waf.fortiweb

Introduction

The tags beginning with waf.fortiweb identify events generated by FortiWeb web application firewall belonging to Fortinet.

The full tag must have 3 levels. The first two are fixed as waf.fortiweb and the third identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
FortiWeb web application firewall	`waf.fortiweb.attack`	`waf.fortiweb`
	`waf.fortiweb.event`
	`waf.fortiweb.traffic`
	`waf.fortiweb.attack`	`waf.fortiweb.attack`
	`waf.fortiweb.event`	`waf.fortiweb.event`
	`waf.fortiweb.traffic`	`waf.fortiweb.traffic`

For more information, read more About Devo tags.

These are the fields displayed in these tables:

Field	Type	Extra fields

Field	Type	Source field name	Extra Label

Field	Type	Source field name	Extra Label
eventdate	`timestamp`
hostname	`str`
host	`str`	vhost
date	`timestamp`
time	`str`
log_id	`str`
msg_id	`str`
device_id	`str`
vd	`str`
timezone	`str`
timezone_dayst	`str`
type	`str`
pri	`str`
main_type	`str`
sub_type	`str`
trigger_policy	`str`
severity_level	`str`
proto	`str`
service	`str`
backend_service	`str`
action	`str`
policy	`str`
src	`ip4`
src_port	`int4`
dst	`ip4`
dst_port	`int4`
http_method	`str`
http_url	`str`
http_host	`str`
http_agent	`str`
http_session_id	`str`
msg	`str`
signature_subclass	`str`
signature_id	`str`
signature_cve_id	`str`
srccountry	`str`
content_switch_name	`str`
server_pool_name	`str`
false_positive_mitigation	`str`
user_name	`str`
monitor_status	`str`
http_refer	`str`
http_version	`str`
dev_id	`str`
es	`str`
threat_weight	`str`
history_threat_weight	`str`
threat_level	`str`
ftp_mode	`str`
ftp_cmd	`str`
cipher_suite	`str`
ml_log_hmm_probability	`str`
ml_log_sample_prob_mean	`str`
ml_log_sample_arglen_mean	`str`
ml_log_arglen	`str`
ml_svm_log_main_types	`str`
ml_svm_log_match_types	`str`
ml_svm_accuracy	`str`
ml_domain_index	`str`
ml_url_dbid	`str`
ml_arg_dbid	`str`
ml_allow_method	`str`
owasp_top10	`str`
bot_info	`str`
matched_field	`str`
matched_pattern	`str`
attack_type	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`

Field	Type	Source field name	Extra Label

Field	Type	Source field name	Extra Label
eventdate	`timestamp`
hostname	`str`
host	`str`	vhost
date	`timestamp`
time	`str`
log_id	`str`
msg_id	`str`
device_id	`str`
vd	`str`
timezone	`str`
timezone_dayst	`str`
type	`str`
subtype	`str`
pri	`str`
trigger_policy	`str`
user	`str`
ui	`str`
action	`str`
status	`str`
msg	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`

Field	Type	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`
host	`str`	vhost
date	`timestamp`
time	`str`
log_id	`str`
msg_id	`str`
device_id	`str`
vd	`str`
timezone	`str`
type	`str`
subtype	`str`
pri	`str`
proto	`str`
service	`str`
status	`str`
reason	`str`
policy	`str`
src	`ip4`
src_port	`int4`
dst	`ip4`
dst_port	`int4`
http_request_time	`str`
http_response_time	`str`
http_request_bytes	`str`
http_response_bytes	`str`
http_method	`str`
http_url	`str`
http_host	`str`
http_agent	`str`
http_retcode	`str`
msg	`str`
srccountry	`str`
content_switch_name	`str`
server_pool_name	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`