Anatomy of a log message

This section discusses the composition of a log message.

Log message header vs. log message body

A log message consists of a number of message fields, which can be separated into two parts: the log message header and the log message body.

  • Log message header—The log message header shows a log's date, time, log ID, type, sub-type, priority, and administrative domain (the date, time, log_id, type, subtype, pri, and vd fields in the examples below). These fields exist in all log types and appear in this order at the start of every message.
  • Log message body—The log message body describes the reason that the log was generated and the action that the FortiADC appliance took in response. These fields vary by log type and sub-type.

Example log messages

The log messages below are provided to help you understand the composition of FortiADC log messages. Note that these are raw log messages, as you see them on the FortiADC Console or when you open a log file in a text editor. Some of the fields may look slightly different from the formatted log messages that you see on the GUI.

Note: In the formatted version of these examples the log message body is marked in BOLD to distinguish it from the log message header. In the plain-text examples below, the header is the run of fields from date= through vd=; the fields that follow form the body.

Event log

date=2018-01-23 time=16:18:15 log_id=0000000100 type=event subtype=config pri=information vd=root msg_id=39242021 user=admin ui=GUI(172.30.16.64) action=add cfgpath=global-load-balance data-center cfgobj=name cfgattr=dc1 logdesc=Change the configuration msg=added a new entry 'dc1' for "global-load-balance data-center" on domain "root"

Traffic log

date=2018-01-20 time=15:27:40 log_id=0101008001 type=traffic subtype=slb_http pri=information vd=root msg_id=39233799 duration=0 ibytes=150 obytes=258 proto=6 service=http src=192.168.1.10 src_port=50758 dst=192.168.1.141 dst_port=80 trans_src=2.2.2.1 trans_src_port=23992 trans_dst=2.2.2.10 trans_dst_port=80 policy=test1111111111111111111111111111111 action=none http_method=get http_host=192.168.1.141 http_agent=Wget/1.16.3 (linux-gnu) http_url=/index.html http_qry=none http_referer=none http_cookie=none http_retcode=200 user=none usrgrp=none auth_status=none srccountry=Reserved dstcountry=Reserved real_server=s1

Security log

date=2018-01-11 time=09:13:21 log_id=0201006003 type=attack subtype=synflood pri=alert vd=root msg_id=38284198 count=18287 severity=high proto=6 service=tcp src=0.0.0.0 src_port=0 dst=192.168.1.141 dst_port=0 policy=l7vs action=deny srccountry=Reserved dstcountry=Reserved

Script log

date=2018-02-08 time=19:31:45 log_id=0300010000 type=script subtype=slb pri=information vd=priceminister msg_id=3291 obj_name=Virtual Server obj_value=VIP_narcisse_443 msg="agent iphone matches UA mobile "
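The Python below is added here as a worked example and is not part of the FortiADC documentation or product. It parses a raw message of the form shown above into the seven header fields the section lists and the remaining body fields, taking care with two properties of the format that break a naive split on spaces: double-quoted values (msg="...") and unquoted values that themselves contain spaces (cfgpath=global-load-balance data-center, http_agent=Wget/1.16.3 (linux-gnu)). It then runs two triage rules of my own construction over the page's four example messages and rejects a constructed truncated line whose header is incomplete. The rule names, thresholds and the TRUNCATED_EXAMPLE line are assumptions for illustration, not FortiADC behaviour.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Header fields that the section says exist in every FortiADC log type,
# in the order they appear at the start of each raw message.
HEADER_FIELDS = ("date", "time", "log_id", "type", "subtype", "pri", "vd")

# One key=value pair. The value is either a double-quoted string or extends
# lazily until the next ' key=' token (or end of line), so unquoted values
# containing spaces survive intact. Caveat: an unquoted value that itself
# contains ' word=' (e.g. a raw query string) is ambiguous in this format.
_PAIR_RE = re.compile(r'(\w+)=("[^"]*"|.*?)(?=\s+\w+=|$)')


@dataclass
class LogMessage:
    header: dict
    body: dict
    raw: str


def parse_log_message(line: str) -> LogMessage:
    """Split a raw FortiADC-style line into header and body field dicts."""
    fields = {}
    for key, value in _PAIR_RE.findall(line.strip()):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]          # strip quotes, keep inner spaces as-is
        fields[key] = value
    missing = [h for h in HEADER_FIELDS if h not in fields]
    if missing:
        raise ValueError(f"malformed log message, missing header fields: {missing}")
    header = {k: fields[k] for k in HEADER_FIELDS}
    body = {k: v for k, v in fields.items() if k not in HEADER_FIELDS}
    return LogMessage(header=header, body=body, raw=line)


def is_well_formed(line: str) -> bool:
    """True if the line carries every header field the format requires."""
    try:
        parse_log_message(line)
        return True
    except ValueError:
        return False


def triage(msg: LogMessage) -> list[str]:
    """Constructed detection rules; return the findings a message triggers."""
    h, b = msg.header, msg.body
    findings = []
    # Rule 1 (assumed): attack logs the appliance itself rated alert or worse.
    if h["type"] == "attack" and h["pri"] in {"alert", "critical", "emergency"}:
        findings.append(f"attack:{h['subtype']} dst={b.get('dst')} "
                        f"count={b.get('count')} action={b.get('action')}")
    # Rule 2 (assumed): configuration changes are audit events regardless of pri.
    if h["type"] == "event" and h["subtype"] == "config" \
            and b.get("action") in {"add", "edit", "delete"}:
        findings.append(f"config-change:{b.get('action')} {b.get('cfgpath')} "
                        f"by {b.get('user')} via {b.get('ui')}")
    return findings


def scan(lines: list[str]) -> dict:
    """Parse every line and collect non-empty findings keyed by msg_id."""
    return {m.body.get("msg_id", "?"): hits
            for m in map(parse_log_message, lines) if (hits := triage(m))}


# The four example messages from the page (event, traffic, attack, script).
PAGE_EXAMPLES = [
    'date=2018-01-23 time=16:18:15 log_id=0000000100 type=event subtype=config '
    'pri=information vd=root msg_id=39242021 user=admin ui=GUI(172.30.16.64) '
    'action=add cfgpath=global-load-balance data-center cfgobj=name cfgattr=dc1 '
    'logdesc=Change the configuration msg=added a new entry \'dc1\' for '
    '"global-load-balance data-center" on domain "root"',
    'date=2018-01-20 time=15:27:40 log_id=0101008001 type=traffic subtype=slb_http '
    'pri=information vd=root msg_id=39233799 duration=0 ibytes=150 obytes=258 '
    'proto=6 service=http src=192.168.1.10 src_port=50758 dst=192.168.1.141 '
    'dst_port=80 trans_src=2.2.2.1 trans_src_port=23992 trans_dst=2.2.2.10 '
    'trans_dst_port=80 policy=test1111111111111111111111111111111 action=none '
    'http_method=get http_host=192.168.1.141 http_agent=Wget/1.16.3 (linux-gnu) '
    'http_url=/index.html http_qry=none http_referer=none http_cookie=none '
    'http_retcode=200 user=none usrgrp=none auth_status=none srccountry=Reserved '
    'dstcountry=Reserved real_server=s1',
    'date=2018-01-11 time=09:13:21 log_id=0201006003 type=attack subtype=synflood '
    'pri=alert vd=root msg_id=38284198 count=18287 severity=high proto=6 '
    'service=tcp src=0.0.0.0 src_port=0 dst=192.168.1.141 dst_port=0 policy=l7vs '
    'action=deny srccountry=Reserved dstcountry=Reserved',
    'date=2018-02-08 time=19:31:45 log_id=0300010000 type=script subtype=slb '
    'pri=information vd=priceminister msg_id=3291 obj_name=Virtual Server '
    'obj_value=VIP_narcisse_443 msg="agent iphone matches UA mobile "',
]

# Constructed for this example (not from the page): a line cut off mid-header.
TRUNCATED_EXAMPLE = "date=2018-01-23 time=16:18:15 log_id=0000000100 type=event"

if __name__ == "__main__":
    for msg_id, hits in scan(PAGE_EXAMPLES).items():
        for hit in hits:
            print(msg_id, hit)
    print("truncated line well-formed:", is_well_formed(TRUNCATED_EXAMPLE))
```

Running it reports the synflood attack and the admin's configuration change, ignores the traffic and script messages, and rejects the truncated line. The header check matters operationally: when a forwarder or syslog relay truncates or line-wraps a message, the fields that vanish first are the ones at the end, so a parser that only validates the header can silently accept a message whose body was cut off; check for the body fields your rules depend on (here via .get()) rather than assuming they exist.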