Log message by type

securityevent > antiexploit

Log ID

Level

Sub Type

Event Type

Message

96548

warning

antiexploit

action

AntiExpoit has detected violation

Field	Field Description	Field Type
action	action taken for violation	enumeration string
ae_api	API used of the violation	string
ae_reason	reason of the violation	string
app	application	string
payload_process	payload process	string

securityevent > antiransomware

Log ID

Level

Sub Type

Event Type

Message

98000

warning

antiransomware

status

AntiRansomware has found a suspicious process

Field	Field Description	Field Type
file	file location	string
action	file action (1 = kill 2 = resume)	enumeration string
default_used	if process is handled by default action	int
checksum	file SHA256 checksum	string
PID	ID of the malicious process	int

98001

warning

antiransomware

status

AntiRansomware has recovered a file

Field	Field Description	Field Type
file	file location	string

98002

warning

antiransomware

status

AntiRansomware has quarantined a file

Field	Field Description	Field Type
file	file location	string
checksum	file SHA256 checksum	string

98003

info

antiransomware

status

AntiRansomware has completed the quarantine and restoration of relevant files

securityevent > applicationcontrol

Log ID

Level

Sub Type

Event Type

Message

96701

warning

applicationcontrol

error

Application Control found a rule violation

Field	Field Description	Field Type
path	path of process	string
username	username of process	string
domain	domain of user	string
ruleuuid	uuid of violated rule	string
action	block or monitor	string

securityevent > av

Log ID

Level

Sub Type

Event Type

Message

96530

warning

action

Found virus

Field	Field Description	Field Type
action	action taken for the infected item	enumeration string
file	file location	string
virus	virus name	string
viruscat	virus category	string
sigid	signature id	string
vid	virus id	int
from	email from	string
to	email to	string
service	network protocol	string
vpn	vpn tunnel name	string
filesize	file size	int
checksum	file crc32 checksum	int
detectedby	the security feature that detected virus	enumeration string
detectedin	where the virus is detected	enumeration string

96531

warning

action

Found malware

Field	Field Description	Field Type
action	action taken for the infected item	enumeration string
file	file location	string
virus	virus name	string
sigid	signature id	string
filesize	file size	int
checksum	file crc32 checksum	int
detectedby	the security feature that detected virus	enumeration string
detectedin	where the virus is detected	enumeration string

96534

warning

status

User disabled Realtime AntiVirus protection

96535

info

error

Communication error with other modules

96536

warning

action

AntiVirus realtime protection killed malware process

Field	Field Description	Field Type
processname	process name	string
detectedby	the security feature that detected virus	enumeration string

96537

info

status

av_task scan thread is suspended

96538

info

status

av_task scan thread is resumed

96540

info

error

Cannot start scan task, license expired

96541

info

status

av_task scan is started

96542

info

status

av_task scan is stopped

96543

error

Scheduled scan failed: Path to file/folder no longer exists

Field	Field Description	Field Type
file	file or directory does not exist	string

96550

error

Failed to restore quarantined file

Field	Field Description	Field Type
action	action taken for the infected item	enumeration string
file	file location	string
virus	virus name	string
sigid	signature id	string
filesize	file size	int
checksum	file crc32 checksum	int
detectedby	the security feature that detected virus	enumeration string

96551

info

action

A quarantined file was restored

Field	Field Description	Field Type
action	action taken for the infected item	enumeration string
file	file location	string
virus	virus name	string
sigid	signature id	string
filesize	file size	int
checksum	file crc32 checksum	int
detectedby	the security feature that detected virus	enumeration string

securityevent > cloudscan

Log ID

Level

Sub Type

Event Type

Message

97100

debug

cloudscan

status

file score received

Field	Field Description	Field Type
file	file location	string
score	file score	int
checksum	file SHA256 checksum	string

securityevent > firewall

Log ID	Level	Sub Type	Event Type	Message
96645	warning	firewall	error	The application firewall has been disabled because it's driver could not be loaded

securityevent > fsso

Log ID

Level

Sub Type

Event Type

Message

96980

info

fsso

status

Single Sign-On event

Field	Field Description	Field Type
action	action	enumeration string
domain	domain name	string
remotegw	remote gateway	string

96983

info

fsso

status

Single Sign-On Mobility Agent is starting

96984

info

fsso

status

Single Sign-On Mobility Agent is stopping

securityevent > ipsecvpn

Log ID

Level

Sub Type

Event Type

Message

96560

info

ipsecvpn

status

VPN tunnel status

Field	Field Description	Field Type
vpnstate	tunnel status	enumeration string
vpntunnel	tunnel name	string
vpnuser	vpn tunnel user name	string
remotegw	remote gateway	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

96561

warning

ipsecvpn

error

No response from the peer, phase1 retransmit reaches maximum count

Field	Field Description	Field Type
vpntunnel	tunnel name	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

96562

warning

ipsecvpn

error

No response from the peer, phase2 retransmit reaches maximum count

Field	Field Description	Field Type
vpntunnel	tunnel name	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

96563

warning

ipsecvpn

status

Received delete payload from peer check xauth password

Field	Field Description	Field Type
vpntunnel	tunnel name	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

