
Overview

FortiGate is Fortinet's series of network security appliances, including firewalls.

Collection

FortiGate appliances can send log data to third-party syslog servers. Configuration is done per device via the command-line interface; in particular, the "config log syslogd setting" command provides the following options:

config log syslogd setting
  set csv {disable | enable}
  set facility <facility_name>
  set port <port_integer>
  set reliable {disable | enable}
  set server <ip_address>
  set status {disable | enable}
end

For delivery to a Snare Central server, it is recommended that the following settings be used:

  • CSV: enable
  • Facility: local0
  • Port: 514
  • Reliable: disable
    • Note that 'reliable delivery', as defined by FortiGate, means that the content will be sent encrypted, using RFC3195 (https://tools.ietf.org/html/rfc3195) compatible protocols to port 601. The Snare Central server supports encrypted syslog content, but not via RFC3195.
  • Server: the IP address of the Snare Central server
  • Status: enable

Syslog criticality levels are dynamically determined by the source event priority.

Log Priority Levels

Level              Description
0 - Emergency      The system has become unstable.
1 - Alert          Immediate action is required.
2 - Critical       Functionality is affected.
3 - Error          An error condition exists and functionality could be affected.
4 - Warning        Functionality could be affected.
5 - Notification   Information about normal events.
6 - Information    General information about system operations.

The Debug priority level, not shown above, is rarely used. It is the lowest log priority level and usually contains some firmware status information that is useful when the FortiGate unit is not functioning properly.

Log ID numbers

The ID (logid="xxyyzzzzzz") is a 10-digit field. It is a unique identifier for that specific log and includes the following information about the log entry.

Log ID number components

Log Type ("xx--------"): represented by the first two digits of the log ID.
  • Traffic log IDs begin with "00".
  • Event log IDs begin with "01".

Sub Type or Event Type ("--yy------"): represented by the second two digits of the log ID.
  • The VPN log subtype is represented by "01" and belongs to the Event log type, which is represented by "01". Therefore, all VPN-related Event log IDs begin with the 0101 log ID series.

Message ID ("----zzzzzz"): the last six digits of the log ID represent the message ID.
  • An administrator account always has the log ID 0000003401.
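As an added example (not code from this page, Snare Central or Fortinet), the following Python decodes the three log ID components described above. The function names (split_logid, describe_logid, logid_from_event) are my own, and the only code tables it knows are the ones this page states: "00"/"01" for the log type and "01" for the VPN event subtype. It keeps the ID as text because converting it to an integer would silently drop the leading zeros that carry the type and subtype.

```python
import re

# Codes given on this page: first two digits = log type, second two = subtype.
LOG_TYPES = {"00": "traffic", "01": "event"}
EVENT_SUBTYPES = {"01": "vpn"}   # the page only states the VPN event-subtype code

# Matches logid=0000000013 or logid="0000000013"; the digits are captured as text so
# the leading zeros survive (int() would turn "0000000013" into 13).
LOGID_RE = re.compile(r'\blogid="?(\d{10})"?')


def split_logid(logid):
    """Split a 10-digit log ID string into (type, subtype, message_id) digit strings."""
    if not isinstance(logid, str) or len(logid) != 10 or not logid.isdigit():
        raise ValueError(f"log ID must be a string of exactly 10 digits, got {logid!r}")
    return logid[:2], logid[2:4], logid[4:]


def describe_logid(logid):
    """Decode the three components and name them where this page gives the code."""
    type_code, subtype_code, message_id = split_logid(logid)
    info = {
        "type_code": type_code,
        "subtype_code": subtype_code,
        "message_id": message_id,
        "type": LOG_TYPES.get(type_code, "unknown"),
        "subtype": "unknown",
        # The four-digit prefix identifies a "series", e.g. "0101" = all VPN event logs.
        "series": type_code + subtype_code,
    }
    if type_code == "01":
        info["subtype"] = EVENT_SUBTYPES.get(subtype_code, "unknown")
    return info


def logid_from_event(line):
    """Extract the log ID from a raw key=value event line, or None if it has none."""
    m = LOGID_RE.search(line)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Leading fields of the sample event from this page, plus one constructed
    # (hypothetical) ID in the VPN event series.
    sample = 'date=2019-05-10 time=11:37:47 logid="0000000013" type="traffic" subtype="forward"'
    print(describe_logid(logid_from_event(sample)))
    print(describe_logid("0101000001"))   # constructed: event type, VPN subtype
```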

List of Log Types and Subtypes

Type      Subtypes
Traffic   Forward, Local, Multicast, Sniffer
Event     System, VPN, User, Router, Wireless, WAD, Endpoint, HA, Security Rating, FortiExtender, Connector, SD-WAN
UTM       (see UTM Log Subtypes below)

UTM Log Subtypes

UTM Log Subtype   Event Types
Virus             Analytics, Filetype Executable, Outbreak Prevention, Content Disarm, Command Blocked, Malware list, Infected, Filename, Oversize, Mime Fragmented, Scan Error, Switch Proto
Web Filter        Unknown, Content, URL Filter, FortiGuard Block, FortiGuard Allow, FortiGuard Error, ActiveX Filter, Cookie Filter, Applet Filter, FortiGuard Quota Counting, FortiGuard Quota, Script Filter, webfilter_command_block, HTTP Header Change, SSL Exempt, Anti-phishing, FortiGuard Quota Expired, URL Monitor
IPS               Signature, Malicious URL, Botnet
Email Filter      Spam, Email, Bannedword, FTGD Error, Webmail, File Filter
Anomaly           Anomaly
VoIP              VoIP
DLP               DLP, Document Source
App Ctrl          Signature, Port-violation, Protocol-violation
WAF               Signature, Custom Signature, HTTP Method, HTTP Constraint, Address List, URL Access
GTP               GTP-All
DNS               DNS-query, DNS-response
SSH               SSH-Command, SSH-Channel
SSL               SSL-Anomalies, SSL-Exempt, SSL-Negotiation
CIFS              CIFS-File Filter, CIFS-Auth Fail
File Filter       File filter
ICAP              ICAP

Sample Event

date=2019-05-10 time=11:37:47 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1557513467369913239 srcip=10.1.100.11 srcport=58012 srcintf="port12" srcintfrole="undefined" dstip=23.59.154.35 dstport=80 dstintf="port11" dstintfrole="undefined" srcuuid="ae28f494-5735-51e9-f247-d1d2ce663f4b" dstuuid="ae28f494-5735-51e9-f247-d1d2ce663f4b" poluuid="ccb269e0-5735-51e9-a218-a397dd08b7eb" sessionid=105048 proto=6 action="close" policyid=1 policytype="policy" service="HTTP" dstcountry="Canada" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=58012 appid=34050 app="HTTP.BROWSER_Firefox" appcat="Web.Client" apprisk="elevated" applist="g-default" duration=116 sentbyte=1188 rcvdbyte=1224 sentpkt=17 rcvdpkt=16 utmaction="allow" countapp=1 osname="Ubuntu" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=65500-742

Fields

(Generic mapping, applied to any FortiGate log type/subtype/eventtype not yet specifically supported in version 6.4.2; provided for future support purposes.)

Field          Description
DATE           Event date, in the format YYYY-MM-DD
TIME           Event time, in the format HH:MM:SS
SYSTEM         The source system
TABLE          FortiGate
CRITICALITY
LOGID          Unique 10-digit identifier (log type, subtype/event type and message ID) for that specific log; includes information about the log entry
TYPE           Represented by the first two digits of the log ID
SUBTYPE        Represented by the second two digits of the log ID
EVENTTYPE      Represented by the second two digits of the log ID
DEVNAME
DEVID          Serial number of the device for the traffic's origin
LEVEL          Security level rating
VD             Name of the virtual domain in which the log message was recorded
EVENTTIME      Epoch time the log was triggered by FortiGate
SRCIP          IP address of the traffic's origin
SRCPORT        Port number of the traffic's origin
SRCINTF        Interface name of the traffic's origin
SRCINTFROLE    Name of the source interface
DSTIP          Destination IP address for the web
DSTPORT        Port number of the traffic's destination
DSTINTF        Interface of the traffic's destination
DSTINTFROLE    Name of the destination interface
SESSIONID      Session ID
PROTO          The protocol used by web traffic
ACTION         Status of the session
POLICYID       Name of the firewall policy governing the traffic which caused the log message
POLICYTYPE
SERVICE        Name of the service
MSG            Message text
SNAREDATAMAP   All other data in the event will be pushed to this field
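The following Python is an added example, not Snare Central's or Fortinet's code. It shows how a raw key=value event like the sample above is tokenized into the field table (quoted values, which may contain spaces, are handled as single tokens), how unmapped keys are gathered into SNAREDATAMAP, and how the event's level maps to a syslog severity and PRI value under the local0 facility recommended in the collection settings. The function names (parse_event, syslog_pri, to_snare_record), the dict shape of the record, the treatment of CRITICALITY as the severity derived from level, and the second event line are assumptions I have constructed; the first event line is this page's sample with its UUID fields omitted for length.

```python
import re

# Tokenizer for FortiGate key=value lines: the value is either a double-quoted string
# (which may contain spaces, e.g. msg="Admin login") or a bare run of non-whitespace.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Fields the table above maps to named columns; every other key goes to SNAREDATAMAP.
MAPPED_FIELDS = ("date", "time", "logid", "type", "subtype", "eventtype", "devname",
                 "devid", "level", "vd", "eventtime", "srcip", "srcport", "srcintf",
                 "srcintfrole", "dstip", "dstport", "dstintf", "dstintfrole",
                 "sessionid", "proto", "action", "policyid", "policytype", "service", "msg")

# FortiGate level names -> syslog severity numbers, following the priority table above
# (debug = 7 is the lowest priority). "notification" is the table's name for "notice".
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3, "warning": 4,
            "notice": 5, "notification": 5, "information": 6, "debug": 7}
FACILITY_LOCAL0 = 16   # syslog facility code for local0, the recommended setting

# Sample traffic event from this page (UUID fields omitted for length).
SAMPLE_EVENT = (
    'date=2019-05-10 time=11:37:47 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="vdom1" eventtime=1557513467369913239 srcip=10.1.100.11 srcport=58012 '
    'srcintf="port12" srcintfrole="undefined" dstip=23.59.154.35 dstport=80 dstintf="port11" '
    'dstintfrole="undefined" sessionid=105048 proto=6 action="close" policyid=1 '
    'policytype="policy" service="HTTP" dstcountry="Canada" srccountry="Reserved" '
    'trandisp="snat" transip=172.16.200.2 transport=58012 appid=34050 '
    'app="HTTP.BROWSER_Firefox" appcat="Web.Client" apprisk="elevated" applist="g-default" '
    'duration=116 sentbyte=1188 rcvdbyte=1224 sentpkt=17 rcvdpkt=16 utmaction="allow" '
    'countapp=1 osname="Ubuntu" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" '
    'srcserver=0 utmref=65500-742')

# Constructed event (hypothetical log ID, not from the page) whose msg value contains
# spaces; a naive split() on whitespace would break it into several bogus tokens.
CONSTRUCTED_EVENT = (
    'date=2019-05-10 time=11:40:02 logid="0100000001" type="event" subtype="system" '
    'level="information" vd="root" user="admin" ui="ssh(10.1.100.11)" action="login" '
    'status="success" msg="Administrator admin logged in successfully from ssh(10.1.100.11)"')


def parse_event(line):
    """Tokenize one key=value event line into a dict; quotes are stripped from values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
    return fields


def syslog_pri(level, facility=FACILITY_LOCAL0):
    """Syslog PRI value (facility * 8 + severity) for a FortiGate level name."""
    if level not in SEVERITY:
        raise ValueError(f"unknown FortiGate level {level!r}")
    return facility * 8 + SEVERITY[level]


def to_snare_record(line, source_system):
    """Map one event onto the field table above (assumed shape: a dict keyed by the
    upper-case field names; SYSTEM is the address of the syslog sender)."""
    fields = parse_event(line)
    record = {"SYSTEM": source_system, "TABLE": "FortiGate"}
    for name in MAPPED_FIELDS:
        record[name.upper()] = fields.get(name)   # None when the event lacks the key
    # Assumption: CRITICALITY carries the syslog severity derived from the event level.
    record["CRITICALITY"] = SEVERITY.get(fields.get("level"))
    # Unmapped keys are carried along verbatim, re-quoted, as one key="value" string.
    record["SNAREDATAMAP"] = " ".join(
        f'{k}="{v}"' for k, v in fields.items() if k not in MAPPED_FIELDS)
    return record


if __name__ == "__main__":
    for line in (SAMPLE_EVENT, CONSTRUCTED_EVENT):
        rec = to_snare_record(line, "192.0.2.1")   # documentation address as the sender
        print(rec["LOGID"], rec["TYPE"], rec["LEVEL"], "PRI", syslog_pri(rec["LEVEL"]))
        print("  MSG:", rec["MSG"])
        print("  SNAREDATAMAP:", rec["SNAREDATAMAP"])
```

The PRI value is what a receiver sees in the `<PRI>` prefix of each datagram; with local0 a "notice" event arrives as `<133>`, so a collector that filters on facility can separate FortiGate traffic from other local syslog sources without inspecting the message body.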

Notes

Log Message Reference Documentation: https://docs.fortinet.com/document/fortigate/6.4.2/fortios-log-message-reference
