Log message by type

securityevent > antiexploit

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96548 | warning | antiexploit | action | AntiExpoit has detected violation |

| Field | Field Description | Field Type |
|---|---|---|
| action | action taken for violation | enumeration string |
| ae_api | API used of the violation | string |
| ae_reason | reason of the violation | string |
| app | application | string |

securityevent > antiransomware

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 98000 | warning | antiransomware | status | AntiRansomware has found suspicious process |

| Field | Field Description | Field Type |
|---|---|---|
| file | file location | string |
| action | file action (1 = kill 2 = resume) | enumeration string |
| default_used | if process is handled by default action | int |

securityevent > applicationcontrol

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96701 | warning | applicationcontrol | error | Application Control found a rule violation |

| Field | Field Description | Field Type |
|---|---|---|
| path | path of process | string |
| username | username of process | string |
| domain | domain of user | string |
| ruleuuid | uuid of violated rule | string |
| action | block or monitor | string |

securityevent > av

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96530 | warning | av | action | Found virus |

| Field | Field Description | Field Type |
|---|---|---|
| action | action taken for the infected item | enumeration string |
| file | file location | string |
| virus | virus name | string |
| viruscat | virus category | string |
| sigid | signature id | string |
| vid | virus id | int |
| from | email from | string |
| to | email to | string |
| service | network protocol | string |
| vpn | vpn tunnel name | string |
| filesize | file size | int |
| checksum | file crc32 checksum | int |
| detectedby | the security feature that detected virus | enumeration string |
| detectedin | where the virus is detected | enumeration string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96531 | warning | av | action | Found malware |

| Field | Field Description | Field Type |
|---|---|---|
| action | action taken for the infected item | enumeration string |
| file | file location | string |
| virus | virus name | string |
| sigid | signature id | string |
| filesize | file size | int |
| checksum | file crc32 checksum | int |
| detectedby | the security feature that detected virus | enumeration string |
| detectedin | where the virus is detected | enumeration string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96534 | warning | av | status | User disabled Realtime AntiVirus protection |
| 96535 | info | av | error | Communication error with other modules |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96536 | warning | av | action | AntiVirus realtime protection killed malware process |

| Field | Field Description | Field Type |
|---|---|---|
| processname | process name | string |
| detectedby | the security feature that detected virus | enumeration string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96537 | info | av | status | av_task scan thread is suspended |
| 96538 | info | av | status | av_task scan thread is resumed |
| 96540 | info | av | error | Cannot start scan task, license expired |
| 96541 | info | av | status | av_task scan is started |
| 96542 | info | av | status | av_task scan is stopped |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96543 | error | av | error | Scheduled scan failed: Path to file/folder no longer exists |

| Field | Field Description | Field Type |
|---|---|---|
| file | file or directory does not exist | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96550 | error | av | error | Failed to restore quarantined file |

| Field | Field Description | Field Type |
|---|---|---|
| action | action taken for the infected item | enumeration string |
| file | file location | string |
| virus | virus name | string |
| sigid | signature id | string |
| filesize | file size | int |
| checksum | file crc32 checksum | int |
| detectedby | the security feature that detected virus | enumeration string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96551 | info | av | action | A quarantined file was restored |

| Field | Field Description | Field Type |
|---|---|---|
| action | action taken for the infected item | enumeration string |
| file | file location | string |
| virus | virus name | string |
| sigid | signature id | string |
| filesize | file size | int |
| checksum | file crc32 checksum | int |
| detectedby | the security feature that detected virus | enumeration string |

securityevent > cloudscan

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 97100 | debug | cloudscan | status | file score received |

| Field | Field Description | Field Type |
|---|---|---|
| file | file location | string |
| score | file score | int |
| checksum | file SHA256 checksum | string |

securityevent > firewall

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96645 | warning | firewall | error | The application firewall has been disabled because it's driver could not be loaded |

securityevent > fsso

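| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96980 | info | fsso | status | Single Sign-On event |

| Field | Field Description | Field Type |
|---|---|---|
| action | action | enumeration string |
| domain | domain name | string |
| remotegw | remote gateway | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96983 | info | fsso | status | Single Sign-On Mobility Agent is starting |
| 96984 | info | fsso | status | Single Sign-On Mobility Agent is stopping |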

securityevent > ipsecvpn

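| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96560 | info | ipsecvpn | status | VPN tunnel status |

| Field | Field Description | Field Type |
|---|---|---|
| vpnstate | tunnel status | enumeration string |
| vpntunnel | tunnel name | string |
| vpnuser | vpn tunnel user name | string |
| remotegw | remote gateway | string |
| locip | local ip | string |
| locport | local port | int |
| remip | remote ip | string |
| remport | remote port | int |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96561 | warning | ipsecvpn | error | No response from the peer, phase1 retransmit reaches maximum count |

| Field | Field Description | Field Type |
|---|---|---|
| vpntunnel | tunnel name | string |
| locip | local ip | string |
| locport | local port | int |
| remip | remote ip | string |
| remport | remote port | int |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96562 | warning | ipsecvpn | error | No response from the peer, phase2 retransmit reaches maximum count |

| Field | Field Description | Field Type |
|---|---|---|
| vpntunnel | tunnel name | string |
| locip | local ip | string |
| locport | local port | int |
| remip | remote ip | string |
| remport | remote port | int |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96563 | warning | ipsecvpn | status | Received delete payload from peer check xauth password |

| Field | Field Description | Field Type |
|---|---|---|
| vpntunnel | tunnel name | string |
| locip | local ip | string |
| locport | local port | int |
| remip | remote ip | string |
| remport | remote port | int |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96564 | error | ipsecvpn | error | Failed to acquire an IP address for the virtual adapter |

| Field | Field Description | Field Type |
|---|---|---|
| vpntunnel | tunnel name | string |
| locip | local ip | string |
| locport | local port | int |
| remip | remote ip | string |
| remport | remote port | int |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96565 | error | ipsecvpn | error | General error of IKE |

| Field | Field Description | Field Type |
|---|---|---|
| vpntunnel | tunnel name | string |
| locip | local ip | string |
| locport | local port | int |
| remip | remote ip | string |
| remport | remote port | int |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96566 | info | ipsecvpn | status | negotiation information |

| Field | Field Description | Field Type |
|---|---|---|
| vpntunnel | tunnel name | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96567 | error | ipsecvpn | error | negotiation error |

| Field | Field Description | Field Type |
|---|---|---|
| vpntunnel | tunnel name | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96568 | error | ipsecvpn | status | replayed packet detected (packet dropped) |

| Field | Field Description | Field Type |
|---|---|---|
| vpntunnel | tunnel name | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96569 | info | ipsecvpn | status | The VPN user accept the banner warning |

| Field | Field Description | Field Type |
|---|---|---|
| vpntunnel | tunnel name | string |
| locip | local ip | string |
| locport | local port | int |
| remip | remote ip | string |
| remport | remote port | int |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96570 | info | ipsecvpn | status | The VPN user reject the banner warning and disconnect the tunnel |

| Field | Field Description | Field Type |
|---|---|---|
| vpntunnel | tunnel name | string |
| locip | local ip | string |
| locport | local port | int |
| remip | remote ip | string |
| remport | remote port | int |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96571 | info | ipsecvpn | status | Send sa to the IPsec driver |

| Field | Field Description | Field Type |
|---|---|---|
| vpntunnel | tunnel name | string |
| locip | local ip | string |
| locport | local port | int |
| remip | remote ip | string |
| remport | remote port | int |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96574 | error | ipsecvpn | error | Logged when a VPN authorization rule failed |

| Field | Field Description | Field Type |
|---|---|---|
| vpntunnel | tunnel name | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96575 | warning | ipsecvpn | error | VPN cannot connect because the specified application is not running |

| Field | Field Description | Field Type |
|---|---|---|
| app | application | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96576 | info | ipsecvpn | error | IKE phase1 authentication fail as peer's certificate is not verified |

| Field | Field Description | Field Type |
|---|---|---|
| vpntunnel | tunnel name | string |
| locip | local ip | string |
| locport | local port | int |
| remip | remote ip | string |
| remport | remote port | int |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96577 | info | ipsecvpn | error | IKE phase1 authentication fail as peer's certificate is not verified |

| Field | Field Description | Field Type |
|---|---|---|
| vpntunnel | tunnel name | string |
| locip | local ip | string |
| locport | local port | int |
| remip | remote ip | string |
| remport | remote port | int |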

securityevent > removablemediaaccess

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96620 | info | removablemediaaccess | status | usb storage activity |

| Field | Field Description | Field Type |
|---|---|---|
| action | action | enumeration string |
| activity | activity | enumeration string |
| description | description | string |

securityevent > sandboxing

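| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96545 | debug | sandboxing | error | Failed to connect to FortiSandbox server |

| Field | Field Description | Field Type |
|---|---|---|
| failed_reason | reason of the failure | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96556 | warning | sandboxing | error | Failed to submit file to FortiSandbox server |

| Field | Field Description | Field Type |
|---|---|---|
| file | file location | string |
| error_code | reason of the failure | int |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96557 | warning | sandboxing | error | Failed to query checksum to FortiSandbox server |

| Field | Field Description | Field Type |
|---|---|---|
| file | file location | string |
| error_code | reason of the failure | int |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96546 | warning | sandboxing | action | Found virus |

| Field | Field Description | Field Type |
|---|---|---|
| action | action taken for the infected item | enumeration string |
| file | file location | string |
| virus | virus name | string |
| sigid | signature id | string |
| filesize | file size | int |
| checksum | file crc32 checksum | int |
| detectedby | the security feature that detected virus | enumeration string |
| detectedin | where the virus is detected | enumeration string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96547 | info | sandboxing | error | Sandbox is not authorized |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96554 | info | sandboxing | status | file is submitted to Sandbox service |

| Field | Field Description | Field Type |
|---|---|---|
| file | file location | string |
| checksum | file SHA256 checksum | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96555 | debug | sandboxing | status | file score received |

| Field | Field Description | Field Type |
|---|---|---|
| file | file location | string |
| score | file score | int |
| checksum | file SHA256 checksum | string |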

securityevent > sslvpn

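| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96600 | info | sslvpn | status | SSLVPN tunnel status |

| Field | Field Description | Field Type |
|---|---|---|
| vpnstate | tunnel status | enumeration string |
| vpntunnel | tunnel name | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96601 | error | sslvpn | error | Telephony service (TapiSrv) is not running |

| Field | Field Description | Field Type |
|---|---|---|
| vpnstate | tunnel status | enumeration string |
| vpntunnel | tunnel name | string |
| vpnuser | tunnel user name | string |
| remotegw | remote gateway | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96602 | info | sslvpn | status | SSLVPN service started successfully |

| Field | Field Description | Field Type |
|---|---|---|
| vpnstate | tunnel status | enumeration string |
| vpntunnel | tunnel name | string |
| vpnuser | tunnel user name | string |
| remotegw | remote gateway | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96603 | error | sslvpn | error | SSLVPN tunnel connection failed |

| Field | Field Description | Field Type |
|---|---|---|
| vpnstate | tunnel status | enumeration string |
| vpntunnel | tunnel name | string |
| vpnuser | tunnel user name | string |
| remotegw | remote gateway | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96605 | warning | sslvpn | error | SSLVPN cannot connect because the specified application is not running |

| Field | Field Description | Field Type |
|---|---|---|
| app | application | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96610 | info | sslvpn | status | SSLVPN(DTLS) tunnel status |

| Field | Field Description | Field Type |
|---|---|---|
| vpnstate | tunnel status | enumeration string |
| vpntunnel | tunnel name | string |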

securityevent > vulnerabilityscan

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96520 | info | vulnerabilityscan | status | The vulnerability scan status has changed |

| Field | Field Description | Field Type |
|---|---|---|
| status | scan status | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96521 | info | vulnerabilityscan | status | A vulnerability scan result has been logged |

| Field | Field Description | Field Type |
|---|---|---|
| vulnid | id of the vulnerability | int |
| vulnname | name of the vulnerability | string |
| vulnseverity | severity level | string |
| vulncat | category | string |
| vulncvss | cvss score | string |
| vulnref | reference of the vulnerability | string |
| vulnengine | engine version | string |
| vulnsignature | signature version | string |
| vulnproducts | name of the vulnerable product | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96522 | info | vulnerabilityscan | action | Applying patch for vulnerability found |

| Field | Field Description | Field Type |
|---|---|---|
| vulnid | id of the vulnerability | int |
| vulnname | name of the vulnerability | string |
| vulnseverity | severity level | string |
| vulncat | category | string |
| vulncvss | cvss score | string |
| vulnref | reference of the vulnerability | string |
| vulnengine | engine version | string |
| vulnsignature | signature version | string |
| vulnproducts | name of the vulnerable product | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96523 | info | vulnerabilityscan | action | Applying patch for Windows vulnerability |

| Field | Field Description | Field Type |
|---|---|---|
| vulnid | id of the vulnerability | int |
| vulnname | name of the vulnerability | string |
| vulnseverity | severity level | string |
| vulncat | category | string |
| vulncvss | cvss score | string |
| vulnref | reference of the vulnerability | string |
| vulnengine | engine version | string |
| vulnsignature | signature version | string |
| vulnproducts | name of the vulnerable product | string |

securityevent > webfilter

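| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96500 | info | webfilter | status | User enabled Webfilter |
| 96501 | warning | webfilter | status | User disabled Webfilter |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96502 | warning | webfilter | action | user's access to the url is blocked |

| Field | Field Description | Field Type |
|---|---|---|
| cat | category id | int |
| category | category name | string |
| service | network protocol | string |
| ip | IP address | string |
| status | status | enumeration string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96503 | info | webfilter | action | user's access to the url is bypassed |

| Field | Field Description | Field Type |
|---|---|---|
| cat | category id | int |
| category | category name | string |
| service | network protocol | string |
| ip | IP address | string |
| status | status | enumeration string |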

systemevent > endpoint

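| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96953 | info | endpoint | status | Endpoint Control Status Changed |

| Field | Field Description | Field Type |
|---|---|---|
| eponlinest | online status | enumeration string |
| epplace | EP place | enumeration string |
| emshostname | EMS host name | string |
| status | status description | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96955 | info | endpoint | status | Endpoint Control Registration Status Changed |

| Field | Field Description | Field Type |
|---|---|---|
| emshostname | EMS host name | string |
| status | status description | string |
| emsip | EMS IP | string |
| fctip | FCT IP | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96956 | info | endpoint | status | Endpoint Quarantine Status Changed |

| Field | Field Description | Field Type |
|---|---|---|
| epmgmtst | management status | enumeration string |
| emshostname | EMS host name | string |
| epquarmsg | quarant message | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96957 | info | endpoint | status | Endpoint Ext Log to FAZ |

| Field | Field Description | Field Type |
|---|---|---|
| epfeatures | installed features list | string |
| epenfeatures | enabled features list | string |
| ephbemsduration | EMS heart beat duration | int |
| ephbemslast | EMS heart beat last time | string |
| emshostname | EMS host name | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96958 | info | endpoint | status | User social media information |

| Field | Field Description | Field Type |
|---|---|---|
| social_srvc | social service | string |
| social_user | social user name | string |
| social_email | social email | string |
| social_phone | social phone number | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96959 | info | endpoint | status | Current AV allowlist engine/signatures this endpoint is using |

| Field | Field Description | Field Type |
|---|---|---|
| emshostname | EMS host name | string |
| avaleng | AV allowlist engine version | string |
| avalsig | AV allowlist signatures version | string |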

systemevent > system

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96800 | info | system | error | Forcefully kill a child process after grace period expires |

| Field | Field Description | Field Type |
|---|---|---|
| apppath | process name | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96801 | error | system | error | The scheduler cannot start the scheduled task because the task's license is expired |
| 96812 | info | system | error | Update allowed only if you have a valid license |
| 96813 | info | system | status | Software updates are disabled |
| 96814 | info | system | status | Software updates from FortiGuard have been disabled because this client is managed |
| 96815 | info | system | error | Software updates require administrative privileges |
| 96816 | info | system | status | Software update successful |
| 96817 | info | system | error | Software update failed |
| 96818 | info | system | error | Unable to perform software update. Registry does not contain image id to download |
| 96820 | error | system | error | Failed to load the av engine |
| 96821 | error | system | error | Error patching AV signatur |
| 96822 | error | system | error | Unable to load FASLE engine |
| 96823 | info | system | status | Checking for updates |
| 96824 | info | system | status | Software update started |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96825 | info | system | status | Update was successful, current engine/signature information recorded |

| Field | Field Description | Field Type |
|---|---|---|
| avengine | AV engine | string |
| avsig | AV signature | string |
| avsigext | AV extended signature | string |
| avsigetm | AV extreme signature | string |
| avsigheu | AV heuristic signature | string |
| rootkitengine | anti-rootkit engine | string |
| rootkitsig | anti-rootkit signature | string |
| appsig | app DB signature | string |
| appengine | app DB engine | string |
| vulnsig | vulnerability signature | string |
| vulnengine | vulnerability engine | string |
| ipseng | firewall engine | string |
| ipssig | firewall signature | string |
| irdbsig | irdb signature | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96840 | warning | system | status | Fortiproxy is disabled |
| 96841 | info | system | status | Fortiproxy is enabled |
| 96851 | info | system | status | FortiShield is enabled |
| 96850 | warning | system | status | FortiShield is disabled |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96855 | warning | system | action | FortiShield has prevented an application from modifying a file or registry setting protected by FortiClient |

| Field | Field Description | Field Type |
|---|---|---|
| processname | blocked process | string |
| file | file or registry path | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96873 | info | system | status | FortiClient is shutting down |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96882 | info | system | status | Logged when push configuration is received |

| Field | Field Description | Field Type |
|---|---|---|
| policyname | policy name | string |

systemevent > update

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96650 | info | update | status | Update was successful |

| Field | Field Description | Field Type |
|---|---|---|
| avengine | AV engine | string |
| avsig | AV signature | string |
| avsigext | AV extended signature | string |
| avsigetm | AV extreme signature | string |
| avsigheu | AV heuristic signature | string |
| avsigpallas | AV pallas signature | string |
| rootkitengine | anti-rootkit engine | string |
| rootkitsig | anti-rootkit signature | string |
| appsig | app DB signature | string |
| appengine | app DB engine | string |
| vulnsig | vulnerability signature | string |
| vulnengine | vulnerability engine | string |
| ipseng | firewall engine | string |
| ipssig | firewall signature | string |
| irdbsig | irdb signature | string |
| avsiglastupdate | last update time | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96819 | info | update | status | Update was successful to the given version for the given module |

| Field | Field Description | Field Type |
|---|---|---|
| avengine | AV engine | string |
| avsig | AV signature | string |
| avsigext | AV extended signature | string |
| avsigetm | AV extreme signature | string |
| avsigheu | AV heuristic signature | string |
| rootkitengine | anti-rootkit engine | string |
| rootkitsig | anti-rootkit signature | string |
| appsig | app DB signature | string |
| appengine | app DB engine | string |
| vulnsig | vulnerability signature | string |
| vulnengine | vulnerability engine | string |
| ipseng | firewall engine | string |
| ipssig | firewall signature | string |
| irdbsig | irdb signature | string |

traffic > system

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96900 | info | system | traffic | Traffic log |

| Field | Field Description | Field Type |
|---|---|---|
| sessionid | network session | string |
| regip | regip | string |
| srcname | source name | string |
| srcproduct | source product | string |
| srcip | source IP | string |
| srcport | source port | int |
| direction | traffic direction | string |
| dstip | destination IP | string |
| remotename | remote name | string |
| dstport | destination port | int |
| proto | network protocol | int |
| rcvdbyte | data received (in bytes) | int |
| sentbyte | data sent (in bytes) | int |
| utmaction | utm action | string |
| utmevent | utm event | string |
| threat | threat | string |
| service | network protocol | string |
| userinitiated | if user initiated url request | int |
| browsetime | user browsing time of web page (in seconds) | int |
| url | url | string |

Log message by type

securityevent > antiexploit

Log ID

Level

Sub Type

Event Type

Message

96548

warning

antiexploit

action

AntiExpoit has detected violation

Field

Field Description

Field Type

action

action taken for violation

enumeration string

ae_api

API used of the violation

string

ae_reason

reason of the violation

string

app

application

string

securityevent > antiransomware

Log ID

Level

Sub Type

Event Type

Message

98000

warning

antiransomware

status

AntiRansomware has found suspicious process

Field

Field Description

Field Type

file

file location

string

action

file action (1 = kill 2 = resume)

enumeration string

default_used

if process is handled by default action

int

securityevent > applicationcontrol

Log ID

Level

Sub Type

Event Type

Message

96701

warning

applicationcontrol

error

Application Control found a rule violation

Field

Field Description

Field Type

path

path of process

string

username

username of process

string

domain

domain of user

string

ruleuuid

uuid of violated rule

string

action

block or monitor

string

securityevent > av

Log ID

Level

Sub Type

Event Type

Message

96530

warning

av

action

Found virus

Field

Field Description

Field Type

action

action taken for the infected item

enumeration string

file

file location

string

virus

virus name

string

viruscat

virus category

string

sigid

signature id

string

vid

virus id

int

from

email from

string

to

email to

string

service

network protocol

string

vpn

vpn tunnel name

string

filesize

file size

int

checksum

file crc32 checksum

int

detectedby

the security feature that detected virus

enumeration string

detectedin

where the virus is detected

enumeration string

96531

warning

av

action

Found malware

Field

Field Description

Field Type

action

action taken for the infected item

enumeration string

file

file location

string

virus

virus name

string

sigid

signature id

string

filesize

file size

int

checksum

file crc32 checksum

int

detectedby

the security feature that detected virus

enumeration string

detectedin

where the virus is detected

enumeration string

96534

warning

av

status

User disabled Realtime AntiVirus protection

96535

info

av

error

Communication error with other modules

96536

warning

av

action

AntiVirus realtime protection killed malware process

Field

Field Description

Field Type

processname

process name

string

detectedby

the security feature that detected virus

enumeration string

96537

info

av

status

av_task scan thread is suspended

96538

info

av

status

av_task scan thread is resumed

96540

info

av

error

Cannot start scan task, license expired

96541

info

av

status

av_task scan is started

96542

info

av

status

av_task scan is stopped

96543

error

av

error

Scheduled scan failed: Path to file/folder no longer exists

Field

Field Description

Field Type

file

file or directory does not exist

string

96550

error

av

error

Failed to restore quarantined file

Field

Field Description

Field Type

action

action taken for the infected item

enumeration string

file

file location

string

virus

virus name

string

sigid

signature id

string

filesize

file size

int

checksum

file crc32 checksum

int

detectedby

the security feature that detected virus

enumeration string

96551

info

av

action

A quarantined file was restored

Field

Field Description

Field Type

action

action taken for the infected item

enumeration string

file

file location

string

virus

virus name

string

sigid

signature id

string

filesize

file size

int

checksum

file crc32 checksum

int

detectedby

the security feature that detected virus

enumeration string

securityevent > cloudscan

Log ID

Level

Sub Type

Event Type

Message

97100

debug

cloudscan

status

file score received

Field

Field Description

Field Type

file

file location

string

score

file score

int

checksum

file SHA256 checksum

string

securityevent > firewall

Log ID

Level

Sub Type

Event Type

Message

96645

warning

firewall

error

The application firewall has been disabled because it's driver could not be loaded

securityevent > fsso

Log ID

Level

Sub Type

Event Type

Message

96980

info

fsso

status

Single Sign-On event

Field

Field Description

Field Type

action

action

enumeration string

domain

domain name

string

remotegw

remote gateway

string

96983

info

fsso

status

Single Sign-On Mobility Agent is starting

96984

info

fsso

status

Single Sign-On Mobility Agent is stopping

securityevent > ipsecvpn

Log ID

Level

Sub Type

Event Type

Message

96560

info

ipsecvpn

status

VPN tunnel status

Field

Field Description

Field Type

vpnstate

tunnel status

enumeration string

vpntunnel

tunnel name

string

vpnuser

vpn tunnel user name

string

remotegw

remote gateway

string

locip

local ip

string

locport

local port

int

remip

remote ip

string

remport

remote port

int

96561

warning

ipsecvpn

error

No response from the peer, phase1 retransmit reaches maximum count

Field

Field Description

Field Type

vpntunnel

tunnel name

string

locip

local ip

string

locport

local port

int

remip

remote ip

string

remport

remote port

int

96562

warning

ipsecvpn

error

No response from the peer, phase2 retransmit reaches maximum count

Field

Field Description

Field Type

vpntunnel

tunnel name

string

locip

local ip

string

locport

local port

int

remip

remote ip

string

remport

remote port

int

96563

warning

ipsecvpn

status

Received delete payload from peer check xauth password

Field

Field Description

Field Type

vpntunnel

tunnel name

string

locip

local ip

string

locport

local port

int

remip

remote ip

string

remport

remote port

int

96564

error

ipsecvpn

error

Failed to acquire an IP address for the virtual adapter

Field

Field Description

Field Type

vpntunnel

tunnel name

string

locip

local ip

string

locport

local port

int

remip

remote ip

string

remport

remote port

int

96565

error

ipsecvpn

error

General error of IKE

Field

Field Description

Field Type

vpntunnel

tunnel name

string

locip

local ip

string

locport

local port

int

remip

remote ip

string

remport

remote port

int

96566

info

ipsecvpn

status

negotiation information

Field

Field Description

Field Type

vpntunnel

tunnel name

string

96567

error

ipsecvpn

error

negotiation error

Field

Field Description

Field Type

vpntunnel

tunnel name

string

96568

error

ipsecvpn

status

replayed packet detected (packet dropped)

Field

Field Description

Field Type

vpntunnel

tunnel name

string

96569

info

ipsecvpn

status

The VPN user accept the banner warning

Field

Field Description

Field Type

vpntunnel

tunnel name

string

locip

local ip

string

locport

local port

int

remip

remote ip

string

remport

remote port

int

96570

info

ipsecvpn

status

The VPN user reject the banner warning and disconnect the tunnel

Field

Field Description

Field Type

vpntunnel

tunnel name

string

locip

local ip

string

locport

local port

int

remip

remote ip

string

remport

remote port

int

96571

info

ipsecvpn

status

Send sa to the IPsec driver

Field

Field Description

Field Type

vpntunnel

tunnel name

string

locip

local ip

string

locport

local port

int

remip

remote ip

string

remport

remote port

int

96574

error

ipsecvpn

error

Logged when a VPN authorization rule failed

Field

Field Description

Field Type

vpntunnel

tunnel name

string

96575

warning

ipsecvpn

error

VPN cannot connect because the specified application is not running

Field

Field Description

Field Type

app

application

string

96576

info

ipsecvpn

error

IKE phase1 authentication fail as peer's certificate is not verified

Field

Field Description

Field Type

vpntunnel

tunnel name

string

locip

local ip

string

locport

local port

int

remip

remote ip

string

remport

remote port

int

96577

info

ipsecvpn

error

IKE phase1 authentication fail as peer's certificate is not verified

Field

Field Description

Field Type

vpntunnel

tunnel name

string

locip

local ip

string

locport

local port

int

remip

remote ip

string

remport

remote port

int

securityevent > removablemediaaccess

Log ID

Level

Sub Type

Event Type

Message

96620

info

removablemediaaccess

status

usb storage activity

Field

Field Description

Field Type

action

action

enumeration string

activity

activity

enumeration string

description

description

string

securityevent > sandboxing

Log ID

Level

Sub Type

Event Type

Message

96545

debug

sandboxing

error

Failed to connect to FortiSandbox server

Field

Field Description

Field Type

failed_reason

reason of the failure

string

96556

warning

sandboxing

error

Failed to submit file to FortiSandbox server

Field

Field Description

Field Type

file

file location

string

error_code

reason of the failure

int

96557

warning

sandboxing

error

Failed to query checksum to FortiSandbox server

Field

Field Description

Field Type

file

file location

string

error_code

reason of the failure

int

96546

warning

sandboxing

action

Found virus

Field

Field Description

Field Type

action

action taken for the infected item

enumeration string

file

file location

string

virus

virus name

string

sigid

signature id

string

filesize

file size

int

checksum

file crc32 checksum

int

detectedby

the security feature that detected virus

enumeration string

detectedin

where the virus is detected

enumeration string

96547

info

sandboxing

error

Sandbox is not authorized

96554

info

sandboxing

status

file is submitted to Sandbox service

Field

Field Description

Field Type

file

file location

string

checksum

file SHA256 checksum

string

96555

debug

sandboxing

status

file score received

Field

Field Description

Field Type

file

file location

string

score

file score

int

checksum

file SHA256 checksum

string

securityevent > sslvpn

Log ID

Level

Sub Type

Event Type

Message

96600

info

sslvpn

status

SSLVPN tunnel status

Field

Field Description

Field Type

vpnstate

tunnel status

enumeration string

vpntunnel

tunnel name

string

96601

error

sslvpn

error

Telephony service (TapiSrv) is not running

Field

Field Description

Field Type

vpnstate

tunnel status

enumeration string

vpntunnel

tunnel name

string

vpnuser

tunnel user name

string

remotegw

remote gateway

string

96602

info

sslvpn

status

SSLVPN service started successfully

Field

Field Description

Field Type

vpnstate

tunnel status

enumeration string

vpntunnel

tunnel name

string

vpnuser

tunnel user name

string

remotegw

remote gateway

string

96603

error

sslvpn

error

SSLVPN tunnel connection failed

Field

Field Description

Field Type

vpnstate

tunnel status

enumeration string

vpntunnel

tunnel name

string

vpnuser

tunnel user name

string

remotegw

remote gateway

string

96605

warning

sslvpn

error

SSLVPN cannot connect because the specified application is not running

Field

Field Description

Field Type

app

application

string

96610

info

sslvpn

status

SSLVPN(DTLS) tunnel status

Field

Field Description

Field Type

vpnstate

tunnel status

enumeration string

vpntunnel

tunnel name

string

securityevent > vulnerabilityscan

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96520 | info | vulnerabilityscan | status | The vulnerability scan status has changed |

| Field | Field Description | Field Type |
|---|---|---|
| status | scan status | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96521 | info | vulnerabilityscan | status | A vulnerability scan result has been logged |

| Field | Field Description | Field Type |
|---|---|---|
| vulnid | id of the vulnerability | int |
| vulnname | name of the vulnerability | string |
| vulnseverity | severity level | string |
| vulncat | category | string |
| vulncvss | cvss score | string |
| vulnref | reference of the vulnerability | string |
| vulnengine | engine version | string |
| vulnsignature | signature version | string |
| vulnproducts | name of the vulnerable product | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96522 | info | vulnerabilityscan | action | Applying patch for vulnerability found |

| Field | Field Description | Field Type |
|---|---|---|
| vulnid | id of the vulnerability | int |
| vulnname | name of the vulnerability | string |
| vulnseverity | severity level | string |
| vulncat | category | string |
| vulncvss | cvss score | string |
| vulnref | reference of the vulnerability | string |
| vulnengine | engine version | string |
| vulnsignature | signature version | string |
| vulnproducts | name of the vulnerable product | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96523 | info | vulnerabilityscan | action | Applying patch for Windows vulnerability |

| Field | Field Description | Field Type |
|---|---|---|
| vulnid | id of the vulnerability | int |
| vulnname | name of the vulnerability | string |
| vulnseverity | severity level | string |
| vulncat | category | string |
| vulncvss | cvss score | string |
| vulnref | reference of the vulnerability | string |
| vulnengine | engine version | string |
| vulnsignature | signature version | string |
| vulnproducts | name of the vulnerable product | string |

securityevent > webfilter

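| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96500 | info | webfilter | status | User enabled Webfilter |
| 96501 | warning | webfilter | status | User disabled Webfilter |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96502 | warning | webfilter | action | user's access to the url is blocked |

| Field | Field Description | Field Type |
|---|---|---|
| cat | category id | int |
| category | category name | string |
| service | network protocol | string |
| ip | IP address | string |
| status | status | enumeration string |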

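| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96503 | info | webfilter | action | user's access to the url is bypassed |

| Field | Field Description | Field Type |
|---|---|---|
| cat | category id | int |
| category | category name | string |
| service | network protocol | string |
| ip | IP address | string |
| status | status | enumeration string |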

systemevent > endpoint

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96953 | info | endpoint | status | Endpoint Control Status Changed |

| Field | Field Description | Field Type |
|---|---|---|
| eponlinest | online status | enumeration string |
| epplace | EP place | enumeration string |
| emshostname | EMS host name | string |
| status | status description | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96955 | info | endpoint | status | Endpoint Control Registration Status Changed |

| Field | Field Description | Field Type |
|---|---|---|
| emshostname | EMS host name | string |
| status | status description | string |
| emsip | EMS IP | string |
| fctip | FCT IP | string |

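| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96956 | info | endpoint | status | Endpoint Quarantine Status Changed |

| Field | Field Description | Field Type |
|---|---|---|
| epmgmtst | management status | enumeration string |
| emshostname | EMS host name | string |
| epquarmsg | quarantine message | string |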

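| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96957 | info | endpoint | status | Endpoint Ext Log to FAZ |

| Field | Field Description | Field Type |
|---|---|---|
| epfeatures | installed features list | string |
| epenfeatures | enabled features list | string |
| ephbemsduration | EMS heart beat duration | int |
| ephbemslast | EMS heart beat last time | string |
| emshostname | EMS host name | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96958 | info | endpoint | status | User social media information |

| Field | Field Description | Field Type |
|---|---|---|
| social_srvc | social service | string |
| social_user | social user name | string |
| social_email | social email | string |
| social_phone | social phone number | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96959 | info | endpoint | status | Current AV allowlist engine/signatures this endpoint is using |

| Field | Field Description | Field Type |
|---|---|---|
| emshostname | EMS host name | string |
| avaleng | AV allowlist engine version | string |
| avalsig | AV allowlist signatures version | string |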

systemevent > system

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96800 | info | system | error | Forcefully kill a child process after grace period expires |

| Field | Field Description | Field Type |
|---|---|---|
| apppath | process name | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96801 | error | system | error | The scheduler cannot start the scheduled task because the task's license is expired |
| 96812 | info | system | error | Update allowed only if you have a valid license |
| 96813 | info | system | status | Software updates are disabled |
| 96814 | info | system | status | Software updates from FortiGuard have been disabled because this client is managed |
| 96815 | info | system | error | Software updates require administrative privileges |
| 96816 | info | system | status | Software update successful |
| 96817 | info | system | error | Software update failed |
| 96818 | info | system | error | Unable to perform software update. Registry does not contain image id to download |
| 96820 | error | system | error | Failed to load the av engine |
| 96821 | error | system | error | Error patching AV signatur |
| 96822 | error | system | error | Unable to load FASLE engine |
| 96823 | info | system | status | Checking for updates |
| 96824 | info | system | status | Software update started |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96825 | info | system | status | Update was successful, current engine/signature information recorded |

| Field | Field Description | Field Type |
|---|---|---|
| avengine | AV engine | string |
| avsig | AV signature | string |
| avsigext | AV extended signature | string |
| avsigetm | AV extreme signature | string |
| avsigheu | AV heuristic signature | string |
| rootkitengine | anti-rootkit engine | string |
| rootkitsig | anti-rootkit signature | string |
| appsig | app DB signature | string |
| appengine | app DB engine | string |
| vulnsig | vulnerability signature | string |
| vulnengine | vulnerability engine | string |
| ipseng | firewall engine | string |
| ipssig | firewall signature | string |
| irdbsig | irdb signature | string |

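| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96840 | warning | system | status | Fortiproxy is disabled |
| 96841 | info | system | status | Fortiproxy is enabled |
| 96851 | info | system | status | FortiShield is enabled |
| 96850 | warning | system | status | FortiShield is disabled |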

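| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96855 | warning | system | action | FortiShield has prevented an application from modifying a file or registry setting protected by FortiClient |

| Field | Field Description | Field Type |
|---|---|---|
| processname | blocked process | string |
| file | file or registry path | string |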

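| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96873 | info | system | status | FortiClient is shutting down |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96882 | info | system | status | Logged when push configuration is received |

| Field | Field Description | Field Type |
|---|---|---|
| policyname | policy name | string |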

systemevent > update

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96650 | info | update | status | Update was successful |

| Field | Field Description | Field Type |
|---|---|---|
| avengine | AV engine | string |
| avsig | AV signature | string |
| avsigext | AV extended signature | string |
| avsigetm | AV extreme signature | string |
| avsigheu | AV heuristic signature | string |
| avsigpallas | AV pallas signature | string |
| rootkitengine | anti-rootkit engine | string |
| rootkitsig | anti-rootkit signature | string |
| appsig | app DB signature | string |
| appengine | app DB engine | string |
| vulnsig | vulnerability signature | string |
| vulnengine | vulnerability engine | string |
| ipseng | firewall engine | string |
| ipssig | firewall signature | string |
| irdbsig | irdb signature | string |
| avsiglastupdate | last update time | string |

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96819 | info | update | status | Update was successful to the given version for the given module |

| Field | Field Description | Field Type |
|---|---|---|
| avengine | AV engine | string |
| avsig | AV signature | string |
| avsigext | AV extended signature | string |
| avsigetm | AV extreme signature | string |
| avsigheu | AV heuristic signature | string |
| rootkitengine | anti-rootkit engine | string |
| rootkitsig | anti-rootkit signature | string |
| appsig | app DB signature | string |
| appengine | app DB engine | string |
| vulnsig | vulnerability signature | string |
| vulnengine | vulnerability engine | string |
| ipseng | firewall engine | string |
| ipssig | firewall signature | string |
| irdbsig | irdb signature | string |

traffic > system

| Log ID | Level | Sub Type | Event Type | Message |
|---|---|---|---|---|
| 96900 | info | system | traffic | Traffic log |

| Field | Field Description | Field Type |
|---|---|---|
| sessionid | network session | string |
| regip | regip | string |
| srcname | source name | string |
| srcproduct | source product | string |
| srcip | source IP | string |
| srcport | source port | int |
| direction | traffic direction | string |
| dstip | destination IP | string |
| remotename | remote name | string |
| dstport | destination port | int |
| proto | network protocol | int |
| rcvdbyte | data received (in bytes) | int |
| sentbyte | data sent (in bytes) | int |
| utmaction | utm action | string |
| utmevent | utm event | string |
| threat | threat | string |
| service | network protocol | string |
| userinitiated | if user initiated url request | int |
| browsetime | user browsing time of web page (in seconds) | int |
| url | url | string |