Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Header & body fields

Each log message is comprised of several field-value pairs. The names may vary slightly between Raw versus Formatted views in the web UI.

ID (log_id) header field and its value

All log messages’ fields belong to one of two parts:

  • Header — Contains the time and date the log originated, a log identifier, a message identifier, the administrative domain (ADOM), the type of log, the severity level (priority) and where the log message originated. These fields exist in all logs.
  • Body — Describes the reason why the log was created, plus any actions that the FortiWeb appliance took to respond to it. These fields vary by log type.
Log message header and body

For example, this is a raw-format event log message. Body fields are in bold.

date=2013-10-07 time=11:30:53 log_id=10000017 msg_id=000000001117 device_id=FVVM040000010871 vd="root" timezone="(GMT-5:00)Eastern Time(US & Canada)" type=event subtype="system" pri=information trigger_policy="" user=admin ui=GUI action=login status=success msg="User admin login successfully from GUI(172.20.120.47)"

This attack log message contains the same header fields, but its body fields are different.

date=2016-02-19 time=11:23:45 log_id=20000010 msg_id=000139289631 device_id=FV-1KD3A15800072 vd="root" timezone="(GMT+8:00)Beijing,ChongQing,HongKong,Urumgi" type=attack subtype="waf_signature_detection" pri=alert trigger_policy="" severity_level=Medium proto=tcp service=http action=Alert policy="123" src=172.22.6.234 src_port=60554 dst=10.0.9.13 dst_port=80 http_method=get http_url="/preview.php?file==../" http_host="10.0.9.123" http_agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0" http_session_id=3B9864AEKNQSLLODNTILCG37M2FZ6A88 msg="[Signatures name: 123] [main class name: Generic Attacks(Extended)] [sub class name: Directory Traversal]: 060150002" signature_subclass="Directory Traversal" signature_id="060150002" srccountry="Reserved" content_switch_name="none" server_pool_name="123" false_positive_mitigation="none" log_type=LOG_TYPE_SCORE_SUM event_score=3 score_message="[score_type: total_score] [score_scope: TCP Session] [score_threshold: 5] [score_sum: 7]" entry_sequence="000139289630"

Similarly, traffic log body fields are different.

date=2014-06-26 time=00:43:37 log_id=30000000 msg_id=000001351251 device_id=FV-1KD3A14800059 vd="root" timezone="(GMT-8:00)Pacific Time(US&Canada)" type=traffic subtype="http" pri=notice proto=tcp service=http status=success reason=none policy=Auto-policy src=10.0.8.103 src_port=8142 dst=10.20.8.22 dst_port=80 http_request_time=0 http_response_time=0 http_request_bytes=444 http_response_bytes=401 http_method=get http_url="/" http_host="10.0.8.22" http_agent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; " http_retcode=200 msg="HTTP GET request from 10.0.8.103:8142 to 10.20.8.22:80" srccountry="Reserved" content_switch_name="testa" server_pool_name="Auto-ServerFarm"

The following table describes each possible header or body field, according to its name as it appears in the Formatted or Raw view.

Log message fields

Field name

(Raw view name in parentheses)

Description Exists in log type

Example field-value pair

(Raw view)

Event Attack Traffic
Header

Date

(date)

The year, month, and day when the log message was recorded. + + + date=2013-10-08

Time

(time)

The hour (according to a 24-hour clock, where 15:00 is 3:00 PM), minute, and second that the log message was recorded. + + + time=15:38:01

ID

(log_id)

See Log ID numbers. + + + log_id=00041101

MSG ID

(msg_id)

See Message IDs. + + + msg_id=000000000153

Device ID

(device_id)

The identifier, typically the serial number, of the appliance which originally recorded the log. + + + device_id=FV-1KD2B34567890

ADOM

(vd)

The administrative domain (ADOM) in which the log message was recorded + + + vd=”root”

Time Zone

(timezone)

The name, geographical region, and Greenwich Mean Time (GMT) adjustment of the time zone in which the appliance is located. + + + timezone="(GMT-5:00)Eastern Time(US & Canada)"

Type

(type)

See Types. + + + type=event

Sub Type

(subtype)

See Subtypes. + + + subtype=admin

Level

(pri)

See Priority level. + + + pri=alert
Body

Protocol

(proto)

tcp

The protocol used by web traffic. By definition, for FortiWeb, this is always TCP.

