FortiGate Log Reference

Log Samples

Learn what raw FortiGate events look like before they're processed in Logpoint:

Key-Value Pair Format (Space-separated)

<13>date=2015-06-03 time=10:14:15 devname=FGxxxDxxxxxxxxxxx-LogPoint devid=XXxxxXxxxxxxxxxx logid=000000110013 type=traffic subtype=forward level=notice vd=root srcip=1.1.1.1 srcname="abc" srcport=573045 srcintf="port4" dstip=1.1.1.2 dstport=80 dstintf="port13" poluuid=4f744435637c-029e-5132e4-773451-48634f548cc847 sessionid=10192343328701 action=close policyid=27 dstcountry="XXXXXX" srccountry="Reserved" trandisp=noop service="HTTP" proto=6 duration=120 sentbyte=0 rcvdbyte=216 sentpkt=0 rcvdpkt=4 devtype="Windows PC" osname="Windows 7 / Windows" mastersrcmac=XX:XX:XX:XX:XX:XX srcmac=XX:XX:XX:XX:8X:XX

Key-Value Pair Format (Comma-separated)

<189>date=2015-06-29,time=06:20:02,devname=NL_xxx__xxxxxxx_xx,devid=XXXXX,logid=0XXXXXX,type=traffic,subtype=forward,level=notice,vd=root,srcip=1.1.1.1,srcname="Apple-xx",srcport=123,srcintf="internal7",dstip=1.1.1.2,dstport=123,dstintf="wan1",poluuid=963bjsadfjjk3764-fksafhdjba6-51jasfdje4-f6sadkfjsdk11-1d8fc22600lkasdf1f,sessionid=106370,proto=17,action=deny,policyid=12,dstcountry="XXXXXXX",srccountry="Reserved",trandisp=noop,service="NTP",duration=0,sentbyte=0,rcvdbyte=0,sentpkt=0,crscore=30,craction=133421072,crlevel=high,devtype="Streaming",osname="iOS",osversion="5.x",mastersrcmac=XX:XX:XX:XX:XX:XX,srcmac=XX:XX:XX:XX:XX:X1

Field Mapping

FortiGate fields are mapped to Logpoint standardized fields for consistent analysis. For the complete field mapping reference, refer to the Vendor Field Map section in the original FortiGate documentation, which includes mappings for over 300 FortiGate-specific fields to Logpoint normalized fields.

Common Field Mappings (Examples):

  • srcip → source_address

  • dstip → destination_address

  • srcport → source_port

  • dstport → destination_port

  • action → action

  • policyid → policy_id

  • virus → malware

  • attack → threat

  • user → user

  • sessionid → session_id

Log Source Labels

FortiGate events are categorized with specific labels based on message IDs. The integration includes over 500 label mappings for comprehensive event classification. Labels help identify event types, severity, and context for faster analysis and correlation.

Label Categories:

  • Attack and Anomaly Detection

  • Application Control

  • Antivirus and Malware

  • Web Filtering

  • VPN and IPSec

  • System Events

  • Authentication and User Management

  • Email Security

  • DNS Events

  • DLP Events

  • Wireless Events

  • High Availability

  • Traffic Events

For the complete list of message IDs and their corresponding labels, refer to the FortiGate Labels section in the original documentation.

Example Label Mappings:

Message ID   Description                      Labels
018432       TCP/UDP Anomaly                  Attack, Detect, Anomaly, TCP, UDP
016384       Signature-based TCP/UDP Attack   Attack, Detect
000002       Traffic Allowed                  Traffic, Allow
000003       Traffic Denied                   Traffic, Violate, Message
008192       File Infection Warning           File, Infect, Block
009248       Botnet Warning                   Botnet, CnC, Warn
024576       DLP Warning                      Data, Leak, Detect, Warn
032001       Admin Login Success              User, Logon, Successful, Admin
032002       Admin Login Fail                 User, Login, Fail, Admin
039426       SSL VPN Login Failed             SSL, VPN, Login, Fail
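As an added example (not part of the Logpoint or FortiGate documentation), the Python below ties the three sections together: one quote-aware tokenizer parses both key-value layouts shown under Log Samples, the parsed keys are renamed with the example field map, and labels are attached from the example label table. It assumes, which the page does not state, that the message ID is the last six digits of logid, and it uses shortened copies of the page's two sample events with substituted logid values as constructed test input.

```python
import re

# One tokenizer serves both layouts on this page: a value is either double-quoted
# (may contain spaces, e.g. osname="Windows 7 / Windows") or a bare token ending at a space or comma.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]*))')
PRI_RE = re.compile(r"^<(\d{1,3})>")  # syslog priority prefix such as <189>

# Subset of the vendor field map listed on this page (FortiGate -> Logpoint).
FIELD_MAP = {"srcip": "source_address", "dstip": "destination_address",
             "srcport": "source_port", "dstport": "destination_port",
             "action": "action", "policyid": "policy_id", "virus": "malware",
             "attack": "threat", "user": "user", "sessionid": "session_id"}

# Message ID -> labels, copied from the example table on this page.
LABELS = {"018432": ["Attack", "Detect", "Anomaly", "TCP", "UDP"],
          "016384": ["Attack", "Detect"], "000002": ["Traffic", "Allow"],
          "000003": ["Traffic", "Violate", "Message"], "008192": ["File", "Infect", "Block"],
          "009248": ["Botnet", "CnC", "Warn"], "024576": ["Data", "Leak", "Detect", "Warn"],
          "032001": ["User", "Logon", "Successful", "Admin"],
          "032002": ["User", "Login", "Fail", "Admin"], "039426": ["SSL", "VPN", "Login", "Fail"]}

# Shortened versions of the page's two sample events; logid values substituted
# so that they hit the label table (constructed test data, not real traffic).
SAMPLE_SPACE = ('<13>date=2015-06-03 time=10:14:15 logid=0000000002 type=traffic srcip=1.1.1.1 '
                'srcport=573045 dstip=1.1.1.2 dstport=80 action=close policyid=27 osname="Windows 7 / Windows"')
SAMPLE_COMMA = ('<189>date=2015-06-29,time=06:20:02,logid=0000000003,type=traffic,srcip=1.1.1.1,'
                'srcname="Apple-xx",srcport=123,dstport=123,action=deny,policyid=12,crlevel=high')

def parse_fortigate(line: str) -> dict:
    """Tokenize one raw event; the syslog PRI, when present, is kept as 'pri'."""
    fields, m = {}, PRI_RE.match(line)
    if m:
        fields["pri"], line = m.group(1), line[m.end():]
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted or bare
    return fields

def normalize(fields: dict) -> dict:
    """Rename vendor keys per FIELD_MAP; unmapped keys keep their FortiGate name."""
    return {FIELD_MAP.get(k, k): v for k, v in fields.items()}

def labels_for(fields: dict) -> list:
    """Assumption (not stated on the page): the message ID is the last six digits of logid."""
    return LABELS.get(fields.get("logid", "")[-6:], [])

def bad_ports(norm: dict) -> list:
    """Flag port fields outside 0-65535, e.g. srcport=573045 in the page's first sample."""
    return [k for k in ("source_port", "destination_port")
            if k in norm and not (norm[k].isdigit() and int(norm[k]) <= 65535)]
```

The port check is the kind of sanity test worth running on a new log source: a value that cannot be a TCP/UDP port points at a malformed or obfuscated event rather than a real session.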
