Documente Academic
Documente Profesional
Documente Cultură
VERSION 5.2.2
FORTINET DOCUMENTLIBRARY
http://docs.fortinet.com
FORTINETVIDEOGUIDE
http://video.fortinet.com
FORTINETBLOG
https://blog.fortinet.com
CUSTOMERSERVICE&SUPPORT
https://support.fortinet.com
FORTIGATECOOKBOOK
http://cookbook.fortinet.com
FORTINETTRAININGSERVICES
http://www.fortinet.com/training
FORTIGUARDCENTER
http://www.fortiguard.com
ENDUSER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: techdocs@fortinet.com
December 5, 2014
FortiOS 5.2.2 Log Reference
01-522-262694-20141205
TABLEOFCONTENTS
Change Log
Introduction
Before You Begin
How This Reference is Organized
Overview
Managing and Understanding Logs
Traffic Log
Traffic Log Messages
Security Log
Application Control
Application Control Log Messages
AntiVirus
AntiVirus Log Messages
DLP
Email Filter
Email Filter Log Messages
IPS
IPS Log Messages
Anomaly
Anomaly Log Messages
Web Filter
Web Filter Log Messages
6
7
8
8
9
10
11
11
12
12
13
13
14
14
17
18
22
31
32
33
37
38
44
47
53
57
59
63
64
67
68
73
Event Log
Endpoint Control
Endpoint Log Messages
GTP
GTP Log Messages
High Availability
High Availability Log Messages
Router
Router Log Messages
System
System Log Messages
User
User Log Messages
VPN
VPN Log Messages
WAD
WAD Log Messages
Wireless
Wireless Log Messages
Other Logs
VOIP
VOIP Log Messages
NetScan
NetScan Log Messages
76
77
81
83
91
93
96
98
100
101
112
138
142
145
152
158
161
163
170
172
173
176
177
181
182
182
182
182
183
183
185
185
185
186
186
186
186
187
187
188
User
VPN
WAD
Wireless
Other logs
NetScan
VOIP
189
190
190
191
191
191
191
Change Log
Date
Change Description
2014-12-05
Initial release.
2015-01-30
Added log definitions for log type and sub type IDs.
Added notes about UTM log type information in Security log section.
Log Reference
Fortinet Technologies Inc.
Introduction
This document provides information about all the log messages applicable to the FortiGate devices running FortiOS
version 5.2.0 or higher. The logs are intended for administrators to be used as reference for more information about a
specific log entry and message that is generated.
Log Reference
Fortinet Technologies Inc.
Ensure that you have enabled logging for FortiGate unit. For more information, see the Logging and Reporting
chapter in the FortiGate handbook.
Each log message is displayed in RAW format in the Log View of the web-based manager.
Each log message is documented similar to how it appears in the log viewer table based on the RAW format. For
more information, see the Logging and Reporting chapter in the FortiGate Handbook.
NOTE: This reference contains detailed information for each log type and sub type; however, this reference contains
only information gathered at publication and, as a result, not every log message field contains detailed information.
Log Reference
Fortinet Technologies Inc.
Overview
The log types described in this document report traffic, security, and event log information useful for system
administrators when recording, monitoring, and tracing the operation of a FortiGate device running FortiOS. The logs
provide information regarding the following:
l
Firewall attacks
Configuration changes
10
Log Reference
Fortinet Technologies Inc.
10
Log Reference
Fortinet Technologies Inc.
Type
Description
Traffic
Security
(UTM)
Event
Sub Type
l
Local
Forward
Multicast
Sniffer
AntiVirus
Application Control
Email Filter
Web Filter
System
High Availability
Router
Endpoint Control
GTP
WAD
Wireless
User
Type
Each log entry contains a Type (type) field that indicates its log type, and in which log file it is stored.
11
Log Reference
Fortinet Technologies Inc.
Subtype
Each log entry might also contain a Sub Type (subtype) field within a log type, based on the feature associated with
the cause of the log entry.
For example:
l
In event logs, some log entries have a subtype of user, system, or other sub types.
In security (UTM) logs, some log entries have a subtype of DLP, Web Filter, Email or other sub types.
In traffic logs, the sub types are: local, forward, multicast, and sniffer.
Priority Level
Each log entry contains a Level (pri) field that indicates the estimated severity of the event that caused the log entry,
such as pri=warning, and therefore how high a priority it is likely to be. Level (pri) associations with the descriptions
below are not always uniform. They also may not correspond with your own definitions of how severe each event is. If
you require notification when a specific event occurs, either configure SNMP traps or alert email by administratordefined Severity Level (severity_level) or ID (log_id), not by Level (pri).
Priority Levels
Level (0 is
highest)
Name
Description
Emergency
Alert
Critical
Funcationality is affected.
Error
Warning
Notification
Information
General information about system operations. Used in event logs to record configuration changes.
For each location where the FortiGate device can store log files (disk, memory, Syslog or FortiAnalyzer), you can
define a severity threshold. The FortiGate stores all log messages equal to or exceeding the log severity level
selected. For example, if you select Error, FortiGate will store log messages whose log severity level is Error, Critical,
Alert, and Emergency.
Log Reference
Fortinet Technologies Inc.
12
Message ID
2
Message
Severity
LOG_ID_TRAFFIC_ALLOW
Notice
Log Field
appact
13
Data Type
ENUM
Length
16
Value(s)
l
block
encrypt-kickout
monitor
pass
reject
reset
Log Reference
Fortinet Technologies Inc.
Header - Contains the date and time the log originated, log identifier, message identifier, administrative domain
(ADOM), the log caategory, severity level, and where the log originated. These fields are common to all log types.
Body - Describes the reason why the log was created and actions taken by the FortiGate device to address it. These
fields vary by log type.
Following is an example of traffic log entry in raw format. The body fields are highlighted in Bold.
date=2014-07-04 time=14:26:59 logid=0001000014 type=traffic subtype=local
level=notice vd=vdom1 srcip=10.6.30.254 srcport=54705 srcintf="mgmt1"
dstip=10.6.30.1 dstport=80 dstintf="vdom1" sessionid=350696 status=close
policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service=HTTP
Log Reference
Fortinet Technologies Inc.
14
The following table describes each possible header and body field, according to its name as it appears in the
Formatted or Raw view.
Example: Traffic Log (Raw Format)
Field Name
(Raw format
view in
parentheses)
Field
Description
Traffic
Event
Security
Header
Date(date)
date=2014-07-04
time=14:26:59
ID (log_id)
See Log ID
logid=0001000014
MSG(msg)
msg=000100000012
Type(type)
See Type
type=traffic
Sub Type(sub-
subtype=local
vd=vdom1
level=notice
type)
VDOM(vd)
Priority level
Body
15
Log Reference
Fortinet Technologies Inc.
Field Name
(Raw format
view in
parentheses)
Field
Description
Protocol(proto)
proto=6
srcip=10.6.30.254
srcport=54705
srcintf="mgmt1"
dstip=10.6.30.1
dstport=80
dstintf="vdom1"
The IP address of
(srcip)
Source Port
(srcport)
Source Inter-
face(srcintf)
traffic's origin.
Destination IP
The destination
(dstip)
Destination
Port(dstport)
Destination
Interface
traffic's destination.
(dstintf)
Log Reference
Fortinet Technologies Inc.
16
Log ID Numbers
Field Name
(Raw format
view in
parentheses)
Field
Description
sessionid=350696
status=close
policyid=0
service=HTTP
user=admin
Status(status)
Policy(policyid)
Service (ser-
vice)
User (user)
The daemon or
name of the administrator account
that performed the
action that caused
the log message.
Log ID Numbers
The ID (log_id) is a 10-digit field located in the header, immediately following the time and date fields. It is a unique
identifier for that specific log and includes the following information about the log entry.
17
Log Reference
Fortinet Technologies Inc.
Log ID Numbers
Description
Examples
Log Type
Represented by the
log ID.
Sub Type or Event Type
Represented by the
second two digits of
Message ID
An administrator account
0000003401.
The log_id field is a number assigned to all permutations of the same message. It classifies a log entry by the nature
of the cause of the log message, such as administrator authentication failures or traffic. Other log messages that
share the same cause will share the same log_id.
Log ID Definitions
Following are the definitions for the log type IDs and sub type IDs applicable to FortiOS version 5.2.1 and later.
traffic:0
forward:0
local:1
multicast:2
sniffer:4
Log Reference
Fortinet Technologies Inc.
18
event:1
system:0
vpn:1
user:2
router:3
wireless:4
wad:5
gtp:6
endpoint:7
ha:8
virus:2
suspicious:0
analytics:1
botnet:2
infected:11
filename:12
oversize:13
scanerror:62
switchproto:63
content:14
urlfilter:15
ftgd_blk:16
ftgd_allow:17
ftgd_err:18
activexfilter:35
cookiefilter:36
appletfilter:37
ftgd_quota_counting:38
ftgd_quota_expired:39
ftgd_quota:40
scriptfilter:41
webfilter_command_block:43
signature:19
antivirus: 2
webfilter:3
ips:4
19
Log ID Numbers
Log Reference
Fortinet Technologies Inc.
Log ID Numbers
spam: 5
msn-hotmail:5
yahoo-mail:6
gmail:7
smtp:8
pop3:9
imap:10
mapi:11
carrier-endpoint-filter:
47 mass-mms:52
HTTP:24
FTP:25
SMTP:26
POP3:27
IMAP:28
HTTPS:30
im-all:31
NNTP:39
VOIP:40
SMTPS:55
POP3S:56
IMAPS:57
MM1:48
MM3:49
MM4:50
MM7:51
anomaly: 7
anomaly: 20
voip: 8
viop: 14
dlp: 9
dlp:54
dlp-docsource:55
app-ctrl-all:59
contentlog: 6
app-ctrl-all: 10
Log Reference
Fortinet Technologies Inc.
20
netscan: 11
discovery:0
vulnerability:1
virus:2
webfilter:3
ips:4
spam:5
contentlog:6
voip:8
dlp:9
app-ctrl:10
UTM
21
Log ID Numbers
Log Reference
Fortinet Technologies Inc.
Traffic Log
Traffic log messages record network traffic passing through the FortiGate unit.
Traffic logs include the following log sub types.
l
Forward
Multicast
Local
Sniffer
The following table describes the log fields of the Traffic log.
NOTE: In the policyid field of traffic log messages, the number may be zero because any policy that is automatically
added by the FortiGate unit is indexed as zero. For more information, see the Fortinet Knowledge Base article, Firewall
policy=0.
Length Value
action
16
String
close
deny
dns
ip-conn
start
timeout
- Deny = blocked by
firewall policy.
- Start = session
start log (special
option to enable logging at start of a
session). This
means firewall
allowed.
- All Others =
allowed by Firewall
Policy and the
status indicates
how it was closed.
app
The application
String
96
name.
22
Log Reference
Fortinet Technologies Inc.
Traffic Log
Length Value
appact
16
String
appcat
String
64
UINT32
10
block
encrypt-kickout
monitor
pass
reject
reset
critical
elevated
high
low
medium
egory.
appid
applist
64
String
16
level.
collectedemail
String
66
UINT32
10
UINT32
10
The number of
appplication control
logs associated with
the session.
countav
The number of
AntiVirus logs associated with the session.
Log Reference
Fortinet Technologies Inc.
23
Traffic Log
Length Value
countdlp
UINT32
10
UINT32
10
UINT32
10
UINT32
10
UINT32
10
String
10
UINT32
10
countips
countweb
craction
crlevel
crscore
custom
Custom
date
String
10
String
16
String
32
devtype
24
Log Reference
Fortinet Technologies Inc.
Traffic Log
Length Value
dstcountry
String
64
String
32
IP Address
39
String
66
UINT16
String
33
String
37
UINT32
10
The destination
interface.
dstip
The destination IP
address.
dstname
The destination
name.
dstport
The destination
port.
dstssid
The destination
SSID.
dstuuid
duration
group
String
64
lanin
UINT64
20
UINT64
20
String
11
work incoming
traffic in bytes.
lanout
level
Log Reference
Fortinet Technologies Inc.
25
Traffic Log
Length Value
logid
A ten-digit number.
String
10
String
17
String
64
String
66
String
66
UINT32
10
String
37
UINT8
UINT64
20
10
msg
osname
osversion
policyid
poluuid
proto
rcvdbyte
The number of
bytes received.
rcvdpkt
ets received.
26
Log Reference
Fortinet Technologies Inc.
Traffic Log
Length Value
sentbyte
The number of
UINT64
20
10
bytes sent.
sentpkt
ets sent.
service
String
36
vice.
sessionid
UINT32
10
shaperdroprcvdbyte
The number of
UINT32
10
UINT32
10
UINT32
10
String
36
String
36
String
36
String
64
String
32
received bytes
dropped by shaper.
shaperdropsentbyte
shaperperipdropbyte
The number of
dropped bytes per
IP by shaper.
shaperperipname
shaperrcvdname
shapersentname
srccountry
srcintf
Log Reference
Fortinet Technologies Inc.
27
Traffic Log
Length Value
srcip
The source IP
IP Address
39
String
17
address.
srcmac
srcname
String
66
srcport
UINT16
number.
srcssid
String
33
srcuuid
String
37
String
20
String
String
16
source IP address.
subtype
time
trandisp
tranip
IP Address
39
UINT16
IP Address
39
UINT16
dnat
noop
snat
snat+dnat
tination IP.
tranport
transip
transport
28
Log Reference
Fortinet Technologies Inc.
Traffic Log
Length Value
type
String
16
unauthuser
The unau-
String
66
String
66
thenticated user
name.
unauthusersource
user
String
256
utmaction
String
32
performed by UTM.
vd
String
32
String
32
String
14
allow
block
n/a
reset
traffic-shape
ipsec-ddns
ipsec-dynamic
ipsec-static
sslvpn
name.
vpn
vpntype
wanin
UINT32
10
traffic in bytes.
Log Reference
Fortinet Technologies Inc.
29
Traffic Log
Length Value
wanoptapptype
String
ization application
type.
wanout
UINT32
cifs
ftp
ftp-proxy
http
mapi
tcp
web-cache
web-proxy
10
traffic in bytes.
30
Log Reference
Fortinet Technologies Inc.
Message ID
Message
Severity
LOG_ID_TRAFFIC_ALLOW
Notice
LOG_ID_TRAFFIC_DENY
Warning
LOG_ID_TRAFFIC_OTHER_START
Notice
LOG_ID_TRAFFIC_OTHER_ICMP_ALLOW
Notice
LOG_ID_TRAFFIC_OTHER_ICMP_DENY
Warning
LOG_ID_TRAFFIC_OTHER_INVALID
Warning
LOG_ID_TRAFFIC_WANOPT
Notice
LOG_ID_TRAFFIC_WEBCACHE
Notice
10
LOG_ID_TRAFFIC_EXPLICIT_PROXY
Notice
11
LOG_ID_TRAFFIC_FAIL_CONN
Warning
12
LOG_ID_TRAFFIC_MULTICAST
Notice
13
LOG_ID_TRAFFIC_END_FORWARD
Notice
14
LOG_ID_TRAFFIC_END_LOCAL
Notice
15
LOG_ID_TRAFFIC_START_FORWARD
Notice
16
LOG_ID_TRAFFIC_START_LOCAL
Notice
17
LOG_ID_TRAFFIC_SNIFFER
Notice
31
Log Reference
Fortinet Technologies Inc.
Security Log
Security Log
The following sections provide information about the different types of logs recorded under the Security log type.
In FortiOS 5.0 and previous versions, the logs were displayed under the UTM log type. In FortiOS
5.2.0 and later versions, the UTM logs are displayed under the Security log type. All logs grouped
in the security log include the log field type=utm.
Application Control
Application Control Log Messages
33
37
AntiVirus
AntiVirus Log Messages
38
44
DLP
47
Email Filter
Email Filter Log Messages
53
57
IPS
IPS Log Messages
59
63
Anomaly
Anomaly Log Messages
64
67
Web Filter
Web Filter Log Messages
68
73
Log Reference
Fortinet Technologies Inc.
32
Application Control
Application Control log messages record application control protocols and events.
