Sample Event

date=2019-05-13 time=14:21:42 logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1557782502722231889 logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=50.1.1.101 locip=50.1.1.100 remport=500 locport=500 outintf="port14" cookies="9091f4d4837ea71c/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="test" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK"

Fields

Field	Description

Field	Description
DATE	Event date, in the format YYYY-MM-DD
TIME	Event time, in the format HH:MM:SS
SYSTEM	The source system
TABLE	FortiGateEventVPN
CRITICALITY
LOGID	Unique 10-digit identifier (log type, subtype/event type and message ID) for that specific log and includes information about the log entry
TYPE	Represented by the first two digits of the log ID
SUBTYPE	Represented by the first/second two digits of the log ID
EVENTTYPE	Represented by the second two digits of the log ID
DEVNAME
DEVID	Serial number of the device for the traffic's origin
LEVEL	Security level rating
VD	Name of the virtual domain in which the log message was recorded
EVENTTIME	Epoch time the log was triggered by FortiGate
LOGDESC	Log description
ACTION	Action
STATUS	Status
REMIP	Remote IP
LOCIP	Local IP
REMPORT	Remote port
LOCPORT	Local port
OUTINTF	Out interface
COOKIES	Cookie
USER	User name
GROUP	User group name
XAUTHUSER	XAuth user name
XAUTHGROUP	XAuth group name
ASSIGNIP	Assigned IP address
VPNTUNNEL	IPsec VPN tunnel name
INIT
MODE	Mode
DIR	Direction
STAGE
ROLE	Role
RESULT	Result
MSG	Message text
SNAREDATAMAP	All other data in the event will be pushed to this field

Notes

Log Message Reference Documentation: https://docs.fortinet.com/document/fortigate/6.4.2/fortios-log-message-reference

Snare Central v8 Documentation

b. Virtual Private Network (VPN)

Analytics

Sample Event

Fields

Notes

Related content