Fortinet FortiGate Security Gateway Sample Event Messages
Use these sample event messages as a way of verifying a successful integration with JSA.
Fortinet FortiGate Security Gateway sample message when you use the Syslog or the Syslog Redirect protocol
Due to formatting, paste the message format into a text editor and then remove any carriage return or line feed characters.
Sample 1: The following sample shows an attempt to use a remote-access vulnerability that affects Microsoft Exchange Server. A remote attacker uses the vulnerability by sending an email with a meeting request that contains specially crafted vCal and iCal calendar data. As a result, the attacker might be able to take control of a vulnerable system.
<185>date=2011-05-09 time=14:31:07 devname=exampleDeviceName device_id=EXAMPLEDEVID2 log_id=0987654321 type=ips subtype=signature pri=alert severity=high carrier_ep="N/A" profilegroup="N/A" profiletype="N/A" profile="Example_Profile" src=10.10.10.10 dst=10.20.20.20 src_int=exampleVlan2 dst_int=exampleVlan1 policyid=4 identidx=0 serial=123456 status=detected proto=6 service=smtp vd="exampleDomain" count=1 src_port=50000 dst_port=8080 attack_id=11897 sensor=exampleSensor ref=url.example.test user="N/A" group=Example_Group incident_serialno=1234567890 msg="email: MS.Exchange.Mail.Calender.Buffer.Overflow"
JSA field name | Highlighted payload field name
---|---
Event ID | attack_id
Source IP | src
Source Port | src_port
Destination IP | dst
Destination Port | dst_port
Protocol | proto
Policy | policyid
Device Time | date + time
Sample 2: The following sample shows that routing information has changed.
date=2020-09-17 time=01:36:20 logid="0100022921" type="event" subtype="system" level="critical" vd="root" eventtime=1600331781108372788 tz="-0700" logdesc="Routing information changed" name="Google_Ping" interface="TEST-INF1" status="down" msg="Static route on interface TEST-INF1 may be removed by health-check Google_Ping. Route: (10.10.10.27->10.10.8.8 ping-down)"
JSA field name | Highlighted payload field name
---|---
Event ID | logdesc + level
Device Time | date + time
Sample 3: The following sample shows a forwarded traffic session that a firewall policy allowed.
date=2020-09-10 time=05:01:35 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1599739296076496743 tz="-0700" srcip=192.168.14.111 srcport=54923 srcintf="internal" srcintfrole="lan" dstip=192.168.14.112 dstport=80 dstintf="wan1" dstintfrole="wan" srccountry="Reserved" dstcountry="Test Country" sessionid=53159 proto=6 action="close" policyid=1 policytype="policy" poluuid="a9b81e06-c6a0-51e8-e434-a05c75d5ad74" policyname="Internet_Access" service="HTTP" trandisp="snat" transip=172.16.72.26 transport=54923 appid=17735 app="Facebook_Apps" appcat="Social.Media" apprisk="medium" applist="default" duration=187 sentbyte=2333 rcvdbyte=2585 sentpkt=42 rcvdpkt=42 vwlid=6 vwlservice="Facebook-Instagram" vwlquality="Seq_num(1 wan1), alive, sla(0x1), cfg_order(0), cost(10), selected" utmaction="allow" countapp=1 sentdelta=1092 rcvddelta=780 utmref=65515-3302
JSA field name | Highlighted payload field name
---|---
Event ID | utmaction
Source IP | srcip
Source Port | srcport
Destination IP | dstip
Destination Port | dstport
Pre NAT Source IP | srcip
Pre NAT Source Port | srcport
Post NAT Source IP | transip
Post NAT Source Port | transport
Protocol | proto
Policy | policyid
Duration Seconds | duration
Device Time | date + time
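To show how the key=value payloads above tokenize (quoted values that contain spaces, "=" and "->", plus the optional <PRI> prefix) and how the three mapping tables apply to each log type, here is an added Python example; it is not part of the JSA or Fortinet documentation. It uses abbreviated copies of the three samples and assumes a "/" join for "logdesc + level", which the page does not specify.

```python
import re
from datetime import datetime

# A value is either double-quoted (may contain spaces, '=' or '->') or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]*)')

def parse_fortigate(line):
    """Tokenize one FortiGate key=value payload; strips a leading <PRI> if present."""
    body = re.sub(r'^<\d{1,3}>', '', line.strip())
    out = {}
    for key, raw in _KV.findall(body):
        out[key] = raw[1:-1] if raw.startswith('"') else raw
    return out

# JSA field -> candidate FortiGate keys (older 'src' style and newer 'srcip' style).
_ALIASES = {
    'Source IP': ('src', 'srcip'), 'Source Port': ('src_port', 'srcport'),
    'Destination IP': ('dst', 'dstip'), 'Destination Port': ('dst_port', 'dstport'),
    'Pre NAT Source IP': ('srcip',), 'Pre NAT Source Port': ('srcport',),
    'Post NAT Source IP': ('transip',), 'Post NAT Source Port': ('transport',),
    'Protocol': ('proto',), 'Policy': ('policyid',), 'Duration Seconds': ('duration',),
}

def to_jsa(fields):
    """Map a parsed payload onto the JSA field names used in the tables above."""
    kind = fields.get('type')
    event_id = {'ips': fields.get('attack_id'), 'traffic': fields.get('utmaction')}.get(kind)
    if kind == 'event':  # table says 'logdesc + level'; the '/' join is an assumption
        event_id = f"{fields.get('logdesc')}/{fields.get('level')}"
    rec = {'Event ID': event_id}
    for jsa, keys in _ALIASES.items():
        val = next((fields[k] for k in keys if k in fields), None)
        if val is not None:
            rec[jsa] = val
    if 'date' in fields and 'time' in fields:  # 'date + time' -> Device Time
        rec['Device Time'] = datetime.strptime(fields['date'] + ' ' + fields['time'], '%Y-%m-%d %H:%M:%S')
    return rec

# Abbreviated copies of the page's three samples (constructed from them); sample 2
# keeps the '->' inside a quoted msg value, which a naive split on '=' would break.
IPS = '<185>date=2011-05-09 time=14:31:07 type=ips src=10.10.10.10 dst=10.20.20.20 src_port=50000 dst_port=8080 proto=6 policyid=4 attack_id=11897 msg="email: MS.Exchange.Mail.Calender.Buffer.Overflow"'
EVENT = 'date=2020-09-17 time=01:36:20 type="event" subtype="system" level="critical" logdesc="Routing information changed" msg="Static route on interface TEST-INF1 may be removed. Route: (10.10.10.27->10.10.8.8 ping-down)"'
TRAFFIC = 'date=2020-09-10 time=05:01:35 type="traffic" srcip=192.168.14.111 srcport=54923 dstip=192.168.14.112 dstport=80 proto=6 policyid=1 transip=172.16.72.26 transport=54923 duration=187 utmaction="allow"'

if __name__ == '__main__':
    for raw in (IPS, EVENT, TRAFFIC):
        print(to_jsa(parse_fortigate(raw)))
```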