In the log fields, these logs are defined as: type=utm; subtype=app-ctrl.
Log Field
Name
action
String
16
Value
performed by Applic-
ation Control.
l
l
l
l
l
app
The application
String
96
String
64
block
encrypt-kickout
kickout
monitor
pass
reject
reset
name.
appcat
appid
UINT32
10
applist
String
64
String
16
l
l
level.
l
l
l
cloudaction
String
critical
elevated
high
low
medium
32
formed by cloud
application.
33
Log Reference
Fortinet Technologies Inc.
Application Control
Security Log
Log Field
Name
clouduser
String
256
String
10
UINT32
10
String
10
String
16
String
Value
detected by the
Deep Application
Control feature.
crlevel
crscore
date
devid
direction
l
l
packets.
dstip
The destination IP
IP Address
39
String
64
incoming
N/A
outgoing
address.
dstname
The destination
name.
dstport
UINT16
eventtype
String
32
String
256
filesize
UINT64
10
group
String
64
name.
Log Reference
Fortinet Technologies Inc.
34
Security Log
Application Control
Log Field
Name
hostname
String
256
Value
URL.
level
String
11
logid
A ten-digit number.
String
10
String
512
String
36
String
36
UINT8
UINT64
20
UINT64
20
profile
profiletype
proto
rcvdbyte
sentbyte
service
String
36
sessionid
UINT32
10
srcip
The
IP Address
39
sourceIPaddress.
35
Log Reference
Fortinet Technologies Inc.
Application Control
Security Log
Log Field
Name
srcname
String
64
srcport
UINT16
subtype
String
20
String
Value
type
String
16
url
String
512
user
String
256
vd
String
32
name.
Log Reference
Fortinet Technologies Inc.
36
Message ID
Message
Severity
28672
LOGID_APP_CTRL_IM_BASIC
Information
28673
LOGID_APP_CTRL_IM_BASIC_WITH_
Information
STATUS
28674
LOGID_APP_CTRL_IM_BASIC_WITH_
Information
COUNT
28675
LOGID_APP_CTRL_IM_FILE
Information
28676
LOGID_APP_CTRL_IM_CHAT
Information
28677
LOGID_APP_CTRL_IM_CHAT_BLOCK
Information
28678
LOGID_APP_CTRL_IM_BLOCK
Information
28704
LOGID_APP_CTRL_IPS_PASS
Information
28705
LOGID_APP_CTRL_IPS_BLOCK
Warning
28706
LOGID_APP_CTRL_IPS_RESET
Warning
28720
LOGID_APP_CTRL_SSH_PASS
Information
28721
LOGID_APP_CTRL_SSH_BLOCK
Warning
37
Log Reference
Fortinet Technologies Inc.
AntiVirus
AntiVirus log messages record actual viruses that are contained in an email as well as anything that appears to be
similar to a virus or suspicious, such as in a file or in an email.
In the log fields, these logs are defined as: type=utm; subtype=virus.
Data Type
Length
action
String
11
Value
l
l
by antivirus profile.
l
l
agent
String
64
String
64
String
10
analytics
blocked
monitored
pass through
- eg. agent="Mozilla/5.0".
analyticscksum
analyticssubmit
l
l
mission.
checksum
String
16
command
String
16
false
true
String
10
crscore
UINT32
10
date
String
10
String
16
38
Log Reference
Fortinet Technologies Inc.
AntiVirus
Security Log
Data Type
Length
direction
String
Value
l
l
l
dstip
IP Address
39
dstport
UINT16
dtype
String
32
eventtype
String
32
filefilter
String
12
affected file.
incoming
N/A
outgoing
none
file pattern
file type
filename
Log Reference
Fortinet Technologies Inc.
String
256
39
Security Log
AntiVirus
Data Type
Length
filetype
String
16
Value
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
40
arj
cab
lzh
rar
tar
zip
bzip
gzip
bzip2
bat
msc
uue
mime
base64
binhex
com
elf
exe
hta
html
jad
class
cod
javascript
msoffice
fsg
upx
petite
aspack
prc
sis
hlp
activemime
jpeg
gif
tiff
png
bmp
ignored
unknown
Log Reference
Fortinet Technologies Inc.
AntiVirus
Security Log
Data Type
Length
from
String
128
Value
Email Headers
(IMAP/POP3/SMTP).
group
String
64
level
String
11
logid
String
10
String
String
64
UINT8
quarskip
String
46
ation.
l
recipient
String
512
String
512
File-wasnotquarantined
No-quarantinefor- HTTP-GETfilepatternblock
No-quarantineforoversizedfiles
No-skip
Log Reference
Fortinet Technologies Inc.
41
Security Log
AntiVirus
Data Type
Length
sender
String
128
String
Value
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
sessionid
UINT32
10
srcip
IP Address
39
srcport
UINT16
subtype
String
20
String
128
ftp
ftps
http
https
im
imap
imaps
mapi
mm1
mm3
mm4
mm7
nntp
pop3
pop3s
smb
smtp
smtps
ssl
time
String
to
String
512
Email Headers
(IMAP/POP3/SMTP.
42
Log Reference
Fortinet Technologies Inc.
AntiVirus
Security Log
Data Type
Length
type
String
16
url
String
512
user
String
256
vd
String
32
virus
String
128
virusid
UINT32
10
Log Reference
Fortinet Technologies Inc.
Value
43
Message ID Message
Severity
8192
MESGID_INFECT_WARNING
Warning
8193
MESGID_INFECT_NOTIF
Notice
8194
MESGID_INFECT_MIME_WARNING
Warning
8195
MESGID_INFECT_MIME_NOTIF
Notice
8196
MESGID_WORM_WARNING
Warning
8197
MESGID_WORM_NOTIF
Notice
8198
MESGID_WORM_MIME_WARNING
Warning
8199
MESGID_WORM_MIME_NOTIF
Notice
8448
MESGID_BLOCK_WARNING
Warning
8449
MESGID_BLOCK_NOTIF
Notice
8450
MESGID_BLOCK_MIME_WARNING
Warning
8451
MESGID_BLOCK_MIME_NOTIF
Notice
8452
MESGID_BLOCK_COMMAND
Warning
8453
MESGID_INTERCEPT
Notice
8454
MESGID_INTERCEPT_MIME
Notice
8455
MESGID_EXEMPT
Notice
8456
MESGID_EXEMPT_MIME
Notice
8457
MESGID_MMS_CHECKSUM
Warning
8458
MESGID_MMS_CHECKSUM_NOTIF
Notice
44
Log Reference
Fortinet Technologies Inc.
AntiVirus
Security Log
Message ID Message
Severity
8704
MESGID_OVERSIZE_WARNING
Warning
8705
MESGID_OVERSIZE_NOTIF
Notice
8706
MESGID_OVERSIZE_MIME_WARNING
Warning
8707
MESGID_OVERSIZE_MIME_NOTIF
Notice
8720
MESGID_SWITCH_PROTO_WARNING
Warning
8721
MESGID_SWITCH_PROTO_NOTIF
Notice
8960
MESGID_SCAN_UNCOMPNESTLIMIT
Notice
8961
MESGID_SCAN_UNCOMPSIZELIMIT
Notice
8962
MESGID_SCAN_ARCHIVE_ENCRYPTED_
Warning
WARNING
8963
MESGID_SCAN_ARCHIVE_ENCRYPTED_NOTIF
Notice
8964
MESGID_SCAN_ARCHIVE_CORRUPTED_
Warning
WARNING
8965
MESGID_SCAN_ARCHIVE_CORRUPTED_
Notice
NOTIF
8966
MESGID_SCAN_ARCHIVE_MULTIPART_
Warning
WARNING
8967
MESGID_SCAN_ARCHIVE_MULTIPART_NOTIF
Notice
8968
MESGID_SCAN_ARCHIVE_NESTED_WARNING
Warning
8969
MESGID_SCAN_ARCHIVE_NESTED_NOTIF
Notice
8970
MESGID_SCAN_ARCHIVE_OVERSIZE_
Warning
WARNING
8971
MESGID_SCAN_ARCHIVE_OVERSIZE_NOTIF
Log Reference
Fortinet Technologies Inc.
Notice
45
Security Log
AntiVirus
Message ID Message
Severity
8972
Warning
MESGID_SCAN_ARCHIVE_UNHANDLED_
WARNING
8973
MESGID_SCAN_ARCHIVE_UNHANDLED_
Notice
NOTIF
9233
MESGID_ANALYTICS_SUBMITTED
Notice
9248
MESGID_BOTNET_WARNING
Warning
9249
MESGID_BOTNET_NOTIF
Notice
46
Log Reference
Fortinet Technologies Inc.
DLP
Data Leak Protection (DLP) log messages record data leaks. These logs provide additional information to help
administrators better analyze and detect data leaks.
In the log fields, these logs are defined as: type=utm; subtype=dlp.
Data Type
Length
action
String
20
Value
l
l
formed by DLP.
l
l
l
l
agent
String
64
String
10
ban
ban-sender
block
exempt
log-only
quarantineinterface
quarantine-ip
t="Mozilla/5.0".
date
devid
String
16
direction
String
l
l
l
dlpextra
String
256
docsource
String
515
dstip
IP Address
39
dstport
UINT16
47
incoming
N/A
outgoing
Log Reference
Fortinet Technologies Inc.
DLP
Security Log
Data Type
Length
epoch
UINT32
10
UINT32
10
Value
file.
eventid
eventtype
String
32
filename
String
256
filesize
UINT64
10
filetype
String
23
filtercat
String
filteridx
UINT32
10
filtername
String
128
filtertype
String
23
l
l
l
l
l
l
l
l
l
l
l
l
from
String
128
file
message
none
credit-card
encrypted
file-size
file-type
fingerprint
none
regexp
ssn
watermark
Email Headers
(IMAP/POP3/SMTP).
group
String
64
hostname
String
256
Log Reference
Fortinet Technologies Inc.
48
Security Log
DLP
Data Type
Length
level
String
11
logid
String
10
String
String
512
Value
profile
String
64
proto
UINT8
rcvdbyte
UINT64
20
String
512
String
128
String
36
UINT64
20
received.
recipient
sender
sensitivity
sentbyte
49
Log Reference
Fortinet Technologies Inc.
DLP
Security Log
Data Type
Length
service
String
36
Value
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
sessionid
UINT32
10
severity
String
ftp
ftps
http
https
im
imap
imaps
mapi
mm1
mm3
mm4
mm7
nntp
pop3
pop3s
smtp
smtps
ssl
rule.
srcip
IP Address
39
srcport
UINT16
subject
String
128
String
20
message.
subtype
time
String
to
String
512
Email Headers
(IMAP/POP3/SMTP).
Log Reference
Fortinet Technologies Inc.
50
Security Log
DLP
Data Type
Length
type
String
16
url
String
512
user
String
256
vd
String
32
51
Value
Log Reference
Fortinet Technologies Inc.
Security Log
DLP
Message ID Message
Severity
24576
LOG_ID_DLP_WARN
Warning
24577
LOG_ID_DLP_NOTIF
Notice
24578
LOG_ID_DLP_DOC_SOURCE
Notice
24579
LOG_ID_DLP_DOC_SOURCE_ERROR
Warning
52
Log Reference
Fortinet Technologies Inc.
Email Filter
Email filter log messages record email protocols, such as SMTP, POP3 and IMAP.
In the log fields, these logs are defined as: type=utm; subtype=emailfilter.
Data Type
Length
action
String
Value
l
l
agent
String
64
String
blocked
detected
exempted
agent="Mozilla/5.0".
attachment
l
l
attachment.
banword
String
cc
String
No
yes
128
String
10
String
16
String
direction
l
l
ets.
dstip
The destination IP
IP Address
39
UINT16
incoming
N/A
outgoing
address.
dstport
53
Log Reference
Fortinet Technologies Inc.
Email Filter
Security Log
Data Type
Length
eventtype
String
32
String
128
Value
type.
from
group
String
64
level
String
11
logid
String
10
String
512
String
64
profile
proto
UINT8
rcvdbyte
UINT64
20
String
512
String
128
received.
recipient
sender
Log Reference
Fortinet Technologies Inc.
54
Security Log
Email Filter
Data Type
Length
sentbyte
UINT64
20
String
36
Value
sent.
service
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
sessionid
UINT32
10
size
String
16
srcip
IP Address
39
srcport
UINT16
subject
String
256
String
20
String
ftp
ftps
http
https
im
imap
imaps
mapi
mm1
mm3
mm4
mm7
nntp
pop3
pop3s
smtp
smtps
ssl
email message.
subtype
time
55
Log Reference
Fortinet Technologies Inc.
Email Filter
Security Log
Data Type
Length
to
String
512
Value
String
16
user
String
256
vd
String
12
name.
Log Reference
Fortinet Technologies Inc.
56
Message ID Message
Severity
20480
LOGID_ANTISPAM_EMAIL_SMTP_NOTIF
Notice
20481
LOGID_ANTISPAM_EMAIL_SMTP_
Notice
BWORD_NOTIF
20487
LOGID_ANTISPAM_ENDPOINT_MM7_
Warning
WARNING
20488
LOGID_ANTISPAM_ENDPOINT_MM7_
Notice
NOTIF
20489
LOGID_ANTISPAM_ENDPOINT_MM1_
Warning
WARNING
20490
LOGID_ANTISPAM_ENDPOINT_MM1_
Notice
NOTIF
20491
LOGID_ANTISPAM_EMAIL_IMAP_
Notice
BWORD_NOTIF
20492
LOGID_ANTISPAM_MM1_FLOOD_
Warning
WARNING
20493
LOGID_ANTISPAM_MM1_FLOOD_NOTIF
Notice
20494
LOGID_ANTISPAM_MM4_FLOOD_
Warning
WARNING
20495
LOGID_ANTISPAM_MM4_FLOOD_NOTIF
Notice
20496
LOGID_ANTISPAM_MM1_DUPE_
Warning
WARNING
20497
LOGID_ANTISPAM_MM1_DUPE_NOTIF
Notice
20498
LOGID_ANTISPAM_MM4_DUPE_
Warning
WARNING
57
Log Reference
Fortinet Technologies Inc.
Email Filter
Security Log
Message ID Message
Severity
20499
LOGID_ANTISPAM_MM4_DUPE_NOTIF
Notice
20500
LOGID_ANTISPAM_EMAIL_MSN_NOTIF
Information
20501
LOGID_ANTISPAM_EMAIL_YAHOO_NOTIF
Information
20502
LOGID_ANTISPAM_EMAIL_GOOGLE_
Information
NOTIF
20503
LOGID_EMAIL_SMTP_GENERAL_NOTIF
Information
20504
LOGID_EMAIL_POP3_GENERAL_NOTIF
Information
20505
LOGID_EMAIL_IMAP_GENERAL_NOTIF
Information
20506
LOGID_EMAIL_MAPI_GENERAL_NOTIF
Information
20507
LOGID_ANTISPAM_EMAIL_MAPI_
Notice
BWORD_NOTIF
20508
LOGID_ANTISPAM_EMAIL_MAPI_NOTIF
Log Reference
Fortinet Technologies Inc.
Notice
58
IPS
Intrusion logs record security logs for protocols, such as ICMP and virus attacks. The IPS logs also provide additional
log details, such as the anomaly logs. The "anomaly" logs are generated from the kernel without signatures. (e.g.TCP
SYN flood etc.).
In the log fields, these logs are defined as: type=utm; subtype= ips.
Data Type
Length
action
String
16
Value
l
l
formed by IPS.
l
l
l
l
l
l
agent
String
66
clear_session
detected
drop_session
dropped
pass_session
reset
reset_client
reset_server
- eg. agentt="Mozilla/5.0".
attack
String
256
attackcontext
String
2040
String
10
attackid
UINT32
10
count
UINT32
10
an attack event.
59
Log Reference
Fortinet Technologies Inc.
IPS
Security Log
Data Type
Length
craction
UINT32
10
String
10
UINT32
10
String
10
String
16
UINT32
10
Value
by client reputation
level.
crlevel
crscore
date
devid
direction
l
l
ets.
dstintf
String
64
IP Address
39
incoming
N/A
outgoing
face.
dstip
The destination
IPaddress.
dstport
UINT16
eventtype
String
32
group
String
64
icmpcode
String
String
String
icmptype
Log Reference
Fortinet Technologies Inc.