+ + proto=tcp

Service

(service)

http or https

The name of the application-layer protocol used by the traffic. By definition, for FortiWeb, this is always HTTP or HTTPS.

+ + service=http

Source

(src)

The IP address of the traffic’s origin.

The source varies by the direction:

  • In HTTP requests, this is the web browser or other client.
  • In HTTP responses, this is the physical server.
+ + scr=10.0.0.0

Source Port

(src_port)

The port number of the traffic’s origin. + + src_port=3471

Destination

(dst)

The IP address of the traffic’s destination.

The source varies by the direction:

  • In HTTP requests, this is the physical server.
  • In HTTP responses, this is the web browser or other client.
+ + dst=10.0.0.1

Destination Port

(dst_port)

The port number of the traffic’s destination. + + dst_port=8080

Policy

(policy)

The name of the server policy governing the traffic which caused the log message. + + policy="policy1"

User

(user)

The daemon or name of the administrator account that performed the action that caused the log message. + user=admin

User Interface

(ui)

The type of management interface used by the administrative session which caused the log message. Either:

  • GUI
  • sshd
  • telnet
  • console
  • none

Unless the user is a daemon (which don’t have a user interface), logins from none indicate that an administrator used the JavaScript CLI Console widget on System > Status > Status in the web UI (GUI). The source IP address is the same as the one recorded in the corresponding log message for the GUI login.

Logins from console indicate use of CLI via the local serial console port.

+ ui=GUI

Action

(action)

The action associated with the log message or policy violation, such as:

login

or

Alert

+ + action=Alert

Status

(status)

The result of the action. + + status=failure

Reason

(reason)

The reason for the status, if any. + + reason=name_invalid

Return Code

(http_retcode)

The HTTP return code. If FortiWeb is configured to redirect, this is the rewritten code, not the original one from the server. + http_retcode=200

Request Time

(http_request_time)

The amount of time it took FortiWeb to process the client request, in milliseconds (ms). + http_request_time=10

Response Time

(http_response_time)

The amount of processing time for the response in milliseconds (ms). This can be a useful measure of performance issues, especially if processing involves regular expressing matching. + http_response_time=10

Request Bytes

(http_request_bytes)

The size of the request in bytes. + http_request_bytes=2

Response Bytes

(http_response_bytes)

The size of the individual response in bytes (B). For chunked responses, this is for each reply; it does not aggregate all related chunks. + http_response_bytes=136

Method

(http_method)

The method, such as GET or POST, used by the HTTP request. + + http_method=get

URL

(http_url)

The URL in the HTTP header of the original HTTP request, such as:

/images/buttons/hintOver.png

This does not include the service (http://) nor host name (example.nl). If FortiWeb is configured to rewrite the URL, this is the original URL from the client, not the rewritten one.

+ + http_url="/image/up.png"

Host

(http_host)

The Host: field in the HTTP header of the HTTP request, such as:

www.example.com

or

10.0.0.1:8080

This is typically a fully qualified domain name (FQDN) or IP address and port number that resolves or routes to the virtual server on the FortiWeb appliance.

This may be different from your internal DNS name (if any) for the web server, or, if you are using HTTP Host: rewrites, different from the virtual host on the web server. For example, this might be www.example.co.jp instead of www1.local or the virtual host that serves responses for all DNS names, www.example.com.

+ + http_host="example.com"

User Agent

(http_agent)

The name and version of the HTTP client, usually a web browser. This is reported by the client itself in the User-Agent: HTTP header. In attacks, it is often fake. + + http_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"

FortiWeb Session ID

(http_session_id)

The session identifier for a client’s related HTTP requests (if any).

The ID may be unknown if the Session Management option is not enabled in the applied protection profile, and therefore FortiWeb has not injected a session cookie nor inferred a session ID from the protected web application.

+ http_session_id=K8BXT3TNYUM710UEGWC8IQBTPX9PRWHB

Severity Level

(severity_level)

The severity that the administrator configured in the rule or policy governing the traffic which caused the log message. + severity_level=High

Trigger Policy

(trigger_policy)

The name of the notification servers used to record and/or deliver this log message (if any).

The trigger policy value may be an empty string if no trigger policy was selected.

