Log fields by type
securityevent

| Log Field Name | Description | Data Type | Length |
|---|---|---|---|
| action | block or monitor | string | 32 |
| action | action taken for the infected item | enumeration string | 32 |
| activity | activity | enumeration string | 64 |
| ae_api | API used of the violation | string | 64 |
| ae_reason | reason of the violation | string | 64 |
| app | application | string | 96 |
| appname | application name | string | 260 |
| cat | category id | int | 20 |
| category | category name | string | 260 |
| channelurl | channelurl | string | 260 |
| checksum | file crc32 checksum | int | 20 |
| checksum | file SHA256 checksum | string | 16 |
| date | date | string | 260 |
| default_used | if process is handled by default action | int | 20 |
| description | description | string | 260 |
| detectedby | the security feature that detected virus | enumeration string | 64 |
| detectedin | where the virus is detected | enumeration string | 64 |
| detectedpath | detected path(s) | string | 260 |
| deviceip | device IP address | string | 20 |
| devicemac | device MAC address | string | 17 |
| devid | device ID | string | 16 |
| domain | domain of user | string | 256 |
| emsserial | EMS serial number | string | 16 |
| error_code | reason of the failure | int | 20 |
| eventtype | type of event | enumeration string | 32 |
| failed_reason | reason of the failure | string | 260 |
| fctver | FCT version | string | 16 |
| fgtserial | FGT serial number | string | 16 |
| file | file location | string | 256 |
| filesize | file size | int | 20 |
| from | email from | string | 128 |
| hostname | host name of local machine | string | 256 |
| httpport | http port number | int | 20 |
| id | log id | int | 20 |
| ip | IP address | string | 260 |
| level | log level | enumeration string | 20 |
| locip | local ip | string | 20 |
| locport | local port | int | 20 |
| logver | log protocol version | int | 20 |
| maxduration | max-duration for secret | int | 20 |
| msg | description of this log | string | 512 |
| os | operating system | string | 96 |
| pamsessionid | pam session-id | int | 20 |
| path | path of process | string | 260 |
| payload_process | payload process | string | 260 |
| pcdomain | domain name of local machine | string | 128 |
| PID | ID of the malicious process | int | 20 |
| processname | process name | string | 128 |
| proxymode | proxy mode enabled | int | 20 |
| recording | video recording enabled | int | 20 |
| remip | remote ip | string | 20 |
| remotegw | remote gateway | string | 256 |
| remport | remote port | int | 20 |
| ruleuuid | uuid of violated rule | string | 260 |
| score | file score | int | 20 |
| service | network protocol | string | 64 |
| sigid | signature id | string | 260 |
| site | Multi-tenancy site | string | 32 |
| status | scan status | string | 16 |
| status | status | enumeration string | 16 |
| subtype | AntiVirus, FireWall, WebFilter ... | enumeration string | 32 |
| time | time | string | 260 |
| to | email to | string | 512 |
| type | Traffic, Security Event or System Event | string | 16 |
| uid | FortiClient unique ID | string | 32 |
| url | url | string | 512 |
| user | current logged on user | string | 256 |
| username | username of process | string | 260 |
| usingpolicy | current policy name | string | 64 |
| vid | virus id | int | 20 |
| videourl | videourl | string | 260 |
| virus | virus name | string | 512 |
| viruscat | virus category | string | 260 |
| vpn | vpn tunnel name | string | 32 |
| vpnstate | tunnel status | enumeration string | 64 |
| vpntunnel | tunnel name | string | 128 |
| vpnuser | vpn tunnel user name | string | 128 |
| vulncat | category | string | 32 |
| vulncvss | cvss score | string | 64 |
| vulnengine | engine version | string | 64 |
| vulnid | id of the vulnerability | int | 20 |
| vulnname | name of the vulnerability | string | 128 |
| vulnproducts | name of the vulnerable product | string | 2048 |
| vulnref | reference of the vulnerability | string | 256 |
| vulnseverity | severity level | string | 8 |
| vulnsignature | signature version | string | 260 |

