Log fields by type
securityevent
| Log Field Name | Description | Data Type | Length |
|---|---|---|---|
| action | block or monitor | string | 32 |
| action | action taken for the infected item | enumeration string | 32 |
| activity | activity | enumeration string | 64 |
| ae_api | API used in the violation | string | 64 |
| ae_reason | reason for the violation | string | 64 |
| app | application | string | 96 |
| appname | application name | string | 260 |
| cat | category id | int | 20 |
| category | category name | string | 260 |
| channelurl | channel URL | string | 260 |
| checksum | file crc32 checksum | int | 20 |
| checksum | file SHA256 checksum | string | 16 |
| date | date | string | 260 |
| default_used | whether the process is handled by the default action | int | 20 |
| description | description | string | 260 |
| detectedby | the security feature that detected the virus | enumeration string | 64 |
| detectedin | where the virus was detected | enumeration string | 64 |
| detectedpath | detected path(s) | string | 260 |
| deviceip | device IP address | string | 20 |
| devicemac | device MAC address | string | 17 |
| devid | device ID | string | 16 |
| domain | domain of user | string | 256 |
| emsserial | EMS serial number | string | 16 |
| error_code | reason for the failure | int | 20 |
| eventtype | type of event | enumeration string | 32 |
| failed_reason | reason for the failure | string | 260 |
| fctver | FCT version | string | 16 |
| fgtserial | FGT serial number | string | 16 |
| file | file location | string | 256 |
| filesize | file size | int | 20 |
| from | email from | string | 128 |
| hostname | host name of local machine | string | 256 |
| httpport | http port number | int | 20 |
| id | log id | int | 20 |
| ip | IP address | string | 260 |
| level | log level | enumeration string | 20 |
| locip | local ip | string | 20 |
| locport | local port | int | 20 |
| logver | log protocol version | int | 20 |
| maxduration | max-duration for secret | int | 20 |
| msg | description of this log | string | 512 |
| os | operating system | string | 96 |
| pamsessionid | pam session-id | int | 20 |
| path | path of process | string | 260 |
| payload_process | payload process | string | 260 |
| pcdomain | domain name of local machine | string | 128 |
| PID | ID of the malicious process | int | 20 |
| processname | process name | string | 128 |
| proxymode | proxy mode enabled | int | 20 |
| recording | video recording enabled | int | 20 |
| remip | remote ip | string | 20 |
| remotegw | remote gateway | string | 256 |
| remport | remote port | int | 20 |
| ruleuuid | uuid of violated rule | string | 260 |
| score | file score | int | 20 |
| service | network protocol | string | 64 |
| sigid | signature id | string | 260 |
| site | Multi-tenancy site | string | 32 |
| status | scan status | string | 16 |
| status | status | enumeration string | 16 |
| subtype | AntiVirus, FireWall, WebFilter ... | enumeration string | 32 |
| time | time | string | 260 |
| to | email to | string | 512 |
| type | Traffic, Security Event or System Event | string | 16 |
| uid | FortiClient unique ID | string | 32 |
| url | URL | string | 512 |
| user | current logged on user | string | 256 |
| username | username of process | string | 260 |
| usingpolicy | current policy name | string | 64 |
| vid | virus id | int | 20 |
| videourl | video URL | string | 260 |
| virus | virus name | string | 512 |
| viruscat | virus category | string | 260 |
| vpn | vpn tunnel name | string | 32 |
| vpnstate | tunnel status | enumeration string | 64 |
| vpntunnel | tunnel name | string | 128 |
| vpnuser | vpn tunnel user name | string | 128 |
| vulncat | category | string | 32 |
| vulncvss | cvss score | string | 64 |
| vulnengine | engine version | string | 64 |
| vulnid | id of the vulnerability | int | 20 |
| vulnname | name of the vulnerability | string | 128 |
| vulnproducts | name of the vulnerable product | string | 2048 |
| vulnref | reference of the vulnerability | string | 256 |
| vulnseverity | severity level | string | 8 |
| vulnsignature | signature version | string | 260 |
systemevent
| Log Field Name | Description | Data Type | Length |
|---|---|---|---|
| appengine | app DB engine | string | 260 |
| apppath | process name | string | 128 |
| appsig | app DB signature | string | 11 |
| avaleng | AV allowlist engine version | string | 260 |
| avalsig | AV allowlist signatures version | string | 260 |
| avengine | AV engine | string | 11 |
| avsig | AV signature | string | 11 |
