Description: Failed to start thread

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_STATUS_REPORT_FAILED

Description: Agent Manager failed to report task status to App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_STATUS_REPORT_INIT_FAILED

Description: Agent Manager failed to initialize job status reporter

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_STOP_STREAM_FAILED

Description: Failed to stop stream connection

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_TENABLE_EXPORT_SCAN_FAILED

Description: Exported scan failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_TENABLE_GET_DOWNLOAD_FAILED

Description: Download exported scan failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_TENABLE_GET_SCANS_FAILED

Description: Get the scan list failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_TENABLE_GET_STATUS_FAILED

Description: Check the file status of exported scan failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_TENABLE_PULL_FAILED

Description: Failed to pull Tenable.io data

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_TIME_CONVERTION_FAILED

Description: Agent Manager/module failed to convert time

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_TOKEN_GET_FAILED

Description: Agent Manager monitoring module cannot get login token

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_UNPACK_FILE_FAILED

Description: Agent Manager failed to unpack file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
fileName | File Name | string



EventType: PH_AGENTMGR_UPDATE_AGENT

Description: Update agent

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_UPDATE_BOOKMARK_FAILED

Description: Failed to update bookmark

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_UPDATE_WEBHOOK_CRED_FAILED

Description: Failed to update Webhook credential

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_UPDATE_WEBHOOK_CRED_SUCCESS

Description: Update Webhook credential successfully

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_WINDEFATP_API_CALL_FAILED

Description: Windows Defender ATP REST API call failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_WINDEFATP_FILE_WRITE_ERROR

Description: Unable to write timestamp file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_WINDEFATP_GET_ALERT_FAILED

Description: Failed to get alert from Windows Defender ATP

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_WINDEFATP_JSON_EMPTY

Description: JSON is empty

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_WINDEFATP_JSON_PARSE_FAILED

Description: Failed to parse JSON

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_WINDEFATP_TOKEN_EMPTY

Description: Token is empty

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_WMI_EVENT_PULL_ERROR

Description: Agent Manager / Windows WMI event log pulling engine encountered error

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_WMI_EVENT_PULL_WARNING

Description: FortiSIEM Agent Manager WMI event pull warning

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
serverName | Server Name | string
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_WMI_FILE_OPEN_ERROR

Description: Agent Manager / Windows WMI event log pulling engine failed to open file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string
exitValue | Command exit value | int32



EventType: PH_AGENTMGR_WMI_LOG_PULL_ERROR

Description: Failed to pull logs by WMI

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
hostName | Host Name | string | This is the hostname of the device of interest in the event
errorString | Error String | string | This is the error message, synonymous with attribute errReason
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_AGENTMGR_WMI_MISSING_LOG

Description: Some logs are missing

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_AGENTMGR_WMI_STATUS_REPORT_FAILED

Description: Agent Manager / Windows WMI event log pulling engine failed to report task status to App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_WMI_USER_PWD_GET_FAILED

Description: Agent Manager / Windows WMI event log pulling engine failed to get WMI user name and password

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_WVSS_XML_PARSE_FAILED

Description: Agent Manager / Windows WMI event log pulling engine failed to parse XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_XML_PARSE_FAILED

Description: Agent Manager / Windows WMI event log pulling engine failed to parse XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_ANOMALY_CONFIG

Description: Anomaly Detection System Config Event

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
profDateType | Profile Date Type | uchar
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant



EventType: PH_ANOMALY_LATERAL_MOVEMENT_ANALYZE

Description: FSM Anomaly engine: Lateral Movement Module in analyze mode

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
profDateType | Profile Date Type | uchar
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
startTime | Start Time | Date | This is the start time of a given item or task, and is stored in epoch milliseconds
endTime | End Time | Date | This is the end time of a given item or task, stored in epoch milliseconds.



EventType: PH_ANOMALY_LATERAL_MOVEMENT_DETECT

Description: FSM Anomaly engine detected Lateral Movement

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
profDateType | Profile Date Type | uchar
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
srcIpAddr | Source IP | IP | Source IP of a device as identified in the event.
srcIpAddrList | Source IP List | string | Comma separated list of source IP addresses as identified in a log message
destIpAddrList | Destination IP List | string | Comma separated list of destination IP addresses as identified in a log message
endTime | End Time | Date | This is the end time of a given item or task, stored in epoch milliseconds.



EventType: PH_ANOMALY_LATERAL_MOVEMENT_TRAIN

Description: FSM Anomaly engine: Lateral Movement Module in training mode

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
profDateType | Profile Date Type | uchar
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
startTime | Start Time | Date | This is the start time of a given item or task, and is stored in epoch milliseconds
endTime | End Time | Date | This is the end time of a given item or task, stored in epoch milliseconds.



EventType: PH_ANOMALY_SYSTEM

Description: Anomaly Detection System Event

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
profDateType | Profile Date Type | uchar
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant



EventType: PH_ANOMALY_TIMER

Description: Anomaly Detection System Timer Event

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
profDateType | Profile Date Type | uchar
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant



EventType: PH_APPSERVER_ADMIN_AGENT_GET_UPDATE_FAILED_ERROR

Description: App Server failed to get update

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_ADMIN_AGENT_UNKOWN_TASK_ID_ERROR

Description: App Server detects unknown Admin Agent task ID

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_ADMIN_CUST_GENERATE_KEY_ERROR

Description: App Server failed to generate organization key

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_ADMIN_GET_RESOURCE_FAILED

Description: App Server failed to get resource for admin tab

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_ADMIN_LOCATE_KEY_FAILED

Description: App Server failed to locate resource for admin tab

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_ADMIN_RESET_FIELD_FAILED_ERROR

Description: App Server failed to reset resource for admin tab

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_AUDIT_REPORT_EXPORT_ERROR

Description: Audit Data Export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_BEACON_LIB_ERROR

Description: App Server Beaconing library error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_BEACON_REGISTER_ERROR

Description: App Server Beaconing Register error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_BEACON_SERVER_ERROR

Description: App Server Beaconing Server error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_BEACON_WEB_SERVER_ERROR

Description: App Server Beaconing Web Server error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_BEAN_REF_CHECK_WARN

Description: App Server check entity bean reference warning

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_BEAN_SYNC_PROPERTIES_ERROR

Description: App Server entity bean sync properties error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_BEAN_TO_VALUE_ERROR

Description: App Server entity bean to property value map error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_BEAN_TO_XML_ERROR

Description: App Server entity to XML generation error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_BEAN_VALUE_TO_BEAN_ERROR

Description: App Server set value for Entity bean error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_CMDB_REPORT_DATA_ERROR

Description: CMDB Report Data error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_CMDB_REPORT_EXPORT_ERROR

Description: CMDB Report export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_CMDB_REPORT_IMPORT_ERROR

Description: CMDB Report import error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_CMDB_REPORT_QUERY_ERROR

Description: CMDB Report query error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_CMDB_REPORT_TYPE_ERROR

Description: CMDB Report Type error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_COLLECTOR_INFO_ERROR

Description: Collector information error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_COLLECTOR_LICENSE_ERROR

Description: Collector license error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_COLLECTOR_STATUS_ERROR

Description: Collector status error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_COMMONPWD_EXPORT_ERROR

Description: Common password data export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DASHBOARD_DATA_ERROR

Description: Dashboard Data error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DASHBOARD_HTML_BUILD_XML_ERROR

Description: App Server failed to build dashboard XML content

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DASHBOARD_WIDGET_ERROR

Description: Dashboard Widget error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DATA_IMPORT_ERROR

Description: App Server failed to import data during initialization

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DATA_ROBUST_INFO_ERROR

Description: Data Robust Info error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DB_CONNECTION_CLOSE_ERROR

Description: PostgreSQL database connection close error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DB_DATA_ERROR

Description: PostgreSQL database data error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DB_DELETE_ERROR

Description: PostgreSQL database data delete error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DB_QUERY_ERROR

Description: PostgreSQL database query error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DB_UPDATE_ERROR

Description: PostgreSQL database data update error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DISCOVERY_CREDENTIAL_DECRYPT_PASSWORD_WARN

Description: App Server discovery result credential decrypt error

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DISCOVERY_RESULT_ENCRYPT_XML_ELEMENT_ERROR

Description: App Server discovery result credential encrypt error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DISCOVERY_RESULT_ERROR

Description: App Server failed to process discovery result

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DISCOVERY_RESULT_UNKOWN_TASK_ID_ERROR

Description: App Server detects unknown Discovery Result task ID

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_EAMIL_GENERATE_EVENT_ERROR

Description: App Server failed to generate raw event for email notification

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_ELASTIC_UPDATE_ERROR

Description: App Server failed to update Elasticsearch configuration

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_EMAIL_PREPARE_DATA_ERROR

Description: App Server failed to prepare email body for email notification

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_EVENTDB_EXPORT_ERROR

Description: Event DB data export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_EVENT_ATTRIBUTE_BUILD_XML_ERROR

Description: App Server failed to build Event Attribute XML content

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_EXPORT_ERROR

Description: App Server Generic Export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_EXT_THREAT_INTEL_DOWNLOAD_ERROR

Description: External Threat Intelligence download error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_EXT_THREAT_INTEL_PARSE_ERROR

Description: External Threat Intelligence parse error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_EXT_THREAT_INTEL_UPDATE_ERROR

Description: External Threat Intelligence update error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FILE_NOT_FOUND

Description: App Server cannot find specified file

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FILE_READ_ERROR

Description: App Server cannot read from specified file

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FILE_SYSTEM_ERROR

Description: App Server encountered file system error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FILE_WRITE_ERROR

Description: App Server cannot write to specified file

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FLEX_INTERCEPTOR_NO_LOGIN_EXCEPTION_ERROR

Description: App Server encountered Flex API exception

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FORTIGUARD_IOC_INTEGRATION_ERROR

Description: FortiGuard IOC data download/parse error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FRAMEWORK_REGISTER_ERROR

Description: App Server Registration error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FRAMEWORK_RUN_THREAD_ERROR

Description: App Server run thread error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FRAMEWORK_SECURITY_CHECK_LICENSE_WARN

Description: App Server Check license warning

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FRAMEWORK_SECURITY_GET_ENTITY_MANAGER_ERROR

Description: App Server cannot get EntityManager

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FRAMEWORK_SECURITY_GET_RS_EXPIRATION_ERROR

Description: App Server Get Report Server expiration error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FRAMEWORK_SECURITY_INIT_SYSTEM_ERROR

Description: App Server Phoenix Caching system initialization failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FRAMEWORK_SERVICE_MISSED_WARN

Description: App Server cannot find service

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FRAMEWORK_SHUTDOWN_SERVICE_STARTER_WARN

Description: App Server cannot shutdown service starter

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_GENERIC_ERROR

Description: Unknown Application Server error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_GENERIC_INFO

Description: Generic Application Server Informational log

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_GENERIC_WARN

Description: Generic Application Server warning

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_GET_MAX_CONFIG_ITEM_COUNT_ERROR

Description: App Server encountered error while getting max system configuration item count

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_GROUP_DATA_ERROR

Description: Group Data error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_IDENTIYLOCATION_EXPORT_ERROR

Description: Identity location export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_INCIDENT_NOTIFY_ERROR

Description: App Server failed to notify Incident via email or other methods

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_INCIDENT_UPDATE_ERROR

Description: App Server failed to update Incident in PostgreSQL database

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_INTEGRATION_ERROR

Description: External ticketing system integration error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_INTEGRATION_UPDATE_POLICY_ERROR

Description: App Server encountered error while updating Ticketing system integration policy

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_INTEGRATION_UPDATE_POLICY_WARN

Description: App Server encountered warning while updating Ticketing system integration policy

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_INTEGRATION_WARN

Description: External ticketing system integration warning

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_IN_INTEGRATION_ERROR

Description: Inbound external ticketing system integration error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_IOC_LICENSE_CHECK_FAILED_WARN

Description: App Server failed to check External Threat Intelligence License

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_IOC_TASK_CREATE_FAILED_ERROR

Description: App Server failed to create External Threat Intelligence Update task

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_JOB_DISTRIBUTE_ERROR

Description: Application Server monitoring job distribution error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_LICENSE_EXPIRY_ERROR

Description: License Expiration error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_LICENSE_VALIDATION_ERROR

Description: License Validation error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_LOGIN_ERROR

Description: App Server Login exception

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_LOG_INTEGRITY_ERROR

Description: App Server failed to update log integrity hashes

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_MONITOR_AUDIT_PERF_ERROR

Description: App Server encountered exception while updating performance monitor job status

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_MONITOR_HEALTH_CONFIG_SET_ERROR

Description: App Server failed to update CMDB Device Monitor Health

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_NETSEGMENT_EXPORT_ERROR

Description: Network Segment Export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_NOTIFICATION_EMAIL_GET_RESOURCE_FAILED

Description: App Server failed to get resource for email notification

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_NOTIFICATION_ERROR

Description: App Server notification error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_NOTIFICATION_JMS_CONNECTION_ERROR

Description: App Server create JMS connection error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_NOTIFICATION_UPDATE_ERROR

Description: App Server notification Update error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_NOTIFIER_ERROR

Description: App Server Notifier error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_NO_WATCHLIST_SELECTED_WARN

Description: No watch list selected for the entry (warning)

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_OPENPROXY_EXPORT_ERROR

Description: Open proxy data export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_OUT_INTEGRATION_ERROR

Description: Outbound external ticketing system integration error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_PARSER_IMPORT_ERROR

Description: Custom parser import error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_PARSER_UPDATE_ERROR

Description: Custom parser update error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_PARSING_CONSTRAINT_ERROR

Description: Rule/Report constraint parsing error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_PDF_BUILDER_ERROR

Description: App Server failed to build PDF during report export

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_PERFMON_TASK_ERROR

Description: App Server failed to create Performance Monitoring Task

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_QUERY_CHECK_POLICY_ACTION_WARN

Description: App Server failed to validate Incident notification policy action

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_QUERY_EXPORT_ERROR

Description: App Server failed to export historical query result

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_QUERY_RESULT_PARSER_ERROR

Description: App Server failed to parse historical query result

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_QUERY_RESULT_RETRIEVE_ERROR

Description: App Server failed to retrieve historical query result

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_QUERY_RUN_ERROR

Description: App Server failed to run historical query

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_QUERY_STOP_ERROR

Description: App Server failed to stop historical query

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_QUERY_STRING_ESCAPE_ERROR

Description: App Server cannot find closing escape string

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_RBAC_ERROR

Description: App Server encountered error while setting RBAC policies

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_RBAC_NO_PERMISSION_WARN

Description: App Server enforced user RBAC (the user lacked permission for the requested operation)

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REALTIME_QUERY_ERROR

Description: App Server failed to start real time query

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REMEDY_ERROR

Description: App Server failed to create tickets in Remedy

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_BUNDLE_PRINT_ERROR

Description: Print report bundle error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_COMPILE_ERROR

Description: Compile report to file error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_DEVICE_COMPONENT_SN_ERROR

Description: CMDB device serial number report error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_DEVICE_DETAIL_ERROR

Description: CMDB detail report error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_DEVICE_SN_ERROR

Description: CMDB server serial number report error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_DEVICE_SUMMARY_ERROR

Description: CMDB summary report error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_EXPORT_ERROR

Description: Report Export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_FAILED_BLOCK_SUMMARY_ERROR

Description: Get failed blocks error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_FIRE_TRIGGER_EVENT_ERROR

Description: App Server incident trigger events report error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_GET_PH_CONFIG_ERROR

Description: App Server get phoenix configuration error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_IDENTITY_AND_LOCATION_ERROR

Description: Identity and location report error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_LOG_FILE_SUMMARY_ERROR

Description: App Server get log files error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_TEMPLATE_GENERATE_PDF_ERROR

Description: App Server Report template generate PDF error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_TEMPLATE_INIT_IMAGE_ERROR

Description: App Server Report template init image error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_TEMPLATE_INIT_PARM_ERROR

Description: App Server Report template init parameter error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_TEMPLATE_PDF_SUMMARY_ERROR

Description: App Server Report template create PDF summary error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_TICKET_SUMMARY_ERROR

Description: App Server get tickets error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_UPDATE_ERROR

Description: User defined report update error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_USER_SUMMARY_ERROR

Description: App Server get users error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REST_ERROR

Description: App Server REST error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REST_H5_ERROR

Description: App Server HTML5 REST error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_RISKSCORE_CALCULATE_ERROR

Description: Risk score calculation error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_RULE_ACTIVE_ERROR

Description: App Server failed to activate rule

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_RULE_CLONE_ERROR

Description: App Server failed to clone rule

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_RULE_DEBUG_INVALID_EVENT_DB_ID_ERROR

Description: App Server found invalid event id during rule testing

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_RULE_DEBUG_WORKERS_SETTING_ERROR

Description: App Server detected Worker Settings error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_RULE_TEST_ERROR

Description: App Server encountered error while testing rule

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_RULE_UPDATE_ERROR

Description: App Server failed to update rule

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SCHEDULE_ERROR

Description: App Server job schedule error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SCHEDULE_UPDATE_ERROR

Description: App Server job schedule Update error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SECURITY_ERROR

Description: Application Server System Security Data error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SERVLET_ERROR

Description: App Server Servlet error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SERVLET_NO_ACCESS_TO_URI_WARN

Description: App Server Servlet has no access to URI

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SOCKET_COMM_ERROR

Description: App Server Socket communication error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SVN_ERROR

Description: App Server SVN Repository error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SYNC_UPDATE_CONFIG_ERROR

Description: App Server encountered error while syncing updated configuration for performance monitoring jobs

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SYSCONFIG_GET_ERROR

Description: App Server failed to get system configuration from PostgreSQL database

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SYSTEM_WINAGENT_REGISTER_WARN

Description: Windows Agent Manager not found or not registered

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SYS_APPLICATION_ERROR

Description: Application Server System error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SYS_DATA_UPDATE_ERROR

Description: Application Server Data Update error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_TASK_CREATE_ERROR

Description: App Server create task error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_TASK_FLEX_RESULT_BUILD_XML_ERROR

Description: App Server failed to build Flex XML content

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_TASK_GET_ERROR

Description: App Server get task error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_TASK_UPDATE_ERROR

Description: App Server update task error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_TICKET_EXPORT_ERROR

Description: Incident ticket export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_UPDATER_FIND_EXIST_USER_BY_NOTHING_ERROR

Description: App Server failed to locate existing user in CMDB

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_USERAGENT_EXPORT_ERROR

Description: User agent export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_VULNERABILITY_IGNORE_WARN

Description: App Server ignored host Vulnerability result

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_WATCHLIST_ADD_TO_DISTIRBUTED_QUEUE

Description: App Server failed to add incident attribute to watch list

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_WATCHLIST_EXPORT_ERROR

Description: Watch List export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_WATCHLIST_IMPORT_ERROR

Description: Watch List import error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_WATCHLIST_IMPORT_WARN

Description: Watch List import warnings

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_WATCHLIST_UPDATE_ERROR

Description: Watch List update error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_WEBSERVICE_UPDATE_TASK_ERROR

Description: App Server encountered error while updating task

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_WORKER_PROVISION_FAILED

Description: App Server failed to provision Worker

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_WS_COMM_ERROR

Description: App Server Web service communication error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_XML_PARSE_ERROR

Description: App Server failed to parse XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_ACCOUNT_LOCKED

Description: System user account locked due to excessive login failures

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
customer | Organization Name | string | This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.
reason | Reason | string |
targetUser | Target User | string |
srcIpAddr | Source IP | IP | Source IP of a device as identified in the event.
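PH_AUDIT_ACCOUNT_LOCKED is the one event in this group that carries both the locked account (targetUser) and the origin (srcIpAddr), which is enough to tell password spraying from brute force against a single account. The following Python detector is an added example, not Fortinet's code: it parses lines in the bracketed "[EVENT_TYPE]:[attr]=value,..." layout FortiSIEM uses for its internally generated events, keeps only lockouts, and reports each srcIpAddr that locked several distinct targetUser accounts inside a sliding window (spray) and each account locked repeatedly from anywhere (targeted). The attribute names are the ones in the table above; the sample lines, their syslog-style prefix, the timestamp format and the attribute order are constructed for the example.

```python
"""Triage of FortiSIEM PH_AUDIT_ACCOUNT_LOCKED events.

Added example, not FortiSIEM code. SAMPLE_LOG is constructed: the bracketed
"[EVENT_TYPE]:[attr]=value,..." layout is the one FortiSIEM uses for its
system events, but the line prefix, timestamps and attribute order are
assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source locking three different accounts within a
# few minutes (spray), a second source repeatedly locking one account, and an
# unrelated agent event the detector must ignore.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z fsm-super java: [PH_AUDIT_ACCOUNT_LOCKED]:[eventSeverity]=PHL_CRITICAL,[phCustId]=1,[customer]=super,[reason]=Too many login failures,[targetUser]=alice,[srcIpAddr]=203.0.113.7
2024-05-01T10:02:15Z fsm-super java: [PH_AUDIT_ACCOUNT_LOCKED]:[eventSeverity]=PHL_CRITICAL,[phCustId]=1,[customer]=super,[reason]=Too many login failures,[targetUser]=bob,[srcIpAddr]=203.0.113.7
2024-05-01T10:03:30Z fsm-super java: [PH_AUDIT_AGENT_RUNNING]:[eventSeverity]=PHL_INFO,[phCustId]=1,[phAgentId]=agent-001,[hostName]=WS-FIN-01
2024-05-01T10:04:40Z fsm-super java: [PH_AUDIT_ACCOUNT_LOCKED]:[eventSeverity]=PHL_CRITICAL,[phCustId]=1,[customer]=super,[reason]=Too many login failures,[targetUser]=carol,[srcIpAddr]=203.0.113.7
2024-05-01T10:30:00Z fsm-super java: [PH_AUDIT_ACCOUNT_LOCKED]:[eventSeverity]=PHL_CRITICAL,[phCustId]=1,[customer]=super,[reason]=Too many login failures,[targetUser]=alice,[srcIpAddr]=198.51.100.9
2024-05-01T11:00:00Z fsm-super java: [PH_AUDIT_ACCOUNT_LOCKED]:[eventSeverity]=PHL_CRITICAL,[phCustId]=1,[customer]=super,[reason]=Too many login failures,[targetUser]=alice,[srcIpAddr]=198.51.100.9
"""

EVENT_RE = re.compile(r"\[([A-Z][A-Z0-9_]*)\]:(.*)$")
ATTR_RE = re.compile(r"\[(\w+)\]=([^,\[]*)")


def parse_event(line):
    """Return (timestamp, eventType, attrs), or None for a line in another layout.

    Values are cut at the next comma, so a free-text value that itself
    contains a comma (a long reason, for instance) would be truncated.
    """
    m = EVENT_RE.search(line)
    if not m:
        return None
    ts = datetime.fromisoformat(line.split(" ", 1)[0].replace("Z", "+00:00"))
    attrs = {k: v.strip() for k, v in ATTR_RE.findall(m.group(2))}
    return ts, m.group(1), attrs


def lockout_findings(lines, window=timedelta(minutes=10), spray_users=3, repeat_locks=2):
    """Two views over PH_AUDIT_ACCOUNT_LOCKED events.

    spray:    srcIpAddr that locked >= spray_users distinct targetUser values
              inside one sliding `window` (password spraying)
    targeted: targetUser locked >= repeat_locks times in total, from any
              source (brute force against a single account)
    """
    locks = []
    for line in lines:
        parsed = parse_event(line)
        if parsed and parsed[1] == "PH_AUDIT_ACCOUNT_LOCKED":
            locks.append(parsed)
    locks.sort(key=lambda e: e[0])

    by_src = defaultdict(list)   # srcIpAddr -> [(ts, targetUser), ...]
    per_user = defaultdict(int)  # targetUser -> number of lockouts
    for ts, _, attrs in locks:
        by_src[attrs.get("srcIpAddr", "?")].append((ts, attrs.get("targetUser", "?")))
        per_user[attrs.get("targetUser", "?")] += 1

    spray = {}
    for src, hits in by_src.items():
        # Slide the window start over every lockout from this source.
        for i, (start, _) in enumerate(hits):
            users = {u for t, u in hits[i:] if t - start <= window}
            if len(users) >= spray_users:
                spray[src] = sorted(users)
                break
    targeted = {u: n for u, n in per_user.items() if n >= repeat_locks}
    return {"spray": spray, "targeted": targeted}


if __name__ == "__main__":
    print(lockout_findings(SAMPLE_LOG.splitlines()))
```

On the constructed input this reports 203.0.113.7 as spraying alice, bob and carol inside ten minutes, and alice as a targeted account (three lockouts). Thresholds are parameters because the right values depend on the tenant's lockout policy; both views key on the attributes of this single event type, so no join against login events is needed.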



EventType: PH_AUDIT_AGENT_DISABLED

Description: FortiSIEM Windows/Linux Agent disabled

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
monitorState | Monitor State | string |
type | Type | string |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
phAgentId | Agent ID | string | Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.
hostName | Host Name | string | This is the hostname of the device of interest in the event



EventType: PH_AUDIT_AGENT_INSTALLED

Description: FortiSIEM Windows/Linux Agent installed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
monitorState | Monitor State | string |
type | Type | string |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
phAgentId | Agent ID | string | Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.
hostName | Host Name | string | This is the hostname of the device of interest in the event



EventType: PH_AUDIT_AGENT_NOTRESPONDING

Description: FortiSIEM Windows/Linux Agent not responding

Severity: 8 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
monitorState | Monitor State | string |
type | Type | string |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
phAgentId | Agent ID | string | Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.
hostName | Host Name | string | This is the hostname of the device of interest in the event



EventType: PH_AUDIT_AGENT_RUNNING

Description: FortiSIEM Windows/Linux Agent is running and sending events

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
monitorState | Monitor State | string |
type | Type | string |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
phAgentId | Agent ID | string | Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.
hostName | Host Name | string | This is the hostname of the device of interest in the event



EventType: PH_AUDIT_AGENT_STARTED

Description: FortiSIEM Windows/Linux Agent started

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
monitorState | Monitor State | string |
type | Type | string |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
phAgentId | Agent ID | string | Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.
hostName | Host Name | string | This is the hostname of the device of interest in the event



EventType: PH_AUDIT_AGENT_STOPPED

Description: FortiSIEM Windows/Linux Agent stopped

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
monitorState | Monitor State | string |
type | Type | string |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
phAgentId | Agent ID | string | Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.
hostName | Host Name | string | This is the hostname of the device of interest in the event



EventType: PH_AUDIT_AGENT_UNINSTALLED

Description: FortiSIEM Windows/Linux Agent uninstalled

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
monitorState | Monitor State | string |
type | Type | string |
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
phAgentId | Agent ID | string | Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.
hostName | Host Name | string | This is the hostname of the device of interest in the event
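Of the seven agent lifecycle events above, only PH_AUDIT_AGENT_NOTRESPONDING is rated above Low; PH_AUDIT_AGENT_STOPPED, PH_AUDIT_AGENT_DISABLED and PH_AUDIT_AGENT_UNINSTALLED are severity 1 even though they are exactly what an intruder produces when switching off endpoint telemetry. A rule keyed on severity alone therefore never surfaces them. The Python below is an added example, not Fortinet's code: it replays the agent events per phAgentId, reports every host whose latest state is a silent one, and singles out the silent hosts whose catalogue severity sits below the alert floor so they get a rule of their own. Attribute names come from the tables above; the sample lines, agent IDs, host names and the line prefix are constructed for the example (monitorState and type are omitted from the samples because the page lists no values for them).

```python
"""Endpoint telemetry coverage from FortiSIEM PH_AUDIT_AGENT_* events.

Added example, not FortiSIEM code. SAMPLE_LOG is constructed in the
"[EVENT_TYPE]:[attr]=value,..." layout FortiSIEM uses for its system events;
attribute names are from the catalogue, everything else is made up.
"""
import re

# Lifecycle states after which the host delivers no telemetry, mapped to the
# severity the catalogue assigns to that event type.
SILENT_STATES = {
    "PH_AUDIT_AGENT_NOTRESPONDING": 8,
    "PH_AUDIT_AGENT_STOPPED": 1,
    "PH_AUDIT_AGENT_DISABLED": 1,
    "PH_AUDIT_AGENT_UNINSTALLED": 1,
}

# Constructed sample, in arrival order: agent-001 healthy, agent-002 went
# quiet, agent-003 was stopped and then uninstalled, agent-004 recovered,
# plus one non-agent event that must be ignored.
SAMPLE_LOG = """\
fsm-super java: [PH_AUDIT_AGENT_INSTALLED]:[phCustId]=1,[phAgentId]=agent-001,[hostName]=WS-FIN-01
fsm-super java: [PH_AUDIT_AGENT_RUNNING]:[phCustId]=1,[phAgentId]=agent-001,[hostName]=WS-FIN-01
fsm-super java: [PH_AUDIT_AGENT_RUNNING]:[phCustId]=1,[phAgentId]=agent-002,[hostName]=SRV-DB-01
fsm-super java: [PH_AUDIT_AGENT_NOTRESPONDING]:[phCustId]=1,[phAgentId]=agent-002,[hostName]=SRV-DB-01
fsm-super java: [PH_AUDIT_AGENT_RUNNING]:[phCustId]=1,[phAgentId]=agent-003,[hostName]=WS-HR-07
fsm-super java: [PH_AUDIT_AGENT_STOPPED]:[phCustId]=1,[phAgentId]=agent-003,[hostName]=WS-HR-07
fsm-super java: [PH_AUDIT_AGENT_UNINSTALLED]:[phCustId]=1,[phAgentId]=agent-003,[hostName]=WS-HR-07
fsm-super java: [PH_AUDIT_AGENT_NOTRESPONDING]:[phCustId]=1,[phAgentId]=agent-004,[hostName]=SRV-WEB-02
fsm-super java: [PH_AUDIT_AGENT_STARTED]:[phCustId]=1,[phAgentId]=agent-004,[hostName]=SRV-WEB-02
fsm-super java: [PH_AUDIT_ACCOUNT_LOCKED]:[phCustId]=1,[targetUser]=alice,[srcIpAddr]=203.0.113.7
"""


def parse(line):
    """(eventType, attrs) for a FortiSIEM system-event line, else None."""
    m = re.search(r"\[([A-Z][A-Z0-9_]*)\]:(.*)$", line)
    if not m:
        return None
    return m.group(1), dict(re.findall(r"\[(\w+)\]=([^,\[]*)", m.group(2)))


def agent_states(lines):
    """Replay agent lifecycle events in arrival order; keep the latest per agent.

    Returns {phAgentId: {"host": hostName, "state": eventType, "silent": bool,
    "severity": catalogue severity of that latest event}}.
    """
    agents = {}
    for line in lines:
        parsed = parse(line)
        if not parsed or not parsed[0].startswith("PH_AUDIT_AGENT_"):
            continue
        etype, attrs = parsed
        agent_id = attrs.get("phAgentId")
        if not agent_id:
            continue
        agents[agent_id] = {
            "host": attrs.get("hostName", "?"),
            "state": etype,
            "silent": etype in SILENT_STATES,
            # INSTALLED / STARTED / RUNNING are all severity 1 in the catalogue.
            "severity": SILENT_STATES.get(etype, 1),
        }
    return agents


def coverage_gaps(lines, alert_floor=5):
    """Agents whose latest event is a silent state.

    Returns (gaps, escalate): every silent agent, and the sorted IDs of those
    whose catalogue severity is below `alert_floor`, i.e. the ones a
    severity-based rule would never raise and that need an explicit rule.
    """
    gaps = {aid: s for aid, s in agent_states(lines).items() if s["silent"]}
    escalate = sorted(aid for aid, s in gaps.items() if s["severity"] < alert_floor)
    return gaps, escalate


if __name__ == "__main__":
    gaps, escalate = coverage_gaps(SAMPLE_LOG.splitlines())
    for aid, s in gaps.items():
        print(aid, s["host"], s["state"], "severity", s["severity"])
    print("needs own rule:", escalate)
```

On the sample, SRV-DB-01 (not responding, severity 8) and WS-HR-07 (uninstalled, severity 1) are the gaps, and only WS-HR-07 is flagged for escalation; SRV-WEB-02 is not reported because its last event is PH_AUDIT_AGENT_STARTED. Replaying in arrival order is what makes the recovery case work, so feed the function events sorted by time.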



EventType: PH_AUDIT_CASE_ASSIGNED

Description: FortiSIEM Case Assigned to a User

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
user | User | string |
caseId | Case ID | uint64 | Unique ID of a FortiSIEM Case
title | Title | string |
targetUser | Target User | string |



EventType: PH_AUDIT_CASE_CLOSED

Description: FortiSIEM Case Closed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
user | User | string |
caseId | Case ID | uint64 | Unique ID of a FortiSIEM Case
title | Title | string |
comment | Comment | string |



EventType: PH_AUDIT_CASE_CREATED

Description: FortiSIEM Case Created

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
user | User | string |
caseId | Case ID | uint64 | Unique ID of a FortiSIEM Case
title | Title | string |



EventType: PH_AUDIT_CASE_EVIDENCE_ADDED

Description: FortiSIEM Case Evidence Added

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
user | User | string |
caseId | Case ID | uint64 | Unique ID of a FortiSIEM Case
title | Title | string |
type | Type | string |
fileName | File Name | string |



EventType: PH_AUDIT_CASE_EVIDENCE_DELETED

Description: FortiSIEM Case Evidence Deleted

Severity: 8 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
user | User | string |
caseId | Case ID | uint64 | Unique ID of a FortiSIEM Case
title | Title | string |
type | Type | string |
fileName | File Name | string |



EventType: PH_AUDIT_CASE_INCIDENT_ADDED

Description: FortiSIEM Incident added to a Case

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
user | User | string |
caseId | Case ID | uint64 | Unique ID of a FortiSIEM Case
title | Title | string |



EventType: PH_AUDIT_CASE_MERGED

Description: FortiSIEM Case Merged

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
user | User | string |
caseId | Case ID | uint64 | Unique ID of a FortiSIEM Case



EventType: PH_AUDIT_CASE_NOTE_ADDED

Description: FortiSIEM Case Note Added

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
user | User | string |
caseId | Case ID | uint64 | Unique ID of a FortiSIEM Case
title | Title | string |
comment | Comment | string |



EventType: PH_AUDIT_CASE_NOTE_DELETED

Description: FortiSIEM Case Note Deleted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
user | User | string |
caseId | Case ID | uint64 | Unique ID of a FortiSIEM Case
title | Title | string |



EventType: PH_AUDIT_CASE_NOTE_MODIFIED

Description: FortiSIEM Case Note Modified

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
user | User | string |
caseId | Case ID | uint64 | Unique ID of a FortiSIEM Case
title | Title | string |
comment | Comment | string |



EventType: PH_AUDIT_CASE_PRIORITY_CHANGED

Description: FortiSIEM Case Priority Changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
user | User | string |
caseId | Case ID | uint64 | Unique ID of a FortiSIEM Case
title | Title | string |
oldSeverity | Old Severity | string |
newSeverity | New Severity | string |



EventType: PH_AUDIT_CASE_REASSIGNED

Description: FortiSIEM Case Reassigned

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
user | User | string |
caseId | Case ID | uint64 | Unique ID of a FortiSIEM Case
title | Title | string |
targetUser | Target User | string |



EventType: PH_AUDIT_CASE_STAGE_CHANGED

Description: FortiSIEM Case Stage Changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
phCustId | Organization ID | uint32 | This is the FortiSIEM organization ID unique to each tenant
user | User | string |
caseId | Case ID | uint64 | Unique ID of a FortiSIEM Case
title | Title | string |



EventType: PH_AUDIT_CASE_STAT

Description: FortiSIEM Case Closed Statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

caseId

Case ID

uint64

Unique ID of a FortiSIEM Case

title

Title

string

user

User

string

newDuration

New Duration

uint64

Duration of a case in the new status

assignedDuration

Assigned Duration

uint64

Duration of a case in the assigned status

inProgressDuration

In-Progress Duration

uint64

Duration of a case in the in-progress status

pendCustFeedbackDuration

Pending Customer Feedback Duration

uint64

Duration of a case in the pending feedback status

recvCustFeedbackDuration

Received Customer Feedback Duration

uint64

Duration of a case in the received feedback status

timeToClose

Time to Close

uint64

Total duration that a case was open



EventType: PH_AUDIT_CASE_STATUS_CHANGED

Description: FortiSIEM Case Status Changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

caseId

Case ID

uint64

Unique ID of a FortiSIEM Case

title

Title

string



EventType: PH_AUDIT_CASE_SUMMARY_CHANGED

Description: FortiSIEM Case Summary Changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

caseId

Case ID

uint64

Unique ID of a FortiSIEM Case

title

Title

string

oldTitle

Old Title

string



EventType: PH_AUDIT_CASE_UPDATED

Description: FortiSIEM Case Updated

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_CI_QUOTE_EXCEEDED

Description: System CI Quote Exceeded

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_CMDB_DISK_PRUNE_FAILED

Description: CMDB Disk Prune Failed

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

freeDiskMB

Free Disk MB

uint32



EventType: PH_AUDIT_CMDB_DISK_PRUNE_SUCCESS

Description: CMDB Disk Prune Success

Severity: 4 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

freeDiskMB

Free Disk MB

uint32



EventType: PH_AUDIT_DASHBOARD_SHARED

Description: FortiSIEM dashboard folder shared

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

targetUserGrp

Target User Group

string



EventType: PH_AUDIT_DATA_PURGE

Description: System data has been purged

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_DEFAULT_PWD_MATCH

Description: Default password match

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

reptVendor

Reporting Vendor

string

This field captures the vendor of the reported event

reptModel

Reporting Model

string

This field captures the model of the reported event

appTransportProto

Application Protocol

string

user

User

string



EventType: PH_AUDIT_DEVICE_ADDED

Description: System CMDB device added

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.



EventType: PH_AUDIT_DEVICE_DELETED

Description: System CMDB device deleted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.



EventType: PH_AUDIT_DEVICE_DISCOVERY_ITEM_CHANGED

Description: System CMDB device changed by discovery

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

objType

Object Type

string

addedItem

Added Item

string



EventType: PH_AUDIT_DEVICE_MAINTENANCE_ENDED

Description: System device maintenance ended

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

maintScheduleName

Maintenance Schedule Name

string

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

hostName

Host Name

string

This is the hostname of the device of interest in the event

endTime

End Time

Date

This is the end time of a given item or task, stored in epoch milliseconds.



EventType: PH_AUDIT_DEVICE_MAINTENANCE_STARTED

Description: System device maintenance started

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

maintScheduleName

Maintenance Schedule Name

string

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

hostName

Host Name

string

This is the hostname of the device of interest in the event

startTime

Start Time

Date

This is the start time of a given item or task, and is stored in epoch milliseconds



EventType: PH_AUDIT_DEVICE_MERGED_BY_IP_WITH_DIFF_NAME

Description: Two devices with different hostnames merged because of overlapping IP addresses

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostName

Host Name

string

This is the hostname of the device of interest in the event

targetHostName

Target Host Name

string

overlapIp

Overlapping IP

string

This field represents the list of IP addresses of a just-discovered device that overlap with an existing device in the CMDB.



EventType: PH_AUDIT_DEVICE_STATUS_CHANGED

Description: CMDB Device audit status changed

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

user

User

string

origStatus

Original Status

string

newStatus

New Status

string

eventSource

Event Source

string



EventType: PH_AUDIT_DEVICE_UNMANAGED

Description: license exceeded - newly discovered device set to Unmanaged

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

hostName

Host Name

string

This is the hostname of the device of interest in the event

status

Status

string

eventSource

Event Source

string

details

Details

string



EventType: PH_AUDIT_DEV_MON_JOB_NOT_STARTED

Description: Performance monitoring Job is not picked up for execution for a long time

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_DEV_MON_JOB_STATUS_CHANGE

Description: Performance monitoring job status changed

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_DISCOVERY

Description: Audit discovery

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

startTime

Start Time

Date

This is the start time of a given item or task, and is stored in epoch milliseconds

type

Type

string

task

Task

string

osObjName

Object Name

string



EventType: PH_AUDIT_EXPORT_REPORT_END

Description: User exported FortiSIEM Report result via GUI or Scheduled Report

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_GENAI_USER_QUERY

Description: FortiSIEM sent Generative AI Query to ChatGPT

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_GENERIC

Description: System generic audit message

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_GROUP_CREATED

Description: FortiSIEM GUI Group Created

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

osObjName

Object Name

string

osObjType

OS Object Type

string



EventType: PH_AUDIT_GROUP_DELETED

Description: FortiSIEM GUI Group Deleted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

osObjName

Object Name

string

osObjType

OS Object Type

string



EventType: PH_AUDIT_INACTIVE_USER_LOGIN

Description: A system inactive user tried to login

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_INCIDENT_SYS_CLEAR

Description: FortiSIEM Incident System Auto-Cleared

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

osObjHandleID

Object Handle

string



EventType: PH_AUDIT_INCIDENT_USER_CLEAR

Description: FortiSIEM Incident User Cleared

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

osObjHandleID

Object Handle

string



EventType: PH_AUDIT_INTEGRATION_POLICY_EXECUTED

Description: FortiSIEM Integration Policy Executed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string



EventType: PH_AUDIT_MALWARE_DATA_DELETED

Description: Malware data deleted by scheduled update

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

updateTime

Update Time

Date

count

Count

uint32

A general count variable. A common use case is for incidents: Count represents how many times an Incident occurred in a time interval. When an Incident with the same group-by parameters occurs again, the count is incremented and the Last Seen time is advanced. Count can be used for other events also.

folder

Folder

string



EventType: PH_AUDIT_MALWARE_DATA_UPDATED

Description: Malware data updated by scheduled update

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

updateTime

Update Time

Date

count

Count

uint32

A general count variable. A common use case is for incidents: Count represents how many times an Incident occurred in a time interval. When an Incident with the same group-by parameters occurs again, the count is incremented and the Last Seen time is advanced. Count can be used for other events also.

folder

Folder

string



EventType: PH_AUDIT_ML_GENERIC_ERROR

Description: Machine Learning generic error log

Severity: 6 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_ML_GENERIC_INFO

Description: Machine Learning generic info log

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_ML_INFERENCE_COMPLETED

Description: Machine Learning audit inference completed log

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_ML_INFERENCE_RESULT

Description: Machine Learning audit inference result log

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_ML_INFERENCE_STARTED

Description: Machine Learning audit inference started log

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_ML_TRAINING_COMPLETED

Description: Machine Learning audit training completed log

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_ML_TRAINING_STARTED

Description: Machine Learning audit training started log

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_NOTIF_POLICY_EXECUTED

Description: FortiSIEM Incident Notification Policy Executed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

osObjHandleID

Object Handle

string



EventType: PH_AUDIT_OBJECT_CREATED

Description: System data object created

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjType

OS Object Type

string

osObjName

Object Name

string



EventType: PH_AUDIT_OBJECT_DELETED

Description: System data object deleted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string



EventType: PH_AUDIT_OBJECT_UPDATED

Description: System data object updated

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjType

OS Object Type

string

objType

Object Type

string

osObjName

Object Name

string

osObjAction

Object Action

string

targetCustomer

Target Organization Name

string

oldSettingsValue

Old Settings Value

string

newSettingsValue

New Settings Value

string



EventType: PH_AUDIT_ONDEMAND_REMEDIATION_EXECUTED

Description: FortiSIEM Ondemand Remediation Executed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string



EventType: PH_AUDIT_PASSWORD_CHANGED

Description: System user password changed

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

targetUser

Target User

string

user

User

string

domain

Domain

string



EventType: PH_AUDIT_QUERY_COMPLETED

Description: Audit query completed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

osObjName

Object Name

string

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

durationMSec

Duration

uint32

Duration of a connection (in msec)

queryFilter

Query Filter

string

queryDisplay

Query Display

string

queryId

Query Id

string

usageType

Usage Type

string



EventType: PH_AUDIT_QUERY_SCHEDULED

Description: System scheduled a query

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.



EventType: PH_AUDIT_QUERY_START

Description: System started a query

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string

osObjName

Object Name

string



EventType: PH_AUDIT_QUERY_STOP

Description: System stopped a query

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string

osObjName

Object Name

string

durationMSec

Duration

uint32

Duration of a connection (in msec)

destIpAddr

Destination IP

IP

Destination IP of a device as identified in the event.



EventType: PH_AUDIT_REPORT_SCHEDULED

Description: FortiSIEM Report Scheduled

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_REPORT_SCHEDULE_APPROVE

Description: FortiSIEM Report schedule approval

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

objId

DB Object Id

string

status

Status

string

targetUser

Target User

string

reportId

Report ID

uint32

reportName

Report Name

string

FortiSIEM report name.

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_AUDIT_REPORT_SCHEDULE_REQUEST

Description: FortiSIEM Report schedule request

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

objId

DB Object Id

string

status

Status

string

targetUser

Target User

string

reportId

Report ID

uint32

reportName

Report Name

string

FortiSIEM report name.



EventType: PH_AUDIT_REPORT_SERVER_LICENSE_EXPIRED

Description: FortiSIEM Report Server license expired

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_REPORT_SERVER_LICENSE_REMOVED

Description: FortiSIEM Report Server Removed After License Expiry

Severity: 8 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_REPORT_SERVER_LICENSE_TO_EXPIRE

Description: FortiSIEM Report Server license about to expire

Severity: 8 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_RISK_DECREASE_LOW

Description: Device Risk Score decreased to LOW level

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_RISK_DECREASE_MED

Description: Device Risk Score decreased to MEDIUM level

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_RISK_INCREASE_HIGH

Description: Device Risk Score increased to HIGH level

Severity: 9 (High)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_RISK_INCREASE_MED

Description: Device Risk Score increased to MEDIUM level

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_RULE_ACTIVATED

Description: FortiSIEM Rule activated

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string



EventType: PH_AUDIT_RULE_ACTIVATION_APPROVE

Description: FortiSIEM Rule activation approval

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

objId

DB Object Id

string

status

Status

string

targetUser

Target User

string

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.

ruleName

Rule Name

string

FortiSIEM rule name.

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_AUDIT_RULE_ACTIVATION_REQUEST

Description: FortiSIEM Rule activation request

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

objId

DB Object Id

string

status

Status

string

targetUser

Target User

string

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.



EventType: PH_AUDIT_RULE_DEACTIVATED

Description: FortiSIEM Rule de-activated

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string



EventType: PH_AUDIT_RULE_DEACTIVATION_APPROVE

Description: FortiSIEM Rule de-activation approval

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

objId

DB Object Id

string

status

Status

string

targetUser

Target User

string

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.

ruleName

Rule Name

string

FortiSIEM rule name.

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_AUDIT_RULE_DEACTIVATION_REQUEST

Description: FortiSIEM Rule de-activation request

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

objId

DB Object Id

string

status

Status

string

targetUser

Target User

string

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.

ruleName

Rule Name

string

FortiSIEM rule name.



EventType: PH_AUDIT_SVC_LOGIN_FAILURE

Description: System service user failed to login

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_SVC_LOGIN_SUCCESS

Description: System service user login success

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_SVC_LOGOFF

Description: System Service user logoff

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_SVC_SESSION_TIMEOUT

Description: System service user session timeout

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_TUNNEL_CLOSE

Description: Collector to Super Reverse SSH Tunnel closed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

appTransportProto

Application Protocol

string

srcIpPort

Source TCP/UDP Port

uint16

This is the source TCP or UDP port as identified in the event

destIpPort

Destination TCP/UDP Port

uint16

This is the destination TCP or UDP port as identified in the event

destIpAddr

Destination IP

IP

Destination IP of a device as identified in the event.

collectorIp

Collector IP

IP

This field captures the IP address of a FortiSIEM Collector

tunnelUpTime

Tunnel Uptime

uint64

phAgentId

Agent ID

string

Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.



EventType: PH_AUDIT_TUNNEL_OPEN

Description: Collector to Super Reverse SSH Tunnel opened

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

appTransportProto

Application Protocol

string

srcIpPort

Source TCP/UDP Port

uint16

This is the source TCP or UDP port as identified in the event

destIpPort

Destination TCP/UDP Port

uint16

This is the destination TCP or UDP port as identified in the event

destIpAddr

Destination IP

IP

Destination IP of a device as identified in the event.

collectorIp

Collector IP

IP

This field captures the IP address of a FortiSIEM Collector

tunnelUpTime

Tunnel Uptime

uint64

phAgentId

Agent ID

string

Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.



EventType: PH_AUDIT_USER_ADDED

Description: System user added

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

targetUser

Target User

string

user

User

string

domain

Domain

string



EventType: PH_AUDIT_USER_CHANGE_ORG_SCOPE

Description: FortiSIEM user changed organization scope

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

userFullName

User Full Name

string

targetCustomer

Target Organization Name

string



EventType: PH_AUDIT_USER_DEFAULT_ROLE_CHANGED

Description: FortiSIEM Admin User Default Role Changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

targetUser

Target User

string

targetCustomer

Target Organization Name

string

role

Role

string



EventType: PH_AUDIT_USER_DELETED

Description: System user deleted

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

user

User

string

targetUser

Target User

string

details

Details

string



EventType: PH_AUDIT_USER_LOGIN_FAILURE

Description: System user failed to login

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

domain

Domain

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant



EventType: PH_AUDIT_USER_LOGIN_SUCCESS

Description: System user login success

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

userFullName

User Full Name

string



EventType: PH_AUDIT_USER_LOGOFF

Description: System user logoff

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

userFullName

User Full Name

string



EventType: PH_AUDIT_USER_ORGANIZATION_ROLE_CHANGED

Description: FortiSIEM Admin User Organization Role changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

targetUser

Target User

string

targetCustomer

Target Organization Name

string

role

Role

string



EventType: PH_AUDIT_USER_ORGANIZATION_ROLE_ENABLED

Description: FortiSIEM Admin User Organization Role enabled

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_USER_ORGANIZATION_ROLE_REMOVED

Description: FortiSIEM Admin User Organization Role disabled

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

targetUser

Target User

string

targetCustomer

Target Organization Name

string

role

Role

string



EventType: PH_AUDIT_USER_SESSION_TIMEOUT

Description: System user session timeout

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

userFullName

User Full Name

string



EventType: PH_AUDIT_WS_COMM

Description: System web service communication

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_BAD_NETFLOW_PACKET

Description: Bad netflow packet

Severity: 6 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BAD_NETFLOW_VER

Description: Unsupported netflow version

Severity: 6 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BAD_ROUTE_OUTPUT

Description: FortiSIEM encountered bad route output

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_BASE_AGENT_JOB_NO_THREAD_NUM_ASSIGNED

Description: FortiSIEM module error - no thread count assigned

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_DUMP_STACK_TRACE_FAILURE

Description: FortiSIEM module error - stack trace failed

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

command

Command

string

filePath

File Path

string



EventType: PH_BASE_PROC_GET_PID_FILE_FAILED

Description: FortiSIEM module error - failed to get process id

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_BASE_PROC_HANDLE_NOTIFICATION_ERROR

Description: FortiSIEM module error - notification error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_KILL_PROC_ERROR

Description: FortiSIEM module error - failed to kill process

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous with the attribute errReason



EventType: PH_BASE_PROC_NOTIFICATION_HANDLE_CONN_ERROR

Description: FortiSIEM module error - no notification connection

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_NO_CONN_TO_HEARTBEAT_SERVER

Description: FortiSIEM module error - no connection to heartbeat

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_RENAME_MINI_DUMP_FILE_FAILURE

Description: FortiSIEM module error - minidump error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_REST_CACHE_CHECKOUT_STATUS_WARNING

Description: FortiSIEM module error - REST cache access error

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

infoURL

Informational URL

string

This field captures a URL if present in an event



EventType: PH_BASE_PROC_SEND_HEARTBEAT_FAILURE

Description: FortiSIEM module error - failed to send heartbeat

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

procName

Process Name

string



EventType: PH_BASE_PROC_SEND_USER_DEFINED_SIG_FAILED

Description: FortiSIEM module error - failed to send user-defined signal

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_SET_PID_FILE_FAILED

Description: FortiSIEM module error - failed to set PID file

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_BASE_PROC_STACK_TRACE

Description: FortiSIEM module stack trace

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_STACK_TRACK_TOO_LONG

Description: FortiSIEM module error - stack trace too large

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_SYS_INFO_CALC_CPU_ERROR

Description: FortiSIEM module error - failed to calculate CPU

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

procName

Process Name

string



EventType: PH_BASE_PROC_SYS_PROC_INFO_GET_FAILURE

Description: FortiSIEM module error - failed to get proc info

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_SYS_PROC_INFO_INIT_ERROR

Description: FortiSIEM module error - proc info get error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_SYS_PROC_INFO_UNABLE_OPEN_PROC_PID_FILE

Description: FortiSIEM module error - unable to open proc pid file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_BASE_PROC_SYS_PROC_INFO_UNABLE_OPEN_PROC_STAT_FILE

Description: FortiSIEM module error - unable to open proc stat file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

procName

Process Name

string



EventType: PH_BASE_PROC_THREAD_SPAWN_FAILED

Description: FortiSIEM module error - failed to spawn thread

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_THREAD_WRONG_PARAM

Description: FortiSIEM module error - wrong parameters to thread spawn function

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_UPLOAD_FILE_FAILURE

Description: FortiSIEM module error - file upload failure

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverName

Server Name

string



EventType: PH_BASE_PROC_VALUE_GROUP_UPDATE_FAILURE

Description: FortiSIEM module error - value group update failure

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PRO_AQUIRE_SHARED_STORE_FAILED

Description: Unable to acquire shared store instance

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_CHECKPOINT_CERTHANDLER_ERROR

Description: Checkpoint failed to parse device certificate received from App Server

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_CHECKPOINT_CERTPULL_ERROR

Description: Checkpoint failed to obtain certificate from App Server

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverIpAddr

Server IP

IP

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_CHECKPOINT_CMD_USAGE_ERROR

Description: Checkpoint command usage error

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

command

Command

string

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_CHECKPOINT_CPMI_FETCH_ERROR

Description: Checkpoint CPMI fetch error. Events may miss some metadata

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverIpAddr

Server IP

IP

errReason

Reason for Error

string

This is the reason for an error if given.

errorString

Error String

string

This is the error message, synonymous to attribute errReason

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number



EventType: PH_CHECKPOINT_DEV_INIT_ERROR

Description: Checkpoint device initialization error. Checkpoint device cannot be monitored

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_CHECKPOINT_FILE_RENAME_FAILURE

Description: FortiSIEM Checkpoint module failed to rename file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

srcFilePath

Source File Path

string

destFilePath

Destination File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_CHECKPOINT_FWLOGHANDLER_ERROR

Description: Checkpoint LEA handler protocol error. Checkpoint device cannot be monitored

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverIpAddr

Server IP

IP

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_CHECKPOINT_FWLOGHANDLER_INIT_ERROR

Description: Checkpoint OPSEC log handler initialization error. Checkpoint device cannot be monitored

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverIpAddr

Server IP

IP

fileName

File Name

string

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_CHECKPOINT_HTTP_ERROR

Description: Checkpoint module failed to connect to App server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number



EventType: PH_CHECKPOINT_LOGHANDLER_ERROR

Description: Checkpoint OPSEC log handler internal error

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_CHECKPOINT_PROCESS_GET_FAILED

Description: Checkpoint module failed to get its parent process

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_CHECKPOINT_TESTCONN_ERROR

Description: Checkpoint test connectivity error. Checkpoint device cannot be discovered

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverIpAddr

Server IP

IP

errReason

Reason for Error

string

This is the reason for an error if given.

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number



EventType: PH_CHECKPOINT_UNABLE_PARSE_XML

Description: Checkpoint module unable to parse device credential XML received from App Server

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.


EventType: PH_AGENTMGR_ALERTLOGIC_CURL_HANDLE_GET_FAILED

Description: Agent Manager Alert Logic log parsing module unable to get curl handle

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_ALERTLOGIC_FILE_LOAD_ERROR

Description: Agent Manager Alert Logic log parsing module failed to load file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_AGENTMGR_ALERTLOGIC_FILE_READ_ERROR

Description: Agent Manager Alert Logic log parsing module found wrong format in file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_AGENTMGR_ALERTLOGIC_FILE_WRITE_ERROR

Description: Agent Manager Alert Logic log parsing module unable to write timestamp file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_AGENTMGR_ALERTLOGIC_INVALID_DATA

Description: Agent Manager Alert Logic log parsing module found invalid data format

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_ALERTLOGIC_INVALID_PATH

Description: Agent Manager Alert Logic log parsing module found invalid incident path

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_AGENTMGR_ALERTLOGIC_QUERY_INTERVAL_TOO_LONG

Description: Agent Manager Alert Logic log parsing module found the query interval is too long; it will be narrowed to one week

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_ALERTLOGIC_SERVER_EMPTY

Description: Agent Manager Alert Logic log parsing module found server is empty

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_AMPCLOUD_CURL_CONNECT_FAILED

Description: Agent Manager AMP Cloud log parsing module unable to connect to server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

infoURL

Informational URL

string

This field captures a URL if present in an event

httpStatusCode

HTTP Status

string



EventType: PH_AGENTMGR_AMPCLOUD_CURL_HANDLE_GET_FAILED

Description: Agent Manager AMP Cloud log parsing module unable to get curl handle

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_AMPCLOUD_FILE_LOAD_ERROR

Description: Agent Manager AMP Cloud log parsing module failed to load file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_AGENTMGR_AMPCLOUD_FILE_READ_ERROR

Description: Agent Manager AMP Cloud log parsing module found wrong format in file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_AGENTMGR_AMPCLOUD_INVALID_DATA

Description: Agent Manager AMP Cloud log parsing module found invalid data format

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_AMPCLOUD_JSON_PARSE_FAILED

Description: Agent Manager AMP Cloud log parsing module failed to parse JSON

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_AGENTMGR_AMPCLOUD_NO_DEFINE_SEVERITY

Description: Agent Manager AMP Cloud log parsing module found event severity is not defined

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_AMPCLOUD_SERVER_EMPTY

Description: Agent Manager AMP Cloud log parsing module found server is empty

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_API_PERMISSION_MISSING

Description: There is no permission

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_AGENTMGR_AWSCLOUDWATCH_GETLOGS

Description: Attempting to get cloudwatch logs from log group and stream

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

groupName

Group Name

string

streamName

AWS Stream Name

string

startTime

Start Time

Date

This is the start time of a given item or task, and is stored in epoch milliseconds

endTime

End Time

Date

This is the end time of a given item or task, stored in epoch milliseconds.



EventType: PH_AGENTMGR_AWSFLOWLOG_EVENT_PULL_FAILED

Description: Agent Manager AWS module failed to get AWS Flow log after 5 tries

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_AGENTMGR_AWSFLOWLOG_FILE_WRITE_ERROR

Description: Agent Manager AWS Flow log handling module unable to write timestamp file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_AGENTMGR_AWSFLOWLOG_LOG_FORMAT_WRONG

Description: Agent Manager AWS Flow log handling module encountered wrong log format

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_AWSKINESIS_CONSUMER_START_FAILED

Description: Failed to start Kinesis consumer process

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_AGENTMGR_AWS_CACHE_FILE_ERROR

Description: Agent Manager AWS Cache file is not available

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_AWS_DELETE_OJECTKEY_FAILED

Description: Failed to delete object key from SQS

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_AGENTMGR_AWS_DOWNLOAD_OJECT_FAILED

Description: Failed to download object from bucket

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_AGENTMGR_AWS_EVT_DOWNLOAD_FAILED

Description: Agent Manager AWS module failed to download event because do_system failed

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

command

Command

string



EventType: PH_AGENTMGR_AWS_EVT_SEND_FAILED

Description: Agent Manager AWS module failed to send CloudTrail event to phParser after 5 tries

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_AWS_GET_OJECTKEY_FAILED

Description: Agent Manager AWS agent failed to get object key from SQS

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_AGENTMGR_AWS_GZ_FILE_OPEN_ERROR

Description: Agent Manager AWS module failed to open gz file, or not enough memory to open it

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_AGENTMGR_AWS_JSON_PARSE_FAILED

Description: Agent Manager AWS module failed to parse JSON

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_AWS_SQSURL_FORMAT_ERROR

Description: Agent Manager AWS SQS URL format is wrong

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_BOX_API_CALL_FAILED

Description: Agent Manager BOX module failed to call BOX API

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_BOX_ATTR_NOT_FOUND

Description: Agent Manager BOX module cannot find attribute

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_BOX_EVENT_PULL_FAILED

Description: Agent Manager BOX module failed to pull BOX log

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

accountName

Account Name

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_AGENTMGR_BOX_FILE_ID_EMPTY

Description: Agent Manager BOX module found empty file ID

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_BOX_FILE_LIMIT_EXCEED

Description: Agent Manager BOX module found that the number of monitored files exceeded the limit

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_BOX_FILE_NOT_MONITORED_ERROR

Description: Agent Manager BOX module found that the file was not monitored before

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_AGENTMGR_BOX_FILE_PATH_PARSE_FAILED

Description: Agent Manager BOX module could not parse file path

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_AGENTMGR_BOX_FILE_TYPE_WRONG

Description: Agent Manager BOX module found wrong file type

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

fileType

File Type

string



EventType: PH_AGENTMGR_BOX_FOLDER_TYPE_WRONG

Description: Agent Manager BOX module found wrong folder type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_BOX_HTTP_NO_RESPONSE

Description: Agent Manager BOX module did not find response from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverName

Server Name

string



EventType: PH_AGENTMGR_BOX_JSON_PARSE_FAILED

Description: Agent Manager BOX module failed to parse JSON

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_BOX_RESPONSE_NO_SPECIAL_ATTRIBUTE

Description: Agent Manager BOX module response doesn't have special node

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_BOX_TIME_CONVERT_FAILED

Description: Agent Manager BOX module could not convert time

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

exitValue

Command exit value

int32



EventType: PH_AGENTMGR_BOX_XML_PARSE_FAILED

Description: Agent Manager BOX module failed to parse XML from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_CISCOAMP_CONSUMER_START_FAILED

Description: Failed to start Cisco AMP consumer process

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_AGENTMGR_CLOUDPASSAGE_API_CALL_FAILED

Description: CloudPassage Halo REST API call failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_AGENTMGR_CLOUDPASSAGE_FILE_WRITE_ERROR

Description: Unable to write timestamp file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_AGENTMGR_CLOUDPASSAGE_GET_EVENT_FAILED

Description: Failed to get event from CloudPassage API

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_AGENTMGR_CLOUDPASSAGE_JSON_EMPTY

Description: JSON is empty

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_CLOUDPASSAGE_JSON_PARSE_FAILED

Description: Failed to parse JSON

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_CLOUDPASSAGE_TOKEN_EMPTY

Description: Token is empty

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_AGENTMGR_CLOUDTRAIL_FILE_READ_FAILED

Description: Agent Manager AWS CloudTrail module encountered error while reading CloudTrail queue cache file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_AGENTMGR_CONFIG_ERROR

Description: Agent Manager's own configuration error

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_CONFIG_VERSION_SEND_FAILED

Description: Agent Manager failed to send config version to App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number



EventType: PH_AGENTMGR_CONFIG_WARNING

Description: FortiSIEM Agent Manager configuration warning

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_AGENTMGR_CREDENTIAL_GET_FAILED

Description: Agent Manager failed to get credentials

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

jobName

Job Name

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_AGENTMGR_CROWDSTRIKE_GET_DATAFEED_URL_FAILED

Description: Failed to get CrowdStrike data feed URL

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_AGENTMGR_CUST_RESULT_UPLOAD_FAILED

Description: Agent Manager failed to upload test custom performance monitor result XML to App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_DIR_CREATE_FAILED

Description: Could not create directory

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

dirName

Directory Name

string



EventType: PH_AGENTMGR_EVENT_PULL_FAILED

Description: Agent Manager Rapid7 InsightVM pulling engine failed to pull log

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

accountName

Account Name

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_AGENTMGR_FALCONDATAREP_SCRIPT_FAILED

Description: Failed to run Falcon Data Replicator script

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_AGENTMGR_FILE_PARSE_ERROR

Description: Agent Manager/module failed to parse file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_AGENTMGR_FILE_WRITE_ERROR

Description: Agent Manager Rapid7 InsightVM pulling engine failed to write file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_AGENTMGR_FIREAMP_CERT_DOWNLOAD_FAILED

Description: Agent Manager/FireAMP Module cannot download certificate file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_AGENTMGR_FIREAMP_DATA_FORMAT_SET_FAILED

Description: Agent Manager/FireAMP Module encountered missing event mapping configuration

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_FIREAMP_EVENT_PULL_FAILED

Description: Agent Manager/FireAMP Module failed to pull log from server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverName

Server Name

string

exitValue

Command exit value

int32



EventType: PH_AGENTMGR_FIREAMP_EVT_TYPE_LOAD_FAILED

Description: Agent Manager/FireAMP Module encountered empty event mapping configuration

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_AGENTMGR_FIREAMP_FILE_LOAD_ERROR

Description: Agent Manager/FireAMP Module failed to load file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_AGENTMGR_FIREAMP_FILE_OPEN_ERROR

Description: Agent Manager/FireAMP Module failed to open file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

exitValue

Command exit value

int32



EventType: PH_AGENTMGR_FIREAMP_INVALID_DATA

Description: Agent Manager/FireAMP Module found invalid response data

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_FIREAMP_NEW_AGENT_FAILED

Description: Agent Manager/FireAMP Module - new agent failed

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_FIREAMP_NO_ATTR

Description: No configuration event attribute

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_FIREAMP_NO_PROTOCOL

Description: Cannot find protocol number in IANA table

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_FORTICASB_GET_SERVICE_ALERT_ERROR

Description: Failed to get service alerts

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serviceName

Service Name

string



EventType: PH_AGENTMGR_FORTICASB_GET_SERVICE_ERROR

Description: Failed to get services

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

unitId

Unit Id

string



EventType: PH_AGENTMGR_FORTINDR_GET_API_CALL_FAILED

Description: FortiNDR cloud integration failed to call API URI

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

msg

Message

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_AGENTMGR_FORTINDR_GET_API_CALL_NEXT_PAGE

Description: FortiNDR paginated API call being made

Severity: 4 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

msg

Message

string



EventType: PH_AGENTMGR_FORTINDR_GET_API_CALL_NO_RESULTS

Description: API call to FortiNDR API returned no results; this is normal if there are no results in the defined time interval

Severity: 4 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

msg

Message

string



EventType: PH_AGENTMGR_FORTINDR_GET_API_CALL_RESULTS

Description: FortiNDR cloud integration called API URI successfully

Severity: 4 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

msg

Message

string



EventType: PH_AGENTMGR_FORTINDR_GET_BUCKET_KEY

Description: FortiNDR integration is processing an S3 bucket key

Severity: 4 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

bucketName

Bucket Name

string

userKey

User Key

string

categoryType

Category Type

string



EventType: PH_AGENTMGR_FORTINDR_GET_BUCKET_OBJ

Description: FortiNDR integration is downloading an object from S3 bucket

Severity: 4 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

bucketName

Bucket Name

string

userKey

User Key

string

categoryType

Category Type

string



EventType: PH_AGENTMGR_GET_SCAN_RESULTS_FAILED

Description: Failed to get the scan result

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_AGENTMGR_GITHUB_API_CALL_FAILED

Description: Agent Manager/GitHub module failed to call GitHub API

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_AGENTMGR_GITHUB_CREDENTIAL_GET_FAILED

Description: Agent Manager/GitHub module failed to get credential from App server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverName

Server Name

string



EventType: PH_AGENTMGR_GITHUB_EVENT_PULL_FAILED

Description: Agent Manager/GitHub module failed to pull log

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

accountName

Account Name

string

errorString

Error String

string

This is the error message, synonymous to attribute errReason



EventType: PH_AGENTMGR_GITHUB_FILE_OPEN_ERROR

Description: Agent Manager/GitHub module failed to open file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_AGENTMGR_GITHUB_JSON_PARSE_FAILED

Description: Agent Manager/GitHub module failed to parse JSON response from GitHub server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_GITHUB_TIME_CONVERT_FAILED

Description: Agent Manager/GitHub module failed to convert time in JSON response from GitHub server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_GIT_CLONE_REPO_FAILED

Description: Failed to git clone by do_system

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
command | Command | string



EventType: PH_AGENTMGR_GIT_HANDLE_ERR_FILE_FAILED

Description: Failed to handle error file

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_GIT_PULL_EVT_FAILED

Description: Failed to get git log by do_system

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
command | Command | string



EventType: PH_AGENTMGR_GIT_SAVE_COMMITID_FAILED

Description: Failed to save CommitId of repository

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_GZ_FILE_OPEN_ERROR

Description: Failed to open gz file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_INIT_AGENT

Description: Initialize agent

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_INIT_CACHE_FILE_FAILED

Description: FortiSIEM Agent Manager failed to initialize cache

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
jobName | Job Name | string



EventType: PH_AGENTMGR_INIT_NO_CRED

Description: Agent Manager/Cisco IPS log pulling module failed to initialize due to missing credentials

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
jobName | Job Name | string



EventType: PH_AGENTMGR_INVALID_MGR

Description: Invalid Agent Manager

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_IPS_AUTH_FAILED

Description: Agent Manager/Cisco IPS log pulling module found wrong user name or password for logging in to IPS appliance

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_IPS_EVENT_PULL_FAILED

Description: Agent Manager/Cisco IPS log pulling module failed to pull Cisco IPS log from server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
serverName | Server Name | string
errorNo | Error Number Unsigned | uint32 | This is an unsigned integer error number



EventType: PH_AGENTMGR_IPS_FILE_OPEN_ERROR

Description: Agent Manager/Cisco IPS log pulling module failed to open file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_IPS_OBTAIN_SUBSCRIPTION_FAILED

Description: Agent Manager/Cisco IPS log pulling module failed to obtain subscription id

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_IPS_SET_SSL_FAILED

Description: SSL setting doesn't work

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_JAVA_AGENT_PIPE_WRITE_FAILED

Description: Failed to write to java agent pipe

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
exitValue | Command exit value | int32



EventType: PH_AGENTMGR_JAVA_AGENT_START_FAILED

Description: Agent Manager failed to start Java agent, will retry

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_JAVA_AGENT_TYPE_UNKNOWN

Description: Agent Manager encountered unknown java agent job type

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_JAVA_AGENT_USER_MISSING

Description: FortiSIEM Agent Manager found user name missing in java Agent configuration

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event.



EventType: PH_AGENTMGR_JAVA_AGENT_ZOMBIE

Description: Agent Manager found Java Agent is in zombie state

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_JAVA_CMD_SEND_FAILED

Description: Agent Manager failed to send commands to java agent, need to be killed

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_JAVA_FORK_FAILED

Description: Agent Manager failed to fork Java Agent

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
exitValue | Command exit value | int32



EventType: PH_AGENTMGR_JAVA_INCOMPLETE_DEV_INFO

Description: Agent Manager found incomplete device info for Java Agent

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_JAVA_NO_DEV_TYPE_FOR_JDBC

Description: Agent Manager encountered missing device type for Java Agent JDBC monitoring

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
serverIpAddr | Server IP | IP



EventType: PH_AGENTMGR_JAVA_NO_STATUS_FILE

Description: Agent Manager missing status file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_JAVA_PIPE_FAILED

Description: Agent Manager failed to pipe command for Java Agent

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
exitValue | Command exit value | int32



EventType: PH_AGENTMGR_JAVA_PROCESS_STATE_GET_FAILED

Description: Agent Manager failed to get Java Agent process state

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_JAVA_SIGKILL_SEND_FAILED

Description: Agent Manager failed to send SIGKILL to java agent

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
exitValue | Command exit value | int32



EventType: PH_AGENTMGR_JAVA_UNSUPPORT_DEV_TYPE_FOR_JDBC

Description: Agent Manager encountered unsupported device type for Java Agent JDBC monitoring

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
serverIpAddr | Server IP | IP



EventType: PH_AGENTMGR_JAVA_USER_PWD_GET_FAILED

Description: Agent Manager failed to get user name and password

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_JSON_PARSE_FAILED

Description: Agent Manager Rapid7 InsightVM monitoring module failed to parse JSON

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_KAFKA_CONSUME_LOG_FAILED

Description: Agent Manager / Kafka Consumer failed to pull log

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_KAFKA_CREATE_CONSUMER

Description: phKafkaConsumer creates a consumer handle successfully

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
groupName | Group Name | string
user | User | string
topicName | Topic Name | string | Kafka Topic Name



EventType: PH_AGENTMGR_KAFKA_CREATE_CONSUMER_FAILED

Description: Agent Manager / Kafka Consumer failed to create consumer

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_KAFKA_CREATE_PRODUCER_FAILED

Description: Agent Manager / Kafka Consumer failed to create producer

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_KAFKA_CREATE_TOPIC_FAILED

Description: Agent Manager / Kafka Consumer failed to create topic

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
topicName | Topic Name | string | Kafka Topic Name
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_KAFKA_ERROR

Description: Agent Manager / Kafka Consumer encountered an error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason
count | Count | uint32 | A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group-by parameters occurs again, the count is incremented and the Last Seen time is advanced. Count can be used for other events also.



EventType: PH_AGENTMGR_KAFKA_METADATA_FAILED

Description: Agent Manager / Kafka Consumer failed to get metadata

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_KAFKA_PRODUCER_ERROR

Description: Event Forwarder failed to write events into Kafka

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason
count | Count | uint32 | A general count variable. A common use case is for incidents. Count represents how many times an Incident occurred in a time interval. When an Incident with the same group-by parameters occurs again, the count is incremented and the Last Seen time is advanced. Count can be used for other events also.



EventType: PH_AGENTMGR_KAFKA_PULL_JOB_FAILED

Description: Agent Manager / Kafka Consumer failed to consume log

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_KAFKA_REBALANCE

Description: Kafka rebalanceCb

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_KAFKA_RELEASE_CONSUMER

Description: phKafkaConsumer releases a consumer handle

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
groupName | Group Name | string
user | User | string
topicName | Topic Name | string | Kafka Topic Name



EventType: PH_AGENTMGR_KAFKA_START_FAILED

Description: Agent Manager / Kafka Consumer failed to start

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_KAFKA_SUBSCRIBE_FAILED

Description: Agent Manager / Kafka Consumer failed to subscribe topic

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
topicName | Topic Name | string | Kafka Topic Name
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_KAFKA_UPDATE_CONFIG_FAILED

Description: Agent Manager / Kafka Consumer failed to update attribute in config

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_KAFKA_UPDATE_ERROR

Description: Agent Manager / Kafka Consumer update failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_KILL_PROCESS

Description: Try to kill process

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_MSAZURE_CONFIG_ARM_FAILED

Description: Agent Manager / MS Azure config mode arm failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
exitValue | Command exit value | int32



EventType: PH_AGENTMGR_MSAZURE_DOWNLOAD_FAILED

Description: Agent Manager / MS Azure failed to download Azure audit log

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_MSAZURE_JSON_EMPTY

Description: Agent Manager / MS Azure found empty returned JSON from Azure

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_MSAZURE_JSON_FILE_NAME_EMPTY

Description: Agent Manager / MS Azure JSON file name is empty from Azure

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_MSAZURE_JSON_FILE_PARSE_FAILED

Description: Agent Manager / MS Azure found malformed JSON file from Azure

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_MSAZURE_JSON_PARSE_FAILED

Description: Agent Manager / MS Azure found malformed JSON from Azure

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_MSAZURE_LOGIN_FAILED

Description: Agent Manager / MS Azure failed to login to Azure

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_MSG_QUEUE_ACCESS_FAILED

Description: Agent Manager failed to access message queue

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_MSG_RECV_FAILED

Description: Agent Manager failed to receive msg

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
exitValue | Command exit value | int32



EventType: PH_AGENTMGR_OFFICE365_API_CALL_FAILED

Description: Agent Manager / Office365 log pulling engine failed to call api

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_OFFICE365_EVENT_PULL_FAILED

Description: Agent Manager / Office365 log pulling engine failed to pull log

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
accountName | Account Name | string
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_OFFICE365_FILE_WRITE_ERROR

Description: Agent Manager / Office365 log pulling engine unable to write timestamp file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_OFFICE365_GET_SUBSCRIBE_FAILED

Description: FortiSIEM Agent Manager failed to get Office365 subscription

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_OFFICE365_JSON_PARSE_FAILED

Description: Agent Manager / Office365 log pulling engine failed to parse Office365 JSON

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_OFFICE365_START_SUBSCRIBE_FAILED

Description: FortiSIEM Agent Manager failed to start Office365 subscription

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_OFFICE365_SUBSCRIBE_EMPTY

Description: FortiSIEM Agent Manager found Office365 subscription to be empty

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_OFFICE365_SUBSCRIBE_FAILED

Description: Agent Manager / Office365 log pulling engine failed to get subscription list

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_OFFICE365_TOKEN_EMPTY

Description: Agent Manager / Office365 log pulling engine found empty Token

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_OKTA_EVT_DOWNLOAD_FAILED

Description: Agent Manager / OKTA failed to download events

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_OKTA_FILE_WRONG

Description: Agent Manager / OKTA encountered wrong Okta user list file. Please download again

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_OKTA_NO_USER_INFO

Description: Agent Manager / OKTA user list file doesn't contain any user info

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_OKTA_RESULT_UPLOAD_FAILED

Description: Agent Manager / OKTA failed to upload discovery result to App server

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_OKTA_RESULT_UPLOAD_WARNING

Description: FortiSIEM Agent Manager failed to upload OKTA User list to App Server

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_PARSER_UNABLE_CONNECT

Description: Agent Manager unable to connect to parser host

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
hostIpAddr | Host IP | IP | This is the IP of the device of interest in the event.
ipPort | IP Port | uint16 | IP port number



EventType: PH_AGENTMGR_PERF_OBJ_PARSE_FAILURE

Description: Agent Manager did not find any performance objects to monitor

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_PROCESS_INIT_FAILED

Description: Agent Manager failed to initialize

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_PULLING_JOB_OUTDATE

Description: FortiSIEM Agent Manager job pull error

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
jobName | Job Name | string
serverIpAddr | Server IP | IP



EventType: PH_AGENTMGR_REST_API_CALL_FAILED

Description: Agent fails to call rest API

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason
infoURL | Informational URL | string | This field captures a URL if present in an event
httpStatusCode | HTTP Status | string



EventType: PH_AGENTMGR_RSAS_XML_PARSE_FAILED

Description: AgentManager failed to parse XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_RUN_CMD_FAILED

Description: do_system failed

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
command | Command | string
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_RUN_SCRIPT_FAILED

Description: AgentManager failed to run script

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_RUN_SCRIPT_WITHOUT_TASK_ID

Description: AgentManager found missing task id in run script notification

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_ATTR_NOT_FOUND

Description: Agent Manager / Salesforce log pulling engine cannot find attribute

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_COLUMN_NOT_FOUND

Description: Agent Manager / Salesforce log pulling engine cannot find a specific column in Salesforce Event Log File

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_CURL_EXECUTE_FAILED

Description: Agent Manager / Salesforce log pulling engine failed to execute curl to get Salesforce log

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
infoURL | Informational URL | string | This field captures a URL if present in an event
errorNo | Error Number Unsigned | uint32 | This is an unsigned integer error number



EventType: PH_AGENTMGR_SALESFORCE_CURL_HANDLE_GET_FAILED

Description: Agent Manager / Salesforce log pulling engine unable to get curl handle

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_FILE_LOAD_ERROR

Description: Agent Manager / Salesforce log pulling engine failed to load file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_SALESFORCE_FILE_WRITE_ERROR

Description: Agent Manager / Salesforce log pulling engine unable to write timestamp file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_SALESFORCE_INVALID_DATA

Description: Agent Manager / Salesforce log pulling engine received invalid response from Salesforce

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_INVALID_LOG_FILE

Description: Agent Manager / Salesforce log pulling engine received invalid Salesforce Event Log File csv

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_JSON_PARSE_FAILED

Description: Agent Manager / Salesforce log pulling engine failed to parse JSON

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_LOGIN_FAILED

Description: Agent Manager / Salesforce log pulling engine failed to login to Salesforce

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason
infoURL | Informational URL | string | This field captures a URL if present in an event



EventType: PH_AGENTMGR_SALESFORCE_SERVER_EMPTY

Description: Agent Manager / Salesforce log pulling engine found Server is empty

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_TOKEN_GET_FAILED

Description: Agent Manager / Salesforce log pulling engine can't get login token

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_TOKEN_REGET_FAILED

Description: Agent Manager / Salesforce log pulling engine login session is expired and failed to re-get token

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_VERSION_PATH_EMPTY

Description: Agent Manager / Salesforce log pulling engine found empty version path

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SALESFORCE_XML_PARSE_FAILED

Description: Agent Manager / Salesforce log pulling engine failed to parse XML from App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SCRIPT_NOTIFICATION_SPAWN_FAILED

Description: Agent Manager encountered error in spawning run script notification thread

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SERVER_HOST_NAME_RESOLVE_FAILED

Description: Agent Manager could not resolve server host name

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SERVER_HOST_NAME_RESOLVE_WARNING

Description: FortiSIEM Agent Manager failed to resolve Host Name to IP

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
serverName | Server Name | string
jobName | Job Name | string



EventType: PH_AGENTMGR_SERVER_IP_RESOLVE_FAILED

Description: Agent Manager could not resolve server IP

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_SERVER_IP_RESOLVE_WARNING

Description: FortiSIEM Agent Manager failed to resolve IP to Host Name

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
serverIpAddr | Server IP | IP
jobName | Job Name | string



EventType: PH_AGENTMGR_SETUP_STREAM_FAILED

Description: Failed to setup stream connection

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_START_THREAD_FAILED

Description: Failed to start thread

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_STATUS_REPORT_FAILED

Description: Agent Manager failed to report task status to App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_STATUS_REPORT_INIT_FAILED

Description: Agent Manager failed to initialize job status reporter

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_STOP_STREAM_FAILED

Description: Failed to stop stream connection

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_TENABLE_EXPORT_SCAN_FAILED

Description: Exported scan failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_TENABLE_GET_DOWNLOAD_FAILED

Description: Download exported scan failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_TENABLE_GET_SCANS_FAILED

Description: Get the scan list failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_TENABLE_GET_STATUS_FAILED

Description: Check the file status of exported scan failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_TENABLE_PULL_FAILED

Description: Failed to pull Tenable.io data

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_TIME_CONVERTION_FAILED

Description: Agent Manager/module failed to convert time

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_TOKEN_GET_FAILED

Description: Agent Manager monitoring module cannot get login token

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_UNPACK_FILE_FAILED

Description: Agent Manager unpack file failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
fileName | File Name | string



EventType: PH_AGENTMGR_UPDATE_AGENT

Description: Update agent

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_UPDATE_BOOKMARK_FAILED

Description: Failed to update bookmark

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_UPDATE_WEBHOOK_CRED_FAILED

Description: Failed to update Webhook credential

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_UPDATE_WEBHOOK_CRED_SUCCESS

Description: Update Webhook credential successfully

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_WINDEFATP_API_CALL_FAILED

Description: Windows Defender ATP REST API call failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_WINDEFATP_FILE_WRITE_ERROR

Description: Unable to write timestamp file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string



EventType: PH_AGENTMGR_WINDEFATP_GET_ALERT_FAILED

Description: Failed to get alert from Windows Defender ATP

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_WINDEFATP_JSON_EMPTY

Description: JSON is empty

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_WINDEFATP_JSON_PARSE_FAILED

Description: Failed to parse JSON

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_WINDEFATP_TOKEN_EMPTY

Description: Token is empty

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_WMI_EVENT_PULL_ERROR

Description: Agent Manager / Windows WMI event log pulling engine encountered error

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_WMI_EVENT_PULL_WARNING

Description: FortiSIEM Agent Manager WMI event pull warning

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
serverName | Server Name | string
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_WMI_FILE_OPEN_ERROR

Description: Agent Manager / Windows WMI event log pulling engine failed to open file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
filePath | File Path | string
exitValue | Command exit value | int32



EventType: PH_AGENTMGR_WMI_LOG_PULL_ERROR

Description: Failed to pull logs by WMI

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
hostName | Host Name | string | This is the hostname of the device of interest in the event
errorString | Error String | string | This is the error message, synonymous with attribute errReason
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_AGENTMGR_WMI_MISSING_LOG

Description: Some logs are missing

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errReason | Reason for Error | string | This is the reason for an error if given.



EventType: PH_AGENTMGR_WMI_STATUS_REPORT_FAILED

Description: Agent Manager / Windows WMI event log pulling engine failed to report task status to App Server

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_WMI_USER_PWD_GET_FAILED

Description: Agent Manager / Windows WMI event log pulling engine failed to get WMI user name and password

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id | Display name | Type | Description
errorString | Error String | string | This is the error message, synonymous with attribute errReason



EventType: PH_AGENTMGR_WVSS_XML_PARSE_FAILED

Description: Agent Manager / Windows WMI event log pulling engine failed to parse XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AGENTMGR_XML_PARSE_FAILED

Description: Agent Manager / Windows WMI event log pulling engine failed to parse XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous with attribute errReason



EventType: PH_ANOMALY_CONFIG

Description: Anomaly Detection System Config Event

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

profDateType

Profile Date Type

uchar

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant



EventType: PH_ANOMALY_LATERAL_MOVEMENT_ANALYZE

Description: FSM Anomaly engine: Lateral Movement Module in analyze mode

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

profDateType

Profile Date Type

uchar

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

startTime

Start Time

Date

This is the start time of a given item or task, and is stored in epoch milliseconds

endTime

End Time

Date

This is the end time of a given item or task, stored in epoch milliseconds.



EventType: PH_ANOMALY_LATERAL_MOVEMENT_DETECT

Description: FSM Anomaly engine detected Lateral Movement

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

profDateType

Profile Date Type

uchar

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

srcIpAddr

Source IP

IP

Source IP of a device as identified in the event.

srcIpAddrList

Source IP List

string

Comma-separated list of source IP addresses as identified in a log message

destIpAddrList

Destination IP List

string

Comma-separated list of destination IP addresses as identified in a log message

endTime

End Time

Date

This is the end time of a given item or task, stored in epoch milliseconds.



EventType: PH_ANOMALY_LATERAL_MOVEMENT_TRAIN

Description: FSM Anomaly engine: Lateral Movement Module in training mode

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

profDateType

Profile Date Type

uchar

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

startTime

Start Time

Date

This is the start time of a given item or task, and is stored in epoch milliseconds

endTime

End Time

Date

This is the end time of a given item or task, stored in epoch milliseconds.



EventType: PH_ANOMALY_SYSTEM

Description: Anomaly Detection System Event

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

profDateType

Profile Date Type

uchar

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant



EventType: PH_ANOMALY_TIMER

Description: Anomaly Detection System Timer Event

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

profDateType

Profile Date Type

uchar

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant



EventType: PH_APPSERVER_ADMIN_AGENT_GET_UPDATE_FAILED_ERROR

Description: App Server failed to get update

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_ADMIN_AGENT_UNKOWN_TASK_ID_ERROR

Description: App Server detects unknown Admin Agent task ID

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_ADMIN_CUST_GENERATE_KEY_ERROR

Description: App Server failed to generate organization key

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_ADMIN_GET_RESOURCE_FAILED

Description: App Server failed to get resource for admin tab

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_ADMIN_LOCATE_KEY_FAILED

Description: App Server failed to locate resource for admin tab

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_ADMIN_RESET_FIELD_FAILED_ERROR

Description: App Server failed to reset resource for admin tab

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_AUDIT_REPORT_EXPORT_ERROR

Description: Audit Data Export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_BEACON_LIB_ERROR

Description: App Server Beaconing library error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_BEACON_REGISTER_ERROR

Description: App Server Beaconing Register error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_BEACON_SERVER_ERROR

Description: App Server Beaconing Server error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_BEACON_WEB_SERVER_ERROR

Description: App Server Beaconing Web Server error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_BEAN_REF_CHECK_WARN

Description: App Server check entity bean reference warning

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_BEAN_SYNC_PROPERTIES_ERROR

Description: App Server entity bean sync properties error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_BEAN_TO_VALUE_ERROR

Description: App Server entity bean to property value map error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_BEAN_TO_XML_ERROR

Description: App Server entity to XML generation error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_BEAN_VALUE_TO_BEAN_ERROR

Description: App Server set value for Entity bean error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_CMDB_REPORT_DATA_ERROR

Description: CMDB Report Data error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_CMDB_REPORT_EXPORT_ERROR

Description: CMDB Report export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_CMDB_REPORT_IMPORT_ERROR

Description: CMDB Report import error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_CMDB_REPORT_QUERY_ERROR

Description: CMDB Report query error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_CMDB_REPORT_TYPE_ERROR

Description: CMDB Report Type error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_COLLECTOR_INFO_ERROR

Description: Collector information error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_COLLECTOR_LICENSE_ERROR

Description: Collector license error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_COLLECTOR_STATUS_ERROR

Description: Collector status error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_COMMONPWD_EXPORT_ERROR

Description: Common password data export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DASHBOARD_DATA_ERROR

Description: Dashboard Data error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DASHBOARD_HTML_BUILD_XML_ERROR

Description: App Server failed to build dashboard XML content

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DASHBOARD_WIDGET_ERROR

Description: Dashboard Widget error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DATA_IMPORT_ERROR

Description: App Server failed to import data during initialization

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DATA_ROBUST_INFO_ERROR

Description: Data Robust Info error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DB_CONNECTION_CLOSE_ERROR

Description: PostgreSQL database connection close error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DB_DATA_ERROR

Description: PostgreSQL database data error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DB_DELETE_ERROR

Description: PostgreSQL database data delete error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DB_QUERY_ERROR

Description: PostgreSQL database query error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DB_UPDATE_ERROR

Description: PostgreSQL database data update error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DISCOVERY_CREDENTIAL_DECRYPT_PASSWORD_WARN

Description: App Server discovery result credential decrypt error

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DISCOVERY_RESULT_ENCRYPT_XML_ELEMENT_ERROR

Description: App Server discovery result credential encrypt error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DISCOVERY_RESULT_ERROR

Description: App Server failed to process discovery result

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_DISCOVERY_RESULT_UNKOWN_TASK_ID_ERROR

Description: App Server detects unknown Discovery Result task ID

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_EAMIL_GENERATE_EVENT_ERROR

Description: App Server failed to generate raw event for email notification

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_ELASTIC_UPDATE_ERROR

Description: App Server failed to update Elasticsearch configuration

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_EMAIL_PREPARE_DATA_ERROR

Description: App Server failed to prepare email body for email notification

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_EVENTDB_EXPORT_ERROR

Description: Event DB data export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_EVENT_ATTRIBUTE_BUILD_XML_ERROR

Description: App Server failed to build Event Attribute XML content

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_EXPORT_ERROR

Description: App Server Generic Export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_EXT_THREAT_INTEL_DOWNLOAD_ERROR

Description: External Threat Intelligence download error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_EXT_THREAT_INTEL_PARSE_ERROR

Description: External Threat Intelligence parse error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_EXT_THREAT_INTEL_UPDATE_ERROR

Description: External Threat Intelligence update error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FILE_NOT_FOUND

Description: App Server cannot find specified file

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FILE_READ_ERROR

Description: App Server cannot read from specified file

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FILE_SYSTEM_ERROR

Description: App Server encountered file system error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FILE_WRITE_ERROR

Description: App Server cannot write to specified file

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FLEX_INTERCEPTOR_NO_LOGIN_EXCEPTION_ERROR

Description: App Server encountered Flex API exception

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FORTIGUARD_IOC_INTEGRATION_ERROR

Description: FortiGuard IOC data download/parse error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FRAMEWORK_REGISTER_ERROR

Description: App Server Registration error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FRAMEWORK_RUN_THREAD_ERROR

Description: App Server run thread error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FRAMEWORK_SECURITY_CHECK_LICENSE_WARN

Description: App Server Check license warning

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FRAMEWORK_SECURITY_GET_ENTITY_MANAGER_ERROR

Description: App Server cannot get EntityManager

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FRAMEWORK_SECURITY_GET_RS_EXPIRATION_ERROR

Description: App Server Get Report Server expiration error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FRAMEWORK_SECURITY_INIT_SYSTEM_ERROR

Description: App Server Phoenix Caching system initialization failed

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FRAMEWORK_SERVICE_MISSED_WARN

Description: App Server cannot find service

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_FRAMEWORK_SHUTDOWN_SERVICE_STARTER_WARN

Description: App Server cannot shut down service starter

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_GENERIC_ERROR

Description: Unknown Application Server error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_GENERIC_INFO

Description: Generic Application Server Informational log

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_GENERIC_WARN

Description: Generic Application Server warning

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_GET_MAX_CONFIG_ITEM_COUNT_ERROR

Description: App Server encountered error while getting max system configuration item count

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_GROUP_DATA_ERROR

Description: Group Data error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_IDENTIYLOCATION_EXPORT_ERROR

Description: Identity location export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_INCIDENT_NOTIFY_ERROR

Description: App Server failed to notify Incident via email or other methods

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_INCIDENT_UPDATE_ERROR

Description: App Server failed to update Incident in PostgreSQL database

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_INTEGRATION_ERROR

Description: External ticketing system integration error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_INTEGRATION_UPDATE_POLICY_ERROR

Description: App Server encountered error while updating Ticketing system integration policy

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_INTEGRATION_UPDATE_POLICY_WARN

Description: App Server encountered warning while updating Ticketing system integration policy

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_INTEGRATION_WARN

Description: External ticketing system integration warning

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_IN_INTEGRATION_ERROR

Description: Inbound external ticketing system integration error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_IOC_LICENSE_CHECK_FAILED_WARN

Description: App Server failed to check External Threat Intelligence License

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_IOC_TASK_CREATE_FAILED_ERROR

Description: App Server failed to create External Threat Intelligence Update task

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_JOB_DISTRIBUTE_ERROR

Description: Application Server monitoring job distribution error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_LICENSE_EXPIRY_ERROR

Description: License Expiration error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_LICENSE_VALIDATION_ERROR

Description: License Validation error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_LOGIN_ERROR

Description: App Server Login exception

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_LOG_INTEGRITY_ERROR

Description: App Server failed to update log integrity hashes

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_MONITOR_AUDIT_PERF_ERROR

Description: App Server encountered exception while updating performance monitor job status

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_MONITOR_HEALTH_CONFIG_SET_ERROR

Description: App Server failed to update CMDB Device Monitor Health

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_NETSEGMENT_EXPORT_ERROR

Description: Network Segment Export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_NOTIFICATION_EMAIL_GET_RESOURCE_FAILED

Description: App Server failed to get resource for email notification

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_NOTIFICATION_ERROR

Description: App Server notification error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_NOTIFICATION_JMS_CONNECTION_ERROR

Description: App Server create JMS connection error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_NOTIFICATION_UPDATE_ERROR

Description: App Server notification Update error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_NOTIFIER_ERROR

Description: App Server Notifier error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_NO_WATCHLIST_SELECTED_WARN

Description: No watch list selected for entry warning

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_OPENPROXY_EXPORT_ERROR

Description: Open proxy data export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_OUT_INTEGRATION_ERROR

Description: Outbound external ticketing system integration error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_PARSER_IMPORT_ERROR

Description: Custom parser import error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_PARSER_UPDATE_ERROR

Description: Custom parser update error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_PARSING_CONSTRAINT_ERROR

Description: Rule/Report constraint parsing error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_PDF_BUILDER_ERROR

Description: App Server failed to build PDF during report export

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_PERFMON_TASK_ERROR

Description: App Server failed to create Performance Monitoring Task

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_QUERY_CHECK_POLICY_ACTION_WARN

Description: App Server failed to validate Incident notification policy action

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_QUERY_EXPORT_ERROR

Description: App Server failed to export historical query result

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_QUERY_RESULT_PARSER_ERROR

Description: App Server failed to parse historical query result

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_QUERY_RESULT_RETRIEVE_ERROR

Description: App Server failed to retrieve historical query result

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_QUERY_RUN_ERROR

Description: App Server failed to run historical query

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_QUERY_STOP_ERROR

Description: App Server failed to stop historical query

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_QUERY_STRING_ESCAPE_ERROR

Description: App Server cannot find closing escape string

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_RBAC_ERROR

Description: App Server encountered error while setting RBAC policies

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_RBAC_NO_PERMISSION_WARN

Description: App Server enforced user RBAC

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REALTIME_QUERY_ERROR

Description: App Server failed to start real time query

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REMEDY_ERROR

Description: App Server failed to create tickets in Remedy

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_BUNDLE_PRINT_ERROR

Description: Print report bundle error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_COMPILE_ERROR

Description: Compile report to file error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_DEVICE_COMPONENT_SN_ERROR

Description: CMDB device serial number report error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_DEVICE_DETAIL_ERROR

Description: CMDB detail report error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_DEVICE_SN_ERROR

Description: CMDB server serial number report error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_DEVICE_SUMMARY_ERROR

Description: CMDB summary report error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_EXPORT_ERROR

Description: Report Export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_FAILED_BLOCK_SUMMARY_ERROR

Description: Get failed blocks error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_FIRE_TRIGGER_EVENT_ERROR

Description: App Server incident trigger events report error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_GET_PH_CONFIG_ERROR

Description: App Server get phoenix configuration error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_IDENTITY_AND_LOCATION_ERROR

Description: Identity and location report error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_LOG_FILE_SUMMARY_ERROR

Description: App Server get log files error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_TEMPLATE_GENERATE_PDF_ERROR

Description: App Server Report template generate PDF error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_TEMPLATE_INIT_IMAGE_ERROR

Description: App Server Report template init image error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_TEMPLATE_INIT_PARM_ERROR

Description: App Server Report template init parameter error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_TEMPLATE_PDF_SUMMARY_ERROR

Description: App Server Report template create PDF summary error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_TICKET_SUMMARY_ERROR

Description: App Server get tickets error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_UPDATE_ERROR

Description: User defined report update error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REPORT_USER_SUMMARY_ERROR

Description: App Server get users error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REST_ERROR

Description: App Server REST error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_REST_H5_ERROR

Description: App Server HTML5 REST error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_RISKSCORE_CALCULATE_ERROR

Description: Risk score calculation error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_RULE_ACTIVE_ERROR

Description: App Server failed to activate rule

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_RULE_CLONE_ERROR

Description: App Server failed to clone rule

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_RULE_DEBUG_INVALID_EVENT_DB_ID_ERROR

Description: App Server found invalid event id during rule testing

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_RULE_DEBUG_WORKERS_SETTING_ERROR

Description: App Server detected Worker Settings error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_RULE_TEST_ERROR

Description: App Server encountered error while testing rule

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_RULE_UPDATE_ERROR

Description: App Server failed to update rule

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SCHEDULE_ERROR

Description: App Server job schedule error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SCHEDULE_UPDATE_ERROR

Description: App Server job schedule Update error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SECURITY_ERROR

Description: Application Server System Security Data error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SERVLET_ERROR

Description: App Server Servlet error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SERVLET_NO_ACCESS_TO_URI_WARN

Description: App Server Servlet has no access to URI

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SOCKET_COMM_ERROR

Description: App Server Socket communication error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SVN_ERROR

Description: App Server SVN Repository error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SYNC_UPDATE_CONFIG_ERROR

Description: App Server encountered error while syncing update config for performance monitoring jobs

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SYSCONFIG_GET_ERROR

Description: App Server failed to get system configuration from PostgreSQL database

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SYSTEM_WINAGENT_REGISTER_WARN

Description: Windows Agent Manager not found or not registered

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SYS_APPLICATION_ERROR

Description: Application Server System error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_SYS_DATA_UPDATE_ERROR

Description: Application Server Data Update error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_TASK_CREATE_ERROR

Description: App Server create task error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_TASK_FLEX_RESULT_BUILD_XML_ERROR

Description: App Server failed to build Flex XML content

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_TASK_GET_ERROR

Description: App Server get task error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_TASK_UPDATE_ERROR

Description: App Server update task error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_TICKET_EXPORT_ERROR

Description: Incident ticket export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_UPDATER_FIND_EXIST_USER_BY_NOTHING_ERROR

Description: App Server failed to locate existing user in CMDB

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_USERAGENT_EXPORT_ERROR

Description: User agent export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_VULNERABILITY_IGNORE_WARN

Description: App Server ignored host Vulnerability result

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_WATCHLIST_ADD_TO_DISTIRBUTED_QUEUE

Description: App Server failed to add incident attribute to watch list

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_WATCHLIST_EXPORT_ERROR

Description: Watch List export error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_WATCHLIST_IMPORT_ERROR

Description: Watch List import error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_WATCHLIST_IMPORT_WARN

Description: Watch List import warnings

Severity: 3 (Low)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_WATCHLIST_UPDATE_ERROR

Description: Watch List update error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_WEBSERVICE_UPDATE_TASK_ERROR

Description: App Server encountered error while updating task

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_WORKER_PROVISION_FAILED

Description: App Server failed to provision Worker

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_WS_COMM_ERROR

Description: App Server Web service communication error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_APPSERVER_XML_PARSE_ERROR

Description: App Server failed to parse XML

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_ACCOUNT_LOCKED

Description: System user account locked due to excessive login failures

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

reason

Reason

string

targetUser

Target User

string

srcIpAddr

Source IP

IP

Source IP of a device as identified in the event.



EventType: PH_AUDIT_AGENT_DISABLED

Description: FortiSIEM Windows/Linux Agent disabled

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

monitorState

Monitor State

string

type

Type

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

phAgentId

Agent ID

string

Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.

hostName

Host Name

string

This is the hostname of the device of interest in the event



EventType: PH_AUDIT_AGENT_INSTALLED

Description: FortiSIEM Windows/Linux Agent installed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

monitorState

Monitor State

string

type

Type

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

phAgentId

Agent ID

string

Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.

hostName

Host Name

string

This is the hostname of the device of interest in the event



EventType: PH_AUDIT_AGENT_NOTRESPONDING

Description: FortiSIEM Windows/Linux Agent not responding

Severity: 8 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

monitorState

Monitor State

string

type

Type

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

phAgentId

Agent ID

string

Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.

hostName

Host Name

string

This is the hostname of the device of interest in the event



EventType: PH_AUDIT_AGENT_RUNNING

Description: FortiSIEM Windows/Linux Agent is running and sending events

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

monitorState

Monitor State

string

type

Type

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

phAgentId

Agent ID

string

Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.

hostName

Host Name

string

This is the hostname of the device of interest in the event



EventType: PH_AUDIT_AGENT_STARTED

Description: FortiSIEM Windows/Linux Agent started

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

monitorState

Monitor State

string

type

Type

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

phAgentId

Agent ID

string

Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.

hostName

Host Name

string

This is the hostname of the device of interest in the event



EventType: PH_AUDIT_AGENT_STOPPED

Description: FortiSIEM Windows/Linux Agent stopped

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

monitorState

Monitor State

string

type

Type

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

phAgentId

Agent ID

string

Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.

hostName

Host Name

string

This is the hostname of the device of interest in the event



EventType: PH_AUDIT_AGENT_UNINSTALLED

Description: FortiSIEM Windows/Linux Agent uninstalled

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

monitorState

Monitor State

string

type

Type

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

phAgentId

Agent ID

string

Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.

hostName

Host Name

string

This is the hostname of the device of interest in the event
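
The seven PH_AUDIT_AGENT_* events above are the only record that an endpoint has stopped feeding FortiSIEM, and six of the seven are severity 1, so a rule keyed on severity alone will miss an agent that was STOPPED, DISABLED or UNINSTALLED and never came back. The block below is an added example, not FortiSIEM code: it keeps the last lifecycle event per phAgentId and reports agents left in a non-reporting state, ranking PH_AUDIT_AGENT_NOTRESPONDING (severity 8) first. The raw `[EVENT_TYPE]:[attr]=value,...` line shape, the sample lines, the agent IDs and the `type` values are constructed assumptions, not something this reference states.

```python
import re

# Assumed raw shape (an assumption, not stated by this reference): FortiSIEM internal
# events written as "[EVENT_TYPE]:[attr]=value,[attr]=value,...". Constructed samples,
# in chronological order; attribute names follow the PH_AUDIT_AGENT_* tables.
SAMPLE_AGENT_LINES = [
    "[PH_AUDIT_AGENT_INSTALLED]:[phCustId]=1,[phAgentId]=agent-01,[hostName]=WIN-FS01,[type]=Windows",
    "[PH_AUDIT_AGENT_STARTED]:[phCustId]=1,[phAgentId]=agent-01,[hostName]=WIN-FS01,[type]=Windows",
    "[PH_AUDIT_AGENT_RUNNING]:[phCustId]=1,[phAgentId]=agent-01,[hostName]=WIN-FS01,[type]=Windows",
    "[PH_AUDIT_AGENT_INSTALLED]:[phCustId]=1,[phAgentId]=agent-02,[hostName]=LNX-DB01,[type]=Linux",
    "[PH_AUDIT_AGENT_RUNNING]:[phCustId]=1,[phAgentId]=agent-02,[hostName]=LNX-DB01,[type]=Linux",
    "[PH_AUDIT_AGENT_STOPPED]:[phCustId]=1,[phAgentId]=agent-01,[hostName]=WIN-FS01,[type]=Windows",
    "[PH_AUDIT_AGENT_STARTED]:[phCustId]=1,[phAgentId]=agent-01,[hostName]=WIN-FS01,[type]=Windows",
    "[PH_AUDIT_AGENT_NOTRESPONDING]:[phCustId]=1,[phAgentId]=agent-02,[hostName]=LNX-DB01,[type]=Linux",
    "[PH_AUDIT_USER_ADDED]:[phCustId]=1,[user]=admin,[targetUser]=svc-backup",  # unrelated, ignored
    "[PH_AUDIT_AGENT_RUNNING]:[phCustId]=1,[phAgentId]=agent-03,[hostName]=WIN-DC01,[type]=Windows",
    "[PH_AUDIT_AGENT_DISABLED]:[phCustId]=1,[phAgentId]=agent-03,[hostName]=WIN-DC01,[type]=Windows",
]

EVENT_RE = re.compile(r"^\[(?P<type>[A-Z0-9_]+)\]:(?P<body>.*)$")
ATTR_RE = re.compile(r"\[(\w+)\]=([^,]*)")  # values containing commas would need a real tokenizer

# Lifecycle events from the tables above, split by whether the host is still reporting.
HEALTHY = {"PH_AUDIT_AGENT_INSTALLED", "PH_AUDIT_AGENT_STARTED", "PH_AUDIT_AGENT_RUNNING"}
DARK = {"PH_AUDIT_AGENT_DISABLED", "PH_AUDIT_AGENT_STOPPED",
        "PH_AUDIT_AGENT_UNINSTALLED", "PH_AUDIT_AGENT_NOTRESPONDING"}
# Severities as listed on this page; everything except NOTRESPONDING is 1 (Low).
SEVERITY = {"PH_AUDIT_AGENT_NOTRESPONDING": 8}


def parse_event(line):
    """Turn one raw line into {"eventType": ..., attr: value, ...}; None if not in the assumed shape."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    attrs = dict(ATTR_RE.findall(m.group("body")))
    attrs["eventType"] = m.group("type")
    return attrs


def dark_agents(lines):
    """Return {phAgentId: (hostName, last lifecycle eventType)} for agents whose most recent
    lifecycle event left them not sending events. A STOPPED agent that later STARTED is healthy."""
    last = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["eventType"] not in HEALTHY | DARK:
            continue
        last[ev.get("phAgentId", "?")] = (ev.get("hostName", "?"), ev["eventType"])
    return {agent: state for agent, state in last.items() if state[1] in DARK}


def ranked_blind_spots(lines):
    """Dark agents as (severity, hostName, phAgentId, eventType), highest severity first."""
    rows = [(SEVERITY.get(et, 1), host, agent, et) for agent, (host, et) in dark_agents(lines).items()]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


if __name__ == "__main__":
    for sev, host, agent, et in ranked_blind_spots(SAMPLE_AGENT_LINES):
        print(f"sev={sev} host={host} agent={agent} last={et}")
```

Run against a real export, the check should be scheduled so that a host that never emits a PH_AUDIT_AGENT_* event again (the agent was killed rather than stopped) still surfaces through PH_AUDIT_AGENT_NOTRESPONDING; the regex deliberately rejects lines that do not match the assumed shape instead of guessing at them.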



EventType: PH_AUDIT_CASE_ASSIGNED

Description: FortiSIEM Case Assigned to a User

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

caseId

Case ID

uint64

Unique ID of a FortiSIEM Case

title

Title

string

targetUser

Target User

string



EventType: PH_AUDIT_CASE_CLOSED

Description: FortiSIEM Case Closed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

caseId

Case ID

uint64

Unique ID of a FortiSIEM Case

title

Title

string

comment

Comment

string



EventType: PH_AUDIT_CASE_CREATED

Description: FortiSIEM Case Created

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

caseId

Case ID

uint64

Unique ID of a FortiSIEM Case

title

Title

string



EventType: PH_AUDIT_CASE_EVIDENCE_ADDED

Description: FortiSIEM Case Evidence Added

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

caseId

Case ID

uint64

Unique ID of a FortiSIEM Case

title

Title

string

type

Type

string

fileName

File Name

string



EventType: PH_AUDIT_CASE_EVIDENCE_DELETED

Description: FortiSIEM Case Evidence Deleted

Severity: 8 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

caseId

Case ID

uint64

Unique ID of a FortiSIEM Case

title

Title

string

type

Type

string

fileName

File Name

string



EventType: PH_AUDIT_CASE_INCIDENT_ADDED

Description: FortiSIEM Incident added to a Case

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

caseId

Case ID

uint64

Unique ID of a FortiSIEM Case

title

Title

string



EventType: PH_AUDIT_CASE_MERGED

Description: FortiSIEM Case Merged

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

caseId

Case ID

uint64

Unique ID of a FortiSIEM Case



EventType: PH_AUDIT_CASE_NOTE_ADDED

Description: FortiSIEM Case Note Added

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

caseId

Case ID

uint64

Unique ID of a FortiSIEM Case

title

Title

string

comment

Comment

string



EventType: PH_AUDIT_CASE_NOTE_DELETED

Description: FortiSIEM Case Note Deleted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

caseId

Case ID

uint64

Unique ID of a FortiSIEM Case

title

Title

string



EventType: PH_AUDIT_CASE_NOTE_MODIFIED

Description: FortiSIEM Case Note Modified

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

caseId

Case ID

uint64

Unique ID of a FortiSIEM Case

title

Title

string

comment

Comment

string



EventType: PH_AUDIT_CASE_PRIORITY_CHANGED

Description: FortiSIEM Case Priority Changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

caseId

Case ID

uint64

Unique ID of a FortiSIEM Case

title

Title

string

oldSeverity

Old Severity

string

newSeverity

New Severity

string



EventType: PH_AUDIT_CASE_REASSIGNED

Description: FortiSIEM Case Reassigned

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

caseId

Case ID

uint64

Unique ID of a FortiSIEM Case

title

Title

string

targetUser

Target User

string



EventType: PH_AUDIT_CASE_STAGE_CHANGED

Description: FortiSIEM Case Stage Changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

caseId

Case ID

uint64

Unique ID of a FortiSIEM Case

title

Title

string



EventType: PH_AUDIT_CASE_STAT

Description: FortiSIEM Case Closed Statistics

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

caseId

Case ID

uint64

Unique ID of a FortiSIEM Case

title

Title

string

user

User

string

newDuration

New Duration

uint64

Duration of a case in the new status

assignedDuration

Assigned Duration

uint64

Duration of a case in the assigned status

inProgressDuration

In-Progress Duration

uint64

Duration of a case in the in-progress status

pendCustFeedbackDuration

Pending Customer Feedback Duration

uint64

Duration of a case in the pending feedback status

recvCustFeedbackDuration

Received Customer Feedback Duration

uint64

Duration of a case in the received feedback status

timeToClose

Time to Close

uint64

Total duration that a case was open



EventType: PH_AUDIT_CASE_STATUS_CHANGED

Description: FortiSIEM Case Status Changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

caseId

Case ID

uint64

Unique ID of a FortiSIEM Case

title

Title

string



EventType: PH_AUDIT_CASE_SUMMARY_CHANGED

Description: FortiSIEM Case Summary Changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

caseId

Case ID

uint64

Unique ID of a FortiSIEM Case

title

Title

string

oldTitle

Old Title

string



EventType: PH_AUDIT_CASE_UPDATED

Description: FortiSIEM Case Updated

Severity: 1 (Low)

Event Category: 3 (System Logs)
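
The PH_AUDIT_CASE_* events above form the audit trail for case handling, and PH_AUDIT_CASE_EVIDENCE_DELETED is the one the page raises to severity 8 because it is the chain-of-custody event. The block below is an added example, not FortiSIEM code: it replays case events in order and flags evidence deleted by someone other than the current assignee (from the targetUser of PH_AUDIT_CASE_ASSIGNED / PH_AUDIT_CASE_REASSIGNED), any case activity after PH_AUDIT_CASE_CLOSED, and a PH_AUDIT_CASE_STAT record whose stage durations add up to more than timeToClose. The sample events, user names, file names and the `type` value are constructed; the assumption that the five stage durations are sequential slices of timeToClose is mine, not the page's.

```python
# Constructed sample events shaped like the PH_AUDIT_CASE_* attribute tables above
# (caseId and durations as integers); list order is chronological.
SAMPLE_CASE_EVENTS = [
    {"eventType": "PH_AUDIT_CASE_CREATED", "phCustId": 1, "user": "alice", "caseId": 101, "title": "Suspicious login"},
    {"eventType": "PH_AUDIT_CASE_ASSIGNED", "phCustId": 1, "user": "alice", "caseId": 101, "title": "Suspicious login",
     "targetUser": "bob"},
    {"eventType": "PH_AUDIT_CASE_EVIDENCE_ADDED", "phCustId": 1, "user": "bob", "caseId": 101, "title": "Suspicious login",
     "type": "file", "fileName": "auth.pcap"},
    {"eventType": "PH_AUDIT_CASE_EVIDENCE_DELETED", "phCustId": 1, "user": "carol", "caseId": 101, "title": "Suspicious login",
     "type": "file", "fileName": "auth.pcap"},
    {"eventType": "PH_AUDIT_CASE_CLOSED", "phCustId": 1, "user": "bob", "caseId": 101, "title": "Suspicious login",
     "comment": "false positive"},
    {"eventType": "PH_AUDIT_CASE_STAT", "phCustId": 1, "caseId": 101, "title": "Suspicious login", "user": "bob",
     "newDuration": 100, "assignedDuration": 200, "inProgressDuration": 900,
     "pendCustFeedbackDuration": 0, "recvCustFeedbackDuration": 0, "timeToClose": 1200},
    {"eventType": "PH_AUDIT_CASE_NOTE_ADDED", "phCustId": 1, "user": "carol", "caseId": 101, "title": "Suspicious login",
     "comment": "reopening?"},
    {"eventType": "PH_AUDIT_CASE_CREATED", "phCustId": 1, "user": "alice", "caseId": 202, "title": "Malware beacon"},
    {"eventType": "PH_AUDIT_CASE_ASSIGNED", "phCustId": 1, "user": "alice", "caseId": 202, "title": "Malware beacon",
     "targetUser": "alice"},
    {"eventType": "PH_AUDIT_CASE_EVIDENCE_DELETED", "phCustId": 1, "user": "alice", "caseId": 202, "title": "Malware beacon",
     "type": "file", "fileName": "dup.log"},
    {"eventType": "PH_AUDIT_CASE_CLOSED", "phCustId": 1, "user": "alice", "caseId": 202, "title": "Malware beacon",
     "comment": "done"},
    {"eventType": "PH_AUDIT_CASE_STAT", "phCustId": 1, "caseId": 202, "title": "Malware beacon", "user": "alice",
     "newDuration": 50, "assignedDuration": 400, "inProgressDuration": 400,
     "pendCustFeedbackDuration": 300, "recvCustFeedbackDuration": 100, "timeToClose": 1000},
]

ASSIGNMENT_EVENTS = {"PH_AUDIT_CASE_ASSIGNED", "PH_AUDIT_CASE_REASSIGNED"}
STAGE_DURATIONS = ("newDuration", "assignedDuration", "inProgressDuration",
                   "pendCustFeedbackDuration", "recvCustFeedbackDuration")


def audit_case_trail(events):
    """Replay PH_AUDIT_CASE_* events in order; return (caseId, code, detail) findings with codes
    EVIDENCE_DELETED_BY_NON_ASSIGNEE, ACTIVITY_AFTER_CLOSE and STAGE_DURATION_MISMATCH."""
    assignee = {}      # caseId -> current assignee (targetUser of the last assignment)
    closed = set()     # caseIds that have seen PH_AUDIT_CASE_CLOSED
    findings = []
    for ev in events:
        et, cid = ev["eventType"], ev["caseId"]
        if not et.startswith("PH_AUDIT_CASE_"):
            continue
        # PH_AUDIT_CASE_STAT is the close-out summary, so it is expected after CLOSED.
        if cid in closed and et != "PH_AUDIT_CASE_STAT":
            findings.append((cid, "ACTIVITY_AFTER_CLOSE", f"{et} by {ev.get('user')}"))
        if et in ASSIGNMENT_EVENTS:
            assignee[cid] = ev["targetUser"]
        elif et == "PH_AUDIT_CASE_EVIDENCE_DELETED":
            who, owner = ev.get("user"), assignee.get(cid)
            if who != owner:
                findings.append((cid, "EVIDENCE_DELETED_BY_NON_ASSIGNEE",
                                 f"{ev.get('fileName')} deleted by {who}, assignee is {owner}"))
        elif et == "PH_AUDIT_CASE_CLOSED":
            closed.add(cid)
        elif et == "PH_AUDIT_CASE_STAT":
            staged = sum(int(ev.get(k, 0)) for k in STAGE_DURATIONS)
            # Assumption: the stage durations are sequential slices of timeToClose and cannot exceed it.
            if staged > int(ev["timeToClose"]):
                findings.append((cid, "STAGE_DURATION_MISMATCH",
                                 f"stages sum to {staged}, timeToClose is {ev['timeToClose']}"))
    return findings


if __name__ == "__main__":
    for cid, code, detail in audit_case_trail(SAMPLE_CASE_EVENTS):
        print(f"case {cid}: {code}: {detail}")
```

A deletion by the assignee is not flagged here, which is a policy choice; if your process requires that evidence never be removed once attached, drop the assignee comparison and report every PH_AUDIT_CASE_EVIDENCE_DELETED.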


EventType: PH_AUDIT_CI_QUOTE_EXCEEDED

Description: System CI Quote Exceeded

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_CMDB_DISK_PRUNE_FAILED

Description: CMDB Disk Prune Failed

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

freeDiskMB

Free Disk MB

uint32



EventType: PH_AUDIT_CMDB_DISK_PRUNE_SUCCESS

Description: CMDB Disk Prune Success

Severity: 4 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

freeDiskMB

Free Disk MB

uint32



EventType: PH_AUDIT_DASHBOARD_SHARED

Description: FortiSIEM dashboard folder shared

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

targetUserGrp

Target User Group

string



EventType: PH_AUDIT_DATA_PURGE

Description: System data has been purged

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_DEFAULT_PWD_MATCH

Description: Default password match

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

reptVendor

Reporting Vendor

string

This field captures the vendor of the reported event

reptModel

Reporting Model

string

This field captures the model of the reported event

appTransportProto

Application Protocol

string

user

User

string



EventType: PH_AUDIT_DEVICE_ADDED

Description: System CMDB device added

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.



EventType: PH_AUDIT_DEVICE_DELETED

Description: System CMDB device deleted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.



EventType: PH_AUDIT_DEVICE_DISCOVERY_ITEM_CHANGED

Description: System CMDB device changed by discovery

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

objType

Object Type

string

addedItem

Added Item

string



EventType: PH_AUDIT_DEVICE_MAINTENANCE_ENDED

Description: System device maintenance ended

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

maintScheduleName

Maintenance Schedule Name

string

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

hostName

Host Name

string

This is the hostname of the device of interest in the event

endTime

End Time

Date

This is the end time of a given item or task, stored in epoch milliseconds.



EventType: PH_AUDIT_DEVICE_MAINTENANCE_STARTED

Description: System device maintenance started

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

maintScheduleName

Maintenance Schedule Name

string

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

hostName

Host Name

string

This is the hostname of the device of interest in the event

startTime

Start Time

Date

This is the start time of a given item or task, and is stored in epoch milliseconds



EventType: PH_AUDIT_DEVICE_MERGED_BY_IP_WITH_DIFF_NAME

Description: Two devices with different hostnames merged because of overlapping IP addresses

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostName

Host Name

string

This is the hostname of the device of interest in the event

targetHostName

Target Host Name

string

overlapIp

Overlapping IP

string

This field represents the list of IP addresses of a just-discovered device that overlap with an existing device in CMDB.



EventType: PH_AUDIT_DEVICE_STATUS_CHANGED

Description: CMDB Device audit status changed

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostName

Host Name

string

This is the hostname of the device of interest in the event

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

user

User

string

origStatus

Original Status

string

newStatus

New Status

string

eventSource

Event Source

string



EventType: PH_AUDIT_DEVICE_UNMANAGED

Description: License exceeded: newly discovered device set to Unmanaged

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

hostIpAddr

Host IP

IP

This is the IP of the device of interest in the event.

hostName

Host Name

string

This is the hostname of the device of interest in the event

status

Status

string

eventSource

Event Source

string

details

Details

string



EventType: PH_AUDIT_DEV_MON_JOB_NOT_STARTED

Description: Performance monitoring job has not been picked up for execution for a long time

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_DEV_MON_JOB_STATUS_CHANGE

Description: Performance monitoring job status changed

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_DISCOVERY

Description: Audit discovery

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

startTime

Start Time

Date

This is the start time of a given item or task, and is stored in epoch milliseconds

type

Type

string

task

Task

string

osObjName

Object Name

string



EventType: PH_AUDIT_EXPORT_REPORT_END

Description: User exported FortiSIEM Report result via GUI or Scheduled Report

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_GENAI_USER_QUERY

Description: FortiSIEM sent Generative AI Query to ChatGPT

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_GENERIC

Description: System generic audit message

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_GROUP_CREATED

Description: FortiSIEM GUI Group Created

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

osObjName

Object Name

string

osObjType

OS Object Type

string



EventType: PH_AUDIT_GROUP_DELETED

Description: FortiSIEM GUI Group Deleted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

osObjName

Object Name

string

osObjType

OS Object Type

string



EventType: PH_AUDIT_INACTIVE_USER_LOGIN

Description: An inactive system user tried to log in

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_INCIDENT_SYS_CLEAR

Description: FortiSIEM Incident System Auto-Cleared

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

osObjHandleID

Object Handle

string



EventType: PH_AUDIT_INCIDENT_USER_CLEAR

Description: FortiSIEM Incident User Cleared

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

osObjHandleID

Object Handle

string



EventType: PH_AUDIT_INTEGRATION_POLICY_EXECUTED

Description: FortiSIEM Integration Policy Executed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string



EventType: PH_AUDIT_MALWARE_DATA_DELETED

Description: Malware data deleted by scheduled update

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

updateTime

Update Time

Date

count

Count

uint32

A general count variable. A common use case is for incidents: Count represents how many times an Incident occurred in a time interval. When an Incident with the same group-by parameters occurs again, the count is incremented and the Last Seen time is advanced. Count can be used for other events also.

folder

Folder

string



EventType: PH_AUDIT_MALWARE_DATA_UPDATED

Description: Malware data updated by scheduled update

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

updateTime

Update Time

Date

count

Count

uint32

A general count variable. A common use case is for incidents: Count represents how many times an Incident occurred in a time interval. When an Incident with the same group-by parameters occurs again, the count is incremented and the Last Seen time is advanced. Count can be used for other events also.

folder

Folder

string



EventType: PH_AUDIT_ML_GENERIC_ERROR

Description: Machine Learning generic error log

Severity: 6 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_ML_GENERIC_INFO

Description: Machine Learning generic info log

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_ML_INFERENCE_COMPLETED

Description: Machine Learning audit inference completed log

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_ML_INFERENCE_RESULT

Description: Machine Learning audit inference result log

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_ML_INFERENCE_STARTED

Description: Machine Learning audit inference started log

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_ML_TRAINING_COMPLETED

Description: Machine Learning audit training completed log

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_ML_TRAINING_STARTED

Description: Machine Learning audit training started log

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_NOTIF_POLICY_EXECUTED

Description: FortiSIEM Incident Notification Policy Executed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

osObjHandleID

Object Handle

string



EventType: PH_AUDIT_OBJECT_CREATED

Description: System data object created

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjType

OS Object Type

string

osObjName

Object Name

string



EventType: PH_AUDIT_OBJECT_DELETED

Description: System data object deleted

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string



EventType: PH_AUDIT_OBJECT_UPDATED

Description: System data object updated

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjType

OS Object Type

string

objType

Object Type

string

osObjName

Object Name

string

osObjAction

Object Action

string

targetCustomer

Target Organization Name

string

oldSettingsValue

Old Settings Value

string

newSettingsValue

New Settings Value

string



EventType: PH_AUDIT_ONDEMAND_REMEDIATION_EXECUTED

Description: FortiSIEM On-demand Remediation Executed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string



EventType: PH_AUDIT_PASSWORD_CHANGED

Description: System user password changed

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

targetUser

Target User

string

user

User

string

domain

Domain

string



EventType: PH_AUDIT_QUERY_COMPLETED

Description: Audit query completed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

osObjName

Object Name

string

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

durationMSec

Duration

uint32

Duration of a connection (in msec)

queryFilter

Query Filter

string

queryDisplay

Query Display

string

queryId

Query Id

string

usageType

Usage Type

string



EventType: PH_AUDIT_QUERY_SCHEDULED

Description: System scheduled a query

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.



EventType: PH_AUDIT_QUERY_START

Description: System started a query

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string

osObjName

Object Name

string



EventType: PH_AUDIT_QUERY_STOP

Description: System stopped a query

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

queryId

Query Id

string

osObjName

Object Name

string

durationMSec

Duration

uint32

Duration of a connection (in msec)

destIpAddr

Destination IP

IP

Destination IP of a device as identified in the event.



EventType: PH_AUDIT_REPORT_SCHEDULED

Description: FortiSIEM Report Scheduled

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_REPORT_SCHEDULE_APPROVE

Description: FortiSIEM Report schedule approval

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

objId

DB Object Id

string

status

Status

string

targetUser

Target User

string

reportId

Report ID

uint32

reportName

Report Name

string

FortiSIEM report name.

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_AUDIT_REPORT_SCHEDULE_REQUEST

Description: FortiSIEM Report schedule request

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

objId

DB Object Id

string

status

Status

string

targetUser

Target User

string

reportId

Report ID

uint32

reportName

Report Name

string

FortiSIEM report name.



EventType: PH_AUDIT_REPORT_SERVER_LICENSE_EXPIRED

Description: FortiSIEM Report Server license expired

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_REPORT_SERVER_LICENSE_REMOVED

Description: FortiSIEM Report Server Removed After License Expiry

Severity: 8 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_REPORT_SERVER_LICENSE_TO_EXPIRE

Description: FortiSIEM Report Server license about to expire

Severity: 8 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_RISK_DECREASE_LOW

Description: Device Risk Score decreased to LOW level

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_RISK_DECREASE_MED

Description: Device Risk Score decreased to MEDIUM level

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_RISK_INCREASE_HIGH

Description: Device Risk Score increased to HIGH level

Severity: 9 (High)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_RISK_INCREASE_MED

Description: Device Risk Score increased to MEDIUM level

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_RULE_ACTIVATED

Description: FortiSIEM Rule activated

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string



EventType: PH_AUDIT_RULE_ACTIVATION_APPROVE

Description: FortiSIEM Rule activation approval

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

objId

DB Object Id

string

status

Status

string

targetUser

Target User

string

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.

ruleName

Rule Name

string

FortiSIEM rule name.

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_AUDIT_RULE_ACTIVATION_REQUEST

Description: FortiSIEM Rule activation request

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

objId

DB Object Id

string

status

Status

string

targetUser

Target User

string

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.



EventType: PH_AUDIT_RULE_DEACTIVATED

Description: FortiSIEM Rule de-activated

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

osObjName

Object Name

string



EventType: PH_AUDIT_RULE_DEACTIVATION_APPROVE

Description: FortiSIEM Rule de-activation approval

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

objId

DB Object Id

string

status

Status

string

targetUser

Target User

string

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.

ruleName

Rule Name

string

FortiSIEM rule name.

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_AUDIT_RULE_DEACTIVATION_REQUEST

Description: FortiSIEM Rule de-activation request

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

objId

DB Object Id

string

status

Status

string

targetUser

Target User

string

ruleId

Rule ID

uint64

Unique ID of a FortiSIEM rule.

ruleName

Rule Name

string

FortiSIEM rule name.
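
The six PH_AUDIT_RULE_* events above describe a request/approve/apply sequence for turning detection rules on and off. Deactivating a rule is the cheapest way to blind a SIEM, so the audit question is whether every PH_AUDIT_RULE_DEACTIVATED (and PH_AUDIT_RULE_ACTIVATED) was preceded by an approved PH_AUDIT_RULE_*_APPROVE, and whether the approver was someone other than the requester. The block below is an added example, not FortiSIEM code. It correlates requests and approvals on ruleId (the only name-independent key both carry; PH_AUDIT_RULE_ACTIVATION_REQUEST has no ruleName) and matches the applied change on osObjName against the approval's ruleName. It assumes your deployment enforces the approval workflow; the status strings "Pending", "Approved" and "Rejected", the sample events, rule names and user names are constructed assumptions.

```python
# Constructed sample events shaped like the PH_AUDIT_RULE_* attribute tables above, chronological.
# The [status] strings are assumptions; check what your deployment actually writes there.
SAMPLE_RULE_EVENTS = [
    {"eventType": "PH_AUDIT_RULE_DEACTIVATION_REQUEST", "user": "alice", "objId": "77", "status": "Pending",
     "targetUser": "bob", "ruleId": 5001, "ruleName": "Brute Force Login"},
    {"eventType": "PH_AUDIT_RULE_DEACTIVATION_APPROVE", "user": "bob", "objId": "77", "status": "Approved",
     "targetUser": "alice", "ruleId": 5001, "ruleName": "Brute Force Login", "errReason": ""},
    {"eventType": "PH_AUDIT_RULE_DEACTIVATED", "osObjName": "Brute Force Login"},
    {"eventType": "PH_AUDIT_RULE_DEACTIVATED", "osObjName": "Malware Beaconing"},
    {"eventType": "PH_AUDIT_RULE_ACTIVATION_REQUEST", "user": "carol", "objId": "78", "status": "Pending",
     "targetUser": "carol", "ruleId": 5002},
    {"eventType": "PH_AUDIT_RULE_ACTIVATION_APPROVE", "user": "carol", "objId": "78", "status": "Approved",
     "targetUser": "carol", "ruleId": 5002, "ruleName": "Test Rule", "errReason": ""},
    {"eventType": "PH_AUDIT_RULE_ACTIVATED", "osObjName": "Test Rule"},
    {"eventType": "PH_AUDIT_RULE_DEACTIVATION_APPROVE", "user": "bob", "objId": "79", "status": "Rejected",
     "targetUser": "dave", "ruleId": 5003, "ruleName": "Lateral Movement", "errReason": "no change ticket"},
    {"eventType": "PH_AUDIT_RULE_DEACTIVATED", "osObjName": "Lateral Movement"},
]

APPROVED_STATUS = "Approved"  # assumed value of [status] on an approved PH_AUDIT_RULE_*_APPROVE
CHANGE_KIND = {"PH_AUDIT_RULE_ACTIVATED": "ACTIVATION", "PH_AUDIT_RULE_DEACTIVATED": "DEACTIVATION"}


def audit_rule_workflow(events):
    """Return (ruleName, code, detail) findings: CHANGE_WITHOUT_APPROVAL for an activation or
    deactivation with no unconsumed approved PH_AUDIT_RULE_*_APPROVE for that rule name, and
    SELF_APPROVED when the approver is the user who filed the matching request."""
    requester = {}    # (kind, ruleId) -> user who filed the request
    approved = set()  # (kind, ruleName) approvals not yet consumed by an applied change
    findings = []
    for ev in events:
        et = ev["eventType"]
        parts = et.split("_")  # PH, AUDIT, RULE, <ACTIVATION|DEACTIVATION>, <REQUEST|APPROVE>
        if et in CHANGE_KIND:
            key = (CHANGE_KIND[et], ev["osObjName"])
            if key in approved:
                approved.discard(key)  # one approval covers one applied change
            else:
                findings.append((ev["osObjName"], "CHANGE_WITHOUT_APPROVAL", et))
        elif len(parts) == 5 and parts[2] == "RULE" and parts[4] == "REQUEST":
            requester[(parts[3], ev["ruleId"])] = ev["user"]
        elif len(parts) == 5 and parts[2] == "RULE" and parts[4] == "APPROVE":
            if ev.get("status") != APPROVED_STATUS:
                continue  # rejected or pending approvals authorize nothing
            kind = parts[3]
            if ev["user"] == requester.get((kind, ev["ruleId"])):
                findings.append((ev["ruleName"], "SELF_APPROVED",
                                 f"{ev['user']} approved their own {kind.lower()} request"))
            approved.add((kind, ev["ruleName"]))
    return findings


if __name__ == "__main__":
    for name, code, detail in audit_rule_workflow(SAMPLE_RULE_EVENTS):
        print(f"{code}: {name}: {detail}")
```

Because PH_AUDIT_RULE_ACTIVATED and PH_AUDIT_RULE_DEACTIVATED carry only osObjName, two rules with the same display name cannot be told apart at the apply step; treat a CHANGE_WITHOUT_APPROVAL on a renamed rule as a lead to confirm against the CMDB rather than as proof.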



EventType: PH_AUDIT_SVC_LOGIN_FAILURE

Description: System service user failed to log in

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_SVC_LOGIN_SUCCESS

Description: System service user login success

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_SVC_LOGOFF

Description: System Service user logoff

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_SVC_SESSION_TIMEOUT

Description: System service user session timeout

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_TUNNEL_CLOSE

Description: Collector-to-Supervisor reverse SSH tunnel closed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

appTransportProto

Application Protocol

string

srcIpPort

Source TCP/UDP Port

uint16

This is the source TCP or UDP port as identified in the event

destIpPort

Destination TCP/UDP Port

uint16

This is the destination TCP or UDP port as identified in the event

destIpAddr

Destination IP

IP

Destination IP of a device as identified in the event.

collectorIp

Collector IP

IP

This field captures the IP address of a FortiSIEM Collector

tunnelUpTime

Tunnel Uptime

uint64

phAgentId

Agent ID

string

Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.



EventType: PH_AUDIT_TUNNEL_OPEN

Description: Collector to Super Reverse SSH Tunnel opened

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

appTransportProto

Application Protocol

string

srcIpPort

Source TCP/UDP Port

uint16

This is the source TCP or UDP port as identified in the event

destIpPort

Destination TCP/UDP Port

uint16

This is the destination TCP or UDP port as identified in the event

destIpAddr

Destination IP

IP

Destination IP of a device as identified in the event.

collectorIp

Collector IP

IP

This field captures the IP address of a FortiSIEM Collector

tunnelUpTime

Tunnel Uptime

uint64

phAgentId

Agent ID

string

Unique ID of Linux or Windows Agents in FortiSIEM. This is assigned by App Server when an agent registers.



EventType: PH_AUDIT_USER_ADDED

Description: System user added

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

targetUser

Target User

string

user

User

string

domain

Domain

string



EventType: PH_AUDIT_USER_CHANGE_ORG_SCOPE

Description: FortiSIEM user changed organization scope

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

userFullName

User Full Name

string

targetCustomer

Target Organization Name

string



EventType: PH_AUDIT_USER_DEFAULT_ROLE_CHANGED

Description: FortiSIEM Admin User Default Role Changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

targetUser

Target User

string

targetCustomer

Target Organization Name

string

role

Role

string



EventType: PH_AUDIT_USER_DELETED

Description: System user deleted

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

user

User

string

targetUser

Target User

string

details

Details

string



EventType: PH_AUDIT_USER_LOGIN_FAILURE

Description: System user failed to login

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

domain

Domain

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant



EventType: PH_AUDIT_USER_LOGIN_SUCCESS

Description: System user login success

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

user

User

string

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

userFullName

User Full Name

string



EventType: PH_AUDIT_USER_LOGOFF

Description: System user logoff

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

userFullName

User Full Name

string



EventType: PH_AUDIT_USER_ORGANIZATION_ROLE_CHANGED

Description: FortiSIEM Admin User Organization Role changed

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

targetUser

Target User

string

targetCustomer

Target Organization Name

string

role

Role

string



EventType: PH_AUDIT_USER_ORGANIZATION_ROLE_ENABLED

Description: FortiSIEM Admin User Organization Role enabled

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_AUDIT_USER_ORGANIZATION_ROLE_REMOVED

Description: FortiSIEM Admin User Organization Role disabled

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

phCustId

Organization ID

uint32

This is the FortiSIEM organization ID unique to each tenant

user

User

string

customer

Organization Name

string

This is the FortiSIEM Organization Name, which is unique to each tenant. It identifies the tenant this event belongs to.

targetUser

Target User

string

targetCustomer

Target Organization Name

string

role

Role

string



EventType: PH_AUDIT_USER_SESSION_TIMEOUT

Description: System user session timeout

Severity: 1 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

userFullName

User Full Name

string



EventType: PH_AUDIT_WS_COMM

Description: System web service communication

Severity: 1 (Low)

Event Category: 3 (System Logs)


EventType: PH_BAD_NETFLOW_PACKET

Description: Bad netflow packet

Severity: 6 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BAD_NETFLOW_VER

Description: Unsupported netflow version

Severity: 6 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BAD_ROUTE_OUTPUT

Description: FortiSIEM encountered bad route output

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_BASE_AGENT_JOB_NO_THREAD_NUM_ASSIGNED

Description: FortiSIEM module error - no thread count assigned

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_DUMP_STACK_TRACE_FAILURE

Description: FortiSIEM module error - stack trace failed

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

command

Command

string

filePath

File Path

string



EventType: PH_BASE_PROC_GET_PID_FILE_FAILED

Description: FortiSIEM module error - failed to get process id

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_BASE_PROC_HANDLE_NOTIFICATION_ERROR

Description: FortiSIEM module error - notification error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_KILL_PROC_ERROR

Description: FortiSIEM module error - failed to kill process

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errorString

Error String

string

This is the error message, synonymous with attribute errReason



EventType: PH_BASE_PROC_NOTIFICATION_HANDLE_CONN_ERROR

Description: FortiSIEM module error - no notification connection

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_NO_CONN_TO_HEARTBEAT_SERVER

Description: FortiSIEM module error - no connection to heartbeat

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_RENAME_MINI_DUMP_FILE_FAILURE

Description: FortiSIEM module error - minidump error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_REST_CACHE_CHECKOUT_STATUS_WARNING

Description: FortiSIEM module error - REST cache access error

Severity: 3 (Low)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

infoURL

Informational URL

string

This field captures a URL if present in an event



EventType: PH_BASE_PROC_SEND_HEARTBEAT_FAILURE

Description: FortiSIEM module error - failed to send heartbeat

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

procName

Process Name

string



EventType: PH_BASE_PROC_SEND_USER_DEFINED_SIG_FAILED

Description: FortiSIEM module error - user defined sig failed

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_SET_PID_FILE_FAILED

Description: FortiSIEM module error - setpid failed

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

errorString

Error String

string

This is the error message, synonymous with attribute errReason



EventType: PH_BASE_PROC_STACK_TRACE

Description: FortiSIEM module stack trace

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_STACK_TRACK_TOO_LONG

Description: FortiSIEM module error - stack trace too large

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_SYS_INFO_CALC_CPU_ERROR

Description: FortiSIEM module error - failed to calculate CPU

Severity: 5 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

procName

Process Name

string



EventType: PH_BASE_PROC_SYS_PROC_INFO_GET_FAILURE

Description: FortiSIEM module error - failed to get proc info

Severity: 5 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_SYS_PROC_INFO_INIT_ERROR

Description: FortiSIEM module error - proc info get error

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_SYS_PROC_INFO_UNABLE_OPEN_PROC_PID_FILE

Description: FortiSIEM module error - unable to open proc pid file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string



EventType: PH_BASE_PROC_SYS_PROC_INFO_UNABLE_OPEN_PROC_STAT_FILE

Description: FortiSIEM module error - unable to open proc stat file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

filePath

File Path

string

procName

Process Name

string



EventType: PH_BASE_PROC_THREAD_SPAWN_FAILED

Description: FortiSIEM module error - failed to spawn thread

Severity: 10 (High)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_THREAD_WRONG_PARAM

Description: FortiSIEM module error - wrong parameters to thread spawn function

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PROC_UPLOAD_FILE_FAILURE

Description: FortiSIEM module error - file upload failure

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverName

Server Name

string



EventType: PH_BASE_PROC_VALUE_GROUP_UPDATE_FAILURE

Description: FortiSIEM module error - value group update failure

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_BASE_PRO_AQUIRE_SHARED_STORE_FAILED

Description: Unable to acquire shared store instance

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_CHECKPOINT_CERTHANDLER_ERROR

Description: Checkpoint failed to parse device certificate received from App Server

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_CHECKPOINT_CERTPULL_ERROR

Description: Checkpoint failed to obtain certificate from App Server

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverIpAddr

Server IP

IP

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_CHECKPOINT_CMD_USAGE_ERROR

Description: Checkpoint command usage error

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

command

Command

string

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_CHECKPOINT_CPMI_FETCH_ERROR

Description: Checkpoint CPMI fetch error. Events may miss some metadata

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverIpAddr

Server IP

IP

errReason

Reason for Error

string

This is the reason for an error if given.

errorString

Error String

string

This is the error message, synonymous with attribute errReason

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number



EventType: PH_CHECKPOINT_DEV_INIT_ERROR

Description: Checkpoint device initialization error. Checkpoint device can not be monitored

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_CHECKPOINT_FILE_RENAME_FAILURE

Description: FortiSIEM Checkpoint module failed to rename file

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

srcFilePath

Source File Path

string

destFilePath

Destination File Path

string

errorNoInt

Error Number Int

int32



EventType: PH_CHECKPOINT_FWLOGHANDLER_ERROR

Description: Checkpoint LEA handler protocol error. Checkpoint device can not be monitored

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverIpAddr

Server IP

IP

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_CHECKPOINT_FWLOGHANDLER_INIT_ERROR

Description: Checkpoint OPSEC log handler initialization error. Checkpoint device can not be monitored

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverIpAddr

Server IP

IP

fileName

File Name

string

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_CHECKPOINT_HTTP_ERROR

Description: Checkpoint module failed to connect to App server

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number



EventType: PH_CHECKPOINT_LOGHANDLER_ERROR

Description: Checkpoint OPSEC log handler internal error

Severity: 9 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.



EventType: PH_CHECKPOINT_PROCESS_GET_FAILED

Description: Checkpoint module failed to get its parent process

Severity: 7 (Medium)

Event Category: 3 (System Logs)


EventType: PH_CHECKPOINT_TESTCONN_ERROR

Description: Checkpoint test connectivity error. Checkpoint device can not be discovered

Severity: 7 (Medium)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

serverIpAddr

Server IP

IP

errReason

Reason for Error

string

This is the reason for an error if given.

errorNo

Error Number Unsigned

uint32

This is an unsigned integer error number



EventType: PH_CHECKPOINT_UNABLE_PARSE_XML

Description: Checkpoint module unable to parse device credential XML received from App Server

Severity: 10 (High)

Event Category: 3 (System Logs)

Attributes:

Id

Display name

Type

Description

errReason

Reason for Error

string

This is the reason for an error if given.