96564

error

ipsecvpn

error

Failed to acquire an IP address for the virtual adapter

Field	Field Description	Field Type
vpntunnel	tunnel name	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

96565

error

ipsecvpn

error

General error of IKE

Field	Field Description	Field Type
vpntunnel	tunnel name	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

96566

info

ipsecvpn

status

negotiation information

Field	Field Description	Field Type
vpntunnel	tunnel name	string

96567

error

ipsecvpn

error

negotiation error

Field	Field Description	Field Type
vpntunnel	tunnel name	string

96568

error

ipsecvpn

status

replayed packet detected (packet dropped)

Field	Field Description	Field Type
vpntunnel	tunnel name	string

96569

info

ipsecvpn

status

The VPN user accept the banner warning

Field	Field Description	Field Type
vpntunnel	tunnel name	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

96570

info

ipsecvpn

status

The VPN user reject the banner warning and disconnect the tunnel

Field	Field Description	Field Type
vpntunnel	tunnel name	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

96571

info

ipsecvpn

status

Send sa to the IPsec driver

Field	Field Description	Field Type
vpntunnel	tunnel name	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

96574

error

ipsecvpn

error

Logged when a VPN authorization rule failed

Field	Field Description	Field Type
vpntunnel	tunnel name	string

96575

warning

ipsecvpn

error

VPN cannot connect because the specified application is not running

Field	Field Description	Field Type
app	application	string

96576

info

ipsecvpn

error

IKE phase1 authentication fail as peer's certificate is not verified

Field	Field Description	Field Type
vpntunnel	tunnel name	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

96577

info

ipsecvpn

error

IKE phase1 authentication fail as peer's certificate is not verified

Field	Field Description	Field Type
vpntunnel	tunnel name	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

securityevent > pam

Log ID

Level

Sub Type

Event Type

Message

99000

info

pam

status

fortiPAM Agent started

Field	Field Description	Field Type
httpport	http port number	int

99001

info

pam

status

fortiPAM Agent stopped

99002

info

pam

status

fortiPAM Agent: received new request from browser

Field	Field Description	Field Type
pamsessionid	pam session-id	int

99003

info

pam

status

fortiPAM Agent: received a new Secret launch request

Field	Field Description	Field Type
pamsessionid	pam session-id	int
appname	application name	string
maxduration	max-duration for secret	int
recording	video recording enabled	int
proxymode	proxy mode enabled	int

99008

info

pam

status

fortiPAM Agent: received invalid request from PAM Server

Field	Field Description	Field Type
pamsessionid	pam session-id	int

99004

info

pam

status

fortiPAM Agent: launched secret succesfully

Field	Field Description	Field Type
pamsessionid	pam session-id	int
appname	application name	string
maxduration	max-duration for secret	int
recording	video recording enabled	int
proxymode	proxy mode enabled	int

99005

info

pam

status

fortiPAM Agent: failed to launch secret

Field	Field Description	Field Type
pamsessionid	pam session-id	int
appname	application name	string
maxduration	max-duration for secret	int
recording	video recording enabled	int
proxymode	proxy mode enabled	int

99006

info

pam

status

fortiPAM Agent: secret terminated

Field	Field Description	Field Type
pamsessionid	pam session-id	int
appname	application name	string
maxduration	max-duration for secret	int
recording	video recording enabled	int
proxymode	proxy mode enabled	int

securityevent > removablemediaaccess

Log ID

Level

Sub Type

Event Type

Message

96620

info

removablemediaaccess

status

usb storage activity

Field	Field Description	Field Type
action	action	enumeration string
activity	activity	enumeration string
description	description	string

securityevent > sandboxing

Log ID

Level

Sub Type

Event Type

Message

96545

debug

sandboxing

error

Failed to connect to FortiSandbox server

Field	Field Description	Field Type
failed_reason	reason of the failure	string

96556

warning

sandboxing

error

Failed to submit file to FortiSandbox server

Field	Field Description	Field Type
file	file location	string
error_code	reason of the failure	int

96557

warning

sandboxing

error

Failed to query checksum to FortiSandbox server

Field	Field Description	Field Type
file	file location	string
error_code	reason of the failure	int

96546

warning

sandboxing

action

Found virus

Field	Field Description	Field Type
action	action taken for the infected item	enumeration string
file	file location	string
virus	virus name	string
sigid	signature id	string
filesize	file size	int
checksum	file crc32 checksum	int
detectedby	the security feature that detected virus	enumeration string
detectedin	where the virus is detected	enumeration string

96547

info

sandboxing

error

Sandbox is not authorized

96554

info

sandboxing

status

file is submitted to Sandbox service

Field	Field Description	Field Type
file	file location	string
checksum	file SHA256 checksum	string

96555

debug

sandboxing

status

file score received

Field	Field Description	Field Type
file	file location	string
score	file score	int
checksum	file SHA256 checksum	string

securityevent > sslvpn

Log ID

Level

Sub Type

Event Type

Message

96600

info

sslvpn

status

SSLVPN tunnel status

Field	Field Description	Field Type
vpnstate	tunnel status	enumeration string
vpntunnel	tunnel name	string
vpnuser	vpn tunnel user name	string