+ + trigger_policy=notification-server-group1

Signature Subclass

(signature_subclass)

The name of the signature subclass.

If the current signature has no subclass, the main class is displayed.

+ "Cross Site Scripting"

Signature ID

(signature_id)

The ID of the specific signature within the subclass that triggered the log message. + "010000001"

Source Country

(srccountry)

The country that is the source of the traffic. + + "United States"

Message

(msg)

Details describing the reason why the log message was created.

The message varies by the nature of the cause.

The msg log field has the lowest priority in the disk log. When the total size of all the log fields exceeds the disk log size limit, FortiWeb truncates the msg field, which helps preserve other log information.

+ + + msg="User admin changed dns from GUI(172.20.120.47)"

HTTP Content Routing

(content_switch_name)

The name of the associated HTTP content routing policy. + + content_switch_name=
"httproutes1"

Server Pool

(server_pool_name)

The name of the server pool in the associated server policy. + + server_pool_name=
"Auto-ServerFarm"

False Positive Mitigation

false_positive_mitigation

For violations of SQL injection signatures, specifies whether FortiWeb identified the attack using the signature and additional SQL syntax validation (yes) or the just the signature (no). +

false_positive_mitigation="yes"

Threat Scoring

log_type

event_score

score_message

entry_sequence

Information about the threat score, which FortiWeb generates based on multiple signature violations by a client, instead of a single signature violation.

For details, see Attack log fields.

+ log_type=LOG_TYPE_SCORE_SUM event_score=3 score_message="[score_type: total_score] [score_scope: TCP Session] [score_threshold: 5] [score_sum: 7]" entry_sequence="000139289630"

Detailed Information

(N/A)

This column contains the entire log message in raw format.

If your Column Settings show this column, the entire raw log message will be included in the row under this column, next to the formatted column view of the same log message. This way, if you want to view the entire raw log message, you can simply scroll the page, instead of switching the entire page back and forth from Raw to Formatted log views.

This column appears only when using the Formatted log view. It does not actually exist as a field in the raw logs.

+ + + date=2013-10-10 time=00:38:58 log_id=20000051 msg_id=000000000008...

Header & body fields

Each log message is comprised of several field-value pairs. The names may vary slightly between Raw versus Formatted views in the web UI.

ID (log_id) header field and its value

All log messages’ fields belong to one of two parts:

  • Header — Contains the time and date the log originated, a log identifier, a message identifier, the administrative domain (ADOM), the type of log, the severity level (priority) and where the log message originated. These fields exist in all logs.
  • Body — Describes the reason why the log was created, plus any actions that the FortiWeb appliance took to respond to it. These fields vary by log type.
Log message header and body

For example, this is a raw-format event log message. Body fields are in bold.

date=2013-10-07 time=11:30:53 log_id=10000017 msg_id=000000001117 device_id=FVVM040000010871 vd="root" timezone="(GMT-5:00)Eastern Time(US & Canada)" type=event subtype="system" pri=information trigger_policy="" user=admin ui=GUI action=login status=success msg="User admin login successfully from GUI(172.20.120.47)"

This attack log message contains the same header fields, but its body fields are different.

date=2016-02-19 time=11:23:45 log_id=20000010 msg_id=000139289631 device_id=FV-1KD3A15800072 vd="root" timezone="(GMT+8:00)Beijing,ChongQing,HongKong,Urumgi" type=attack subtype="waf_signature_detection" pri=alert trigger_policy="" severity_level=Medium proto=tcp service=http action=Alert policy="123" src=172.22.6.234 src_port=60554 dst=10.0.9.13 dst_port=80 http_method=get http_url="/preview.php?file==../" http_host="10.0.9.123" http_agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0" http_session_id=3B9864AEKNQSLLODNTILCG37M2FZ6A88 msg="[Signatures name: 123] [main class name: Generic Attacks(Extended)] [sub class name: Directory Traversal]: 060150002" signature_subclass="Directory Traversal" signature_id="060150002" srccountry="Reserved" content_switch_name="none" server_pool_name="123" false_positive_mitigation="none" log_type=LOG_TYPE_SCORE_SUM event_score=3 score_message="[score_type: total_score] [score_scope: TCP Session] [score_threshold: 5] [score_sum: 7]" entry_sequence="000139289630"

