Internet Content Adaptation Protocol (ICAP)
Records ICAP events.
Sample Event
date=2021-01-06 time=12:42:15 logid="2000060000" type="utm" subtype="icap" eventtype="icap" level="warning" vd="root" eventtime=1587465735129231120 tz="+0200" msg="Request blocked due to ICAP server error" service="HTTP" srcip=172.31.133.213 dstip=162.x.x.x srcport=56232 dstport=80 srcintf="port3" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" policyid=1 sessionid=371403 proto=6 action="blocked" profile="default" url="http://www.anydomain.com /images/gap.jpg"
Fields
Field | Description |
---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in the format HH:MM:SS |
SYSTEM | The source system |
TABLE | FortiGateICAP |
CRITICALITY | |
LOGID | Unique 10-digit identifier (log type, subtype/event type and message ID) for that specific log; includes information about the log entry |
TYPE | Represented by the first two digits of the log ID |
SUBTYPE | Represented by the first/second two digits of the log ID |
EVENTTYPE | Represented by the second two digits of the log ID |
DEVNAME | |
DEVID | Serial number of the device for the traffic's origin |
LEVEL | Security level rating |
VD | Name of the virtual domain in which the log message was recorded |
EVENTTIME | Epoch time the log was triggered by FortiGate |
TZ | |
SERVICE | Service name |
SRCIP | Source IP |
SRCPORT | Source port |
SRCINTF | Source interface |
SRCINTFROLE | |
DSTIP | Destination IP |
DSTPORT | Destination port |
DSTINTF | Destination interface |
DSTINTFROLE | |
POLICYID | Policy ID |
SESSIONID | Session ID |
PROTO | Protocol number |
ACTION | Security action performed by IPS |
PROFILE | Profile name for IPS |
URL | |
MSG | Log message for the attack |
SNAREDATAMAP | All other data in the event will be pushed to this field |
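As an added example (not part of this reference and not the collector's own code), the following Python parses the sample event above into the FortiGateICAP columns: it splits the key=value body (quoted values may contain spaces, as the url field does), decomposes the 10-digit log ID as the LOGID row describes, and pushes any key not in the documented column set into SNAREDATAMAP. The function names and the 2/2/6-digit split of the log ID are assumptions of this example.

```python
import re

# Constructed sample: the event shown on this page, joined into one line.
SAMPLE_EVENT = (
    'date=2021-01-06 time=12:42:15 logid="2000060000" type="utm" subtype="icap" '
    'eventtype="icap" level="warning" vd="root" eventtime=1587465735129231120 '
    'tz="+0200" msg="Request blocked due to ICAP server error" service="HTTP" '
    'srcip=172.31.133.213 dstip=162.x.x.x srcport=56232 dstport=80 srcintf="port3" '
    'srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" policyid=1 '
    'sessionid=371403 proto=6 action="blocked" profile="default" '
    'url="http://www.anydomain.com /images/gap.jpg"'
)

# key=value pairs: the value is either double-quoted (may contain spaces) or a bare token.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Event keys that map onto the FortiGateICAP columns documented in the table above.
TABLE_FIELDS = (
    "date", "time", "logid", "type", "subtype", "eventtype", "devname", "devid",
    "level", "vd", "eventtime", "tz", "service", "srcip", "srcport", "srcintf",
    "srcintfrole", "dstip", "dstport", "dstintf", "dstintfrole", "policyid",
    "sessionid", "proto", "action", "profile", "url", "msg",
)


def parse_kv(line):
    """Split a FortiGate log body into a dict of raw string values (hypothetical helper)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def split_logid(logid):
    """Decompose the log ID: first two digits = type, next two = subtype, rest = message ID
    (the 2/2/6 split is an assumption of this example)."""
    if not re.fullmatch(r"\d{10}", logid):
        raise ValueError(f"unexpected logid format: {logid!r}")
    return {"type": logid[:2], "subtype": logid[2:4], "message_id": logid[4:]}


def to_table_row(line):
    """Map one raw event to the documented columns; unmapped keys go to SNAREDATAMAP."""
    kv = parse_kv(line)
    row = {name.upper(): kv.pop(name) for name in TABLE_FIELDS if name in kv}
    row["TABLE"] = "FortiGateICAP"
    row["SNAREDATAMAP"] = kv  # everything the column set does not name
    return row
```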
Notes
Log Message Reference Documentation: https://docs.fortinet.com/document/fortigate/6.4.2/fortios-log-message-reference