firewall.fortinet
- Juan Tomás Alonso Nieto (Unlicensed)
The tags beginning with firewall.fortinet identify log events generated by the following Fortinet technologies:
- Fortinet FortiGate
- Fortinet Unified Threat Management (UTM)
There are a large number of firewall.fortinet tags to accommodate the wide range of log types possible.
Tag structure
The full tag must have at least two levels, although most require three and four levels. The first two are fixed as firewall.fortinet. The third level identifies the technology type and must be one of event, traffic, ips, utm, or anomaly. The fourth element is not always required but is usually fixed and may be automatically generated by the Devo relay rule.
Technology | Brand | Type | Subtype |
|---|---|---|---|
firewall | fortinet |
| may be fixed and required |
Here's a complete list of valid tags:
- firewall.fortinet
- firewall.fortinet.anomaly.anomaly
- firewall.fortinet.event
- firewall.fortinet.event.admin
- firewall.fortinet.event.config
- firewall.fortinet.event.dhcp
- firewall.fortinet.event.dns
- firewall.fortinet.event.ha
- firewall.fortinet.event.his-performance
- firewall.fortinet.event.ipsec
- firewall.fortinet.event.pattern
- firewall.fortinet.event.perf-historical
- firewall.fortinet.event.sslvpn-session
- firewall.fortinet.event.sslvpn-user
- firewall.fortinet.event.system
- firewall.fortinet.event.user
- firewall.fortinet.event.vpn
- firewall.fortinet.event.wireless
- firewall.fortinet.ips.anomaly
- firewall.fortinet.traffic
- firewall.fortinet.traffic.forward
- firewall.fortinet.traffic.local
- firewall.fortinet.traffic.multicast
- firewall.fortinet.traffic.other
- firewall.fortinet.traffic.violation
- firewall.fortinet.utm.app-ctrl
- firewall.fortinet.utm.dns
- firewall.fortinet.utm.emailfilter
- firewall.fortinet.utm.ips
- firewall.fortinet.utm.virus
- firewall.fortinet.utm.webfilter
For more information, read more about Devo tags.
Set up the Devo relay rule
You will need to define a relay rule that can correctly identify the event type and apply the corresponding tag. The events are identified by the source port that they are received on and by matching a format defined by a regular expression.
The relay rule is different depending on if you are using FortiAnalyzer to manage the logs or if you are simply using FortiGate.
If you are using FortiAnalyzer
When the source conditions are met, the relay will apply a tag that begins with firewall.fortinet. A regular expression in the Source Data field describes the format of the event data and the target tag definition uses capturing groups to form the 3rd and 4th levels of the tag.
- Source Port → 13003
- Source Data → type=\"{0,1}([^\s^\"]+)\"{0,1}\ssubtype=\"{0,1}([^\s^\"]+)\"{0,1}
- Target Tag → firewall.fortinet.\\D1.\\D2.noncsv
- Check the Sent without syslog tag checkbox
If you are using just FortiGate
When the source conditions are met, the relay will apply a tag that begins with firewall.fortinet. A regular expression in the Source Data field describes the format of the event data and will depend on the version of FortiGate you are using:
Depending on the format of the sent event data, you must enter a different regular expression in the Source Data field:
- Events are received in CSV format without quotes → ,type=([^,]+),subtype=([^,]+)(,|$)
- Events are received in CSV format with double quotes → ,type=\"([^,]+)\",subtype=\"([^,]+)\"(,|$)
Data is then extracted from the event and used to create the third and fourth levels of the tag as needed. In the example below the rule is defined with the following settings:
- Source Port → 13003
- Source Data → ,type=([^,]+),subtype=([^,]+)(,|$) (this regular expression is based on receiving events in CSV format without quotes, as explained above)
- Target Tag → firewall.fortinet.\\D1.\\D2
- Check the Sent without syslog tag checkbox
Configure the forwarding of Fortinet logs
Using FortiAnalyzer
For deployments that aggregate FortiGate log data using FortiAnalyzer, follow the vendor instructions to configure the Devo relay as a remote syslog server using either the admin console or the FortiAnalyzer CLI. In both cases, you only need to enter the IP address of the Devo relay and specify the port on which you created the relay rule.