Similarly, traffic log body fields are different.

date=2014-06-26 time=00:43:37 log_id=30000000 msg_id=000001351251 device_id=FV-1KD3A14800059 vd="root" timezone="(GMT-8:00)Pacific Time(US&Canada)" type=traffic subtype="http" pri=notice proto=tcp service=http status=success reason=none policy=Auto-policy src=10.0.8.103 src_port=8142 dst=10.20.8.22 dst_port=80 http_request_time=0 http_response_time=0 http_request_bytes=444 http_response_bytes=401 http_method=get http_url="/" http_host="10.0.8.22" http_agent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; " http_retcode=200 msg="HTTP GET request from 10.0.8.103:8142 to 10.20.8.22:80" srccountry="Reserved" content_switch_name="testa" server_pool_name="Auto-ServerFarm"

The following table describes each possible header or body field, according to its name as it appears in the Formatted or Raw view.

Log message fields

Field name

(Raw view name in parentheses)

Description Exists in log type

Example field-value pair

(Raw view)

Event Attack Traffic
Header

Date

(date)

The year, month, and day when the log message was recorded. + + + date=2013-10-08

Time

(time)

The hour (according to a 24-hour clock, where 15:00 is 3:00 PM), minute, and second that the log message was recorded. + + + time=15:38:01

ID

(log_id)

See Log ID numbers. + + + log_id=00041101

MSG ID

(msg_id)

See Message IDs. + + + msg_id=000000000153

Device ID

(device_id)

The identifier, typically the serial number, of the appliance which originally recorded the log. + + + device_id=FV-1KD2B34567890

ADOM

(vd)

The administrative domain (ADOM) in which the log message was recorded + + + vd=”root”

Time Zone

(timezone)

The name, geographical region, and Greenwich Mean Time (GMT) adjustment of the time zone in which the appliance is located. + + + timezone="(GMT-5:00)Eastern Time(US & Canada)"

Type

(type)

See Types. + + + type=event

Sub Type

(subtype)

See Subtypes. + + + subtype=admin

Level

(pri)

See Priority level. + + + pri=alert
Body

Protocol

(proto)

tcp

The protocol used by web traffic. By definition, for FortiWeb, this is always TCP.

+ + proto=tcp

Service

(service)

http or https

The name of the application-layer protocol used by the traffic. By definition, for FortiWeb, this is always HTTP or HTTPS.

+ + service=http

Source

(src)

The IP address of the traffic’s origin.

The source varies by the direction:

  • In HTTP requests, this is the web browser or other client.
  • In HTTP responses, this is the physical server.
+ + scr=10.0.0.0

Source Port

(src_port)

The port number of the traffic’s origin. + + src_port=3471

Destination

(dst)

The IP address of the traffic’s destination.

The source varies by the direction:

  • In HTTP requests, this is the physical server.
  • In HTTP responses, this is the web browser or other client.
+ + dst=10.0.0.1

Destination Port

(dst_port)

The port number of the traffic’s destination. + + dst_port=8080

Policy

(policy)

The name of the server policy governing the traffic which caused the log message. + + policy="policy1"

User

(user)

The daemon or name of the administrator account that performed the action that caused the log message. + user=admin

User Interface

(ui)

The type of management interface used by the administrative session which caused the log message. Either:

  • GUI
  • sshd
  • telnet
  • console
  • none

Unless the user is a daemon (which don’t have a user interface), logins from none indicate that an administrator used the JavaScript CLI Console widget on System > Status > Status in the web UI (GUI). The source IP address is the same as the one recorded in the corresponding log message for the GUI login.

Logins from console indicate use of CLI via the local serial console port.

