Log message fields
Each log message consists of several sections of fields. In the FortiOS GUI, you can view the logs in the Log & Report pane, which displays the formatted view. If you want to view logs in raw format, you must download the log and view it in a text editor.
The following is an example of a traffic log message in raw format (one line; the fields are space-separated key=value pairs, and string values are double-quoted):
```
date=2017-11-15 time=11:44:16 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1510775056 srcip=10.1.100.155 srcname="pc1" srcport=40772 srcintf="port12" srcintfrole="undefined" dstip=35.197.51.42 dstname="fortiguard.com" dstport=443 dstintf="port11" dstintfrole="undefined" poluuid="707a0d88-c972-51e7-bbc7-4d421660557b" sessionid=8058 proto=6 action="close" policyid=1 policytype="policy" policymode="learn" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=40772 appid=40568 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" duration=2 sentbyte=1850 rcvdbyte=39898 sentpkt=25 rcvdpkt=37 utmaction="allow" countapp=1 devtype="Linux PC" osname="Linux" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=0-220586
```
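As an added example (not code from the FortiOS documentation), the following Python parser reads a raw log line of this key=value format into a dictionary. It handles the quoted values that contain spaces (`dstcountry="United States"`, `devtype="Linux PC"`), keeps quoted identifiers such as `logid="0000000013"` as strings so their leading zeros survive, converts the numeric counters, and compares the `date`/`time` header with the `eventtime` epoch value, the point the Event Time row of the table below makes about the two not matching. The list of integer fields, the protocol-number table, and the UTC-8 device offset used in the usage call are assumptions made for this example, not values defined by FortiOS.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the traffic log line shown above, copied as one string.
RAW_LOG = (
    'date=2017-11-15 time=11:44:16 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="vdom1" eventtime=1510775056 srcip=10.1.100.155 srcname="pc1" '
    'srcport=40772 srcintf="port12" srcintfrole="undefined" dstip=35.197.51.42 '
    'dstname="fortiguard.com" dstport=443 dstintf="port11" dstintfrole="undefined" '
    'poluuid="707a0d88-c972-51e7-bbc7-4d421660557b" sessionid=8058 proto=6 action="close" '
    'policyid=1 policytype="policy" policymode="learn" service="HTTPS" '
    'dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 '
    'transport=40772 appid=40568 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" '
    'duration=2 sentbyte=1850 rcvdbyte=39898 sentpkt=25 rcvdpkt=37 utmaction="allow" '
    'countapp=1 devtype="Linux PC" osname="Linux" mastersrcmac="a2:e9:00:ec:40:01" '
    'srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=0-220586'
)

# One key=value pair. The value is either a double-quoted string (which may contain
# spaces and backslash-escaped quotes) or a bare run of non-space characters.
_PAIR_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

# Assumption for this example: the fields to convert to int. Quoted fields such as
# logid="0000000013" are deliberately left as strings so leading zeros are preserved.
_INT_FIELDS = {
    "eventtime", "srcport", "dstport", "sessionid", "proto", "policyid", "transport",
    "appid", "duration", "sentbyte", "rcvdbyte", "sentpkt", "rcvdpkt", "countapp", "srcserver",
}

# IANA protocol numbers for values commonly seen in proto= (a subset chosen for this example).
_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp", 58: "icmpv6"}


def parse_fortios_log(line):
    """Parse one raw FortiOS log line into a dict of field name -> value."""
    fields = {}
    for match in _PAIR_RE.finditer(line):
        key, quoted, bare = match.groups()
        value = quoted.replace('\\"', '"') if quoted is not None else bare
        fields[key] = int(value) if key in _INT_FIELDS else value
    return fields


def protocol_name(proto):
    """Map a proto= number to its IANA keyword, falling back to the number as a string."""
    return _PROTO_NAMES.get(proto, str(proto))


def header_vs_eventtime(fields, device_utc_offset_seconds=0):
    """Signed difference in seconds between the date/time header and eventtime.

    date= and time= carry the device's local clock, while eventtime= is an epoch value
    (UTC). Pass the device's UTC offset so both are compared on the same clock: a residual
    of a few seconds is the logging delay the documentation mentions, while a residual of
    whole hours means the offset has not been applied (or is wrong).
    """
    header_local = datetime.strptime(
        f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S"
    )
    header_utc = header_local.replace(tzinfo=timezone.utc) - timedelta(
        seconds=device_utc_offset_seconds
    )
    event_utc = datetime.fromtimestamp(fields["eventtime"], tz=timezone.utc)
    return int((header_utc - event_utc).total_seconds())


if __name__ == "__main__":
    parsed = parse_fortios_log(RAW_LOG)
    print(f"{len(parsed)} fields; {parsed['srcip']}:{parsed['srcport']} -> "
          f"{parsed['dstip']}:{parsed['dstport']} {protocol_name(parsed['proto'])} "
          f"action={parsed['action']} utmaction={parsed['utmaction']}")
    # Assumed for this example: the device that produced the sample runs at UTC-8.
    print("header - eventtime, no offset applied:", header_vs_eventtime(parsed), "s")
    print("header - eventtime, UTC-8 applied:    ",
          header_vs_eventtime(parsed, -8 * 3600), "s")
```

For the sample line the header is 8 hours behind `eventtime` when no offset is applied and matches it exactly once a UTC-8 offset is used, so when correlating FortiGate logs with other sources it is the epoch `eventtime` field, not the local `date`/`time` pair, that should be used as the timestamp.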
The following table provides an example of the log field information in the FortiOS GUI in the detailed view of the Log & Report pane and in the downloaded, raw log file.
| GUI Field Name (Raw Field Name) | Field Description | Example Field Value in Raw Format |
|---|---|---|
| General | | |
| Date (date) | Day, month, and year when the log message was recorded. | date=2017-11-15 |
| Direction (direction) | Indicates the message or packet direction. | direction=incoming |
| Time (time) | Hour clock when the log message was recorded. | time=11:44:16 |
| Duration (duration) | Duration of the session. | duration=2 |
| Session ID (sessionid) | ID for the session. | sessionid=8058 |
| Virtual Domain (vd) | Name of the virtual domain in which the log message was recorded. | vd="vdom1" |
| NAT Translation (transport) | NAT source port. | transport=40772 |
| Source | | |
| IP (srcip) | IP address of the traffic's origin. The source varies by the direction. | srcip=10.1.100.155 |
| NAT IP (transip) | NAT source IP. | transip=172.16.200.2 |
| Source Port (srcport) | Port number of the traffic's origin. | srcport=40772 |
| Country (srccountry) | Name of the source country. | srccountry="Reserved" |
| Source Interface (srcintf) | Interface name of the traffic's origin. | srcintf="port12" |
| Source Name (srcname) | Name of the source. | srcname="pc1" |
| Source Interface Name (srcintfrole) | Name of the source interface. | srcintfrole="undefined" |
| Device Type (devtype) | Device type of the source. | devtype="Linux PC" |
| OS Name (osname) | OS of the source. | osname="Linux" |
| Master Source MAC (mastersrcmac) | The master MAC address for a host that has multiple network interfaces. | mastersrcmac="a2:e9:00:ec:40:01" |
| Source MAC (srcmac) | MAC address associated with the source IP address. | srcmac="a2:e9:00:ec:40:01" |
| Source Server (srcserver) | Server of the source. | srcserver=0 |
| Device ID (devid) | Serial number of the device for the traffic's origin. | devid="FGVM02Q105060010" |
| Destination | | |
| IP (dstip) | Destination IP address for the web. | dstip=35.197.51.42 |
| Port (dstport) | Port number of the traffic's destination. | dstport=443 |
| Country (dstcountry) | Name of the destination country. | dstcountry="United States" |
| Destination Interface (dstintf) | Interface of the traffic's destination. | dstintf="port11" |
| Destination Name (dstname) | Name of the destination. | dstname="fortiguard.com" |
| Destination Interface Name (dstintfrole) | Name of the destination interface. | dstintfrole="undefined" |
| Application | | |
| Application Name (app) | Name of the application. | app="HTTPS.BROWSER" |
| Category (appcat) | Category of the application. | appcat="Web.Client" |
| Service (service) | Name of the service. | service="HTTPS" |
| Application ID (appid) | ID of the application. | appid=40568 |
| Application Risk (apprisk) | Risk level of the application. | apprisk="medium" |
| countapp | Number of App Ctrl logs associated with the session. | countapp=1 |
| Data | | |
| Received bytes (rcvdbyte) | Number of bytes received. | rcvdbyte=39898 |
| Received packets (rcvdpkt) | Number of packets received. | rcvdpkt=37 |
| Sent bytes (sentbyte) | Number of bytes sent. | sentbyte=1850 |
| Sent packets (sentpkt) | Number of packets sent. | sentpkt=25 |
| Action | | |
| Action (action) | Status of the session. Uses the following definitions. | action=close |
| Policy (policyid) | Name of the firewall policy governing the traffic which caused the log message. | policyid=1 |
| Policy UUID (poluuid) | UUID for the firewall policy. | poluuid="707a0d88-c972-51e7-bbc7-4d421660557b" |
| Policy Type (policytype) | | policytype="policy" |
| Policy Mode (policymode) | Firewall policy mode. | policymode="learn" |
| Security | | |
| Level (level) | Security level rating. | level="notice" |
| Other | | |
| Event Time (eventtime) | Epoch time the log was triggered by FortiGate. If you convert the epoch time to human-readable time, it might not match the Date and Time in the header owing to a small delay between the time the log was triggered and recorded. The Log Time field is the same for the same log among all log devices, but the Date and Time might differ. | eventtime=1510775056 |
| Protocol Number (proto) | Protocol number of the traffic. tcp: the protocol used by web traffic (tcp by default). | proto=6 |
| Type (type) | Log type. See Type. | type="traffic" |
| Log ID (logid) | Log ID. See Log ID definitions. | logid="0000000013" |
| Sub Type (subtype) | Subtype of the traffic. See Subtype. | subtype="forward" |
| trandisp | NAT translation type. | trandisp="snat" |
| UTM Action (utmaction) | Security action performed by UTM. | utmaction="allow" |
| UTM Reference (utmref) | UTM reference number. | utmref=0-220586 |