Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

[ Introduction ] [ Tag structure ] [ How is the data sent to Devo? ] [ Table structure ]

Introduction

The tags beginning with cef0.fortinet identify events in CEF format generated by Fortinet.

Tag structure

Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.

In this case, the valid data tables are:

Tags

Data tables

cef0.fortinet.fortiauthenticator

cef0.fortinet.fortiauthenticator

cef0.fortinet.fortigate

cef0.fortinet.fortigate

cef0.fortinet.fortigate200e

cef0.fortinet.fortigate200e

cef0.fortinet.fortigate300d

cef0.fortinet.fortigate300d

cef0.fortinet.fortigate400e

cef0.fortinet.fortigate400e

cef0.fortinet.fortigate600e

cef0.fortinet.fortigate600e

cef0.fortinet.fortigate60e

cef0.fortinet.fortigate60e

cef0.fortinet.fortigateAll

cef0.fortinet.fortigateAll

cef0.fortinet.fortinacVmCa

cef0.fortinet.fortinacVmCa

How is the data sent to Devo?

Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.

Table structure

These are the fields displayed in this table:

cef0.fortinet.fortiauthenticator

Field

Type

Extra field

Source field name

eventdate

timestamp

hostname

str

priorityCode

str

cefTag

str

cefVersion

str

embDeviceVendor

str

embDeviceProduct

str

deviceVersion

str

signatureID

str

name

str

severity

str

_cefVer

str

destinationServiceName

str

msg

str

deviceFacility

str

suser

str

dvc

ip4

act

str

deviceProcessName

str

in

int8

rt

timestamp

out

int8

dtz

str

deviceZoneID

str

eventAnnotationAuditTrail

str

eventAnnotationVersion

str

eventAnnotationModificationTime

str

art

str

originalAgentAddress

str

eventId

str

at

str

mrt

str

customerURI

str

originalAgentZoneURI

str

assetCriticality

str

eventAnnotationFlags

str

agt

str

modelConfidence

str

aid

str

amac

str

deviceZoneExternalID

str

Severity

str

relevance

str

av

str

eventAnnotationStageUpdateTime

str

locality

str

ahost

str

originalAgentVersion

str

customerID

str

atz

str

originalAgentMacAddress

str

originalAgentType

str

deviceSeverity

str

originalAgentId

str

eventAnnotationManagerReceiptTime

str

originalAgentHostName

str

priority

str

deviceZoneURI

str

eventAnnotationEndTime

str

hostchain

str

tag

str

cefTag

rawMessage

str

cef0.fortinet.fortigate

Field

Type

Extra field

Source field name

eventdate

timestamp

rawMessage

str

hostchain

str

hostname

str

priorityCode

str

cefTag

str

cefVersion

str

embDeviceVendor

str

embDeviceProduct

str

deviceVersion

str

signatureID

str

name

str

severity

str

_cefVer

str

act

str

app

str

cat

str

c6a1Label

str

c6a1

str

c6a2Label

str

c6a2

str

c6a3Label

str

c6a3

str

c6a4Label

str

c6a4

str

cfp1Label

str

cfp1

float8

cfp2Label

str

cfp2

float8

cfp3Label

str

cfp3

float8

cfp4Label

str

cfp4

float8

cn1Label

str

cn1

int8

cn2Label

str

cn2

int8

cn3Label

str

cn3

int8

cnt

int4

cs1Label

str

cs1

str

cs2Label

str

cs2

str

cs3Label

str

cs3

str

cs4Label

str

cs4

str

cs5Label

str

cs5

str

cs6Label

str

cs6

str

destinationDnsDomain

str

destinationServiceName

str

destinationTranslatedAddress

ip4

destinationTranslatedPort

int4

deviceCustomDate1Label

str

deviceCustomDate1

timestamp

deviceCustomDate2Label

str

deviceCustomDate2

timestamp

deviceDirection

int4

deviceDnsDomain

str

deviceExternalId

str

deviceInboundInterface

str

deviceMacAddress

str

deviceNtDomain

str

deviceOutboundInterface

str

deviceProcessName

str

deviceTranslatedAddress

ip4

dhost

str

dmac

str

dntdom

str

dpid

int4

dpriv

str

dproc

str

dst

ip4

duid

str

duser

str

dvchost

str

dvc

ip4

dvcpid

int4

end

timestamp

deviceFacility

str

externalId

str

fileCreateTime

timestamp

fileHash

str

fileId

str

fileModificationTime