+ ui=GUI

Action

(action)

The action associated with the log message or policy violation, such as:

login

or

Alert

+ + action=Alert

Status

(status)

The result of the action. + + status=failure

Reason

(reason)

The reason for the status, if any. + + reason=name_invalid

Return Code

(http_retcode)

The HTTP return code. If FortiWeb is configured to redirect, this is the rewritten code, not the original one from the server. + http_retcode=200

Request Time

(http_request_time)

The amount of time it took FortiWeb to process the client request, in milliseconds (ms). + http_request_time=10

Response Time

(http_response_time)

The amount of processing time for the response in milliseconds (ms). This can be a useful measure of performance issues, especially if processing involves regular expressing matching. + http_response_time=10

Request Bytes

(http_request_bytes)

The size of the request in bytes. + http_request_bytes=2

Response Bytes

(http_response_bytes)

The size of the individual response in bytes (B). For chunked responses, this is for each reply; it does not aggregate all related chunks. + http_response_bytes=136

Method

(http_method)

The method, such as GET or POST, used by the HTTP request. + + http_method=get

URL

(http_url)

The URL in the HTTP header of the original HTTP request, such as:

/images/buttons/hintOver.png

This does not include the service (http://) nor host name (example.nl). If FortiWeb is configured to rewrite the URL, this is the original URL from the client, not the rewritten one.

+ + http_url="/image/up.png"

Host

(http_host)

The Host: field in the HTTP header of the HTTP request, such as:

www.example.com

or

10.0.0.1:8080

This is typically a fully qualified domain name (FQDN) or IP address and port number that resolves or routes to the virtual server on the FortiWeb appliance.

This may be different from your internal DNS name (if any) for the web server, or, if you are using HTTP Host: rewrites, different from the virtual host on the web server. For example, this might be www.example.co.jp instead of www1.local or the virtual host that serves responses for all DNS names, www.example.com.

+ + http_host="example.com"

User Agent

(http_agent)

The name and version of the HTTP client, usually a web browser. This is reported by the client itself in the User-Agent: HTTP header. In attacks, it is often fake. + + http_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"

FortiWeb Session ID

(http_session_id)

The session identifier for a client’s related HTTP requests (if any).

The ID may be unknown if the Session Management option is not enabled in the applied protection profile, and therefore FortiWeb has not injected a session cookie nor inferred a session ID from the protected web application.

+ http_session_id=K8BXT3TNYUM710UEGWC8IQBTPX9PRWHB

Severity Level

(severity_level)

The severity that the administrator configured in the rule or policy governing the traffic which caused the log message. + severity_level=High

Trigger Policy

(trigger_policy)

The name of the notification servers used to record and/or deliver this log message (if any).

The trigger policy value may be an empty string if no trigger policy was selected.

+ + trigger_policy=notification-server-group1

Signature Subclass

(signature_subclass)

The name of the signature subclass.

If the current signature has no subclass, the main class is displayed.

+ "Cross Site Scripting"

Signature ID

(signature_id)

The ID of the specific signature within the subclass that triggered the log message. + "010000001"

Source Country

(srccountry)

The country that is the source of the traffic. + + "United States"

Message

(msg)

Details describing the reason why the log message was created.

The message varies by the nature of the cause.

The msg log field has the lowest priority in the disk log. When the total size of all the log fields exceeds the disk log size limit, FortiWeb truncates the msg field, which helps preserve other log information.

+ + + msg="User admin changed dns from GUI(172.20.120.47)"

HTTP Content Routing

(content_switch_name)

The name of the associated HTTP content routing policy. + + content_switch_name=
"httproutes1"

Server Pool

(server_pool_name)

The name of the server pool in the associated server policy. + + server_pool_name=
"Auto-ServerFarm"

False Positive Mitigation

false_positive_mitigation

For violations of SQL injection signatures, specifies whether FortiWeb identified the attack using the signature and additional SQL syntax validation (yes) or the just the signature (no). +

false_positive_mitigation="yes"

Threat Scoring

log_type

event_score

score_message

entry_sequence

Information about the threat score, which FortiWeb generates based on multiple signature violations by a client, instead of a single signature violation.

For details, see Attack log fields.

+ log_type=LOG_TYPE_SCORE_SUM event_score=3 score_message="[score_type: total_score] [score_scope: TCP Session] [score_threshold: 5] [score_sum: 7]" entry_sequence="000139289630"

Detailed Information

(N/A)

This column contains the entire log message in raw format.

If your Column Settings show this column, the entire raw log message will be included in the row under this column, next to the formatted column view of the same log message. This way, if you want to view the entire raw log message, you can simply scroll the page, instead of switching the entire page back and forth from Raw to Formatted log views.

This column appears only when using the Formatted log view. It does not actually exist as a field in the raw logs.

+ + + date=2013-10-10 time=00:38:58 log_id=20000051 msg_id=000000000008...