Overview
FortiGate provides a series of network appliances, including firewalls.
Collection
FortiGate appliances can send log data to third-party syslog servers. Configuration is done per device via the command-line interface. In particular, the "config log syslogd setting" command provides the following options:
config log syslogd setting
set csv {disable | enable}
set facility <facility_name>
set port <port_integer>
set reliable {disable | enable}
set server <ip_address>
set status {disable | enable}
end
For delivery to a Snare Central server, it is recommended that the following settings be used:
CSV: enable
Facility: local0
Port: 514
Reliable: disable
Server: the IP address of the Snare Central server
Status: enable
Note that 'reliable delivery', as defined by FortiGate, means that the content is sent encrypted, using RFC 3195 (https://tools.ietf.org/html/rfc3195) compatible protocols to port 601. The Snare Central server supports encrypted syslog content, but not via RFC 3195.
Syslog criticality levels are dynamically determined by the source event priority.
Log Priority Levels
Levels | Description |
---|---|
0 - Emergency | The system has become unstable. |
1 - Alert | Immediate action is required. |
2 - Critical | Functionality is affected. |
3 - Error | An error condition exists and functionality could be affected. |
4 - Warning | Functionality could be affected. |
5 - Notification | Information about normal events. |
6 - Information | General information about system operations. |
The Debug priority level, not shown above, is rarely used. It is the lowest log priority level and usually contains some firmware status information that is useful when the FortiGate unit is not functioning properly.
Log ID numbers
The ID (logid="xxyyzzzzzz") is a 10-digit field. It is a unique identifier for that specific log and encodes the following information about the log entry.
Log ID number components | Description | Examples |
---|---|---|
Log Type | "xx--------": represented by the first two digits of the log ID. | Traffic log IDs begin with "00". Event log IDs begin with "01". |
Sub Type or Event Type | "--yy------": represented by the second two digits of the log ID. | The VPN log subtype is represented by "01" and belongs to the Event log type, which is also represented by "01". Therefore, all VPN-related Event log IDs begin with the 0101 log ID series. |
Message ID | "----zzzzzz": the last six digits of the log ID represent the message ID. | An administrator account always has the log ID 0000003401. |
List of Log Types and Subtypes
Type | Subtype |
---|---|
Traffic | Forward, Local, Multicast, Sniffer |
Event | System, VPN, User, Router, Wireless, WAD, Endpoint, HA, Security Rating, FortiExtender, Connector, SD-WAN |
UTM | (see below for UTM log subtypes) |
UTM Log Subtypes
UTM Log Subtypes | Event Type |
---|---|
Virus | Analytics, Filetype Executable, Outbreak Prevention, Content Disarm, Command Blocked, Malware list, Infected, Filename, Oversize, Mime Fragmented, Scan Error, Switch Proto |
Web Filter | Unknown, Content, URL Filter, FortiGuard Block, FortiGuard Allow, FortiGuard Error, ActiveX Filter, Cookie Filter, Applet Filter, FortiGuard Quota Counting, FortiGuard Quota, Script Filter, webfilter_command_block, HTTP Header Change, SSL Exempt, Anti-phishing, FortiGuard Quota Expired, URL Monitor |
IPS | Signature, Malicious URL, Botnet |
Email Filter | Spam, Email, Bannedword, FTGD Error, Webmail, File Filter |
Anomaly | Anomaly |
VoIP | VoIP |
DLP | DLP, Document Source |
App Ctrl | Signature, Port-violation, Protocol-violation |
WAF | Signature, Custom Signature, HTTP Method, HTTP Constraint, Address List, URL Access |
GTP | GTP-All |
DNS | DNS-query, DNS-response |
SSH | SSH-Command, SSH-Channel |
SSL | SSL-Anomalies, SSL-Exempt, SSL-Negotiation |
CIFS | CIFS-File Filter, CIFS-Auth Fail |
File Filter | File filter |
ICAP | ICAP |
Sample Event
date=2019-05-10 time=11:37:47 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1557513467369913239 srcip=10.1.100.11 srcport=58012 srcintf="port12" srcintfrole="undefined" dstip=23.59.154.35 dstport=80 dstintf="port11" dstintfrole="undefined" srcuuid="ae28f494-5735-51e9-f247-d1d2ce663f4b" dstuuid="ae28f494-5735-51e9-f247-d1d2ce663f4b" poluuid="ccb269e0-5735-51e9-a218-a397dd08b7eb" sessionid=105048 proto=6 action="close" policyid=1 policytype="policy" service="HTTP" dstcountry="Canada" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=58012 appid=34050 app="HTTP.BROWSER_Firefox" appcat="Web.Client" apprisk="elevated" applist="g-default" duration=116 sentbyte=1188 rcvdbyte=1224 sentpkt=17 rcvdpkt=16 utmaction="allow" countapp=1 osname="Ubuntu" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=65500-742
Fields
(Generic: covers FortiGate log types, subtypes and event types not yet specifically supported as of version 6.4.2, for future support purposes.)
Field | Description |
---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in ISO 8601 / RFC 3339 format |
SYSTEM | The source system |
TABLE | FortiGate |
CRITICALITY | |
LOGID | Unique 10-digit identifier (log type, subtype/event type and message ID) for that specific log, which includes information about the log entry |
TYPE | Represented by the first two digits of the log ID |
SUBTYPE | Represented by the second two digits of the log ID |
EVENTTYPE | Represented by the second two digits of the log ID |
DEVNAME | Device name |
DEVID | Serial number of the device for the traffic's origin |
LEVEL | Security level rating |
VD | Name of the virtual domain in which the log message was recorded |
EVENTTIME | Epoch time the log was triggered by FortiGate |
SRCIP | IP address of the traffic's origin |
SRCPORT | Port number of the traffic's origin |
SRCINTF | Interface name of the traffic's origin |
SRCINTFROLE | Name of the source interface |
DSTIP | Destination IP address for the web |
DSTPORT | Port number of the traffic's destination |
DSTINTF | Interface of the traffic's destination |
DSTINTFROLE | |
SESSIONID | Session ID |
PROTO | The protocol used by web traffic |
ACTION | Status of the session |
POLICYID | Name of the firewall policy governing the traffic which caused the log message |
POLICYTYPE | |
SERVICE | Name of the service |
MSG | |
SNAREDATAMAP | All other data in the event will be pushed to this field |
Overview
Centripetal provides CleanINTERNET® technology, which delivers fully-managed enterprise-class SecOps as a service for all organizations, regardless of size or industry. CleanINTERNET® Flow Event Logging inspects every inbound and outbound packet, and its log-and-flow events deliver real-time analytics. The syslog data is continually sent to standard Security Information and Event Management (SIEM) platforms for threat analysis and mitigation. Advanced packet filtering that leverages threat intelligence has become a critical technology in today's SOC.
Collection
Sample Event
<14>1 2019-10-28T15:24:43.300-04:00 10.4.2.199 rulegate 3989 - - devname=office2.centripetal.local devid=PBWFHY type=traffic subtype=apf-flow eventid=5B70BD33AE direction=out observed=WAN,LAN,PUBLIC-d4,PUBLIC-d5 rx_bytes=1757 packet_count=7 action=allowed action_context=>WAN:pass,cap;>LAN:logged,cap;<WAN:pass,cap;<LAN:logged,cap cti_trigger=168.143.241.155 cti_provider=ET cti_feed=ET-IPCheck_Block-ip cti_type=IP proto=6 tcp_flags=>SYN;<SYN,ACK;>ACK;>ACK,PUSH;<ACK;<ACK,PUSH srcip=10.4.7.12 srcport=61518 dstip=168.143.241.155 dstport=80 wanip=150.225.2.180 wanport=61518
Fields
Field | Description |
---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in ISO 8601 / RFC 3339 format |
SYSTEM | The source system |
CRITICALITY | |
DEVNAME | Device name |
DEVID | Serial number of the device for the traffic's origin |
TYPE | Event type is traffic |
SUBTYPE | Event subtype is apf-flow |
EVENTID | Eventid is a 10-digit hexadecimal value |
DIRECTION | IN, OUT |
OBSERVED | Observed network types used |
RX_BYTES | Received transmission bytes |
PACKET_COUNT | Received packet count |
ACTION | Status of the session |
ACTION_CONTEXT | List of executed actions per network type for the sessions detected, e.g. logged, captured |
CTI_TRIGGER | |
CTI_PROVIDER | |
CTI_FEED | |
CTI_TYPE | |
PROTO | |
SRCIP | IP address of the traffic's origin |
SRCPORT | Port number of the traffic's origin |
DSTIP | Destination IP address |
DSTPORT | Port number of the traffic's destination |
SNAREDATAMAP | All other data in the event will be pushed to this field |
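The following Python ties together the pieces described above and is an added example, not part of the Snare, Fortinet or Centripetal documentation. It parses a FortiGate key=value payload, decomposes logid into its type, subtype and message-ID components and cross-checks the decoded type against the type field, computes the syslog PRI that the recommended local0 facility and the priority table produce, and parses the RFC 5424 header of the Centripetal sample back into facility and severity. The two sample lines are shortened copies of the sample events on this page; the facility codes other than local0, and the acceptance of both "notice" (what FortiGate emits) and "notification" (the page's label) for level 5, are standard syslog values assumed here rather than taken from the page.

```python
import re
from typing import Dict

# Constructed samples: shortened copies of the two sample events on this page.
FORTIGATE_SAMPLE = (
    'date=2019-05-10 time=11:37:47 logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="vdom1" eventtime=1557513467369913239 '
    'srcip=10.1.100.11 srcport=58012 dstip=23.59.154.35 dstport=80 proto=6 '
    'action="close" policyid=1 service="HTTP" dstcountry="Canada"'
)
CENTRIPETAL_SAMPLE = (
    '<14>1 2019-10-28T15:24:43.300-04:00 10.4.2.199 rulegate 3989 - - '
    'devname=office2.centripetal.local devid=PBWFHY type=traffic subtype=apf-flow '
    'eventid=5B70BD33AE direction=out action=allowed '
    'action_context=>WAN:pass,cap;>LAN:logged,cap proto=6 '
    'srcip=10.4.7.12 srcport=61518 dstip=168.143.241.155 dstport=80'
)

# Severity numbers for the priority names on this page, in RFC 5424 order.
# FortiGate emits "notice" for level 5, which the page labels "Notification".
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "notification": 5,
            "information": 6, "debug": 7}
SEVERITY_NAME = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                 4: "warning", 5: "notice", 6: "information", 7: "debug"}
# RFC 5424 facility codes (assumed standard values); local0 is the one this page recommends.
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "syslog": 5,
            "local0": 16, "local1": 17, "local2": 18, "local3": 19,
            "local4": 20, "local5": 21, "local6": 22, "local7": 23}
FACILITY_NAME = {v: k for k, v in FACILITY.items()}

# Log type codes given on this page: traffic "00", event "01".
LOG_TYPE_CODES = {"00": "traffic", "01": "event"}

# One key=value pair: the value is either a double-quoted string (may contain
# spaces) or a run of non-space characters (Centripetal's action_context is unquoted).
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(payload: str) -> Dict[str, str]:
    """Split a key=value syslog payload into a dict (a repeated key keeps its last value)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PAIR.finditer(payload)}


def decode_logid(logid: str) -> Dict[str, str]:
    """Break a FortiGate 10-digit logid into xx (type), yy (subtype) and zzzzzz (message ID)."""
    if not re.fullmatch(r"\d{10}", logid):
        raise ValueError(f"logid must be exactly 10 digits, got {logid!r}")
    return {"type_code": logid[:2],
            "type": LOG_TYPE_CODES.get(logid[:2], "unknown"),
            "subtype_code": logid[2:4],
            "message_id": logid[4:]}


def encode_pri(facility: str, level: str) -> int:
    """PRI value the appliance puts on the wire: facility * 8 + severity."""
    return FACILITY[facility] * 8 + SEVERITY[level.lower()]


def decode_pri(pri: int) -> Dict[str, str]:
    """Reverse of encode_pri: split a <PRI> value back into facility and severity names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return {"facility": FACILITY_NAME.get(pri // 8, str(pri // 8)),
            "severity": SEVERITY_NAME[pri % 8]}


# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
_RFC5424 = re.compile(r"^<(\d{1,3})>(\d) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)$")


def parse_rfc5424(line: str) -> Dict[str, object]:
    """Parse the RFC 5424 header Centripetal emits, then its key=value body."""
    m = _RFC5424.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line")
    pri, version, ts, host, app, procid, msgid, sd, body = m.groups()
    return {"pri": decode_pri(int(pri)), "version": int(version),
            "timestamp": ts, "host": host, "app": app, "procid": procid,
            "fields": parse_kv(body)}


def summarize_fortigate(payload: str, facility: str = "local0") -> Dict[str, object]:
    """Parse a FortiGate payload, decode its logid and compute the PRI the device should send."""
    fields = parse_kv(payload)
    parts = decode_logid(fields["logid"])
    return {"fields": fields, "logid": parts,
            # The type encoded in the logid should agree with the type field.
            "logid_type_matches": parts["type"] == fields.get("type"),
            "expected_pri": encode_pri(facility, fields["level"])}


if __name__ == "__main__":
    print(summarize_fortigate(FORTIGATE_SAMPLE))
    print(parse_rfc5424(CENTRIPETAL_SAMPLE))
```

With the recommended facility local0 (16), a level="notice" (5) event arrives as PRI 133; a mismatch between the PRI a collector sees and this computed value, or between the logid type code and the type field, is a quick sign that the relay or the device configuration is not what this page recommends.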
Notes
Log Message Reference Documentation: https://docs.fortinet.com/document/fortigate/6.4.2/fortios-log-message-reference
Centripetal: www.centripetal.ai/