User Guide

Attack logs Export

Attack logs provide detailed insights for individual applications, helping track and analyze security events.

Export attack logs to a log server

You can configure up to five log servers for attack log export at the same time.

  1. Navigate to Threat Analytics > Settings.
  2. Click Add Log Server.
  3. Move the applicable WAF applications from the Available list to the Selected list. The four arrow buttons between the lists do the following:
    • Move all applications from the Available list to the Selected list.

    • Move the highlighted applications from the Available list to the Selected list.

    • Move all applications from the Selected list back to the Available list.

    • Move the highlighted applications from the Selected list back to the Available list.

  4. Configure the following settings.

    Name

    Enter a name for the log server.

    Server Type

    Select the destination type: a Syslog server, an ElasticSearch service, FortiAnalyzer, or FortiSIEM.

    The remaining settings depend on the server type. See the instructions below for FortiAnalyzer, FortiSIEM, Syslog, and ElasticSearch.

    • If you selected FortiAnalyzer, configure the following.

      FortiAnalyzer is a powerful log management, analytics, and reporting platform that provides centralized logging and analysis, plus end-to-end visibility.

      • FortiAnalyzer is supported. However, FortiAnalyzer Cloud is not.

      • When configuring the corresponding ADOM on FortiAnalyzer, please set the Type to FortiWeb.

      • FortiAnalyzer supports assigning devices to different ADOMs, provided that each OU’s master account is associated with a distinct contract (i.e., a unique serial number).

        However, if the organization has enabled Contract Sharing Mode, all OU accounts share the same contract and serial number. In this case, FortiAnalyzer treats them as a single device, which prevents assigning them to different ADOMs.

      • When configuring FortiAnalyzer as the log server, the supported FortiAnalyzer versions depend on the FortiAppSec Cloud serial number prefix and contract type:

        Serial Number Prefix   Contract Type                      Supported FortiAnalyzer Versions
        UCAPFW                 Fortinet Contracts                 7.4.7, 7.6.2
        UCAPFE                 FortiFlex Contracts (Pre-Paid)     7.6.5
        UCAPFM                 FortiFlex Contracts (Post-Paid)    7.6.5
        FUCAPP                 Fortinet Private Cloud Contracts   7.6.5
        APPSEC                 Public Cloud Subscription          7.6.5

      IP/Domain and Port

      Enter the IP address or domain name and the port of the log server.

      Protocol

      Select the protocol used for log transfer.

      Server Certificate Verification

      This option is only available when you select SSL under Protocol.

      When enabled, the system enforces server certificate verification before it sends attack logs to the log server. Keep it enabled: without verification, anyone who can redirect the connection can present their own certificate and read the exported logs.

      Log Format Preview

      This box shows a preview of the log format and is not editable.

      Log Severity

      Select the severity level of the logs. Every exported log is tagged with the selected severity level, regardless of the event's Threat Level, so filter on the threat-level field at the receiver rather than on syslog severity.

      Log Facility

      Select the syslog facility of the logs. Only the local-use facilities (local0 through local7), which are not reserved and are available for general use, are supported.
    • If you selected FortiSIEM, configure the following:

      IP/Domain and Port

      Enter the IP address or domain name and the port of the log server.

      Protocol

      Select the protocol used for log transfer.

      Server Certificate Verification

      This option is only available when you select SSL under Protocol.

      When enabled, the system enforces server certificate verification before it sends attack logs to the log server. Keep it enabled: without verification, anyone who can redirect the connection can present their own certificate and read the exported logs.

      Log Format

      This box shows a preview of the log format and is not editable.

      Log Severity

      Select the severity level of the logs. Every exported log is tagged with the selected severity level, regardless of the event's Threat Level, so filter on the threat-level field at the receiver rather than on syslog severity.

      Log Facility

      Select the syslog facility of the logs. Only the local-use facilities (local0 through local7), which are not reserved and are available for general use, are supported.
    • If you selected Syslog, configure the following:

      IP/Domain and Port

      Enter the IP address or domain name and the port of the log server.

      Protocol

      Select the protocol used for log transfer.

      Server Certificate Verification

      Available only if you select SSL in Protocol.

      When enabled, the system enforces server certificate verification before it sends attack logs to the log server. Keep it enabled: without verification, anyone who can redirect the connection can present their own certificate and read the exported logs.

      Custom Certificate and Key

      Available only if you select SSL in Protocol.

      • Off: FortiAppSec Cloud automatically retrieves the SSL certificate used to encrypt the connections between the log server and FortiAppSec Cloud.
      • On: Manually enter the client certificate and private key that FortiAppSec Cloud presents to the log server.

      Client Certificate

      Fill in the Certificate field. Available only if you enabled Custom Certificate and Key.

      Private Key

      Fill in the Private Key field. Available only if you enabled Custom Certificate and Key.

      Password

      Enter the password of the private key. Available only if you enabled Custom Certificate and Key.

      Log Format

      • Default: Export logs in the default format.
      • Custom: Customize the log format. All supported parameters are listed by default; keep the ones you need and delete the others. See Custom Log Fields below.
      • Splunk: Export logs in a format for a Splunk log server.
      • CEF:0 (ArcSight): Export logs in CEF:0 format.
      • Microsoft Azure OMS: Export logs in Microsoft Azure OMS format.
      • LEEF1.0 (QRadar): Export logs in LEEF1.0 format.

      Log Severity

      Select the severity level of the logs. Every exported log is tagged with the selected severity level, regardless of the event's Threat Level, so filter on the threat-level field at the receiver rather than on syslog severity.

      Log Facility

      Select the syslog facility of the logs. Only the local-use facilities (local0 through local7), which are not reserved and are available for general use, are supported.
    • If you selected ElasticSearch, configure the following.

      ElasticSearch is a search engine providing a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.

      Address and Port

      Enter the address and port to access your ElasticSearch service.

      The default port for ElasticSearch service is 9200.

      User Name

      Enter the user name of the ElasticSearch service.

      Password

      Enter the password of the ElasticSearch service user.

  5. Click OK. The system exports newly generated attack logs to the log server every minute.

To prevent log poisoning (an attacker injecting forged events into your log server), restrict the log server's listener so that it accepts connections only from the FortiAppSec Cloud export source IPs:

  • 3.226.2.163
  • 3.123.68.65

Source-IP filtering only stops forged senders; it does not protect the logs in transit. Use SSL with Server Certificate Verification enabled for that.
Custom Log Fields

Below is a list of all supported log fields when Log Format is set to Custom.

Field Name            Placeholder   Example
Date and Time         dt            2025-02-19T19:34:05-05:00
Date                  date          2025-02-27
Time                  tm            19:34:05
Time Zone             tz            -05:00
UTC Date              utc           2025-02-20T00:34:05
Timestamp             ts            1740011645000
Log Type ID           li            20000007
Message ID            mid           098765432123
Application ID        eid           1234567890
Application Name      an            ftnt-app1
Application Domain    ed            docs.fortinet.com
Template Name         tn            My Template
Source IP             si            198.51.100.23
Source Port           sp            80
Destination IP        ds            203.0.113.10
Destination Port      dp            443
Source Country        sc            Canada
Service               svc           https/tls1.3
Login User            lu            Unknown
Main Type of Threat   mt            Known Attacks
Sub Type of Threat    st            Cross Site Scripting
Threat Level          tl            Severe
Threat Weight         tw            10
Action                act           Block
HTTP Host             hh            fortinet.com
HTTP URL              hu            /ContactUs.aspx
HTTP Version          hv            1.x
HTTP Method           hm            POST
HTTP Agent            ha            gp-vcloud-director
HTTP Referer          hr            none
Signature ID          sid           010000009
Signature CVE ID      sci           N/A
OWASP Top10           ott           A03:2021-Injection
Message               msg           Parameter(emailID) triggered signature ID 010000009 of Signatures
Packet                pkt           "packet string"
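The following is an added example, not Fortinet code, showing the receiver-side counterpart of two points on this page: the source-IP allowlist against log poisoning, and a consumer of the Custom Log Fields placeholders. It assumes a hypothetical custom layout of space-separated key=value pairs (quoted when a value contains spaces); only the placeholder names and the two exporter IPs come from the page, and the sample lines are constructed.

```python
"""Receiver-side checks for exported FortiAppSec Cloud attack logs.

Added example, not Fortinet's code. The key=value line layout is an
assumption used for illustration; only the placeholder names (si, st,
act, ...) and the two exporter IPs come from the documentation page.
"""
import ipaddress
import re
from collections import Counter

# FortiAppSec Cloud export source IPs listed on the page.
TRUSTED_EXPORTERS = frozenset(
    ipaddress.ip_address(ip) for ip in ("3.226.2.163", "3.123.68.65")
)

# Assumed layout: space-separated key=value pairs using the Custom Log
# Fields placeholders; values containing spaces are double-quoted.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def is_trusted_exporter(peer_ip: str) -> bool:
    """True only if the connecting peer is one of the documented exporter IPs."""
    try:
        return ipaddress.ip_address(peer_ip) in TRUSTED_EXPORTERS
    except ValueError:  # not an IP literal at all
        return False


def parse_custom_line(line: str) -> dict:
    """Parse one custom-format line into {placeholder: value}."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def ingest(events):
    """events: iterable of (peer_ip, line). Lines from untrusted peers are
    dropped before parsing; this is the log-poisoning control the page recommends."""
    accepted, dropped = [], 0
    for peer_ip, line in events:
        if not is_trusted_exporter(peer_ip):
            dropped += 1
            continue
        accepted.append(parse_custom_line(line))
    return accepted, dropped


def blocked_by_source(records):
    """Count blocked events per client IP (si). The export tags every line
    with one fixed syslog severity, so triage on act/tl, not on severity."""
    return Counter(r["si"] for r in records if r.get("act") == "Block")


# Constructed sample events: (peer IP seen by the log server, exported line).
SAMPLE_EVENTS = [
    ("3.226.2.163",
     'dt=2025-02-19T19:34:05-05:00 an=ftnt-app1 si=198.51.100.23 sp=51234 '
     'ds=203.0.113.10 dp=443 mt="Known Attacks" st="Cross Site Scripting" '
     'tl=Severe act=Block hm=POST hu=/ContactUs.aspx sid=010000009 '
     'ott="A03:2021-Injection" '
     'msg="Parameter(emailID) triggered signature ID 010000009 of Signatures"'),
    ("3.123.68.65",
     'dt=2025-02-19T19:35:12-05:00 an=ftnt-app1 si=198.51.100.23 sp=51240 '
     'ds=203.0.113.10 dp=443 mt="Known Attacks" st="SQL Injection" '
     'tl=Severe act=Block hm=GET hu=/search.aspx sid=030000001 '
     'ott="A03:2021-Injection" msg="Parameter(q) triggered signature ID 030000001 of Signatures"'),
    ("3.226.2.163",
     'dt=2025-02-19T19:36:40-05:00 an=ftnt-app1 si=198.51.100.77 sp=40022 '
     'ds=203.0.113.10 dp=443 mt="Known Attacks" st="Cross Site Scripting" '
     'tl=Medium act=Alert hm=GET hu=/ContactUs.aspx sid=010000009 '
     'ott="A03:2021-Injection" msg="Parameter(name) triggered signature ID 010000009 of Signatures"'),
    # Forged line from an address that is not a FortiAppSec Cloud exporter.
    ("192.0.2.99",
     'dt=2025-02-19T19:37:00-05:00 an=ftnt-app1 si=198.51.100.23 sp=1 '
     'ds=203.0.113.10 dp=443 mt="Known Attacks" st="Cross Site Scripting" '
     'tl=Severe act=Block hm=POST hu=/ContactUs.aspx sid=010000009 msg="forged"'),
]

if __name__ == "__main__":
    records, dropped = ingest(SAMPLE_EVENTS)
    print(f"accepted={len(records)} dropped={dropped}")
    for ip, n in blocked_by_source(records).most_common():
        print(f"{ip}: {n} blocked")
```

The peer address check belongs at the listener (firewall rule or syslog daemon allowlist) as the page recommends; the function here is the same rule applied in the ingest path, so that a misconfigured firewall does not silently let forged events through to the parser.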