| avsigetm | AV extreme signature | string | 11 |
| avsigext | AV extended signature | string | 11 |
| avsigheu | AV heuristic signature | string | 11 |
| avsiglastupdate | last update time | string | 260 |
| avsigpallas | AV pallas signature | string | 260 |
| date | date | string | 260 |
| deviceip | device IP address | string | 20 |
| devicemac | device MAC address | string | 17 |
| devid | device ID | string | 16 |
| emshostname | EMS host name | string | 64 |
| emsip | EMS IP | string | 20 |
| emsserial | EMS serial number | string | 16 |
| epenfeatures | enabled features list | string | 128 |
| epfeatures | installed features list | string | 128 |
| ephbemsduration | EMS heartbeat duration | int | 20 |
| ephbemslast | EMS heartbeat last time | string | 64 |
| epmgmtst | management status | enumeration string | 64 |
| eponlinest | online status | enumeration string | 32 |
| epplace | EP place | enumeration string | 32 |
| epquarmsg | quarantine message | string | 260 |
| eventtype | type of event | enumeration string | 32 |
| fctip | FCT IP | string | 20 |
| fctver | FCT version | string | 16 |
| fgtserial | FGT serial number | string | 16 |
| file | file or registry path | string | 256 |
| hostname | host name of local machine | string | 256 |
| id | log id | int | 20 |
| ipseng | firewall engine | string | 11 |
| ipssig | firewall signature | string | 11 |
| irdbsig | irdb signature | string | 260 |
| level | log level | enumeration string | 20 |
| logver | log protocol version | int | 20 |
| msg | description of this log | string | 512 |
| os | operating system | string | 96 |
| pcdomain | domain name of local machine | string | 128 |
| policyname | policy name | string | 64 |
| processname | blocked process | string | 128 |
| rootkitengine | anti-rootkit engine | string | 11 |
| rootkitsig | anti-rootkit signature | string | 11 |
| site | Multi-tenancy site | string | 32 |
| social_email | social email | string | 128 |
| social_phone | social phone number | string | 64 |
| social_srvc | social service | string | 64 |
| social_user | social user name | string | 256 |
| status | status description | string | 16 |
| subtype | AntiVirus, FireWall, WebFilter ... | enumeration string | 32 |
| time | time | string | 260 |
| type | Traffic, Security Event or System Event | string | 16 |
| uid | FortiClient unique ID | string | 32 |
| user | current logged on user | string | 256 |
| usingpolicy | current policy name | string | 64 |
| vulnengine | vulnerability engine | string | 64 |
| vulnsig | vulnerability signature | string | 11 |
traffic
| Log Field Name | Description | Data Type | Length |
|---|---|---|---|
| browsetime | user browsing time of web page (in seconds) | int | 20 |
| date | date | string | 260 |
| deviceip | device IP address | string | 20 |
| devicemac | device MAC address | string | 17 |
| devid | device ID | string | 16 |
| direction | traffic direction | string | 8 |
| dstip | destination IP | string | 20 |
| dstport | destination port | int | 20 |
| emsserial | EMS serial number | string | 16 |
| eventtype | type of event | enumeration string | 32 |
| fctver | FCT version | string | 16 |
| fgtserial | FGT serial number | string | 16 |
| hostname | host name of local machine | string | 256 |
| id | log id | int | 20 |
| level | log level | enumeration string | 20 |
| logver | log protocol version | int | 20 |
| msg | description of this log | string | 512 |
| os | operating system | string | 96 |
| pcdomain | domain name of local machine | string | 128 |
| proto | network protocol | int | 20 |
| rcvdbyte | data received (in bytes) | int | 20 |
| regip | regip | string | 64 |
| remotename | remote name | string | 256 |
| sentbyte | data sent (in bytes) | int | 20 |
| service | network protocol | string | 64 |
| sessionid | network session | string | 64 |
| site | Multi-tenancy site | string | 32 |
| srcip | source IP | string | 20 |
| srcname | source name | string | 256 |
| srcport | source port | int | 20 |
| srcproduct | source product | string | 256 |
| subtype | AntiVirus, FireWall, WebFilter ... | enumeration string | 32 |
| threat | threat | string | 128 |
| time | time | string | 260 |
| type | Traffic, Security Event or System Event | string | 16 |
| uid | FortiClient unique ID | string | 32 |
| url | URL | string | 512 |
| user | current logged on user | string | 256 |
| userinitiated | whether the user initiated the URL request | int | 20 |
| usingpolicy | current policy name | string | 64 |
| utmaction | utm action | string | 32 |
| utmevent | utm event | string | 32 |