Windows Event logs
FortiAnalyzer supports normalizing Windows Event logs as Fabric logs.
The following field mapping applies:
| Windows Event Log Field | Normalized Fabric Log Field |
|---|---|
| loguid,id | loguid |
| epid | epid |
| euid | euid |
| devid | data_sourceid |
| data_sourcename | data_sourcename |
| data_sourcetype | data_sourcetype |
| data_timestamp | data_timestamp |
| app_cat,channel | app_cat |
| app_name,provider_name | app_name |
| execution_pid | app_proc |
| app_ref | app_ref |
| version | app_ver |
| sys_keywords | event_action |
| event_id | event_id |
| event_log,event_json | event_message |
| event_data_return_code | event_outcome |
| event_profile | event_profile |
| event_record_id | event_ref |
| event_severity,level | event_severity |
| event_subtype,provider_name | event_subtype |
| event_type,channel | event_type |
| host_classification | host_classification |
| host_hwvendor | host_hwvendor |
| host_hwver | host_hwver |
| host_ip | host_ip |
| host_mac | host_mac |
| host_name | host_name |
| os_family | host_osfamily |
| host_osname | host_osname |
| host_osver | host_osver |
| host_type | host_type |
| host_uid | host_uid |
| user_domain,event_data_subj_domain_name | user_domain |
| user_group | user_group |
| user_id,event_data_subj_user_sid | user_id |
| user_name,event_data_subj_user_name | user_name |
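Several rows above list more than one Windows field for a single Fabric field (for example `loguid,id` or `event_severity,level`). The page does not say which source wins when both are present in the same record, and that choice matters to anyone writing detection content against the normalized fields. The Python below is an added illustration, not FortiAnalyzer's own normalizer: it transcribes the table into a mapping, assumes left-to-right precedence for multi-source rows (an assumption, not something the page states), and reports any row where the candidate source values disagree, plus any raw fields the mapping drops. The sample event is constructed.

```python
# Added example (not FortiAnalyzer's own code): apply the Windows Event -> Fabric
# field mapping from the table above to one raw event record.

# FIELD_MAP is transcribed from the page's table: normalized Fabric field -> the
# Windows Event Log field(s) that feed it. Where the table lists several sources
# (e.g. "loguid,id"), the page does not say which wins when both are present;
# this example ASSUMES left-to-right precedence and reports a conflict whenever
# the candidate values disagree, so a parser author can see when that bites.
FIELD_MAP = {
    "loguid": ("loguid", "id"),
    "epid": ("epid",),
    "euid": ("euid",),
    "data_sourceid": ("devid",),
    "data_sourcename": ("data_sourcename",),
    "data_sourcetype": ("data_sourcetype",),
    "data_timestamp": ("data_timestamp",),
    "app_cat": ("app_cat", "channel"),
    "app_name": ("app_name", "provider_name"),
    "app_proc": ("execution_pid",),
    "app_ref": ("app_ref",),
    "app_ver": ("version",),
    "event_action": ("sys_keywords",),
    "event_id": ("event_id",),
    "event_message": ("event_log", "event_json"),
    "event_outcome": ("event_data_return_code",),
    "event_profile": ("event_profile",),
    "event_ref": ("event_record_id",),
    "event_severity": ("event_severity", "level"),
    "event_subtype": ("event_subtype", "provider_name"),
    "event_type": ("event_type", "channel"),
    "host_classification": ("host_classification",),
    "host_hwvendor": ("host_hwvendor",),
    "host_hwver": ("host_hwver",),
    "host_ip": ("host_ip",),
    "host_mac": ("host_mac",),
    "host_name": ("host_name",),
    "host_osfamily": ("os_family",),
    "host_osname": ("host_osname",),
    "host_osver": ("host_osver",),
    "host_type": ("host_type",),
    "host_uid": ("host_uid",),
    "user_domain": ("user_domain", "event_data_subj_domain_name"),
    "user_group": ("user_group",),
    "user_id": ("user_id", "event_data_subj_user_sid"),
    "user_name": ("user_name", "event_data_subj_user_name"),
}


def _present(raw, field):
    """A source field counts only if it exists and is non-empty."""
    return field in raw and raw[field] not in (None, "")


def normalize_windows_event(raw):
    """Return {"fabric": normalized record, "conflicts": [...], "unmapped": [...]}."""
    fabric, conflicts, consumed = {}, [], set()
    for fabric_field, sources in FIELD_MAP.items():
        found = [s for s in sources if _present(raw, s)]
        if not found:
            continue                      # Fabric field simply absent from output
        fabric[fabric_field] = raw[found[0]]   # assumed left-to-right precedence
        consumed.update(found)
        if len({str(raw[s]) for s in found}) > 1:
            conflicts.append((fabric_field, found))
    # Raw fields no row of the table consumes are silently lost; surface them.
    unmapped = sorted(k for k in raw if k not in consumed)
    return {"fabric": fabric, "conflicts": conflicts, "unmapped": unmapped}


# Constructed sample record (not captured from a real host); key names follow the
# left-hand column of the table, values are made up.
SAMPLE_EVENT = {
    "id": "evt-0001",
    "channel": "Security",
    "provider_name": "Microsoft-Windows-Security-Auditing",
    "execution_pid": 712,
    "event_id": 4624,
    "event_json": '{"LogonType": "10"}',
    "event_data_return_code": "0x0",
    "event_record_id": 990123,
    "level": 0,
    "event_severity": "information",
    "event_data_subj_domain_name": "CORP",
    "event_data_subj_user_sid": "S-1-5-21-1111-2222-3333-1105",
    "event_data_subj_user_name": "svc-backup",
    "host_name": "ws-0042",
    "task": "Logon",
}

if __name__ == "__main__":
    result = normalize_windows_event(SAMPLE_EVENT)
    for k, v in result["fabric"].items():
        print(f"{k:20} = {v}")
    print("conflicts:", result["conflicts"])
    print("unmapped: ", result["unmapped"])
```

Note that `channel` and `provider_name` each feed two Fabric fields (`app_cat`/`event_type` and `app_name`/`event_subtype`), so a rule keyed on either normalized field will match the same underlying Windows value; the conflict list is where to look when `event_severity` and `level` carry different representations of the same thing.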