Header & body fields
Each log message consists of several field-value pairs. The field names may vary slightly between the Raw and Formatted views in the web UI.
ID (log_id) header field and its value
All log messages’ fields belong to one of two parts:
- Header — Contains the time and date the log originated, a log identifier, a message identifier, the administrative domain (ADOM), the type of log, the severity level (priority) and where the log message originated. These fields exist in all logs.
- Body — Describes the reason why the log was created, plus any actions that the FortiWeb appliance took to respond to it. These fields vary by log type.
Log message header and body
For example, this is a raw-format event log message. Body fields are in bold.
date=2013-10-07 time=11:30:53 log_id=10000017 msg_id=000000001117 device_id=FVVM040000010871 vd="root" timezone="(GMT-5:00)Eastern Time(US & Canada)" type=event subtype="system" pri=information **trigger_policy="" user=admin ui=GUI action=login status=success msg="User admin login successfully from GUI(172.20.120.47)"**
This attack log message contains the same header fields, but its body fields are different.
date=2016-02-19 time=11:23:45 log_id=20000010 msg_id=000139289631 device_id=FV-1KD3A15800072 vd="root" timezone="(GMT+8:00)Beijing,ChongQing,HongKong,Urumgi" type=attack subtype="waf_signature_detection" pri=alert trigger_policy="" severity_level=Medium proto=tcp service=http action=Alert policy="123" src=172.22.6.234 src_port=60554 dst=10.0.9.13 dst_port=80 http_method=get http_url="/preview.php?file==../" http_host="10.0.9.123" http_agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0" http_session_id=3B9864AEKNQSLLODNTILCG37M2FZ6A88 msg="[Signatures name: 123] [main class name: Generic Attacks(Extended)] [sub class name: Directory Traversal]: 060150002" signature_subclass="Directory Traversal" signature_id="060150002" srccountry="Reserved" content_switch_name="none" server_pool_name="123" false_positive_mitigation="none" log_type=LOG_TYPE_SCORE_SUM event_score=3 score_message="[score_type: total_score] [score_scope: TCP Session] [score_threshold: 5] [score_sum: 7]" entry_sequence="000139289630"
Similarly, traffic log body fields are different.
date=2014-06-26 time=00:43:37 log_id=30000000 msg_id=000001351251 device_id=FV-1KD3A14800059 vd="root" timezone="(GMT-8:00)Pacific Time(US&Canada)" type=traffic subtype="http" pri=notice proto=tcp service=http status=success reason=none policy=Auto-policy src=10.0.8.103 src_port=8142 dst=10.20.8.22 dst_port=80 http_request_time=0 http_response_time=0 http_request_bytes=444 http_response_bytes=401 http_method=get http_url="/" http_host="10.0.8.22" http_agent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; " http_retcode=200 msg="HTTP GET request from 10.0.8.103:8142 to 10.20.8.22:80" srccountry="Reserved" content_switch_name="testa" server_pool_name="Auto-ServerFarm"
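The raw format above is a flat sequence of key=value pairs, but quoted values can contain spaces, parentheses and even "=" (see http_url="/preview.php?file==../" in the attack log), so a naive split on whitespace and "=" corrupts them. The following added example, written for this page and not FortiWeb's own code, tokenizes a raw line with a regular expression, strips the quotes, and splits the result into the header fields listed in the table below and the remaining body fields. It also reads the score_message of a threat-scoring attack log to report whether score_sum reached score_threshold, which is the check a SIEM rule would make on these logs. The three sample lines are copied from the page; HEADER_FIELDS is taken from the field table; the function names and the regular expressions are this example's own.

```python
"""Parse FortiWeb raw-format log lines (added example, not FortiWeb code)."""
import re
from typing import Dict, Optional, Tuple

# Header fields, as listed in the field table: present in every log type.
HEADER_FIELDS = frozenset((
    "date", "time", "log_id", "msg_id", "device_id",
    "vd", "timezone", "type", "subtype", "pri",
))

# A key at a token boundary, then either a double-quoted value (which may
# contain spaces, '=' and parentheses) or a bare token. Assumed grammar.
_PAIR_RE = re.compile(r'(?<!\S)(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Bracketed "[name: value]" items inside score_message.
_SCORE_RE = re.compile(r"\[(\w+): ([^\]]*)\]")

# Sample lines copied from the page (event, attack, traffic).
EVENT_LOG = (
    'date=2013-10-07 time=11:30:53 log_id=10000017 msg_id=000000001117 '
    'device_id=FVVM040000010871 vd="root" '
    'timezone="(GMT-5:00)Eastern Time(US & Canada)" type=event '
    'subtype="system" pri=information trigger_policy="" user=admin ui=GUI '
    'action=login status=success '
    'msg="User admin login successfully from GUI(172.20.120.47)"'
)
ATTACK_LOG = (
    'date=2016-02-19 time=11:23:45 log_id=20000010 msg_id=000139289631 '
    'device_id=FV-1KD3A15800072 vd="root" '
    'timezone="(GMT+8:00)Beijing,ChongQing,HongKong,Urumgi" type=attack '
    'subtype="waf_signature_detection" pri=alert trigger_policy="" '
    'severity_level=Medium proto=tcp service=http action=Alert policy="123" '
    'src=172.22.6.234 src_port=60554 dst=10.0.9.13 dst_port=80 '
    'http_method=get http_url="/preview.php?file==../" http_host="10.0.9.123" '
    'http_agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 '
    'Firefox/43.0" http_session_id=3B9864AEKNQSLLODNTILCG37M2FZ6A88 '
    'msg="[Signatures name: 123] [main class name: Generic Attacks(Extended)] '
    '[sub class name: Directory Traversal]: 060150002" '
    'signature_subclass="Directory Traversal" signature_id="060150002" '
    'srccountry="Reserved" content_switch_name="none" server_pool_name="123" '
    'false_positive_mitigation="none" log_type=LOG_TYPE_SCORE_SUM event_score=3 '
    'score_message="[score_type: total_score] [score_scope: TCP Session] '
    '[score_threshold: 5] [score_sum: 7]" entry_sequence="000139289630"'
)
TRAFFIC_LOG = (
    'date=2014-06-26 time=00:43:37 log_id=30000000 msg_id=000001351251 '
    'device_id=FV-1KD3A14800059 vd="root" '
    'timezone="(GMT-8:00)Pacific Time(US&Canada)" type=traffic subtype="http" '
    'pri=notice proto=tcp service=http status=success reason=none '
    'policy=Auto-policy src=10.0.8.103 src_port=8142 dst=10.20.8.22 dst_port=80 '
    'http_request_time=0 http_response_time=0 http_request_bytes=444 '
    'http_response_bytes=401 http_method=get http_url="/" http_host="10.0.8.22" '
    'http_agent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; '
    '.NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; " '
    'http_retcode=200 msg="HTTP GET request from 10.0.8.103:8142 to 10.20.8.22:80" '
    'srccountry="Reserved" content_switch_name="testa" '
    'server_pool_name="Auto-ServerFarm"'
)


def parse_raw_log(line: str) -> Dict[str, str]:
    """Return the key=value pairs of one raw log line, with quotes stripped."""
    fields: Dict[str, str] = {}
    for key, value in _PAIR_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def split_header_body(fields: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split parsed fields into the common header part and the type-specific body."""
    header = {k: v for k, v in fields.items() if k in HEADER_FIELDS}
    body = {k: v for k, v in fields.items() if k not in HEADER_FIELDS}
    return header, body


def threat_score_exceeded(fields: Dict[str, str]) -> Optional[bool]:
    """True if a threat-scoring log's score_sum reached score_threshold.

    Returns None for logs that carry no threat score or whose score_message
    lacks the expected items."""
    if fields.get("log_type") != "LOG_TYPE_SCORE_SUM":
        return None
    parts = dict(_SCORE_RE.findall(fields.get("score_message", "")))
    try:
        return int(parts["score_sum"]) >= int(parts["score_threshold"])
    except (KeyError, ValueError):
        return None


if __name__ == "__main__":
    for line in (EVENT_LOG, ATTACK_LOG, TRAFFIC_LOG):
        fields = parse_raw_log(line)
        header, body = split_header_body(fields)
        print(f"{header['type']:8s} header={len(header)} body={len(body)} "
              f"score_exceeded={threat_score_exceeded(fields)}")
```

The lookbehind in the pair pattern only starts a key at a token boundary, so a quoted value such as the Firefox User-Agent or the bracketed score message is consumed whole and never mistaken for further pairs. Values are kept as strings; callers that need numbers (ports, byte counts, event_score) convert them, as threat_score_exceeded does.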
The following table describes each possible header or body field, according to its name as it appears in the Formatted or Raw view.
Log message fields (+ = the field exists in that log type, – = it does not)

Field name (Raw view name in parentheses) | Description | Event | Attack | Traffic | Example field-value pair (Raw view)
---|---|---|---|---|---
**Header** | | | | |
Date (date) | The year, month, and day when the log message was recorded. | + | + | + | date=2013-10-08
Time (time) | The hour (according to a 24-hour clock, where 15:00 is 3:00 PM), minute, and second that the log message was recorded. | + | + | + | time=15:38:01
ID (log_id) | See Log ID numbers. | + | + | + | log_id=00041101
MSG ID (msg_id) | See Message IDs. | + | + | + | msg_id=000000000153
Device ID (device_id) | The identifier, typically the serial number, of the appliance that originally recorded the log. | + | + | + | device_id=FV-1KD2B34567890
ADOM (vd) | The administrative domain (ADOM) in which the log message was recorded. | + | + | + | vd="root"
Time Zone (timezone) | The name, geographical region, and Greenwich Mean Time (GMT) adjustment of the time zone in which the appliance is located. | + | + | + | timezone="(GMT-5:00)Eastern Time(US & Canada)"
Type (type) | See Types. | + | + | + | type=event
Sub Type (subtype) | See Subtypes. | + | + | + | subtype=admin
Level (pri) | See Priority level. | + | + | + | pri=alert
**Body** | | | | |
Protocol (proto) | The protocol used by web traffic. By definition, for FortiWeb, this is always TCP. | – | + | + | proto=tcp
Service (service) | The name of the application-layer protocol used by the traffic. By definition, for FortiWeb, this is always HTTP or HTTPS. | – | + | + | service=http
Source (src) | The IP address of the traffic's origin. The source varies by the direction: | – | + | + | src=10.0.0.0
Source Port (src_port) | The port number of the traffic's origin. | – | + | + | src_port=3471
Destination (dst) | The IP address of the traffic's destination. The destination varies by the direction: | – | + | + | dst=10.0.0.1
Destination Port (dst_port) | The port number of the traffic's destination. | – | + | + | dst_port=8080
Policy (policy) | The name of the server policy governing the traffic that caused the log message. | – | + | + | policy="policy1"
User (user) | The daemon or name of the administrator account that performed the action that caused the log message. | + | – | – | user=admin
(ui) | The type of management interface used by the administrative session that caused the log message. Unless the user is a daemon (which doesn't have a user interface), logins from | + | – | – | ui=GUI
Action (action) | The action associated with the log message or policy violation. | + | + | – | action=Alert
Status (status) | The result of the action. | + | – | + | status=failure
Reason (reason) | The reason for the status, if any. | + | – | + | reason=name_invalid
Return Code (http_retcode) | The HTTP return code. If FortiWeb is configured to redirect, this is the rewritten code, not the original one from the server. | – | – | + | http_retcode=200
Request Time (http_request_time) | The amount of time it took FortiWeb to process the client request, in milliseconds (ms). | – | – | + | http_request_time=10
Response Time (http_response_time) | The amount of processing time for the response, in milliseconds (ms). This can be a useful measure of performance issues, especially if processing involves regular expression matching. | – | – | + | http_response_time=10
Request Bytes (http_request_bytes) | The size of the request in bytes. | – | – | + | http_request_bytes=2
Response Bytes (http_response_bytes) | The size of the individual response in bytes (B). For chunked responses, this is for each reply; it does not aggregate all related chunks. | – | – | + | http_response_bytes=136
Method (http_method) | The method, such as GET or POST, used by the HTTP request. | – | + | + | http_method=get
URL (http_url) | The URL in the HTTP header of the original HTTP request. This does not include the service (http://) nor the host name (example.nl). If FortiWeb is configured to rewrite the URL, this is the original URL from the client, not the rewritten one. | – | + | + | http_url="/image/up.png"
Host (http_host) | This is typically a fully qualified domain name (FQDN) or IP address and port number that resolves or routes to the virtual server on the FortiWeb appliance. This may be different from your internal DNS name (if any) for the web server, or, if you are using HTTP | – | + | + | http_host="example.com"
User Agent (http_agent) | The name and version of the HTTP client, usually a web browser. This is reported by the client itself in the User-Agent: HTTP header. In attacks, it is often fake. | – | + | + | http_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
FortiWeb Session ID (http_session_id) | The session identifier for a client's related HTTP requests (if any). The ID may be | – | + | – | http_session_id=K8BXT3TNYUM710UEGWC8IQBTPX9PRWHB
(severity_level) | The severity that the administrator configured in the rule or policy governing the traffic that caused the log message. | – | + | – | severity_level=High
Trigger Policy (trigger_policy) | The name of the notification servers used to record and/or deliver this log message (if any). The trigger policy value may be an empty string if no trigger policy was selected. | + | + | – | trigger_policy=notification-server-group1
Signature Subclass (signature_subclass) | The name of the signature subclass. If the current signature has no subclass, the main class is displayed. | – | + | – | signature_subclass="Cross Site Scripting"
Signature ID (signature_id) | The ID of the specific signature within the subclass that triggered the log message. | – | + | – | signature_id="010000001"
Source Country (srccountry) | The country that is the source of the traffic. | – | + | + | srccountry="United States"
Message (msg) | Details describing the reason why the log message was created. The message varies by the nature of the cause. | + | + | + | msg="User admin changed dns from GUI(172.20.120.47)"
HTTP Content Routing (content_switch_name) | The name of the associated HTTP content routing policy. | – | + | + | content_switch_name="httproutes1"
Server Pool (server_pool_name) | The name of the server pool in the associated server policy. | – | + | + | server_pool_name="Auto-ServerFarm"
False Positive Mitigation (false_positive_mitigation) | For violations of SQL injection signatures, specifies whether FortiWeb identified the attack using the signature and additional SQL syntax validation (yes) or just the signature (no). | – | + | – |
Threat Scoring (log_type, event_score, score_message, entry_sequence) | Information about the threat score, which FortiWeb generates based on multiple signature violations by a client, instead of a single signature violation. For details, see Attack log fields. | – | + | – | log_type=LOG_TYPE_SCORE_SUM event_score=3 score_message="[score_type: total_score] [score_scope: TCP Session] [score_threshold: 5] [score_sum: 7]" entry_sequence="000139289630"
(N/A) | This column contains the entire log message in raw format. If your Column Settings show this column, the entire raw log message is included in the row under this column, next to the formatted column view of the same log message. This way, if you want to view the entire raw log message, you can simply scroll the page instead of switching the entire page back and forth between the Raw and Formatted log views. This column appears only when using the Formatted log view. It does not actually exist as a field in the raw logs. | + | + | + | date=2013-10-10 time=00:38:58 log_id=20000051 msg_id=000000000008...