| Table of Contents | ||||||
|---|---|---|---|---|---|---|
|
...
The full tag must have at least two levels, although most require three and four levels. The first two are fixed as firewall.fortinet. The third level identifies the technology type and must be one of event, traffic, ips, utm, or anomaly. The fourth element is not always required but is usually fixed and may be automatically generated by the Devo relay rule.
technologyTechnology | brandBrand | typeType | subtypeSubtype |
|---|---|---|---|
firewall | fortinet |
| may be fixed and required |
...
- firewall.fortinet
- firewall.fortinet.anomaly.anomaly
- firewall.fortinet.event
- firewall.fortinet.event.admin
- firewall.fortinet.event.config
- firewall.fortinet.event.dhcp
- firewall.fortinet.event.dns
- firewall.fortinet.event.ha
- firewall.fortinet.event.his-performance
- firewall.fortinet.event.ipsec
- firewall.fortinet.event.pattern
- firewall.fortinet.event.perf-historical
- firewall.fortinet.event.sslvpn-session
- firewall.fortinet.event.sslvpn-user
- firewall.fortinet.event.system
- firewall.fortinet.event.user
- firewall.fortinet.event.vpn
- firewall.fortinet.event.wireless
- firewall.fortinet.ips.anomaly
- firewall.fortinet.traffic
- firewall.fortinet.traffic.forward
- firewall.fortinet.traffic.local
- firewall.fortinet.traffic.multicast
- firewall.fortinet.traffic.other
- firewall.fortinet.traffic.violation
- firewall.fortinet.utm.app-ctrl
- firewall.fortinet.utm.dns
- firewall.fortinet.utm.emailfilter
- firewall.fortinet.utm.ips
- firewall.fortinet.utm.virus
- firewall.fortinet.utm.webfilter
...
For more details about FortiGate logging, see the vendor documentation.
Related articles
...
Log samples
The following are sample logs sent to each of the firewall.fortinet data tables. Also, find how the information will be parsed in your data table under each sample log.
| Note | ||
|---|---|---|
| ||
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns. |
firewall.fortinet.utm.dns
| Code Block |
|---|
2022-02-15 12:24:44.189 localhost=127.0.0.1 firewall.fortinet.utm.dns: date=2022-02-11,time=01:52:55,devname="Some dev",devid="AAA11AA21081637",eventtime=1644558775402818899,tz="-0400",logid="1500054000",type="utm",subtype="dns",eventtype="dns-query",level="information",vd="root",policyid=3,sessionid=35603897,srcip=127.67.86.9,srcport=49097,srcintf="internal",srcintfrole="lan",dstip=127.199.197.189,dstport=53,dstintf="wan1",dstintfrole="wan",proto=17,profile="default",xid=15477,qname="some_query",qtype="A",qtypeval=1,qclass="IN" |
And this is how the log would be parsed:
Field | Value | Type | Extra fields |
|---|---|---|---|
eventdate |
|
| |
hostname |
|
| |
serverdate |
|
| |
servertime |
|
| |
devname |
|
| |
devid |
|
| |
eventtime |
|
| |
tz |
|
| |
logid |
|
| |
type |
|
| |
subtype |
|
| |
eventtype |
|
| |
level2 |
|
| |
vd |
|
| |
policyid |
|
| |
sessionid |
|
| |
srcip |
|
| |
srcport |
|
| |
srcintf |
|
| |
srcintfrole |
|
| |
dstip |
|
| |
dstport |
|
| |
dstintf |
|
| |
dstintfrole |
|
| |
proto |
|
| |
profile |
|
| |
xid |
|
| |
qname |
|
| |
qtype |
|
| |
qtypeval |
|
| |
qclass |
|
| |
ipaddr |
|
| |
msg |
|
| |
action |
|
| |
cat |
|
| |
catdesc |
|
| |
hostchain |
|
| ✓ |
tag |
|
| ✓ |
rawMessage |
|
| ✓ |