60
Security Log
IPS
Data Type
Length
incidentserialno
UINT32
10
Value
number.
level
String
11
logid
A ten-digit number.
String
10
String
518
String
64
profile
profiletype
String
64
proto
UINT8
ref
String
String
36
sessionid
UINT32
10
severity
String
l
l
attack.
l
l
l
srcintf
61
String
critical
high
info
low
medium
64
Log Reference
Fortinet Technologies Inc.
IPS
Security Log
Data Type
Length
srcip
IP Address
39
srcport
UINT16
subtype
String
20
String
Value
type
String
16
user
String
256
vd
String
32
name.
Log Reference
Fortinet Technologies Inc.
62
Message ID
Message
Severity
16384
LOGID_ATTCK_SIGNATURE_TCP_UDP
Alert
16385
LOGID_ATTCK_SIGNATURE_ICMP
Alert
16386
LOGID_ATTCK_SIGNATURE_OTHERS
Alert
18432
LOGID_ATTCK_ANOMALY_TCP_UDP
Alert
18433
LOGID_ATTCK_ANOMALY_ICMP
Alert
18434
LOGID_ATTCK_ANOMALY_OTHERS
Alert
63
Log Reference
Fortinet Technologies Inc.
Anomaly
Anomaly logs are associated with IPS log events.
In the log fields, these logs are defined as: type=utm; subtype= anomaly.
Data Type
Length
action
String
16
String
66
Value
attack
String
256
attackcontext
String
2040
String
10
attackid
UINT32
10
count
UINT32
10
UINT32
10
event.
craction
crlevel
String
10
crscore
UINT32
10
date
String
10
String
16
64
Log Reference
Fortinet Technologies Inc.
Anomaly
Security Log
Data Type
Length
direction
UINT32
10
dstintf
String
64
dstip
IP Address
39
dstport
UINT16
eventtype
String
32
group
String
64
icmpcode
String
icmpid
String
icmptype
String
incidentserialno
UINT32
10
level
String
11
logid
String
10
String
518
Value
profile
String
64
profiletype
String
64
proto
UINT8
ref
service
Log Reference
Fortinet Technologies Inc.
String
The service name.
String
36
65
Security Log
Anomaly
Data Type
Length
sessionid
UINT32
10
String
severity
srcintf
String
64
srcip
IP Address
39
srcport
UINT16
subtype
String
20
Value
String
type
String
16
user
String
256
String
32
the traffic.
vd
66
Log Reference
Fortinet Technologies Inc.
Message ID
Message
Severity
18432
LOGID_ATTCK_ANOMALY_TCP_UDP
Alert
18433
LOGID_ATTCK_ANOMALY_ICMP
Alert
18434
LOGID_ATTCK_ANOMALY_OTHERS
Alert
67
Log Reference
Fortinet Technologies Inc.
Web Filter
Web filter log messages record URL activity as well as filters, such as a blocked URL as it is found in the URL black list.
In the log fields, these logs are defined as: type=utm; subtype= webfilter.
Data Type
Length
action
String
11
Value
l
l
l
l
l
l
agent
String
64
allowed
blocked
DLP
exempted
filtered
pass through
- eg. agent="Mozilla/5.0".
banword
String
128
cat
UINT8
catdesc
String
64
String
64
tion.
contenttype
crlevel
String
10
crscore
UINT32
10
date
String
10
String
16
68
Log Reference
Fortinet Technologies Inc.
Web Filter
Security Log
Data Type
Length
direction
String
Value
l
l
traffic.
dstip
IP Address
39
dstport
UINT16
error
String
256
incoming
N/A
outgoing
sage.
eventtype
String
32
filtertype
String
10
l
l
l
l
l
from
String
128
javascript
jscript
n/a
unknown
vbscript
String
64
hostname
String
256
initiator
String
64
String
512
rid.
keyword
level
String
11
logid
String
10
Log Reference
Fortinet Technologies Inc.
69
Security Log
Web Filter
Data Type
Length
method
String
Value
l
l
Domain
ip
address.
mode
String
32
msg
String
512
UINT32
10
ovrdtbl
String
128
profile
String
64
proto
UINT8
quotaexceeded
String
l
l
quotamax
UINT64
20
String
16
no
yes
allowed
- in seconds if time-based
- in bytes if traffic-based
quotatype
l
l
quotaused
UINT64
20
UINT64
20
String
time
traffic
- in seconds if time-based
- in bytes if traffic-based).
rcvdbyte
reqtype
l
l
ruledata
String
512
ruletype
String
l
l
l
70
direct
referral
directory
domain
rating
Log Reference
Fortinet Technologies Inc.
Web Filter
Security Log
Data Type
Length
sentbyte
UINT64
20
service
String
36
Value
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
sessionid
UINT32
10
srcip
IP Address
39
srcport
UINT16
subtype
String
20
String
String
512
dns
ftp
ftps
http
https
im
imap
imaps
mm1
mm3
mm4
mm7
nntp
pop3
pop3s
smtp
smtps
ssl
to
type
String
16
url
String
512
urlfilteridx
UINT32
10
Log Reference
Fortinet Technologies Inc.
71
Security Log
Web Filter
Data Type
Length
urlfilterlist
String
64
urltype
String
Value
l
l
l
l
l
l
user
String
256
vd
String
32
72
ftp
http
https
mail
phishing
telnet
Log Reference
Fortinet Technologies Inc.
Message ID Message
Severity
12288
LOG_ID_WEB_CONTENT_BANWORD
Warning
12289
LOG_ID_WEB_CONTENT_MMS_BANWORD
Warning
12290
LOG_ID_WEB_CONTENT_EXEMPTWORD
Notice
12291
LOG_ID_WEB_CONTENT_MMS_
Notice
EXEMPTWORD
12292
LOG_ID_WEB_CONTENT_KEYWORD
Notice
12293
LOG_ID_WEB_CONTENT_SEARCH
Notice
12305
LOG_ID_WEB_CONTENT_BANWORD_NOTIF
Notice
12544
LOG_ID_URL_FILTER_BLOCK
Warning
12545
LOG_ID_URL_FILTER_EXEMPT
Information
12546
LOG_ID_URL_FILTER_ALLOW
Information
12547
LOG_ID_URL_FILTER_INVALID_
Notice
HOSTNAME_HTTP_BLK
12548
LOG_ID_URL_FILTER_INVALID_
Notice
HOSTNAME_HTTPS_BLK
12549
LOG_ID_URL_FILTER_INVALID_
Information
HOSTNAME_HTTP_PASS
12550
LOG_ID_URL_FILTER_INVALID_
Information
HOSTNAME_HTTPS_PASS
12551
LOG_ID_URL_FILTER_INVALID_
Notice
HOSTNAME_SNI_BLK
73
Log Reference
Fortinet Technologies Inc.
Web Filter
Security Log
Message ID Message
Severity
12552
Information
LOG_ID_URL_FILTER_INVALID_
HOSTNAME_SNI_PASS
12553
LOG_ID_URL_FILTER_INVALID_CERT
Notice
12554
LOG_ID_URL_FILTER_INVALID_SESSION
Notice
12555
LOG_ID_URL_FILTER_SRV_CERT_ERR_BLK
Notice
12556
LOG_ID_URL_FILTER_SRV_CERT_ERR_
Notice
PASS
12557
LOG_ID_URL_FILTER_FAMS_NOT_ACTIVE
Critical
12558
LOG_ID_URL_FILTER_RATING_ERR
Information
12559
LOG_ID_URL_FILTER_PASS
Information
12800
LOG_ID_WEB_FTGD_ERR
Error
12801
LOG_ID_WEB_FTGD_WARNING
Warning
12802
LOG_ID_WEB_FTGD_QUOTA
Information
13056
LOG_ID_WEB_FTGD_CAT_BLK
Warning
13057
LOG_ID_WEB_FTGD_CAT_WARN
Warning
13312
LOG_ID_WEB_FTGD_CAT_ALLOW
Notice
13313
LOG_ID_WEB_FTGD_RULE_ALLOW
Notice
13314
LOG_ID_WEB_FTGD_OFF_SITE_ALLOW
Information
13315
LOG_ID_WEB_FTGD_QUOTA_COUNTING
Notice
13316
LOG_ID_WEB_FTGD_QUOTA_EXPIRED
Warning
13317
LOG_ID_WEB_URL
Notice
13568
LOG_ID_WEB_SCRIPTFILTER_ACTIVEX
Notice
Log Reference
Fortinet Technologies Inc.
74
Security Log
Web Filter
Message ID Message
Severity
13573
LOG_ID_WEB_SCRIPTFILTER_COOKIE
Notice
13584
LOG_ID_WEB_SCRIPTFILTER_APPLET
Notice
13600
LOG_ID_WEB_SCRIPTFILTER_OTHER
Notice
13601
LOG_ID_WEB_WF_COOKIE
Notice
13602
LOG_ID_WEB_WF_REFERER
Notice
13603
LOG_ID_WEB_WF_COMMAND_BLOCK
Warning
13616
LOG_ID_CONTENT_TYPE_BLOCK
Warning
75
Log Reference
Fortinet Technologies Inc.
Event Log
Event Log
The following sections provide information about the different types of logs recorded under the Event log type.
Event log include the following log subtypes:
l
Endpoint Control
GTP
High Availability
System
Router
VPN
USer
WAD
Wireless
In the log field, these logs are defined as: type=event; subtypes=endpoint control, gtp, vpn, user, wad, system, router,
wireless, high availability.
Endpoint Control
Endpoint Log Messages
77
81
GTP
GTP Log Messages
83
91
High Availability
High Availability Log Messages
93
96
Router
Router Log Messages
98
100
System
System Log Messages
101
112
User
User Log Messages
138
142
VPN
VPN Log Messages
145
152
WAD
WAD Log Messages
158
161
Wireless
Wireless Log Messages
163
170
Log Reference
Fortinet Technologies Inc.
76
Endpoint Control
Following are the log details for the events generated for Endpoint control logs.
In the log fields, these logs are defined as: type=event; subtype= endpoint.
Log Field
Name
Log Field
Description
Data Type
Length
action
String
32
String
UINT32
10
String
10
String
16
String
33
Value
FortiGate unit
should take for
this firewall
policy.
connection_
The FortiClient
type
connection type.
count
The number of
dropped SIP
packets.
date
devid
forticlient_id
The FortiClient
uuid.
hostname
String
128
interface
The interface
String
32
name.
77
Log Reference
Fortinet Technologies Inc.
EndpointControl
Event Log
Log Field
Name
Log Field
Description
Data Type
Length
ip
The IP address.
IP Address
39
level
String
11
String
32
UINT16
Value
level.
license_limit
The number of
limited licenses.
license_
The number of
used
licenses used.
logdesc
String
description.
logid
A ten-digit num-
String
10
The activity or
String
String
128
String
256
UINT16
Log Reference
Fortinet Technologies Inc.
78
Event Log
EndpointControl
Log Field
Name
Log Field
Description
Data Type
Length
status
String
23
Value
action the
FortiGate unit
l
l
event occurred.
l
l
start
end
timeout
blocked
succeeded
failed
authentication-required
sub type gtp
forwarded
prohibited
rate-limited
state-invalid
tunnel-limited
traffic-count
user-data
endpoint
event
l
l
l
l
l
l
l
l
l
l
l
l
l
l
subtype
The subtype of
String
20
String
ipsec
success
failure
negotiate_error
esp_error
dpd_failure
subtype voip
type
String
16
ui
String
64
UINT16
String
256
face.
used_for_
type
user
79
Log Reference
Fortinet Technologies Inc.
EndpointControl
Event Log
Log Field
Name
Log Field
Description
Data Type
Length
vd
The virtual
String
32
Value
domain name.
Log Reference
Fortinet Technologies Inc.
80
Message
ID
Message
Description
Severity
45056
LOG_ID_FCC_EXCEED
Notice
45057
LOG_ID_FCC_ADD
Information
45058
LOG_ID_FCC_CLOSE
FortiClient closed
Information
45059
LOG_ID_FCC_UPGRADE_
Notice
Error
SUCC
45060
LOG_ID_FCC_UPGRADE_FAIL
upgrade
45100
LOG_ID_EC_REG_FAIL
Warning
45101
LOG_ID_EC_REG_SUCCEED
Notice
ceeded
45102
LOG_ID_EC_REG_RENEWED
FortiClient registration
Notice
renewed
45103
LOG_ID_EC_REG_BLOCK
Notice
45104
LOG_ID_EC_REG_UNBLOCK
FortiClient registration
Notice
unblocked
45105
LOG_ID_EC_REG_DEREG
FortiClient deregistered
Notice
45106
LOG_ID_EC_REG_LIC_
Notice
UPGRADED
upgraded
LOG_ID_EC_CONF_
DISTRIBUTED
tributed
45108
LOG_ID_EC_FTCL_UNREG
FortiClient unregistered
Notice
45109
LOG_ID_EC_FTCL_LOGOFF
Notice
45107
81
Notice
Log Reference
Fortinet Technologies Inc.
EndpointControl
Event Log
Message
ID
Message
Description
Severity
45110
LOG_ID_EC_FTCL_ENABLE_
Notice
NOTSYNC
disabled
LOG_ID_EC_REG_SYNC_FAIL
45111
Warning
failed
Log Reference
Fortinet Technologies Inc.
82
GTP
Event-GTP log messages record GTP activity. These messages are recorded only when running FortiGate Carrier
firmware.
In the log fields, these logs are defined as: type=event; subtype= gtp.
Log Field
Name
Data Type
Length
apn
String
128
UINT64
20
IP Address
39
UINT32
10
IP Address
39
IP Address
39
IP Address
39
IP Address
39
Value
name.
c-bytes
c-ggsn
c-ggsn-teid
c-gsn
cpaddr
cpdladdr
cpdlisraddr
83
Log Reference
Fortinet Technologies Inc.
GTP
Event Log
Log Field
Name
Data Type
Length
cpdlisrteid
UINT32
10
UINT32
10
UINT64
20
UINT32
10
IP Address
39
UINT32
10
IP Address
39
UINT32
10
String
10
Value
downlink teid.
cpdlteid
c-pkts
cpteid
cpuladdr
cpulteid
c-sgsn
c-sgsn-teid
date
Log Reference
Fortinet Technologies Inc.
84
Event Log
Log Field
Name
GTP
deny_cause
Data Type
Length
String
25
Value
adv-policy-filter
apn-filter
ggsn-not-authorized
gtp-in-gtp
imsi-filter
invalid-ie-length
invalid-msg-length
devid
invalid-reserved-field invalidstate
ip-policy
miss-mandatory-ie
msg-filter
non-ip-policy
out-state-ie
out-state-msg
packet-sanity
rate-limited
reserved-ie
reserved-msg
response-without-request
sgsn-no-handover
sgsn-not-authorized
spoof
unknown-gtp-version
16
ber.
dstport
85
UINT16
Log Reference
Fortinet Technologies Inc.
GTP
Log Field
Name
Event Log
dtlexp
Data Type
Length
String
64
Value
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
Log Reference
Fortinet Technologies Inc.
cant-have-both-ebi-and-lbi
cant-have-both-hteid-andcteid
cause-value-should-be-isrdeactivation
expired-create-bearerresponse
expired-create-indirect- tunnelresponse
expired-create-response
expired-create-sessionresponse
expired-delete-beaererresponse
expired-delete-indirect- tunnelresponse
expired-delete-response
expired-delete-sessionresponse
expired-echo-response
expired-modified-bearerresponse
expired-release-accessbearer-response
expired-update-bearerresponse
expired-update-response fteidshouldnt-exist
header-seq-num-is-missing
hteid-is-zero
ie-is-missing
imsi-shouldnt-exist
invalid-eps-bearer-id
invalid-ie-length
invalid-mcc-mnc
invalid-tid
malformed-extension-header
malformed-p-flag
malformed-piggybacked-msg
malformed-t-flag
neither-hteid-nor-cteidexists
no-tunnel-exists
none
payload-teid-is-zero
response-hteid-doesntmatchrequest
86
Event Log
GTP
Log Field
Name
Data Type
Length
duration
UINT32
10
The IP address.
