Fortinet black logo

Administration Guide

User and endpoint ID log fields

User and endpoint ID log fields

Log information about user and endpoint IDs is available in Log View and can be viewed by configuring these fields as displayed columns. See Customizing displayed columns.

UEBA User ID and UEBA Endpoint ID fields with values below 1024 are special cases which are tracked by FortiAnalyzer's UEBA. See the table below for information on what each value represents.

Value

Name

Description

1

EPEU_NOT_IMPL_DEVTYPE EP and EU not implemented for this devtype.

2

EPEU_NOT_IMPL_LOGTYPE EP and EU not implemented for this logtype.

3

EPEU_NO_ENOUGH_INFO Not enough information to identify an EP or EU.

4

EPEU_CANNOT_GET_UID Cannot get a UID range (max limit reached).

5

EPEU_INTERNAL_ERROR Internal error (e.g. cannot allocate memory).

6

EPEU_HA_BACKUP_ASK_FAIL Ask primary failed and could not recover.

7

EPEU_HA_REBUILD_THROTTLE Prevent too many EP and EU requests during database rebuilding.

8

EPEU_CLIENT_ASK_FAIL Ask server failed and could not recover.

10

EPEU_NOT_SUPPORT_LOGVER

Log version is not supported.

100

EPEU_ID_LOCAL_HOST

Local host event, such as a local host event in FortiGate.

101

EPEU_ID_UNTRACK_IP

IP is public and related interface role is not LAN.

102

EPEU_ID_UNTRACK_LOGID

Log ID is not identified.

103

EPEU_ID_UNTRACK_TOOMANYIP

Too many IPs on one MAC.

104

EPEU_ID_UNTRACK_VPN_IP

Do not track VPN IP.

Note

When a device has FortiClient installed and FortiAnalyzer is able to retrieve endpoint information, all interfaces of this device will belong to a single endpoint with the FCT-UID as the key. For devices without FortiClient that have multiple NICs, each interface appears as a separate endpoint.

Note

The User ID and UEBA User ID fields are interchangeable and contain the same information.

The Endpoint ID and UEBA Endpoint ID fields are interchangeable and contain the same information.

User and endpoint ID log fields

Log information about user and endpoint IDs is available in Log View and can be viewed by configuring these fields as displayed columns. See Customizing displayed columns.

UEBA User ID and UEBA Endpoint ID fields with values below 1024 are special cases which are tracked by FortiAnalyzer's UEBA. See the table below for information on what each value represents.

Value

Name

Description

1

EPEU_NOT_IMPL_DEVTYPE EP and EU not implemented for this devtype.

2

EPEU_NOT_IMPL_LOGTYPE EP and EU not implemented for this logtype.

3

EPEU_NO_ENOUGH_INFO Not enough information to identify an EP or EU.

4

EPEU_CANNOT_GET_UID Cannot get a UID range (max limit reached).

5

EPEU_INTERNAL_ERROR Internal error (e.g. cannot allocate memory).

6

EPEU_HA_BACKUP_ASK_FAIL Ask primary failed and could not recover.

7

EPEU_HA_REBUILD_THROTTLE Prevent too many EP and EU requests during database rebuilding.

8

EPEU_CLIENT_ASK_FAIL Ask server failed and could not recover.

10

EPEU_NOT_SUPPORT_LOGVER

Log version is not supported.

100

EPEU_ID_LOCAL_HOST

Local host event, such as a local host event in FortiGate.

101

EPEU_ID_UNTRACK_IP

IP is public and related interface role is not LAN.

102

EPEU_ID_UNTRACK_LOGID

Log ID is not identified.

103

EPEU_ID_UNTRACK_TOOMANYIP

Too many IPs on one MAC.

104

EPEU_ID_UNTRACK_VPN_IP

Do not track VPN IP.

Note

When a device has FortiClient installed and FortiAnalyzer is able to retrieve endpoint information, all interfaces of this device will belong to a single endpoint with the FCT-UID as the key. For devices without FortiClient that have multiple NICs, each interface appears as a separate endpoint.

Note

The User ID and UEBA User ID fields are interchangeable and contain the same information.

The Endpoint ID and UEBA Endpoint ID fields are interchangeable and contain the same information.