timestamp

filePath

str

filePermission

str

fileType

str

fname

str

fsize

int8

in

int8

msg

str

oldFileCreateTime

timestamp

oldFileHash

str

oldFileId

str

oldFileModificationTime

timestamp

oldFileName

str

oldFilePath

str

oldFilePermission

str

oldFileSize

int8

oldFileType

str

outcome

str

out

int8

proto

str

reason

str

requestClientApplication

str

requestCookies

str

requestMethod

str

request

str

rt

timestamp

shost

str

smac

str

sntdom

str

sourceDnsDomain

str

sourceServiceName

str

sourceTranslatedAddress

ip4

sourceTranslatedPort

int4

spid

int4

spriv

str

sproc

str

spt

int4

src

ip4

start

timestamp

suid

str

suser

str

catdt

str

deviceDomain

str

deviceSeverity

str

dpt

int4

dtz

str

dvcmac

str

endTime

str

eventId

str

flexNumber1

str

flexNumber1Label

str

flexNumber2

str

flexNumber2Label

str

flexString1

str

flexString1Label

str

flexString2

str

flexString2Label

str

modelConfidence

int4

priority

int4

relevance

int4

requestContext

str

sessionId

str

slat

float8

slong

float8

dlat

float8

dlong

float8

sourceGeoCountryCode

str

sourceGeoLocationInfo

str

sourceGeoPostalCode

str

sourceGeoRegionCode

str

destinationGeoCountryCode

str

destinationGeoLocationInfo

str

destinationGeoPostalCode

str

destinationGeoRegionCode

str

agt

ip4

ahost

str

art

str

atz

str

mrt

timestamp

categoryBehavior

str

categoryCustomFormatField

str

categoryDeviceGroup

str

categoryObject

str

categoryOutcome

str

categorySignificance

str

categoryTechnique

str

categoryTupleDescription

str

assetCriticality

str

customerID

str

customerURI

str

tag

str

cefTag

cef0.fortinet.fortigate200e

Field

Type

Extra field

Source field name

eventdate

timestamp

hostname

str

priorityCode

str

cefTag

str

cefVersion

str

embDeviceVendor

str

embDeviceProduct

str

deviceVersion

str

signatureID

str

name

str

severity

str

_cefVer

str

act

str

app

str

cat

str

c6a4Label

str

deviceExternalId

str

deviceInboundInterface

str

deviceOutboundInterface

str

dst

ip4

dpt

int4

dvchost

str

in

int8

out

int8

proto

str

rt

timestamp

shost

str

sourceTranslatedAddress

ip4

sourceTranslatedPort

int4

src

ip4

spt

int4

agentZoneURI

str

agt

str

ahost

str

aid

str

amac

str

art

str

at

str

atz

str

av

str

categoryBehavior

str

categoryDeviceGroup

str

categoryObject

str

categoryOutcome

str

categorySignificance

str

customerURI

str

destinationZoneURI

str

deviceSeverity

str

dtz

str

eventId

str

geid

str

sourceTranslatedZoneURI

str

sourceZoneURI

str

hostchain

str

tag

str

cefTag

rawMessage

str

cef0.fortinet.fortigate300d

Field

Type

Extra field

Source field name

eventdate

timestamp

hostname

str

priorityCode

str

cefTag

str

cefVersion

str

embDeviceVendor

str

embDeviceProduct

str

deviceVersion

str

signatureID

str

name

str

severity

str

_cefVer

str

act

str

app

str

cat

str

c6a4Label

str

cnt

int4

deviceExternalId

str

deviceInboundInterface

str

deviceOutboundInterface

str

dhost

str

dst

ip4

dpt

int4

dvchost

str

in

int8

msg

str

out

int8

proto

str

request

str

rt

timestamp

shost

str

sourceTranslatedAddress

ip4

src

ip4

start

timestamp

agentZoneURI

str

agt

str

ahost

str

aid

str

amac

str

art

str

at

str

atz

str

av

str

categoryBehavior

str

categoryDeviceGroup

str

categoryObject

str

categoryOutcome

str

categorySignificance

str

customerURI

str

destinationZoneURI

str

deviceSeverity

str

dtz

str

eventId

str

geid

str

sourceTranslatedZoneURI

str

sourceZoneURI

str

type

str

hostchain

str

tag

str

cefTag

rawMessage

str

cef0.fortinet.fortigate400e

Field

Type

Extra field

Source field name

eventdate

timestamp

hostname

str

priorityCode

