Overview

Info

Fortigate produces a series of network appliances, including firewalls.

Collection

Fortigate appliances can send log data to third-party syslog servers. Configuration on a per-device basis is available via the command-line interface. In particular, the "config log syslogd setting" command provides the following options:

config log syslogd setting
  set csv {disable | enable}
  set facility <facility_name>
  set port <port_integer>
  set reliable {disable | enable}
  set server <ip_address>
  set status {disable | enable}
end

For delivery to a Snare Central server, it is recommended that the following settings be used:

  • CSV: enable

  • Facility: local0

  • Port: 514

  • Reliable: disable

    • Note that 'reliable delivery', as defined by Fortigate, means that the content will be sent encrypted, using RFC3195 (https://tools.ietf.org/html/rfc3195) compatible protocols, to port 601. The Snare Central server supports encrypted syslog content, but not via RFC3195.

  • Server: The IP address of the Snare Central server

  • Status: enable

Syslog criticality levels are dynamically determined by the source event priority.

Log priority levels

  Levels             Description
  0 - Emergency      The system has become unstable.
  1 - Alert          Immediate action is required.
  2 - Critical       Functionality is affected.
  3 - Error          An error condition exists and functionality could be affected.
  4 - Warning        Functionality could be affected.
  5 - Notification   Information about normal events.
  6 - Information    General information about system operations.

The Debug priority level, not shown above, is rarely used. It is the lowest log priority level and usually contains some firmware status information that is useful when the FortiGate unit is not functioning properly.

Sample Events

date=2020-02-14 time=04:30:00 devname=FG100C3G12600105 device_id=FG100C3G12600105 log_id=0038000006 type=traffic subtype=other pri=warning vd=fgate6f src=192.168.91.128 src_port=0 src_int="switch1" dst=10.10.10.1 dst_port=771 dst_int=unknown-0 SN=0 status=deny policyid=0 dst_country="Reserved" src_country="Reserved" service=3/3/icmp proto=1 duration=0 sent=0 rcvd=0 msg="no protocol tuple found, drop.

Sample Event

date=2019-05-13 time=14:12:26 logid="0103020301" type="event" subtype="router" level="warning" vd="root" eventtime=1557781946677737955 logdesc="Routing log" msg="OSPF: RECV[Hello]: From 31.1.1.1 via port9:172.16.200.1: Invalid Area ID 0.0.0.0"

Fields

  Field                  Description
  DATE                   Event date, in the format YYYY-MM-DD
  TIME                   Event time, in the format HH:MM:SS
  SYSTEM                 The source system
  TABLE                  Firewall1LogFortiGateEventRouter
  VERSION
  CRITICALITY
  ACTION
  CATEGORY
  TYPE
  SUBTYPE
  RULENAME
  PROTO
  USRNAME
  SERIALNUMBER
  NATSRCIP
  NATDSTIP
  SOURCEUSER
  DESTINATIONUSER
  APPLICATION
  VIRTUALSYSTEM
  SRCADDR
  SRCPORT
  DSTADDR
  DSTPORT
  SOURCEZONE
  DESTINATIONZONE
  INGRESSINTERFACE
  EGRESSINTERFACE
  LOGFORWARDINGPROFILE
  SESSIONID
  REPEATCOUNT
  NATSOURCEPORT
  NATDESTPORT
  FLAGS
  BYTES
  PACKETS
  ELAPSEDTIME
  URLCATEGORY
  BYTESIN
  BYTESOUT
  SEVERITY
  STRINGS

Notes

  LOGID                  Unique 10-digit identifier (log type, subtype/event type and message ID) for that specific log and includes information about the log entry
  TYPE                   Represented by the first two digits of the log ID
  SUBTYPE                Represented by the first/second two digits of the log ID
  EVENTTYPE              Represented by the second two digits of the log ID
  DEVNAME
  DEVID                  Serial number of the device for the traffic's origin
  LEVEL                  Security level rating
  VD                     Name of the virtual domain in which the log message was recorded
  EVENTTIME              Epoch time the log was triggered by FortiGate
  LOGDESC                Log Description
  MSG                    Message text
  SNAREDATAMAP           All other data in the event will be pushed to this field.
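As an added example (not Snare Central's or Fortinet's code), the Python below parses the two sample events from this page into the fields described above: it splits the key=value record (quoted values may contain spaces), decomposes the 10-digit LOGID into its type, subtype and message ID digits, maps the FortiGate priority name to the syslog severity code from the level table, and pushes every unmapped key into SNAREDATAMAP. The LOGID_* names and the KEY_ALIASES table are this example's own assumptions; the traffic sample is shortened and its cut-off msg value is closed.

```python
import re
from typing import Any, Dict

# Two records adapted from the sample events on this page (the first is
# shortened, and its truncated msg value is closed).
SAMPLE_TRAFFIC = ('date=2020-02-14 time=04:30:00 devname=FG100C3G12600105 '
                  'device_id=FG100C3G12600105 log_id=0038000006 type=traffic '
                  'subtype=other pri=warning vd=fgate6f src=192.168.91.128 '
                  'src_int="switch1" dst=10.10.10.1 dst_port=771 status=deny '
                  'service=3/3/icmp msg="no protocol tuple found, drop."')
SAMPLE_EVENT = ('date=2019-05-13 time=14:12:26 logid="0103020301" type="event" '
                'subtype="router" level="warning" vd="root" '
                'eventtime=1557781946677737955 logdesc="Routing log" '
                'msg="OSPF: RECV[Hello]: From 31.1.1.1 via port9:172.16.200.1: '
                'Invalid Area ID 0.0.0.0"')

# FortiGate priority names -> syslog severity codes from the level table above
# (debug, mentioned in the text but not tabulated, is the lowest priority).
PRIORITY_TO_SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
                        "warning": 4, "notification": 5, "notice": 5,
                        "information": 6, "debug": 7}

# Assumed aliases: older traffic logs and newer event logs spell keys differently.
KEY_ALIASES = {"log_id": "logid", "pri": "level", "device_id": "devid"}

# Keys that get a dedicated field; everything else lands in SNAREDATAMAP.
MAPPED_KEYS = ("date", "time", "logid", "type", "subtype", "level", "vd",
               "devname", "devid", "eventtime", "logdesc", "msg")

# key=value pairs separated by spaces; a quoted value may contain spaces and '='.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_fortigate(record: str) -> Dict[str, Any]:
    """Split one FortiGate key=value record into Snare-style fields."""
    pairs: Dict[str, str] = {}
    for key, quoted, bare in PAIR_RE.findall(record):
        pairs[KEY_ALIASES.get(key, key)] = quoted or bare
    out: Dict[str, Any] = {k.upper(): pairs[k] for k in MAPPED_KEYS if k in pairs}
    out["SNAREDATAMAP"] = {k: v for k, v in pairs.items() if k not in MAPPED_KEYS}
    logid = pairs.get("logid", "")
    if re.fullmatch(r"\d{10}", logid):          # 10-digit log ID, as documented
        out["LOGID_TYPE"] = logid[:2]           # first two digits: log type
        out["LOGID_SUBTYPE"] = logid[2:4]       # second two digits: subtype/event type
        out["LOGID_MSGID"] = logid[4:]          # remaining six digits: message ID
    # Syslog criticality follows the source event priority; None if unrecognised.
    out["CRITICALITY"] = PRIORITY_TO_SEVERITY.get(pairs.get("level", "").lower())
    return out
```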

Notes

Log Message Reference Documentation: https://docs.fortinet.com/document/fortigate/6.4.2/fortios-log-message-reference