39
String
128
UINT32
10
UINT8
String
32
String
16
Value
ation.
end-usr-
address
address.
from
headerteid
ietype
imei-sv
International Mobile
Equipment Identity or
IMEI is a number, usually unique, to identify
GSM, WCDMA, and
iDEN mobile phones,
as well as some satellite phones
imsi
The International
mobile subscriber ID.
level
String
11
linked-nsapi
UINT8
String
tion.
87
Log Reference
Fortinet Technologies Inc.
GTP
Event Log
Log Field
Name
Data Type
Length
logid
A ten-digit number.
String
10
Value
String
UINT8
msisdn
String
16
UINT8
profile
String
64
rai
String
32
String
String
14
UINT32
10
identification.
rat-type
selection
seqnum
Log Reference
Fortinet Technologies Inc.
88
Event Log
GTP
Log Field
Name
Data Type
Length
snetwork
String
64
Value
UINT16
status
String
23
tunnel-limited
tunnel-limited-monitor
user-data
event occurred.
subtype
String
20
String
String
512
UINT32
10
to
tunnel-idx
type
String
16
u-bytes
UINT64
20
IP Address.
39
89
Log Reference
Fortinet Technologies Inc.
GTP
Event Log
Log Field
Name
Data Type
Length
u-ggsn-teid
UINT32
10
IP Address
39
String
32
UINT64
20
String
256
IP Address
39
UINT32
10
String
32
String
64
Value
uli
u-pkts
user_data
u-sgsn
u-sgsn-teid
vd
version
Log Reference
Fortinet Technologies Inc.
90
Message
ID
Message
Description
Severity
41216
LOGID_GTP_FORWARD
Information
41217
LOGID_GTP_DENY
Information
41218
LOGID_GTP_RATE_LIMIT
Information
41219
LOGID_GTP_STATE_
Information
INVALID
41220
LOGID_GTP_TUNNEL_
Information
LIMIT
41221
LOGID_GTP_TRAFFIC_
Information
COUNT
41222
LOGID_GTP_USER_DATA
Information
41223
LOGID_GTPV2_FORWARD
Information
41224
LOGID_GTPV2_DENY
Information
41225
LOGID_GTPV2_RATE_LIMIT
Information
41226
LOGID_GTPV2_STATE_
Information
INVALID
41227
LOGID_GTPV2_TUNNEL_
Information
LIMIT
41228
LOGID_GTPV2_TRAFFIC_
Information
COUNT
41229
LOGID_GTPU_FORWARD
Information
41230
LOGID_GTPU_DENY
Information
91
Log Reference
Fortinet Technologies Inc.
GTP
Log Reference
Fortinet Technologies Inc.
Event Log
92
High Availability
Event-HA log messages are recorded when FortiGate units are in high availability mode. These log messages describe
changes in cluster unit status. The changes in status occur if a cluster unit fails or starts up, or if a link fails or is
restored. Each of these messages includes the serial number of the cluster unit reporting the message. You can use
the serial number to determine the status of cluster unit that has changed.
In the log fields, these logs are defined as: type=event; subtype= ha.
Log Field
Description
Data
Type
Length
activity
String
128
String
10
String
16
String
32
UINT32
10
UINT8
Value
ability activity
message.
date
devid
devintfname
from_vcluster
ha_group
93
Log Reference
Fortinet Technologies Inc.
High Availability
Event Log
Log Field
Description
Data
Type
Length
ha_role
String
Value
l
l
Master
slave
cluster.
ha-prio
UINT8
String
18
ability priority.
hbdn_reason
The heartbeat
down reason.
ip
The IP address.
IP
Link fail
neighbor-info-lost
39
Address
level
String
11
level.
logdesc
String
tion.
logid
A ten-digit num-
String
10
The activity or
String
Log Reference
Fortinet Technologies Inc.
String
64
94
Event Log
High Availability
Log Field
Description
Data
Type
Length
subtype
The subtype of
String
20
String
11
Value
String
14
l
l
String
UINT32
10
in-sync
out-of-sync
Configurations
external-files
of the event.
to_vcluster
The destination
virtual cluster
number.
type
String
16
vcluster
UINT32
10
UINT32
10
String
ID.
vcluster_member
vcluster_state
l
l
state.
l
l
vd
The virtual
String
32
String
16
helo
init
standby
work
domain
vdname
The virtual
domain name.
95
Log Reference
Fortinet Technologies Inc.
Message ID
Message
Description
Severity
35001
LOG_ID_HA_SYNC_
Notice
VIRDB
message
LOG_ID_HA_SYNC_ETDB
35002
Notice
base message
35003
LOG_ID_HA_SYNC_EXDB
Notice
base message
35005
LOG_ID_HA_SYNC_IPS
Notice
message
35007
LOG_ID_HA_SYNC_AV
Notice
age message
35008
LOG_ID_HA_SYNC_VCM
Notice
message
35009
LOG_ID_HA_SYNC_CID
Notice
message
35010
LOG_ID_HA_SYNC_FAIL
Error
37888
MESGID_HA_GROUP_
HA group deleted
Notice
DELETE
37889
MESGID_VC_DELETE
Notice
37890
MESGID_VC_MOVE_
Notice
VDOM
37891
MESGID_VC_ADD_VDOM
Notice
37892
MESGID_VC_MOVE_
Notice
MEMB_STATE
moved
96
Log Reference
Fortinet Technologies Inc.
High Availability
Event Log
Message ID
Message
Description
Severity
37893
MESGID_VC_DETECT_
Critical
MEMB_DEAD
dead
MESGID_VC_DETECT_
MEMB_JOIN
joined
MESGID_VC_ADD_
HADEV
interface
MESGID_VC_DEL_HADEV
37894
37895
37896
Critical
Notice
Notice
device interface
37897
MESGID_HADEV_READY
Notice
37898
MESGID_HADEV_FAIL
Warning
37899
MESGID_HADEV_
Notice
PEERINFO
information
MESGID_HBDEV_DELETE
37900
Notice
deleted
37901
MESGID_HBDEV_DOWN
Critical
down
37902
MESGID_HBDEV_UP
Information
up
37903
MESGID_SYNC_STATUS
Information
MESGID_HA_ACTIVITY
Notice
device as HA master
37904
MESGID_HA_ACTIVITY
Information
device as HA master
Log Reference
Fortinet Technologies Inc.
97
Router
Event-Router log messages record events that occur on the FortiGate network interfaces.
In the log fields, these logs are defined as: type=event; subtype= router.
Log
Field
Name
Data Type
Length
action
String
32
String
10
String
16
Value
devid
dhcp_
String
dns_ip
IP Address
39
dns_
String
64
dst_int
String
64
interface
String
32
lease
UINT32
10
level
String
11
logdesc
String
msg
name
98
Log Reference
Fortinet Technologies Inc.
Router
Event Log
Log
Field
Name
Data Type
Length
logid
String
10
17
Value
String
msg
String
String
64
src_int
String
64
subtype
String
20
String
type
String
16
vd
String
32
Log Reference
Fortinet Technologies Inc.
99
Message
ID
Message
Description
Severity
20300
LOG_ID_BGP_NB_STAT_
Unknown
CHG
27001
LOG_ID_VRRP_STATE_CHG
Information
51000
51000
Information
changed
100
Log Reference
Fortinet Technologies Inc.
System
Event-System log messages record events that occur in the FortiGatesystem, such as administrators logging in and
out, or events occurring on the interfaces.
In the log fields, these logs are defined as: type=event; subtype= system.
Data Type
Length
acktime
String
24
act
String
16
action
String
32
Value
The address.
String
80
alarmid
UINT32
10
assigned
IP Address
39
bandwidth
String
42
banned_rule
String
36
banned_src
String
16
l
l
l
l
l
blocked
UINT32
10
36
ips
dos
dlp-rule
dlp-compound
av
sages.
cert
The certificate.
String
cfgattr
String
101
Log Reference
Fortinet Technologies Inc.
System
Event Log
Data Type
Length
cfgobj
String
256
cfgpath
String
128
cfgtid
UINT32
10
Value
id.
chassisid
UINT8
checksum
UINT32
10
UINT16
community
String
36
conserve
String
32
count
UINT32
10
UINT8
created
String
64
crl
String
packets.
cpu
daddr
String
80
'dstip'.
daemon
String
32
datarange
String
50
date
String
10
String
128
devid
String
16
device.
Log Reference
Fortinet Technologies Inc.
102
Event Log
System
Data Type
Length
dhcp_msg
String
dintf
String
36
dir
String
disk
UINT8
disklograte
UINT64
20
dns_ip
IP Address
39
dns_name
String
64
dport
UINT16
dst_int
String
64
UINT16
Value
dstip
IP Address
39
dstport
UINT16
duration
UINT32
10
UINT32
10
error
String
256
UINT32
10
upload to FortiCloud.
exitmargin
103
Log Reference
Fortinet Technologies Inc.
System
Event Log
fams_pause
Data Type
Length
UINT32
10
fazlograte
UINT64
20
field
String
32
file
String
256
Value
report.
filesize
free
from
UINT32
String
32
String
128
IP Address
39
String
32
notification.
gateway
green
group
String
64
groupid
UINT32
10
handshake
String
32
hash
A character.
String
32
hostname
String
128
identidx
UINT32
10
infected
UINT32
10
sages.
informationsource
String
intercepted
UINT32
10
String
32
messages.
interface
Log Reference
Fortinet Technologies Inc.
104
Event Log
System
Data Type
Length
intf
The interface.
String
16
ip
The IP address.
IP Address
39
iptype
String
16
lease
UINT32
10
UINT32
10
String
11
UINT32
10
len
level
limit
local
IP Address
39
log
String
32
logdesc
String
logid
String
10
17
Value
String
major
UINT8
max
UINT8
max_minor
mem
UINT8
The memory usage for per-
UINT8
formance.
min
min_minor
105
UINT8
UINT8
Log Reference
Fortinet Technologies Inc.
System
Event Log
Data Type
Length
minor
UINT8
mode
The mode.
String
12
module
String
32
monitor-name
String
32
monitor-type
String
32
msg
String
Value
String
16
mtu
UINT32
10
unit.
name
String
128
nat
IP Address
39
lation.
new_status
String
512
new_value
String
128
newchannel
UINT8
newchassisid
UINT8
newslot
UINT8
Log Reference
Fortinet Technologies Inc.
106
Event Log
System
Data Type
Length
nf_type
String
14
Value
bword
file_block
carrier_ep_bwl
flood
dupe
alert
mms_checksum
virus
old_status
String
512
old_value
String
16
name.
oldchannel
UINT8
oldchassisid
UINT8
oldslot
UINT8
passwd
The password.
String
20
pid
UINT32
10
policyid
UINT32
10
this log.
poolname
String
36
port
UINT16
portbegin
UINT16
portend
UINT16
probeproto
String
16
process
String
107
Log Reference
Fortinet Technologies Inc.
System
Event Log
Data Type
Length
processtime
UINT32
profile
String
64
profile_vd
String
64
String
String
64
Value
file.
profilegroup
profiletype
proto
UINT8
reason
String
256
recorded.
received
UINT8
received.
recv_minor
UINT8
red
String
32
remote
IP Address
39
reporttype
String
20
saddr
String
80
UINT32
10
String
36
'srcip'.
scanned
sensor
Log Reference
Fortinet Technologies Inc.
108
Event Log
System
Data Type
Length
serial
UINT32
10
String
16
Value
message.
serialno
server
String
64
service
String
64
UINT32
10
session_id
UINT32
10
setuprate
UINT64
20
slot
UINT8
sn
String
64
String
64
src_int
src_port
UINT16
srcip
IP Address
39
ssl2
UINT8
state
status
String
64
String
23
String
32
109
Log Reference
Fortinet Technologies Inc.
System
Event Log
Data Type
Length
subtype
String
20
UINT32
10
Value
sysconserve
String
32
time
String
to
String
512
UINT32
10
notification.
total
totalsession
UINT32
10
trace_id
String
32
type
String
16
ui
String
64
UINT32
10
String
512
UINT32
10
String
256
unit
url
The URLaddress.
used
user
vd
String
32
version
String
64
vip
String
64
virus
String
128
Log Reference
Fortinet Technologies Inc.
110
Event Log
111
System
Log Reference
Fortinet Technologies Inc.
Message
ID
Message
20000
20000
20001
LOG_ID_CLIENT_
Description
Severity
Debug
Client is disassociated
Information
Client is disassociated
Debug
LOG_ID_DOMAIN_
Notice
UNRESOLVABLE
20003
LOG_ID_MAIL_SENT_FAIL
Notice
20004
LOG_ID_POLICY_TOO_BIG
Unknown
20005
LOG_ID_PPP_LINK_UP
Information
20006
LOG_ID_PPP_LINK_DOWN
Information
20007
20007
Critical
DISASSOCIATED
20001
LOG_ID_CLIENT_
DISASSOCIATED
20002
LOG_ID_CLIENT_NEW_
Client is associated
Information
ASSOCIATION
20012
LOG_ID_CLIENT_WPA_1X
Client supports 1X
Information
20013
LOG_ID_CLIENT_WPA_SSN
Information
20015
LOG_ID_IEEE802_NEW_
Information
STATION
authentication
LOG_ID_MODEM_EXCEED_
20016
Information
REDIAL_COUNT
112
Log Reference
Fortinet Technologies Inc.
System
Event Log
Message
ID
Message
Description
Severity
20017
LOG_ID_MODEM_FAIL_TO_
Information
OPEN
20020
LOG_ID_MODEM_HOTPLUG
Warning
20020
LOG_ID_MODEM_HOTPLUG
Information
20021
LOG_ID_MAIL_RESENT
Information
cessful
20025
LOG_ID_REPORTD_REPORT_
Notice
Error
LOG_ID_REPORT_DEL_OLD_
Warning
REC
base records
20031
LOG_ID_RAD_OUT_OF_MEM
Critical
20032
LOG_ID_RAD_NOT_FOUND
Critical
20033
LOG_ID_RAD_MOBILE_IPV6
Information
SUCCESS
20026
LOG_ID_REPORTD_REPORT_
FAILURE
20027
sions
20034
LOG_ID_RAD_IPV6_OUT_OF_
RANGE
Critical
range
20035
20036
LOG_ID_RAD_MIN_OUT_OF_
RANGE
of range
LOG_ID_RAD_MAX_OUT_OF_
RANGE
Critical
Critical
range
20037
LOG_ID_RAD_MAX_ADV_
OUT_OF_RANGE
of range
Log Reference
Fortinet Technologies Inc.
Critical
113
Event Log
System
Message
ID
Message
Description
Severity
20038
LOG_ID_RAD_MTU_OUT_OF_
Critical
RANGE
range
LOG_ID_RAD_MTU_TOO_
Critical
LOG_ID_RAD_TIME_TOO_
Interface "AdvReachableTime" is
Critical
SMALL
small
LOG_ID_RAD_HOP_OUT_OF_
RANGE
LOG_ID_RAD_DFT_HOP_
OUT_OF_RANGE
LOG_ID_RAD_AGENT_OUT_
Interface "HomeAgentLifetime" in
OF_RANGE
20039
SMALL
20040
20041
20042
20043
Critical
Critical
Critical
of range
20044
LOG_ID_RAD_AGENT_FLAG_
Interface "AdvHomeAgentFlag
NOT_SET
HomeAgentLifetime" in router
Critical
LOG_ID_RAD_PREFIX_TOO_
Critical
LOG_ID_RAD_PREF_TIME_
Critical
TOO_SMALL
than "AdvPreferredLifetime"
LOG_ID_RAD_FAIL_IPV6_
SOCKET
socket
LOG_ID_RAD_FAIL_OPT_
IPV6_PKTINFO
PKTINFO option
LOG_ID_RAD_FAIL_OPT_
IPV6_CHECKSUM
CHECKSUM option
LONG
20046
20047
20048
20049
114
Critical
Critical
Critical
Log Reference
Fortinet Technologies Inc.
