Log messages
Log messages are recorded by the FortiGate unit, giving you detailed information about the network activity. Each log message has a unique number that helps identify it, as well as containing fields; these fields, often called log fields, organize the information so that it can be easily extracted for reports.
These log fields are organized in such a way that they form two groups: the first group, made up of the log fields that come first, is called the log header. The log header contains general information, such as the unique log identification and date and time that indicates when the activity was recorded. The log body is the second group, and contains all the other information about the activity. There are no two log message bodies that are alike, however, there may be fields common to most log bodies, such as the srcintf or identidix log fields.
The log header also contains information about the log priority level which is indicated in the level field. The priority level indicates the immediacy and the possible repercussions of the logged action. For example, if the field contains ‘alert’, you need to take immediate action with regards to what occurred. There are six log priority levels.
The log severity level is the level at and above which the FortiGate unit records logs. The log severity level is defined by you when configuring the logging location. The FortiGate unit will log all messages at and above the priority level you select. For example, if you select Error, the unit will log only Error, Critical, Alert, and Emergency level messages.
Log priority levels
Levels | Description |
0 – Emergency | The system has become unstable. |
1 – Alert | Immediate action is required. |
2 – Critical | Functionality is affected. |
3 – Error | An error condition exists and functionality could be affected. |
Levels | Description |
4 – Warning | Functionality could be affected. |
5 – Notification | Information about normal events. |
6 – Information | General information about system operations. |
The Debug priority level, not shown above, is rarely used. It is the lowest log priority level and usually contains some firmware status information that is useful when the FortiGate unit is not functioning properly.
Example log header fields
Log header | |
date=(2010-08-03) | The year, month and day of when the event occurred in yyyy-mm-dd format. |
time=(12:55:06) | The hour, minute and second of when the event occurred in the format hh:mm:ss. |
log_id=(2457752353) | A five or ten-digit unique identification number. The number represents that log message and is unique to that log message. This ten-digit number helps to identify the log message. |
type=(dlp) | The section of system where the event occurred. |
subtype=(dlp) | The subtype category of the log message. |
level=(notice) | The priority level of the event. See the table above. |
vd=(root) | The name of the virtual domain where the action/event occurred in. If no virtual domains exist, this field always contains root. |
Example log body fields
Log body | |
policyid=(1) | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. |
identidx=(0) | The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy. |
sessionid=(311) | The serial number of the firewall session of which the event happened. |
srcip=(10.10.10.1) | The source IP address. |
Log body | |
srcport=(1190) | The source port number. |
srcintf=(internal) | The source interface name. |
dstip=(192.168.1.122) | The destination IP address. |
dstport=(80) | The destination port number. |
dstintf=(wan1) | The destination interface name. |
service=(https) | The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy. |
status=(detected) | The action the FortiGate unit took. |
hostname=(example.com) | The home page of the web site. |
url=(/image/trees_pine_ forest/) | The URL address of the web page that the user was viewing. |
msg=(data leak detected (Data Leak Prevention Rule matched) | Explains the FortiGate activity that was recorded. In this example, the data leak that was detected matched the rule, All-HTTP, in the DLP sensor. |
rulename=(All-HTTP) | The name of the DLP rule within the DLP sensor. |
action=(log-only) | The action that was specified within the rule. In some rules within sensors, you can specify content archiving. If no action type is specified, this field display log-only. |
severity=(1) | The level of severity for that specific rule. |
Logs from other devices, such as the FortiAnalyzer unit and Syslog server, contain a slightly different log header. For example, when viewing FortiGate log messages on the FortiAnalyzer unit, the log header contains the following log fields when viewed in the Raw format:
itime=1302788921 date=20110401 time=09:04:23 devname=FG50BH3G09601792 device_ id=FG50BH3G09601792 log_id=0100022901 type=event subtype=system level=notice vd=root The log body contains the rest of the information of the log message, and this information is unique to the log message itself.
For detailed information on all log messages, see the FortiGate Log Message Reference.