systemevent

| Log Field Name | Description | Data Type | Length |
|---|---|---|---|
| appengine | app DB engine | string | 260 |
| apppath | process name | string | 128 |
| appsig | app DB signature | string | 11 |
| avaleng | AV allowlist engine version | string | 260 |
| avalsig | AV allowlist signatures version | string | 260 |
| avengine | AV engine | string | 11 |
| avsig | AV signature | string | 11 |
| avsigetm | AV extreme signature | string | 11 |
| avsigext | AV extended signature | string | 11 |
| avsigheu | AV heuristic signature | string | 11 |
| avsiglastupdate | last update time | string | 260 |
| avsigpallas | AV pallas signature | string | 260 |
| date | date | string | 260 |
| deviceip | device IP address | string | 20 |
| devicemac | device MAC address | string | 17 |
| devid | device ID | string | 16 |
| emshostname | EMS host name | string | 64 |
| emsip | EMS IP | string | 20 |
| emsserial | EMS serial number | string | 16 |
| epenfeatures | enabled features list | string | 128 |
| epfeatures | installed features list | string | 128 |
| ephbemsduration | EMS heart beat duration | int | 20 |
| ephbemslast | EMS heart beat last time | string | 64 |
| epmgmtst | management status | enumeration string | 64 |
| eponlinest | online status | enumeration string | 32 |
| epplace | EP place | enumeration string | 32 |
| epquarmsg | quarant message | string | 260 |
| eventtype | type of event | enumeration string | 32 |
| fctip | FCT IP | string | 20 |
| fctver | FCT version | string | 16 |
| fgtserial | FGT serial number | string | 16 |
| file | file or registry path | string | 256 |
| hostname | host name of local machine | string | 256 |
| id | log id | int | 20 |
| ipseng | firewall engine | string | 11 |
| ipssig | firewall signature | string | 11 |
| irdbsig | irdb signature | string | 260 |
| level | log level | enumeration string | 20 |
| logver | log protocol version | int | 20 |
| msg | description of this log | string | 512 |
| os | operating system | string | 96 |
| pcdomain | domain name of local machine | string | 128 |
| policyname | policy name | string | 64 |
| processname | blocked process | string | 128 |
| site | Multi-tenancy site | string | 32 |
| social_email | social email | string | 128 |
| social_phone | social phone number | string | 64 |
| social_srvc | social service | string | 64 |
| social_user | social user name | string | 256 |
| status | status description | string | 16 |
| subtype | AntiVirus, FireWall, WebFilter ... | enumeration string | 32 |
| time | time | string | 260 |
| type | Traffic, Security Event or System Event | string | 16 |
| uid | FortiClient unique ID | string | 32 |
| user | current logged on user | string | 256 |
| usingpolicy | current policy name | string | 64 |
| vulnengine | vulnerability engine | string | 64 |
| vulnsig | vulnerability signature | string | 11 |

traffic

| Log Field Name | Description | Data Type | Length |
|---|---|---|---|
| browsetime | user browsing time of web page (in seconds) | int | 20 |
| date | date | string | 260 |
| deviceip | device IP address | string | 20 |
| devicemac | device MAC address | string | 17 |
| devid | device ID | string | 16 |
| direction | traffic direction | string | 8 |
| dstip | destination IP | string | 20 |
| dstport | destination port | int | 20 |
| emsserial | EMS serial number | string | 16 |
| eventtype | type of event | enumeration string | 32 |
| fctver | FCT version | string | 16 |
| fgtserial | FGT serial number | string | 16 |
| hostname | host name of local machine | string | 256 |
| id | log id | int | 20 |
| level | log level | enumeration string | 20 |
| logver | log protocol version | int | 20 |
| msg | description of this log | string | 512 |
| os | operating system | string | 96 |
| pcdomain | domain name of local machine | string | 128 |
| proto | network protocol | int | 20 |
| rcvdbyte | data received (in bytes) | int | 20 |
| regip | regip | string | 64 |
| remotename | remote name | string | 256 |
| sentbyte | data sent (in bytes) | int | 20 |
| service | network protocol | string | 64 |
| sessionid | network session | string | 64 |
| site | Multi-tenancy site | string | 32 |
| srcip | source IP | string | 20 |
| srcname | source name | string | 256 |
| srcport | source port | int | 20 |
| srcproduct | source product | string | 256 |
| subtype | AntiVirus, FireWall, WebFilter ... | enumeration string | 32 |
| threat | threat | string | 128 |
| time | time | string | 260 |
| type | Traffic, Security Event or System Event | string | 16 |
| uid | FortiClient unique ID | string | 32 |
| url | url | string | 512 |
| user | current logged on user | string | 256 |
| userinitiated | if user initiated url request | int | 20 |
| usingpolicy | current policy name | string | 64 |
| utmaction | utm action | string | 32 |
| utmevent | utm event | string | 32 |