System
Event Log
Message
ID
Message
Description
Severity
20050
LOG_ID_RAD_FAIL_OPT_
Critical
IPV6_UNICAST_HOPS
UNICAST_HOPS option
LOG_ID_RAD_FAIL_OPT_
IPV6_MULTICAST_HOPS
MULTICAST_HOPS option
LOG_ID_RAD_FAIL_OPT_
IPV6_HOPLIMIT
HOPLIMIT option
LOG_ID_RAD_FAIL_OPT_
IPPROTO_ICMPV6
FILTER option
LOG_ID_RAD_EXIT_BY_
Information
LOG_ID_RAD_FAIL_CMDB_
Critical
QUERY
LOG_ID_RAD_FAIL_CMDB_
FOR_EACH
20051
20052
20053
20054
Critical
Critical
Critical
SIGNAL
20055
20056
Critical
used
20057
20058
LOG_ID_RAD_FAIL_FIND_
VIRT_INTF
LOG_ID_RAD_UNLOAD_INTF
Critical
Information
face
20059
LOG_ID_RAD_NO_PKT_INFO
Warning
no pkt_info
20060
20061
20062
LOG_ID_RAD_INV_ICMPV6_
LEN
LOG_ID_RAD_INV_ICMPV6_
TYPE
LOG_ID_RAD_INV_ICMPV6_
RA_LEN
Log Reference
Fortinet Technologies Inc.
Warning
Critical
Warning
115
Event Log
System
Message
ID
Message
Description
Severity
20063
LOG_ID_RAD_ICMPV6_NO_
Warning
SRC_ADDR
20064
20065
20066
20067
LOG_ID_RAD_INV_ICMPV6_
RS_LEN
LOG_ID_RAD_INV_ICMPV6_
CODE
LOG_ID_RAD_INV_ICMPV6_
HOP
LOG_ID_RAD_MISMATCH_
HOP
Warning
Warning
Warning
Warning
remote site
20068
LOG_ID_RAD_MISMATCH_
Interface "AdvManagedFlag" on
MGR_FLAG
Warning
remote site
20069
LOG_ID_RAD_MISMATCH_
Interface "AdvOtherConfigFlag" on
OTH_FLAG
Warning
remote site
20070
LOG_ID_RAD_MISMATCH_
Interface "AdvReachableTime" on
TIME
Warning
remote site
20071
LOG_ID_RAD_MISMATCH_
Interface "AdvRetransTimer" on
TIMER
Warning
remote site
20072
LOG_ID_RAD_EXTRA_DATA
Critical
packet
20073
LOG_ID_RAD_NO_OPT_DATA
Critical
no option data
116
Log Reference
Fortinet Technologies Inc.
System
Event Log
Message
ID
Message
Description
Severity
20074
LOG_ID_RAD_INV_OPT_LEN
Critical
LOG_ID_RAD_MISMATCH_
MTU
Warning
remote site
20077
LOG_ID_RAD_MISMATCH_
Interface "AdvPreferredLifetime" on
PREF_TIME
Warning
remote site
20078
LOG_ID_RAD_INV_OPT
Critical
LOG_ID_RAD_READY
Information
20080
LOG_ID_RAD_FAIL_TO_RCV
Critical
20081
LOG_ID_RAD_INV_HOP
Critical
a wrong IPV6_HOPLIMIT
20082
LOG_ID_RAD_INV_PKTINFO
Critical
a wrong IPV6_PKTINFO
20083
20084
LOG_ID_RAD_FAIL_TO_
CHECK
LOG_ID_RAD_FAIL_TO_SEND
Warning
Warning
sendmsg ()
20085
20085
Session status
Information
20086
20086
Unknown
20090
LOG_ID_INTF_LINK_STA_
Notice
Information
CHG
20099
LOG_ID_INTF_STA_CHG
20100
20100
Log Reference
Fortinet Technologies Inc.
Critical
117
Event Log
System
Message
ID
Message
Description
Severity
20101
LOG_ID_WEB_LIC_EXPIRE
Critical
expired
20101
LOG_ID_WEB_LIC_EXPIRE
Warning
expired
20102
LOG_ID_SPAM_LIC_EXPIRE
Critical
expired
20102
LOG_ID_SPAM_LIC_EXPIRE
Warning
expired
20103
LOG_ID_AV_LIC_EXPIRE
Critical
expired
20103
LOG_ID_AV_LIC_EXPIRE
Warning
expired
20104
LOG_ID_IPS_LIC_EXPIRE
Warning
20105
LOG_ID_LOG_UPLOAD_SKIP
Warning
20107
LOG_ID_LOG_UPLOAD_ERR
Warning
20108
LOG_ID_LOG_UPLOAD_DONE
Notice
20110
LOG_ID_HPAPI_ESPD_START
Notice
tialized
20111
LOG_ID_HPAPI_ESPD_RESET
Warning
20113
LOG_ID_IPSA_DOWNLOAD_
Error
Error
Error
FAIL
20114
LOG_ID_IPSA_SELFTEST_
FAIL
20115
LOG_ID_IPSA_STATUSUPD_
FAIL
118
Log Reference
Fortinet Technologies Inc.
System
Event Log
Message
ID
Message
Description
Severity
20200
LOG_ID_FIPS_SELF_TEST
Notice
self test
20201
20202
20203
LOG_ID_FIPS_SELF_ALL_
Notice
TEST
LOG_ID_DISK_FORMAT_
ERROR
ting
LOG_ID_DAEMON_
Daemon shutdown
Information
Warning
SHUTDOWN
20204
LOG_ID_DAEMON_START
Daemon started
Information
20205
LOG_ID_DISK_FORMAT_REQ
Critical
20206
LOG_ID_DISK_SCAN_REQ
Warning
22000
LOG_ID_INV_PKT_LEN
Warning
LOG_ID_UNSUPPORTED_
Warning
PROT_VER
22002
LOG_ID_INV_REQ_TYPE
Warning
22003
LOG_ID_FAIL_SET_SIG_
Warning
Warning
LOG_ID_FAIL_CREATE_
Warning
SOCKET_RETRY
LOG_ID_FAIL_REG_CMDB_
HANDLER
22004
LOG_ID_FAIL_CREATE_
SOCKET
22005
22006
Warning
EVENT
Log Reference
Fortinet Technologies Inc.
119
Event Log
System
Message
ID
Message
Description
Severity
22009
LOG_ID_FAIL_FIND_AV_
Warning
Debug
PROFILE
22009
LOG_ID_FAIL_FIND_AV_
PROFILE
22010
LOG_ID_SENDTO_FAIL
Error
22011
22011
Unknown
22012
22012
Unknown
22013
22013
Alert
22014
22014
Alert
22014
22014
Notice
22015
LOG_ID_EXCEED_VD_RES_
Notice
LIMIT
22016
22016
Notice
22020
LOG_ID_FAIL_CREATE_HA_
Warning
SOCKET
LOG_ID_FAIL_CREATE_HA_
SOCKET_RETRY
nection to HA master
LOG_ID_QUAR_DROP_TRAN_
JOB
quarantine daemon
LOG_ID_QUAR_DROP_TLL_
JOB
nection
22102
LOG_ID_LOG_DISK_FAILURE
Critical
22103
LOG_ID_QUAR_DAILY_LIMIT_
Warning
REACHED
reaced
LOG_ID_POWER_RESTORE
22021
22100
22101
22104
120
Warning
Warning
Warning
Critical
Log Reference
Fortinet Technologies Inc.
System
Event Log
Message
ID
Message
Description
Severity
22104
LOG_ID_POWER_RESTORE
Notice
22105
LOG_ID_POWER_FAILURE
Critical
22105
LOG_ID_POWER_FAILURE
Warning
22106
LOG_ID_POWER_OPTIONAL_
Information
Warning
NOT_DETECTED
22106
LOG_ID_POWER_OPTIONAL_
NOT_DETECTED
22107
LOG_ID_VOLT_ANOM
Warning
22108
LOG_ID_FAN_ANOM
Warning
22109
LOG_ID_TEMP_TOO_HIGH
Warning
22110
LOG_ID_SPARE_BLOCK_LOW
Critical
device is low
22150
LOG_ID_VOLT_NOM
Notice
22151
LOG_ID_FAN_NOM
Notice
22152
LOG_ID_TEMP_TOO_LOW
Warning
22153
LOG_ID_TEMP_NORM
Notice
22200
LOG_ID_AUTO_UPT_CERT
Warning
22201
LOG_ID_AUTO_GEN_CERT
Warning
22201
LOG_ID_AUTO_GEN_CERT
Information
22202
LOG_ID_AUTO_UPT_CERT_
Error
Error
Critical
FAIL
22203
LOG_ID_AUTO_GEN_CERT_
FAIL
22700
LOG_ID_IPS_FAIL_OPEN
Log Reference
Fortinet Technologies Inc.
121
Event Log
System
Message
ID
Message
Description
Severity
22800
LOG_ID_SCAN_SERV_FAIL
Critical
22801
LOG_ID_SCAN_LEAVE_
Critical
CONSERVE_MODE
serve mode
LOG_ID_SYS_ENTER_
Critical
Critical
22802
CONSERVE_MODE
22803
LOG_ID_SYS_LEAVE_
CONSERVE_MODE
22804
LOG_ID_LIC_STATUS_CHG
Critical
22805
LOG_ID_FAIL_TO_VALIDATE_
Warning
LIC
22806
LOG_ID_DUP_LIC
Warning
22810
LOG_ID_SCAN_ENTER_
Critical
CONSERVE_MODE
serve mode
22900
LOG_ID_CAPUTP_SESSION
Notice
22901
LOG_ID_FAZ_CON
Connected to FortiAnalyzer
Notice
22902
LOG_ID_FAZ_DISCON
Notice
22903
LOG_ID_FAZ_CON_ERR
Critical
22916
LOG_ID_FDS_STATUS
Notice
22917
LOG_ID_FDS_SMS_QUOTA
Notice
22921
LOG_ID_EVENT_ROUTE_
Critical
INFO_CHANGED
22922
LOG_ID_EVENT_LINK_
Notice
MONITOR_STATUS
122
Log Reference
Fortinet Technologies Inc.
System
Event Log
Message
ID
Message
Description
Severity
22923
LOG_ID_EVENT_VWL_LQTY_
Notice
Notice
STATUS
22924
LOG_ID_EVENT_VWL_
VOLUME_STATUS
26001
LOG_ID_DHCP_MSG
Information
26001
LOG_ID_DHCP_MSG
Unknown
26002
LOG_ID_DHCP_NO_SHARE_
Error
NET
26003
LOG_ID_DHCP_STAT
Information
26004
LOG_ID_DHCP_MULT_SUB_
Error
NET
nets
LOG_ID_DHCP_INV_ADDR_
RANGE
the network
LOG_ID_DHCP_LEASE_
Warning
26005
26006
Error
USAGE
29001
LOG_ID_PPPD_MSG
Unknown
29002
LOG_ID_PPPD_AUTH_SUC
Notice
29002
LOG_ID_PPPD_AUTH_SUC
Debug
29003
LOG_ID_PPPD_AUTH_FAIL
Notice
29009
LOG_ID_PPPOE_STATUS_
Notice
Error
REPORT
29011
LOG_ID_PPPD_FAIL_TO_
EXEC
29012
LOG_ID_PPP_OPT_ERR
Unknown
29013
LOG_ID_PPPD_START
PPPD is started
Notice
Log Reference
Fortinet Technologies Inc.
123
Event Log
System
Message
ID
Message
Description
Severity
29014
LOG_ID_PPPD_EXIT
PPPD is exiting
Information
29015
LOG_ID_PPP_RCV_BAD_
Error
PEER_IP
address
LOG_ID_PPP_RCV_BAD_
LOCAL_IP
address
LOG_ID_PPP_OPT_NOTIF
29016
29017
Error
Unknown
fications
29020
LOG_ID_WIRELESS_SET_
Notice
Unknown
Warning
Information
FAIL
29020
LOG_ID_WIRELESS_SET_
FAIL
29021
LOG_ID_EVENT_AUTH_
SNMP_QUERY_FAILED
32001
LOG_ID_ADMIN_LOGIN_
SUCC
32002
LOG_ID_ADMIN_LOGIN_FAIL
Alert
32003
LOG_ID_ADMIN_LOGOUT
Information
32005
LOG_ID_ADMIN_OVERIDE_
Information
VDOM
cessfully
LOG_ID_ADMIN_ENTER_
VDOM
VDOM
LOG_ID_ADMIN_LEFT_VDOM
32006
32007
Information
Information
VDOM
32008
LOG_ID_VIEW_LOG_FAIL
Warning
32009
LOG_ID_SYSTEM_START
FortiGate started
Information
32010
LOG_ID_DISK_LOG_FULL
Emergency
124
Log Reference
Fortinet Technologies Inc.
System
Event Log
Message
ID
Message
Description
Severity
32010
LOG_ID_DISK_LOG_FULL
Information
32010
LOG_ID_DISK_LOG_FULL
Unknown
32011
LOG_ID_LOG_ROLL
Notice
32012
LOG_ID_FIPS_LEAVE_ERR_
Information
Warning
MOD
32014
LOG_ID_CS_LIC_EXPIRE
license expiring
32015
LOG_ID_DISK_LOG_USAGE
Warning
32018
LOG_ID_FIPS_ENTER_ERR_
Emergency
Warning
Alert
MOD
32020
LOG_ID_SSH_CORRPUT_
MAC
32021
LOG_ID_ADMIN_LOGIN_
DISABLE
32022
LOG_ID_VDOM_ENABLED
VDOM enabled
Notice
32023
LOG_ID_MEM_LOG_FULL
Warning
32023
LOG_ID_MEM_LOG_FULL
Information
32024
LOG_ID_ADMIN_PASSWD_
Notice
Critical
EXPIRE
32026
LOG_ID_STORE_CONF_FAIL
LOG_ID_VIEW_LOG_SUCC
Notice
32028
LOG_ID_LOG_DEL_DIR
Information
32029
LOG_ID_LOG_DEL_FILE
Warning
Log Reference
Fortinet Technologies Inc.
125
Event Log
System
Message
ID
Message
Description
Severity
32030
LOG_ID_SEND_FDS_STAT
Notice
32035
LOG_ID_VDOM_DISABLED
VDOM disabled
Notice
32040
LOG_ID_REPORT_DELETED
Report deleted
Information
32045
LOG_ID_MGR_LIC_EXPIRE
Warning
license is expiring
32048
LOG_ID_SCHEDULE_EXPIRE
Warning
32049
LOG_ID_FC_EXPIRE
Warning
32051
LOG_ID_LOG_UPLOAD
Notice
VDOM
32086
32087
LOG_ID_ENTER_
TRANSPARENT
LOG_ID_ENTER_NAT
Warning
Warning
32096
32100
LOG_ID_GUI_CHG_SUB_
Warning
MODULE
LOG_ID_GUI_DOWNLOAD_
LOG
LOG_ID_FORTI_TOKEN_
FortiToken synchronization
Warning
Notice
Warning
SYNC
32101
LOG_ID_LCD_CHG_CONF
LOG_ID_CHG_CONFIG
Unknown
configuration
32103
LOG_ID_NEW_FIRMWARE
Notice
on FortiGuard
32120
126
LOG_ID_RPT_ADD_DATASET
Notice
Log Reference
Fortinet Technologies Inc.
System
Event Log
Message
ID
Message
Description
Severity
32122
LOG_ID_RPT_DEL_DATASET
Notice
32125
LOG_ID_RPT_ADD_CHART
Notice
32126
LOG_ID_RPT_DEL_CHART
Notice
32129
LOG_ID_ADD_GUEST
Notice
32130
LOG_ID_CHG_USER
Notice
32131
LOG_ID_DEL_GUEST
Notice
32132
LOG_ID_ADD_USER
Notice
32138
LOG_ID_REBOOT
Device rebooted
Critical
32139
LOG_ID_UPD_SIGN_DB
Critical
32139
LOG_ID_UPD_SIGN_DB
Warning
32139
LOG_ID_UPD_SIGN_DB
Notice
32140
LOG_ID_NTP_SVR_STAUS_
Notice
CHG
32142
LOG_ID_BACKUP_CONF
Alert
32142
LOG_ID_BACKUP_CONF
Warning
32142
LOG_ID_BACKUP_CONF
Error
32142
LOG_ID_BACKUP_CONF
Notice
32148
LOG_ID_GET_CRL
Notice
32149
LOG_ID_COMMAND_FAIL
Command failed
Notice
32151
LOG_ID_ADD_IP6_LOCAL_
Notice
POL
added
Log Reference
Fortinet Technologies Inc.