Using FortiGate/FortiOS
You need to have the Devo Relay IP address and the listening port number on hand when you configure your FortiGate product. In our example, here and in the relay rule above, we are sending FortiGate log events to the relay in CSV format.
- Using the FortiGate GUI, go to Log & Report → Log Settings and select Remote Logging and Archiving to configure the Devo relay as a remote syslog server.
- Using the FortiGate CLI, enter the following commands setting the server to the Devo relay IP address and the port to the relay port on which you created the rule.
config log syslogd setting set status enable set csv enable set reliable set facility local7 set server <relay_ip> set port <relay_port> end
For more details about FortiGate logging, see the vendor documentation.
Log samples
The following are sample logs sent to each of the firewall.fortinet data tables. Also, find how the information will be parsed in your data table under each sample log.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
firewall.fortinet.utm.dns
2022-02-15 12:24:44.189 localhost=127.0.0.1 firewall.fortinet.utm.dns: date=2022-02-11,time=01:52:55,devname="Some dev",devid="AAA11AA21081637",eventtime=1644558775402818899,tz="-0400",logid="1500054000",type="utm",subtype="dns",eventtype="dns-query",level="information",vd="root",policyid=3,sessionid=35603897,srcip=127.67.86.9,srcport=49097,srcintf="internal",srcintfrole="lan",dstip=127.199.197.189,dstport=53,dstintf="wan1",dstintfrole="wan",proto=17,profile="default",xid=15477,qname="some_query",qtype="A",qtypeval=1,qclass="IN"
And this is how the log would be parsed:
Field | Value | Type | Extra fields |
|---|---|---|---|
eventdate |
|
| |
hostname |
|
| |
serverdate |
|
| |
servertime |
|
| |
devname |
|
| |
devid |
|
| |
eventtime |
|
| |
tz |
|
| |
logid |
|
| |
type |
|
| |
subtype |
|
| |
eventtype |
|
| |
level2 |
|
| |
vd |
|
| |
policyid |
|
| |
sessionid |
|
| |
srcip |
|
| |
srcport |
|
| |
srcintf |
|
| |
srcintfrole |
|
| |
dstip |
|
| |
dstport |
|
| |
dstintf |
|
| |
dstintfrole |
|
| |
proto |
|
| |
profile |
|
| |
xid |
|
| |
qname |
|
| |
qtype |
|
| |
qtypeval |
|
| |
qclass |
|
| |
ipaddr |
|
| |
msg |
|
| |
action |
|
| |
cat |
|
| |
catdesc |
|
| |
hostchain |
|
| ✓ |
tag |
|
| ✓ |
rawMessage |
|
| ✓ |
firewall.fortinet.utm.dns.noncsv
2022-02-15 12:24:44.330 localhost=127.0.0.1 firewall.fortinet.utm.dns.noncsv: date=2022-02-11 time=01:53:18 devname="Some dev" devid="AAA11AA21081637" eventtime=1644558797362988759 tz="-0400" logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="root" policyid=3 sessionid=35604031 srcip=192.168.135.28 srcport=42169 srcintf="internal" srcintfrole="lan" dstip=192.168.53.25 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="default" xid=35690 qname="lt-70.johnson-gay.com" qtype="AAAA" qtypeval=28 qclass="IN"
And this is how the log would be parsed:
Field | Value | Type | Extra fields |
|---|---|---|---|
eventdate |
|
| |
hostname |
|
| |
serverdate |
|
| |
servertime |
|
| |
devname |
|
| |
devid |
|
| |
eventtime |
|
| |
tz |
|
| |
logid |
|
| |
type |
|
| |
subtype |
|
| |
eventtype |
|
| |
level2 |
|
| |
vd |
|
| |
policyid |
|
| |
sessionid |
|
| |
srcip |
|
| |
srcport |
|
| |
srcintf |
|
| |
srcintfrole |
|
| |
dstip |
|
| |
dstport |
|
| |
dstintf |
|
| |
dstintfrole |
|
| |
proto |
|
| |
profile |
|
| |
xid |
|
| |
qname |
|
| |
qtype |
|
| |
qtypeval |
|
| |
qclass |
|
| |
ipaddr |
|
| |
msg |
|
| |
action |
|
| |
cat |
|
| |
catdesc |
|
| |
hostchain |
|
| ✓ |
tag |
|
| ✓ |
rawMessage |
|
| ✓ |