k. Domain Name System (DNS)
- Svetlana Sheptiy
- Karein Directo (Unlicensed)
Records domain name server events.
Sample Events
date=2019-05-15 time=15:05:49 logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="vdom1" eventtime=1557957949740931155 policyid=1 sessionid=6887 srcip=10.1.100.22 srcport=50002 srcintf="port12" srcintfrole="undefined" dstip=172.16.100.100 dstport=53 dstintf="port11" dstintfrole="undefined" proto=17 profile="dnsfilter_fgd" srcmac="a2:e9:00:ec:40:41" xid=57945 qname="changelogs.ubuntu.com" qtype="AAAA" qtypeval=28 qclass="IN" ipaddr="2001:67c:1560:8008::11" msg="Domain is monitored" action="pass" cat=52 catdesc="Information Technology"
date=2019-05-15 time=15:05:49 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1557957949653103543 policyid=1 sessionid=6887 srcip=10.1.100.22 srcport=50002 srcintf="port12" srcintfrole="undefined" dstip=172.16.100.100 dstport=53 dstintf="port11" dstintfrole="undefined" proto=17 profile="dnsfilter_fgd" srcmac="a2:e9:00:ec:40:41" xid=57945 qname="changelogs.ubuntu.com" qtype="AAAA" qtypeval=28 qclass="IN"
Fields
Field | Description |
|---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in the format HH:MM:SS |
SYSTEM | The source system |
TABLE | FortiGateDNS |
CRITICALITY |
|
LOGID | Unique 10-digit identifier (log type, subtype/event type and message ID) for that specific log and includes information about the log entry |
TYPE | Represented by the first two digits of the log ID |
SUBTYPE | Represented by the first/second two digits of the log ID |
EVENTTYPE | Represented by the second two digits of the log ID |
DEVNAME |
|
DEVID | Serial number of the device for the traffic's origin |
LEVEL | Security level rating |
VD | Name of the virtual domain in which the log message was recorded |
EVENTTIME | Epoch time the log was triggered by FortiGate |
TZ |
|
POLICYID | Policy ID |
SESSIONID | Session ID |
USER | User name |
SRCIP | Source IP |
SRCPORT | Source port |
SRCINTF | Source interface |
SRCINTFROLE |
|
DSTIP | Destination IP |
DSTPORT | Destination port |
DSTINTF | Destination interface |
DSTINTFROLE |
|
PROTO | Protocol number |
PROFILE | Profile name for DNS filter |
SRCMAC | MAC address associated with the Source IP |
XID | Transaction ID |
QNAME | Query domain name |
QTYPE | Query domain description |
QTYPEVAL |
|
QCLASS | Query class |
IPADDR | IP addresses from DNS response answer section |
ACTION | Security action performed by DNS filter |
DOMAINFILTERIDX | Domain filter ID |
DOMAINFILTERLIST | Domain filter name |
CAT | DNS category ID |
CATDESC | DNS category description |
MSG | Log message |
SNAREDATAMAP | All other data in the event will be pushed to this field |
Notes
Log Message Reference Documentation: https://docs.fortinet.com/document/fortigate/6.4.2/fortios-log-message-reference