127
Event Log
System
Message
ID
Message
Description
Severity
32152
LOG_ID_CHG_IP6_LOCAL_
Notice
POL
has changed
LOG_ID_DEL_IP6_LOCAL_
POL
deleted
32155
LOG_ID_ACT_FTOKEN_REQ
Notice
32156
LOG_ID_ACT_FTOKEN_SUCC
Notice
32157
LOG_ID_SYNC_FTOKEN_
Successfully synchronized
Notice
SUCC
FortiToken
32158
LOG_ID_SYNC_FTOKEN_FAIL
Notice
32159
LOG_ID_ACT_FTOKEN_FAIL
Notice
32168
LOG_ID_REACH_VDOM_
Notice
LIMIT
limit reached
32170
LOG_ID_ALARM_MSG
Alert
32171
LOG_ID_ALARM_ACK
Alarm is acknowledged
Alert
32172
LOG_ID_ADD_IP4_LOCAL_
Notice
POL
added
LOG_ID_CHG_IP4_LOCAL_
POL
LOG_ID_DEL_IP4_LOCAL_
POL
deleted
LOG_ID_SSL_PROXY_CA_
Warning
Notice
Device shutdown
Critical
32153
32173
32174
32188
Notice
Notice
Notice
INIT_FAIL
32188
LOG_ID_SSL_PROXY_CA_
INIT_FAIL
32200
128
LOG_ID_SHUTDOWN
Log Reference
Fortinet Technologies Inc.
System
Event Log
Message
ID
Message
Description
Severity
32201
LOG_ID_LOAD_IMG_SUCC
Critical
FIPS CC mode
32202
LOG_ID_RESTORE_IMG
Image restored
Critical
32203
LOG_ID_RESTORE_CONF
Configuration restored
Critical
32203
LOG_ID_RESTORE_CONF
Configuration restored
Warning
32203
LOG_ID_RESTORE_CONF
Configuration restored
Notice
32204
LOG_ID_RESTORE_FGD_SVR
Critical
32204
LOG_ID_RESTORE_FGD_SVR
Notice
32205
LOG_ID_RESTORE_VDOM_
VM license restored
Critical
VM license restored
Notice
LIC
32205
LOG_ID_RESTORE_VDOM_
LIC
32206
LOG_ID_RESTORE_SCRIPT
Script restored
Warning
32207
LOG_ID_RETRIEVE_CONF_
Warning
LIST
32208
LOG_ID_IMP_PKCS12_CERT
Critical
32209
LOG_ID_RESTORE_USR_
Critical
DEF_IPS
natures
LOG_ID_RESTORE_USR_
DEF_IPS
natures
LOG_ID_BACKUP_IMG
32209
32210
Notice
Notice
backed up
32211
LOG_ID_UPLOAD_REVISION
Notice
32212
LOG_ID_DEL_REVISION
Notice
cessfully
Log Reference
Fortinet Technologies Inc.
129
Event Log
System
Message
ID
Message
Description
Severity
32213
LOG_ID_RESTORE_
Template restored
Warning
TEMPLATE
32214
LOG_ID_RESTORE_FILE
Warning
32215
LOG_ID_UPT_IMG
Critical
image
32217
LOG_ID_UPD_IPS
Warning
LOG_ID_UPD_IPS
Notice
LOG_ID_UPD_DLP
Warning
LOG_ID_BACKUP_OUTPUT
Warning
LOG_ID_BACKUP_COMMAND
Warning
LOG_ID_UPD_VDOM_LIC
Warning
LOG_ID_GLB_SETTING_CHG
Notice
setting
32223
32223
32224
130
LOG_ID_BACKUP_USER_
DEF_IPS
signatures
LOG_ID_BACKUP_USER_
DEF_IPS
signatures
LOG_ID_BACKUP_LOG
Error
Notice
Notice
Log Reference
Fortinet Technologies Inc.
System
Event Log
Message
ID
Message
Description
Severity
32225
LOG_ID_DEL_ALL_REVISION
Notice
LOG_ID_LOAD_IMG_FAIL
Critical
32240
LOG_ID_SYS_USB_MODE
Critical
32252
LOG_ID_FACTORY_RESET
Critical
tings
32253
LOG_ID_FORMAT_RAID
Critical
RAID disk
32254
LOG_ID_ENABLE_RAID
Critical
32255
LOG_ID_DISABLE_RAID
Critical
32300
LOG_ID_UPLOAD_RPT_IMG
Notice
32301
LOG_ID_ADD_VDOM
VDOM added
Notice
32302
LOG_ID_DEL_VDOM
VDOM deleted
Notice
32340
LOG_ID_LOG_DISK_UNAVAIL
Disk is unavailable
Critical
32340
LOG_ID_LOG_DISK_UNAVAIL
Disk is unavailable
Warning
32341
LOG_ID_LOG_DISK_
Notice
DEFAULT_DISABLED
32400
LOG_ID_CONF_CHG
Alert
32545
LOG_ID_SYS_RESTART
Critical
LOG_ID_APPLICATION_
Application crashed
Warning
LOG_ID_EVENT_SYSTEM_
Warning
MAC_HOST_STORE_LIMIT
CRASH
36880
sistently stored
Log Reference
Fortinet Technologies Inc.
131
Event Log
System
Message
ID
Message
Description
Severity
38400
LOGID_EVENT_NOTIF_SEND_
Notice
SUCC
fication message
LOGID_EVENT_NOTIF_SEND_
FAIL
notification message
LOGID_EVENT_NOTIF_DNS_
FAIL
an MMSC hostname
LOGID_EVENT_NOTIF_
INSUFFICIENT_RESOURCE
fication
LOGID_EVENT_NOTIF_
HOSTNAME_ERROR
name
LOGID_NOTIF_CODE_
SENDTO_SMS_PHONE
LOGID_NOTIF_CODE_
SENDTO_SMS_TO
LOGID_NOTIF_CODE_
SENDTO_EMAIL
40704
LOG_ID_EVENT_SYS_PERF
Notice
41000
LOG_ID_UPD_FGT_SUCC
Notice
38401
38402
38403
38404
38405
38406
38407
Warning
Notice
Critical
Error
Notice
Notice
Notice
FortiGate successfully
41001
LOG_ID_UPD_FGT_FAIL
Critical
LOG_ID_UPD_SRC_VIS
Notice
age is updated
41003
LOG_ID_INVALID_UPD_LIC
Critical
41005
LOG_ID_UPD_VCM
Notice
132
Log Reference
Fortinet Technologies Inc.
System
Event Log
Message
ID
Message
Description
Severity
43264
LOGID_MMS_STATS
MMS statistics
Information
43776
LOGID_EVENT_NAC_
Notice
Critical
Critical
Critical
Critical
Critical
Critical
Critical
Critical
Critical
Critical
Configured path
Information
Configured object
Information
QUARANTINE
43800
LOG_ID_EVENT_ELBC_
BLADE_JOIN
43801
LOG_ID_EVENT_ELBC_
BLADE_LEAVE
43802
LOG_ID_EVENT_ELBC_
MASTER_BLADE_FOUND
43803
LOG_ID_EVENT_ELBC_
MASTER_BLADE_LOST
43804
LOG_ID_EVENT_ELBC_
MASTER_BLADE_CHANGE
43805
LOG_ID_EVENT_ELBC_
ACTIVE_CHANNEL_FOUND
43806
LOG_ID_EVENT_ELBC_
ACTIVE_CHANNEL_LOST
43807
LOG_ID_EVENT_ELBC_
ACTIVE_CHANNEL_CHANGE
43808
LOG_ID_EVENT_ELBC_
CHASSIS_ACTIVE
43809
LOG_ID_EVENT_ELBC_
CHASSIS_INACTIVE
44544
LOGID_EVENT_CONFIG_
PATH
44545
LOGID_EVENT_CONFIG_OBJ
Log Reference
Fortinet Technologies Inc.
133
Event Log
System
Message
ID
Message
Description
Severity
44546
LOGID_EVENT_CONFIG_
Configured attribute
Information
Information
ATTR
44547
LOGID_EVENT_CONFIG_
OBJATTR
45000
LOG_ID_VSD_SSL_RCV_HS
Debug
45001
LOG_ID_VSD_SSL_RCV_
Error
WRG_HS
message
45002
LOG_ID_VSD_SSL_SENT_HS
Debug
45003
LOG_ID_VSD_SSL_WRG_HS_
Error
LEN
45004
LOG_ID_VSD_SSL_RCV_CCS
Debug
45005
LOG_ID_VSD_SSL_RSA_DH_
Error
FAIL
meters failed
45006
LOG_ID_VSD_SSL_SENT_CCS
Debug
45007
LOG_ID_VSD_SSL_BAD_HASH
Error
LOG_ID_VSD_SSL_DECRY_
Error
Debug
LOG_ID_VSD_SSL_LESS_
Error
MINOR
LOG_ID_VSD_SSL_REACH_
MAX_CON
reached
LOG_ID_VSD_SSL_NOT_
FAIL
45010
LOG_ID_VSD_SSL_SESSION_
CLOSED
45011
45012
45013
Warning
Error
SUPPORT_CS
134
Log Reference
Fortinet Technologies Inc.
System
Event Log
Message
ID
Message
Description
Severity
45016
LOG_ID_VSD_SSL_HS_FIN
Debug
45017
LOG_ID_VSD_SSL_HS_TOO_
Error
LOG_ID_VSD_SSL_MORE_
Debug
MINOR
LOG_ID_VSD_SSL_SENT_
Error
Debug
Debug
LONG
45018
45019
ALERT_ERR
45020
LOG_ID_VSD_SSL_SESSION_
EXPIRE
45021
LOG_ID_VSD_SSL_SENT_
ALERT
45022
LOG_ID_VSD_SSL_RCV_CH
Debug
45023
LOG_ID_VSD_SSL_RCV_SH
Debug
45024
LOG_ID_VSD_SSL_SENT_SH
Debug
45025
LOG_ID_VSD_SSL_RCV_
Error
Debug
Error
LOG_ID_VSD_SSL_BAD_CCS_
Error
LEN
rect length
LOG_ID_VSD_SSL_BAD_DH
ALERT
45025
LOG_ID_VSD_SSL_RCV_
ALERT
45027
LOG_ID_VSD_SSL_INVALID_
CONT_TYPE
45029
45031
Error
value
45032
LOG_ID_VSD_SSL_PUB_KEY_
TOO_BIG
Log Reference
Fortinet Technologies Inc.
Error
135
Event Log
System
Message
ID
Message
Description
Severity
45033
LOG_ID_VSD_SSL_NOT_
Error
SUPPORT_CM
supported
LOG_ID_VSD_SSL_SERVER_
KEY_HASH_ALGORITHM_
algorithm mismatch
45034
Error
MISMATCH
45035
LOG_ID_VSD_SSL_SERVER_
KEY_SIGNATURE_
algorithm mismatch
Error
ALGORITHM_MISMATCH
46000
LOG_ID_VIP_REAL_SVR_ENA
Notice
46001
LOG_ID_VIP_REAL_SVR_DISA
Alert
46002
LOG_ID_VIP_REAL_SVR_UP
Notice
46003
LOG_ID_VIP_REAL_SVR_
Alert
LOG_ID_VIP_REAL_SVR_
Notice
ENT_HOLDDOWN
down period
LOG_ID_VIP_REAL_SVR_
FAIL_HOLDDOWN
hold-down period
LOG_ID_VIP_REAL_SVR_FAIL
DOWN
46004
46005
46006
Alert
Debug
LOG_ID_EVENT_EXT_SYS
Unknown
46401
LOG_ID_EVENT_EXT_LOCAL
FortiExtender AC activity
Unknown
46402
LOG_ID_EVENT_EXT_
Unknown
Emergency
Emergency
REMOTE
47201
LOG_ID_AMC_ENTER_
BYPASS
47202
136
LOG_ID_AMC_EXIT_BYPASS
Log Reference
Fortinet Technologies Inc.
System
Event Log
Message
ID
Message
Description
Severity
47203
LOG_ID_ENTER_BYPASS
Emergency
mode
47204
LOG_ID_EXIT_BYPASS
Emergency
mode
Log Reference
Fortinet Technologies Inc.
137
User
Event-User log messages record what users are configuring on the FortiGate unit, and what is occurring on the
FortiGate unit. For example, memory storage is becoming full.
In the log fields, these logs are defined as: type=event; subtype= user.
Log Field
Description
Data Type
Length Value
acct_stat
The accounting
String
14
l
l
state (RADIUS).
l
l
l
action
String
32
String
128
String
64
String
64
UINT32
10
UINT32
10
Accounting-Off
Accounting-On
Interim-Update
start
stop
FortiGate unit
should take for this
policy.
adgroup
authproto
carrier_ep
category
count
138
Log Reference
Fortinet Technologies Inc.
User
Event Log
Log Field
Description
Data Type
Length Value
date
String
10
String
16
IP Address
39
UINT32
10
String
64
String
64
String
64
String
11
dstip
The destination IP
address.
duration
expiry
The FortiGuard
override expiry
timestamp.
group
initiator
level
logdesc
String
tion.
Log Reference
Fortinet Technologies Inc.
139
Event Log
User
Log Field
Description
Data Type
Length Value
logid
A ten-digit number.
String
10
The activity or
String
String
64
UINT32
10
String
36
portbegin
UINT16
portend
UINT16
UINT8
String
256
rsso_key
String
64
scope
String
16
server
String
64
profile.
policyid
poolname
proto
The protocol
name.
reason
140
Log Reference
Fortinet Technologies Inc.
User
Event Log
Log Field
Description
Data Type
Length Value
srcip
The source IP
IP Address
39
String
23
String
20
String
address.
status
subtype
time
type
String
16
ui
String
64
user
String
256
String
32
Log Reference
Fortinet Technologies Inc.
141
Message
ID
Message
Description
Severity
38010
LOG_ID_FIPS_ENCRY_FAIL
Alert
38011
LOG_ID_FIPS_DECRY_FAIL
Alert
38031
LOG_ID_FSSO_LOGON
Notice
38032
LOG_ID_FSSO_LOGOFF
Notice
38033
LOG_ID_FSSO_SVR_STATUS
Notice
authentication status
38656
38657
LOGID_EVENT_RAD_RPT_
Notice
PROTO_ERROR
ing packet
LOGID_EVENT_RAD_RPT_
Notice
LOGID_EVENT_RAD_RPT_CTX_
Notice
NOT_FOUND
found
LOGID_EVENT_RAD_RPT_
ACCT_STOP_MISSED
stopped
LOGID_EVENT_RAD_RPT_
ACCT_EVENT
LOGID_EVENT_RAD_RPT_
OTHER
PROF_NOT_FOUND
38658
38659
38660
38661
Notice
Notice
other report
38662
LOGID_EVENT_RAD_STAT_
Notice
LOGID_EVENT_RAD_STAT_
Notice
PROF_NOT_FOUND
PROTO_ERROR
38663
142
Log Reference
Fortinet Technologies Inc.
User
Event Log
Message
ID
Message
Description
Severity
38665
LOGID_EVENT_RAD_STAT_
Notice
Notice
Notice
Notice
Notice
Notice
Notice
Notice
Notice
Notice
Notice
Warning
Notice
ACCT_STOP_MISSED
38666
LOGID_EVENT_RAD_STAT_
ACCT_EVENT
38667
LOGID_EVENT_RAD_STAT_
OTHER
38668
LOGID_EVENT_RAD_STAT_EP_
BLK
43011
LOG_ID_EVENT_AUTH_TIME_
OUT
43012
LOG_ID_EVENT_AUTH_FSAE_
AUTH_SUCCESS
43013
LOG_ID_EVENT_AUTH_FSAE_
AUTH_FAIL
43014
LOG_ID_EVENT_AUTH_FSAE_
LOGON
43015
LOG_ID_EVENT_AUTH_FSAE_
LOGOFF
43016
LOG_ID_EVENT_AUTH_NTLM_
AUTH_SUCCESS
43017
LOG_ID_EVENT_AUTH_NTLM_
AUTH_FAIL
43018
LOG_ID_EVENT_AUTH_
FGOVRD_FAIL
43020
LOG_ID_EVENT_AUTH_
FGOVRD_SUCCESS
Log Reference
Fortinet Technologies Inc.