str

cefTag

str

cefVersion

str

embDeviceVendor

str

embDeviceProduct

str

deviceVersion

str

signatureID

str

name

str

severity

str

_cefVer

str

act

str

app

str

cat

str

c6a4Label

str

deviceExternalId

str

deviceInboundInterface

str

deviceOutboundInterface

str

dhost

str

dst

ip4

dpt

int4

dvchost

str

in

int8

out

int8

proto

str

rt

timestamp

shost

str

sourceTranslatedAddress

ip4

sourceTranslatedPort

int4

src

ip4

spt

int4

agentZoneURI

str

agt

str

ahost

str

aid

str

amac

str

art

str

at

str

atz

str

av

str

categoryBehavior

str

categoryDeviceGroup

str

categoryObject

str

categoryOutcome

str

categorySignificance

str

destinationZoneURI

str

deviceSeverity

str

dtz

str

eventId

str

geid

str

sourceTranslatedZoneURI

str

sourceZoneURI

str

hostchain

str

tag

str

cefTag

rawMessage

str

cef0.fortinet.fortigate600e

Field

Type

Extra field

Source field name

eventdate

timestamp

hostname

str

priorityCode

str

cefTag

str

cefVersion

str

embDeviceVendor

str

embDeviceProduct

str

deviceVersion

str

signatureID

str

name

str

severity

str

_cefVer

str

rt

timestamp

eventId

str

msg

str

app

str

proto

str

in

int8

out

int8

categorySignificance

str

categoryBehavior

str

categoryDeviceGroup

str

categoryOutcome

str

categoryObject

str

art

str

cat

str

deviceSeverity

str

act

str

src

ip4

sourceZoneURI

str

spt

int4

dhost

str

dst

ip4

destinationZoneURI

str

dpt

int4

request

str

requestContext

str

c6a4Label

str

ahost

str

agt

str

agentZoneURI

str

amac

str

av

str

atz

str

at

str

dvchost

str

dtz

str

deviceExternalId

str

deviceInboundInterface

str

deviceOutboundInterface

str

aid

str

geid

str

hostchain

str

tag

str

cefTag

rawMessage

str

cef0.fortinet.fortigate60e

Field

Type

Extra field

Source field name

eventdate

timestamp

hostname

str

priorityCode

str

cefTag

str

cefVersion

str

embDeviceVendor

str

embDeviceProduct

str

deviceVersion

str

signatureID

str

name

str

severity

str

_cefVer

str

act

str

app

str

cat

str

c6a4Label

str

deviceExternalId

str

deviceInboundInterface

str

deviceOutboundInterface

str

dst

ip4

dpt

int4

dvchost

str

in

int8

out

int8

proto

str

rt

timestamp

shost

str

src

ip4

spt

int4

agentZoneURI

str

agt

str

ahost

str

aid

str

amac

str

art

str

at

str

atz

str

av

str

categoryBehavior

str

categoryDeviceGroup

str

categoryObject

str

categoryOutcome

str

categorySignificance

str

customerURI

str

destinationZoneURI

str

deviceSeverity

str

dtz

str

eventId

str

geid

str

sourceZoneURI

str

hostchain

str

tag

str

cefTag

rawMessage

str

cef0.fortinet.fortigateAll

Field

Type

Extra field

Source field name

eventdate

timestamp

source

str

_cefVer

str

fwname

str

act

str

app

str

cat

str

c6a4Label

str

deviceExternalId

str

deviceInboundInterface

str

deviceOutboundInterface

str

dst

ip4

dpt

int4

dvchost

str

in

int8

out

int8

proto

str

rt

timestamp

src

ip4

spt

int4

agt

str

ahost

str

art

str

atz

str

categoryBehavior

str

categoryDeviceGroup

str

categoryObject

str

categoryOutcome

str

categorySignificance

str

deviceSeverity

str

dtz

str

eventId

str

rawMessage

str

rawSource

hostchain

str

tag

str

cef0.fortinet.fortinacVmCa

Field

Type

Extra field

Source field name

eventdate

timestamp

hostname

str

priority_code

str

cef_tag

str

cef_version

str

emb_device_vendor

str

emb_device_product

str

device_version

str

signature_id

str

name

str

severity

str

category

str

message

str

device_receipt_time

str

source_hostname

str

source_ip

ip4

source_mac

str

source_user_id

str

cs1Label

str

cs1

str

hostchain

str

tag

str

cef_tag

rawMessage

str

  • No labels