143
Event Log
User
Message
ID
Message
Description
Severity
43025
LOG_ID_EVENT_AUTH_PROXY_
Notice
SUCCESS
successful
LOG_ID_EVENT_AUTH_PROXY_
FAILED
failed
LOG_ID_EVENT_AUTH_PROXY_
TIME_OUT
out
LOG_ID_EVENT_AUTH_PROXY_
AUTHORIZATION_FAILED
authorization failed
LOG_ID_EVENT_AUTH_
WARNING_SUCCESS
successful
LOG_ID_EVENT_AUTH_
WARNING_TBL_FULL
failed
LOG_ID_EVENT_AUTH_LOGOUT
43026
43027
43028
43029
43030
43040
144
Notice
Notice
Notice
Notice
Warning
Notice
Log Reference
Fortinet Technologies Inc.
VPN
Event-VPN log messages record VPN user, administration and session events.
In the log fields, these logs are defined as: type=event; subtype= vpn.
Log Field
Name
Log Field
Description
Data Type
Length
action
String
32
IP Address
39
String
Value
FortiGate unit
should take for this
firewall policy.
assignip
The assigned IP
address.
cert-type
The certification
l
l
type.
l
l
cookies
String
64
String
10
String
16
String
CA
CRL
Local
Remote
devid
dir
The direction
(inbound or outbound) of packets.
145
Log Reference
Fortinet Technologies Inc.
VPN
Event Log
Log Field
Name
Log Field
Description
Data Type
Length
dst_host
The destination
String
64
UINT32
10
Value
host name.
duration
error_num
UINT
32
espauth
String
17
tication.
HMAC_SHA1
HMAC_MD5
HMAC_SHA256
esptransform
String
value.
ESP_NULL
ESP_DES
ESP_3DES
ESP_AES
exch
The exchange
String
12
name.
NSA_INIT
AUTH
CREATE_CHILD
group
String
64
String
16
String
group.
in_spi
init
The interface
name.
level
local
remote
String
11
level.
Log Reference
Fortinet Technologies Inc.
146
Event Log
VPN
Log Field
Name
Log Field
Description
Data Type
Length
locip
The local IP
IP Address
39
Value
address.
locport
UINT16
logdesc
String
tion.
logid
A ten-digit num-
String
10
String
64
The HTTP
method.
mode
The mode.
String
12
IP
Domain
aggressive
main
quick
xauth
xauth_client
msg
The activity or
String
String
128
UINT32
10
147
Log Reference
Fortinet Technologies Inc.
VPN
Event Log
Log Field
Name
Log Field
Description
Data Type
Length
out_spi
String
16
String
32
Value
Log Reference
Fortinet Technologies Inc.
148
Event Log
VPN
Log Field
Name
Log Field
Description
Data Type
Length
peer_notif
String
25
fication.
Value
NOT-APPLICABLE
INVALID-PAYLOAD-TYPE
DOI-NOT-SUPPORTED
SITUATION-NOT-SUPPORTED
INVALID-COOKIE
INVALID-MAJOR-VERSION
INVALID-MINOR-VERSION
INVALID-EXCHANGE-TYPE
INVALID-FLAGS
INVALID-MESSAGE-ID
INVALID-PROTOCOL-ID
INVALID-SPI INVALID-TRANSFORM-ID
ATTRIBUTES-NOT-SUPPORTED
NO-PROPOSAL-CHOSEN
BAD-PROPOSAL-SYNTAX
PAYLOAD-MALFORMED
INVALID-KEY-INFORMATION
INVALID-ID-INFORMATION
INVALID-CERT-ENCODING
INVALID-CERTIFICATE
BAD-CERT-REQUEST-SYNTAX
INVALID-CERT-AUTHORITY
INVALID-HASH-INFORMATION
AUTHENTICATION-FAILED
INVALID-SIGNATURE
ADDRESS-NOTIFICATION
NOTIFY-SA-LIFETIME
CERTIFICATE-UNAVAILABLE
UNSUPPORTED-EXCHANGE-TYPE
UNEQUAL-PAYLOAD-LENGTHS
CONNECTED
RESPONDER-LIFETIME
149
REPLAY-STATUS
Fortinet
INITIAL-CONTACT
R-U-THERE
Log Reference
Technologies Inc.
VPN
Event Log
Log Field
Name
Log Field
Description
Data Type
Length
phase2_name
String
128
UINT64
20
String
256
IP Address
39
Value
Phase 2 name.
rcvdbyte
The number of
bytes received.
reason
remip
The remote IP
address.
remport
UINT16
result
String
31
message.
ERROR
OK
DONE
PENDING
role
String
UINT64
20
String
16
String
16
stage
UINT8
status
String
23
sentbyte
The number of
bytes sent.
seq
The sequence
number.
spi
Log Reference
Fortinet Technologies Inc.
150
Event Log
VPN
Log Field
Name
Log Field
Description
Data Type
Length
subtype
The subtype of
String
20
String
Value
thelog message.
Thepossible values ofthis field
dependon the log
type.
time
tunnelid
UINT32
10
tunnelip
The tunnel IP
IP Address
39
address.
tunneltype
String
64
type
String
16
ui
String
64
user
String
256
String
32
String
128
String
128
String
128
vpntunnel
xauthgroup
xauthuser
151
Log Reference
Fortinet Technologies Inc.
Message Message
ID
37120
Description
MESGID_NEG_GENERIC_P1_
Value
Unknown
NOTIF
37121
MESGID_NEG_GENERIC_P1_
Unknown
ERROR
37122
MESGID_NEG_GENERIC_P2_
Unknown
NOTIF
37123
MESGID_NEG_GENERIC_P2_
Unknown
ERROR
37124
MESGID_NEG_I_P1_ERROR
Error
37125
MESGID_NEG_I_P2_ERROR
Error
37126
MESGID_NEG_NO_STATE_
Error
ERROR
37127
MESGID_NEG_PROGRESS_P1_
Unknown
NOTIF
37128
MESGID_NEG_PROGRESS_P1_
Unknown
ERROR
37129
MESGID_NEG_PROGRESS_P2_
Unknown
NOTIF
37130
MESGID_NEG_PROGRESS_P2_
Unknown
ERROR
37131
MESGID_ESP_ERROR
Unknown
37132
MESGID_ESP_CRITICAL
Unknown
37133
MESGID_INSTALL_SA
152
Installed IPsec SA
Notice
Log Reference
Fortinet Technologies Inc.
VPN
Event Log
Message Message
ID
Description
Value
37134
MESGID_DELETE_P1_SA
Notice
37135
MESGID_DELETE_P2_SA
Notice
37136
MESGID_DPD_FAILURE
Error
37137
MESGID_CONN_FAILURE
Error
37138
MESGID_CONN_UPDOWN
Notice
37139
MESGID_P2_UPDOWN
Notice
37140
MESGID_AUTO_IPSEC
Notice
37141
MESGID_CONN_STATS
Notice
37184
MESGID_NEG_GENERIC_P1_
Unknown
NOTIF_IKEV2
37185
MESGID_NEG_GENERIC_P1_
Unknown
ERROR_IKEV2
37186
MESGID_NEG_GENERIC_P2_
Unknown
NOTIF_IKEV2
37187
MESGID_NEG_GENERIC_P2_
Unknown
ERROR_IKEV2
37188
MESGID_NEG_I_P1_ERROR_
Error
Error
Error
IKEV2
37189
MESGID_NEG_I_P2_ERROR_
IKEV2
37190
MESGID_NEG_NO_STATE_
ERROR_IKEV2
37191
MESGID_NEG_PROGRESS_P1_
Unknown
NOTIF_IKEV2
Log Reference
Fortinet Technologies Inc.
153
Event Log
VPN
Message Message
ID
37192
Description
MESGID_NEG_PROGRESS_P1_
Value
Unknown
ERROR_IKEV2
37193
MESGID_NEG_PROGRESS_P2_
Unknown
NOTIF_IKEV2
37194
MESGID_NEG_PROGRESS_P2_
Unknown
ERROR_IKEV2
37195
MESGID_ESP_ERROR_IKEV2
Unknown
37196
MESGID_ESP_CRITICAL_IKEV2
Unknown
37197
MESGID_INSTALL_SA_IKEV2
Installed IPsec SA
Notice
37198
MESGID_DELETE_P1_SA_IKEV2
Notice
37199
MESGID_DELETE_P2_SA_IKEV2
Notice
37200
MESGID_DPD_FAILURE_IKEV2
Error
37201
MESGID_CONN_FAILURE_IKEV2
Error
37202
MESGID_CONN_UPDOWN_IKEV2
Notice
37203
MESGID_P2_UPDOWN_IKEV2
Notice
37204
MESGID_CONN_STATS_IKEV2
Notice
39424
LOG_ID_EVENT_SSL_VPN_
Unknown
USER_TUNNEL_UP
39425
LOG_ID_EVENT_SSL_VPN_
Unknown
USER_TUNNEL_DOWN
39426
LOG_ID_EVENT_SSL_VPN_
Unknown
USER_SSL_LOGIN_FAIL
39936
LOG_ID_EVENT_SSL_VPN_
Unknown
SESSION_WEB_TUNNEL_STATS
154
Log Reference
Fortinet Technologies Inc.
VPN
Event Log
Message Message
ID
39937
LOG_ID_EVENT_SSL_VPN_
Description
Value
Unknown
SESSION_WEBAPP_DENY
39938
LOG_ID_EVENT_SSL_VPN_
Unknown
SESSION_WEBAPP_PASS
39939
LOG_ID_EVENT_SSL_VPN_
Unknown
SESSION_WEBAPP_TIMEOUT
39940
LOG_ID_EVENT_SSL_VPN_
Unknown
SESSION_WEBAPP_CLOSE
39941
LOG_ID_EVENT_SSL_VPN_
Unknown
SESSION_SYS_BUSY
39942
LOG_ID_EVENT_SSL_VPN_
Unknown
SESSION_CERT_OK
39943
LOG_ID_EVENT_SSL_VPN_
Unknown
SESSION_NEW_CON
39944
LOG_ID_EVENT_SSL_VPN_
Unknown
SESSION_ALERT
39945
LOG_ID_EVENT_SSL_VPN_
Unknown
SESSION_EXIT_FAIL
39946
LOG_ID_EVENT_SSL_VPN_
Unknown
SESSION_EXIT_ERR
39947
LOG_ID_EVENT_SSL_VPN_
Unknown
SESSION_TUNNEL_UP
39948
LOG_ID_EVENT_SSL_VPN_
Unknown
SESSION_TUNNEL_DOWN
39949
LOG_ID_EVENT_SSL_VPN_
Unknown
SESSION_TUNNEL_STATS
Log Reference
Fortinet Technologies Inc.
155
Event Log
VPN
Message Message
ID
39950
Description
LOG_ID_EVENT_SSL_VPN_
Value
Unknown
SESSION_TUNNEL_
UNKNOWNTAG
39951
LOG_ID_EVENT_SSL_VPN_
Unknown
SESSION_TUNNEL_ERROR
39952
LOG_ID_EVENT_SSL_VPN_
Unknown
SESSION_ENTER_CONSERVE_
MODE
39953
LOG_ID_EVENT_SSL_VPN_
Unknown
SESSION_LEAVE_CONSERVE_
MODE
40001
LOG_ID_PPTP_TUNNEL_UP
PPTP tunnel up
Unknown
40002
LOG_ID_PPTP_TUNNEL_DOWN
Unknown
40003
LOG_ID_PPTP_TUNNEL_STAT
Unknown
40014
LOG_ID_PPTP_REACH_MAX_
Warning
CON
40016
LOG_ID_L2TPD_SVR_DISCON
Warning
40017
LOG_ID_L2TPD_CLIENT_CON_
Warning
FAIL
40019
LOG_ID_L2TPD_CLIENT_DISCON
Information
40021
LOG_ID_PPTP_NOT_CONIG
Debug
VDOM
40022
LOG_ID_PPTP_NO_IP_AVAIL
Warning
this VDOM
40024
LOG_ID_PPTP_OUT_MEM
Warning
40034
LOG_ID_PPTP_START
Notice
156
Log Reference
Fortinet Technologies Inc.
VPN
Event Log
Message Message
ID
Description
Value
40035
LOG_ID_PPTP_START_FAIL
Error
40036
LOG_ID_PPTP_EXIT
Notice
40037
LOG_ID_PPTPD_SVR_DISCON
Information
40038
LOG_ID_PPTPD_CLIENT_CON
Information
40039
LOG_ID_PPTPD_CLIENT_DISCON
Information
40101
LOG_ID_L2TP_TUNNEL_UP
L2TP tunnel is up
Unknown
40102
LOG_ID_L2TP_TUNNEL_DOWN
Unknown
40103
LOG_ID_L2TP_TUNNEL_STAT
Unknown
40114
LOG_ID_L2TPD_START
L2TPD started
Notice
40115
LOG_ID_L2TPD_EXIT
L2TPD exited
Notice
40118
LOG_ID_L2TPD_CLIENT_CON
Information
41984
LOG_ID_EVENT_SSL_VPN_
Information
Certificate is removed
Information
Certificate is updated
Information
Information
Certificate error
Information
Information
CERT_LOAD
41985
LOG_ID_EVENT_SSL_VPN_
CERT_REMOVAL
41987
LOG_ID_EVENT_SSL_VPN_
CERT_UPDATE
41988
LOG_ID_EVENT_SSL_VPN_
SETTING_UPDATE
41989
LOG_ID_EVENT_SSL_VPN_
CERT_ERR
41990
LOG_ID_EVENT_SSL_VPN_
CERT_UPDATE_FAILED
Log Reference
Fortinet Technologies Inc.
157
WAD
Event-Wad log messages record WAN optimization events, such as a user adding an WAN optimization rule as well as
web proxy events.
In the log fields, these logs are defined as: type=event; subtype= wad.
Log Field
Name
Data Type
Length
action
String
32
Value
String
alert
String
256
app-type
String
64
authgrp
String
36
date
String
10
The description.
String
128
devid
String
16
device.
dstip
IP Address
39
dstport
UINT16
String
256
158
Log Reference
Fortinet Technologies Inc.
WAD
Event Log
Log Field
Name
Data Type
Length
fwserver_
String
32
handshake
String
32
host
String
256
ip
The IP address.
IP Address
39
level
String
11
local
IP Address
39
logdesc
String
logid
String
Value
name
10
String
String
36
policyid
UINT32
10
UINT16
Log Reference
Fortinet Technologies Inc.
159
Event Log
WAD
Log Field
Name
Data Type
Length
reason
String
256
Value
was generated.
remote
IP Address
39
serial
UINT32
10
message.
session_id
UINT32
10
srcip
IP Address
39
srcport
UINT16
String
20
String
time
type
String
16
vd
String
32
160
Log Reference
Fortinet Technologies Inc.
Message ID
Message
Description
Severity
40960
LOGID_EVENT_WAD_
Notice
Debug
Error
Debug
LOG_ID_WAD_SSL_WRG_
Error
HS_LEN
invalid length
LOG_ID_WAD_SSL_RCV_
Debug
LOG_ID_WAD_SSL_RSA_
Error
DH_FAIL
parameters failed
LOG_ID_WAD_SSL_SENT_
Debug
LOG_ID_WAD_SSL_BAD_
Error
HASH
LOG_ID_WAD_SSL_
Error
LOG_ID_WAD_SSL_LESS_
Error
MINOR
LOG_ID_WAD_SSL_NOT_
SUPPORT_CS
supported
WEBPROXY_FWD_SRV_
ERROR
48000
LOG_ID_WAD_SSL_RCV_
HS
48001
LOG_ID_WAD_SSL_RCV_
WRG_HS
48002
LOG_ID_WAD_SSL_SENT_
HS
48003
48004
CCS
48005
48006
CCS
48007
48009
DECRY_FAIL
48011
48013
161
Error
Log Reference
Fortinet Technologies Inc.
WAD
Event Log
Message ID
Message
Description
Severity
48016
LOG_ID_WAD_SSL_HS_
Debug
Error
Error
FIN
48017
LOG_ID_WAD_SSL_HS_
TOO_LONG
48019
LOG_ID_WAD_SSL_SENT_
ALERT
Debug
48023
LOG_ID_WAD_SSL_RCV_
Error
ALERT
Debug
48027
LOG_ID_WAD_SSL_
Error
LOG_ID_WAD_SSL_BAD_
Error
CCS_LEN
invalid length
LOG_ID_WAD_SSL_BAD_
DH
rect value
LOG_ID_WAD_SSL_PUB_
Error
LOG_ID_WAD_AUTH_
Error
FAIL_CERT
tication failed
LOG_ID_WAD_AUTH_
FAIL_PSK
failed
LOG_ID_WAD_AUTH_
FAIL_OTH
failed
LOG_ID_WRG_SVR_FGT_
CONF
LOG_ID_UNEXP_APP_
TYPE
type
INVALID_CONT_TYPE
48029
48031
48032
Error
KEY_TOO_BIG
48100
48101
48102
48300
48301
Log Reference
Fortinet Technologies Inc.
Error
Error
Critical
Critical
162
Wireless
Event-Wireless log messages record wireless events that occur with FortiGate units that have WiFi capabilities.
In the log fields, these logs are defined as: type=event; subtype= wireless.
Data Type
Length
action
String
32
UINT32
10
String
36
String
36
UINT8
UINT8
Value
FortiGate unit
should take for
this firewall policy.
age
The time in
seconds - time
passed since last
seen.
ap
The physical
access point
name.
apscan
apstatus
aptype
163
Log Reference
Fortinet Technologies Inc.
Wireless
Event Log
Data Type
Length
bssid
String
17
UINT32
10
UINT8
String
String
10
String
21
String
16
String
UINT32
10
UINT32
10
String
16
Value
ID.
cfgtxpower
The Config TX
power.
channel
configcountry
date
detectionmethod
The detection
method.
devid
ds
duration
The duration of
the interval for
item counts (such
as infected,
scanned, etc) in
this log entry.
eapolcnt
The EAPOL
packet count.
eapoltype
The EAPOL
packet type.
Log Reference
Fortinet Technologies Inc.
164
Event Log
Wireless
Data Type
Length
encrypt
UINT8
String
32
String
64
String
17
Whether the
Value
group
invalidmac
ip
The IPaddress.
IP Address
39
level
String
11
UINT32
10
level.
live
The time in
seconds.
logdesc
String
tion.
logid
A ten-digit num-
String
10
String
17
String
20
The MAC
address.
manuf
The manufacturer
name.
165
Log Reference
Fortinet Technologies Inc.
Wireless
Event Log
Data Type
Length
meshmode
String
19
mgmtcnt
The number of
UINT32
10
Value
The activity or
String
INT8
onwire
A flag to indicate if
String
String
UINT32
10
String
64
String
64
UINT8
UINT8
the AP is onwire
or not.
opercountry
The operating
country.
opertxpower
The operating TX
power.
profile
The application
profile .
radioband
radioid
radioidclosest
The radio ID on
the AP closest the
rogue AP.
Log Reference
Fortinet Technologies Inc.
166
Event Log
Wireless
Data Type
Length
radioiddetected
UINT8
The radio ID on
Value
the AP which
detected the
rogue AP.
rate
UINT8
reason
String
256
UINT8
security
10
ity.
open
wep64
wep128
wpa-psk
wpa-radius
wpa
wpa2
wpa2-auto
securitymode
The security
String
20
String
16
INT8
String
64
String
36
mode.
seq
signal
sn
snclosest
The SN of the
accesspoint
closest to the
rogue access
point.
167
Log Reference
Fortinet Technologies Inc.
Wireless
Event Log
Data Type
Length
sndetected
String
36
String
36
IP Address
39
String
33
The SN of the
Value
access point
which detected
the rogue access
point.
snmeshparent
The SN of the
mesh parent.
srcip
The source
IPaddress.
ssid
stacount
10
tions/clients.
stamac
The station/client
String
17
String
20
String
17
String
64
String
String
16
MAC address.
subtype
The subtype of
the log message.
The possible values of this field
depend on the log
type.
tamac
threattype
time
type
Log Reference
Fortinet Technologies Inc.
168
Event Log
Wireless
Data Type
Length
user
String
256
String
36
String
32
Value
vd
The virtual
domain name.
weakwepiv
tiation Vector.
169
Log Reference
Fortinet Technologies Inc.
Message ID
Message
Description
Severity
43520
LOG_ID_EVENT_
Notice
Unknown
Physical AP activity
Notice
Notice
Unknown
Notice
WIRELESS_SYS
43521
LOG_ID_EVENT_
WIRELESS_ROGUE
43522
LOG_ID_EVENT_
WIRELESS_WTP
43524
LOG_ID_EVENT_
WIRELESS_STA
43525
LOG_ID_EVENT_
WIRELESS_ONWIRE
43526
LOG_ID_EVENT_
WIRELESS_WTPR
Unknown
43527
43528
LOG_ID_EVENT_
WIRELESS_ROGUE_CFG
figured
Notice
LOG_ID_EVENT_
Unknown
Notice
LOG_ID_EVENT_
Notice
WIRELESS_WIDS_WL_
ted
WIRELESS_WTPR_ERROR
43529
LOG_ID_EVENT_
WIRELESS_CLB
43530
BRIDGE
43531
LOG_ID_EVENT_
WIRELESS_WIDS_BR_
thentication detected
Notice
DEAUTH
170
Log Reference
Fortinet Technologies Inc.
Wireless
Event Log
Message ID
Message
Description
Severity
43532
LOG_ID_EVENT_
Notice
WIRELESS_WIDS_NL_
Response detected
PBRESP
43533
LOG_ID_EVENT_
WIRELESS_WIDS_MAC_
ted
OUI
43534
LOG_ID_EVENT_
WIRELESS_WIDS_LONG_
detected
Notice
DUR
43535
43542
LOG_ID_EVENT_
WIRELESS_WIDS_WEP_IV
ted
LOG_ID_EVENT_
WIRELESS_WIDS_EAPOL_
ing detected
Notice
Notice
FLOOD
43544
LOG_ID_EVENT_
WIRELESS_WIDS_MGMT_
detected
Notice
FLOOD
43546
LOG_ID_EVENT_
WIRELESS_WIDS_
thentication detected
Notice
SPOOF_DEAUTH
43548
43550
Log Reference
Fortinet Technologies Inc.
LOG_ID_EVENT_
WIRELESS_WIDS_ASLEAP
ted
LOG_ID_EVENT_
WIRELESS_STA_LOCATE
tion
Notice
Notice
171
Other Logs
Other Logs
VOIP
VOIP Log Messages
173
176
NetScan
NetScan Log Messages
177
181
172
Log Reference
Fortinet Technologies Inc.
VOIP
VOIP log messages record VOIP activities that include the SIP and SCCP protocols.
Data Type
Length
action
String
15
call_id
String
64
column
UINT32
10
count
UINT32
10
String
10
String
16
String
String
16
Value
date
devid
dir
dst_int
dst_port
UINT16
dstip
The destination IP
IP Address
39
duration
UINT32
10
endpoint
String
128
epoch
UINT32
10
address.
event_id
UINT32
10
eventtype
String
32
173
Log Reference
Fortinet Technologies Inc.
VOIP
Other Logs
Data Type
Length
String
128
String
64
String
10
String
11
String
64
String
10
malform_data
UINT32
10
malform_desc
String
47
String
16
String
64
from
group
kind
level
line
logid
Value
message_type
phone
policy_id
UINT32
10
profile
String
64
profile_group
String
64
profile_type
String
64
proto
UINT8
reason
String
128
String
64
was recorded.
request_name
Log Reference
Fortinet Technologies Inc.
174
Other Logs
VOIP
Data Type
Length
session_id
UINT32
10
src_int
String
16
src_port
UINT16
srcip
IP Address
39
status
String
23
String
20
String
String
512
String
16
Value
time
to
type
user
256
String
32
String
name.
voip_proto
175
Log Reference
Fortinet Technologies Inc.
Message ID
Message
Severity
44032
LOGID_EVENT_VOIP_SIP
Information
44033
LOGID_EVENT_VOIP_SIP_BLOCK
Notice
44034
LOGID_EVENT_VOIP_SIP_FUZZING
Information
44035
LOGID_EVENT_VOIP_SCCP_
Information
REGISTER
44037
LOGID_EVENT_VOIP_SCCP_CALL_
Information
BLOCK
44038
LOGID_EVENT_VOIP_SCCP_CALL_
INFO
Information
NetScan
Netscan logs record network scanning activities preformed by the FortiGate unit.
Data Type
Length
action
String
17
Value
l
l
l
l
l
agent
String
64
assetid
UINT32
10
assetname
Th asset name.
String
64
date
String
10
host-detection
os-scan
port-detection
scan
service-detection
vuln-count
vuln-detection
String
16
direction
UINT32
10
String
32
IP Address
39
packets.
dstintf
dstip
The destination IP
address.
dstname
String
64
dstport
UINT16
UINT32
10
end
177
Log Reference
Fortinet Technologies Inc.
NetScan
Other Logs
engine
Data Type
Length
String
32
eventtype
String
32
group
String
64
level
String
11
logid
A ten-digit number.
String
10
String
Value
l
l
l
l
msg
ARP
ICMP
TCP
UDP
String
String
osfamily
String
64
osgen
String
64
String
64
String
32
osvendor
plugin
policyid
UINT32
10
profile
String
64
Log Reference
Fortinet Technologies Inc.
178
Other Logs
NetScan
Data Type
Length
profilegroup
String
proto
String
Value
l
l
serial
UINT32
10
String
64
String
tcp
udp
severity
l
l
l
l
l
srcintf
String
32
srcip
IP Address
39
srcname
String
64
srcport
UINT16
UINT32
10
String
start
status
l
l
event occurred.
subtype
String
20
String
String
16
critical
high
info
low
medium
complete
pause
resume
start
stop
type
179
Log Reference
Fortinet Technologies Inc.
NetScan
Other Logs
Data Type
Length
user
String
256
String
32
String
128
String
32
UINT32
10
UINT32
10
Value
vuln
The vulnerability
name.
vulncat
vulncnt
The vulnerabiility
count.
vulnid
vulnref
vulnscore
String
The vulnerability score.
Log Reference
Fortinet Technologies Inc.
String
128
180
Message ID Message
Severity
4096
LOG_ID_NETSCAN_VULN_SCAN
Notice
4097
LOG_ID_NETSCAN_DISCOVERY_SCAN
Notice
4098
LOG_ID_NETSCAN_VULN_DETECT
Notice
4100
LOG_ID_NETSCAN_SERVICE_DETECT
Notice
4101
LOG_ID_NETSCAN_VULN_MESSAGE
Notice
4102
LOG_ID_NETSCAN_DISCOVERY_MESSAGE
Notice
4104
LOG_ID_NETSCAN_HOST_DETECT
Notice
4105
LOG_ID_NETSCAN_PORT_DETECT
Notice
181
Log Reference
Fortinet Technologies Inc.
The following table lists the log fields that were added newly or removed from the Traffic log type in FortiOS version
5.2.2.
Traffic
Log Field Name
crlevel
Added
hostname
Removed
Security (UTM)
The following tables provide a list of log fields that were added newly or removed from the security (UTM) log subtypes
in FortiOS version 5.2.2.
Antivirus
Log Field Name
crlevel
Added
crscore
Added
profiletype
Removed
rcvdbyte
Removed
sentbyte
Removed
182
Log Reference
Fortinet Technologies Inc.
Security (UTM)
Application
Log Field Name
crlevel
Added
crscore
Added
dstname
Added
profile
Added
profiletype
Added
srcname
Added
Anomaly
Log Field Name
action
Added
agent
Added
attack
Added
attackcontext
Added
attackcontextid
Added
attackid
Added
count
Added
craction
Added
crlevel
Added
crscore
Added
date
Added
devid
Added
Log Reference
Fortinet Technologies Inc.
183
direction
Added
dstintf
Added
dstip
Added
dstport
Added
eventtype
Added
group
Added
icmpcode
Added
icmpid
Added
icmptype
Added
incidentserialno
Added
level
Added
logid
Added
msg
Added
profile
Added
profiletype
Added
proto
Added
ref
Added
service
Added
sessionid
Added
severity
Added
srcintf
Added
184
Security (UTM)
Log Reference
Fortinet Technologies Inc.
Security (UTM)
srcip
Added
srcport
Added
subtype
Added
time
Added
type
Added
user
Added
vd
Added
DLP
Log Field Name
mmsdir
Added
profiletype
Removed
Email
Log Field Name
profiletype
Removed
IPS
Log Field Name
craction
Added
crlevel
Added
crscore
Added
dstinf
Added
Log Reference
Fortinet Technologies Inc.
185
rcvdbyte
Removed
sentbyte
Removed
srcintf
Added
Event
WebFilter
Log Field Name
crlevel
Added
crscore
Added
profiletype
Removed
Event
The following tables provide a list of log fields that were added newly or removed between from the event log subtypes
in FortiOS version 5.2.2.
Endpoint
Log Field Name
dst
Removed
dstip
Added
src
Removed
srcip
Added
GTP
Log Field Name
dstport
Added
186
Log Reference
Fortinet Technologies Inc.
Event
logdesc
Added
msg
Added
profile
Added
High Availability
Log Field Name
date
Added
devid
Added
ip
Added
level
Added
logdesc
Added
logidd
Added
msg
Added
subtype
Added
time
Added
type
Added
vd
Added
Router
Log Field Name
action
Added
dhcp_msg
Added
dns_ip
Added
Log Reference
Fortinet Technologies Inc.
187
dns_name
Added
dst_int
Added
lease
Added
logdesc
Added
mac
Added
service
Added
src_int
Added
Event
System
Log Field Name
community
Added
dir
Added
disklograte
Added
dst
Removed
dstport
Added
expected
Removed
fazlograte
Added
group
Added
id
Removed
ip
Added
logdesc
Added
mac
Added
188
Log Reference
Fortinet Technologies Inc.
Event
max_minor
Added
max-minor
Removed
mode
Added
policy
Removed
probeid
Removed
recv-minor
Removed
recv_minor
Added
profile
Added
sn
Added
src
Removed
src-vis
Removed
srcport
Added
state
Added
vcm
Removed
version
Added
User
Log Field Name
category
Added
logdesc
Added
poolname
Added
portbegin
Added
Log Reference
Fortinet Technologies Inc.
189
portend
Added
profile
Removed
ui
Added
Event
VPN
Log Field Name
action
Added
error_num
Added
error_reason
Removed
name
Added
role
Added
status
Added
ui
Added
user
Added
version
Removed
WAD
Log Field Name
dst
Removed
dstip
Added
logdesc
Added
reason
Added
src
Removed
190
Log Reference
Fortinet Technologies Inc.
Other logs
srcip
Added
Wireless
Log Field Name
group
Added
logdesc
Added
mac
Added
seq
Added
sn
Added
srcip
Added
status
Removed
user
Added
Other logs
The following tables provide a list of log fields that were added newly or removed between the from the other log types
in FortiOS version 5.2.2.
NetScan
Log Field Name
custom
Removed
VOIP
Log Field Name
dst
Removed
Log Reference
Fortinet Technologies Inc.
191
dstip
Added
src
Removed
srcip
Added
192
Other logs
Log Reference
Fortinet Technologies Inc.
Copyright 2014 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and
other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective
owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network
variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet
disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinets General Counsel, with a purchaser that
expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance
metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinets internal lab tests. Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet
reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.