96601

error

sslvpn

error

Telephony service (TapiSrv) is not running

Field	Field Description	Field Type
vpnstate	tunnel status	enumeration string
vpntunnel	tunnel name	string
vpnuser	tunnel user name	string
remotegw	remote gateway	string

96602

info

sslvpn

status

SSLVPN service started successfully

Field	Field Description	Field Type
vpnstate	tunnel status	enumeration string
vpntunnel	tunnel name	string
vpnuser	tunnel user name	string
remotegw	remote gateway	string

96603

error

sslvpn

error

SSLVPN tunnel connection failed

Field	Field Description	Field Type
vpnstate	tunnel status	enumeration string
vpntunnel	tunnel name	string
vpnuser	tunnel user name	string
remotegw	remote gateway	string

96605

warning

sslvpn

error

SSLVPN cannot connect because the specified application is not running

Field	Field Description	Field Type
app	application	string

96610

info

sslvpn

status

SSLVPN(DTLS) tunnel status

Field	Field Description	Field Type
vpnstate	tunnel status	enumeration string
vpntunnel	tunnel name	string

securityevent > videofilter

Log ID

Level

Sub Type

Event Type

Message

96508

warning

videofilter

action

user's access to the video is blocked

Field	Field Description	Field Type
cat	category id	int
category	category name	string
videourl	videourl	string
channelurl	channelurl	string
status	status	enumeration string

96509

info

videofilter

action

user's access to the video is bypassed

Field	Field Description	Field Type
cat	category id	int
category	category name	string
videourl	videourl	string
channelurl	channelurl	string
status	status	enumeration string

securityevent > vulnerabilityscan

Log ID

Level

Sub Type

Event Type

Message

96520

info

vulnerabilityscan

status

The vulnerability scan status has changed

Field	Field Description	Field Type
status	scan status	string

96521

warning

vulnerabilityscan

status

A vulnerability scan result has been logged

Field	Field Description	Field Type
vulnid	id of the vulnerability	int
vulnname	name of the vulnerability	string
vulnseverity	severity level	string
vulncat	category	string
vulncvss	cvss score	string
vulnref	reference of the vulnerability	string
vulnengine	engine version	string
vulnsignature	signature version	string
vulnproducts	name of the vulnerable product	string
detectedpath	detected path(s)	string

96522

info

vulnerabilityscan

action

Applying patch for vulnerability found

Field	Field Description	Field Type
vulnid	id of the vulnerability	int
vulnname	name of the vulnerability	string
vulnseverity	severity level	string
vulncat	category	string
vulncvss	cvss score	string
vulnref	reference of the vulnerability	string
vulnengine	engine version	string
vulnsignature	signature version	string
vulnproducts	name of the vulnerable product	string

96523

info

vulnerabilityscan

action

Applying patch for Windows vulnerability

Field	Field Description	Field Type
vulnid	id of the vulnerability	int
vulnname	name of the vulnerability	string
vulnseverity	severity level	string
vulncat	category	string
vulncvss	cvss score	string
vulnref	reference of the vulnerability	string
vulnengine	engine version	string
vulnsignature	signature version	string
vulnproducts	name of the vulnerable product	string

securityevent > webfilter

Log ID

Level

Sub Type

Event Type

Message

96500

info

webfilter

status

User enabled Webfilter

96501

warning

webfilter

status

User disabled Webfilter

96502

warning

webfilter

action

user's access to the url is blocked

Field	Field Description	Field Type
cat	category id	int
category	category name	string
service	network protocol	string
ip	IP address	string
status	status	enumeration string
url	url	string

96503

info

webfilter

action

user's access to the url is bypassed

Field	Field Description	Field Type
cat	category id	int
category	category name	string
service	network protocol	string
ip	IP address	string
status	status	enumeration string
url	url	string

systemevent > endpoint

Log ID

Level

Sub Type

Event Type

Message

96953

info

endpoint

status

Endpoint Control Status Changed

Field	Field Description	Field Type
eponlinest	online status	enumeration string
epplace	EP place	enumeration string
emshostname	EMS host name	string
status	status description	string

96955

info

endpoint

status

Endpoint Control Registration Status Changed

Field	Field Description	Field Type
emshostname	EMS host name	string
status	status description	string
emsip	EMS IP	string
fctip	FCT IP	string

96956

info

endpoint

status

Endpoint Quarantine Status Changed

Field	Field Description	Field Type
epmgmtst	management status	enumeration string
emshostname	EMS host name	string
epquarmsg	quarant message	string

96957

info

endpoint

status

Endpoint Ext Log to FAZ

Field	Field Description	Field Type
epfeatures	installed features list	string
epenfeatures	enabled features list	string
ephbemsduration	EMS heart beat duration	int
ephbemslast	EMS heart beat last time	string
emshostname	EMS host name	string

96958

info

endpoint

status

User social media information

Field	Field Description	Field Type
social_srvc	social service	string
social_user	social user name	string
social_email	social email	string
social_phone	social phone number	string

96959

info

endpoint

status

Current AV allowlist engine/signatures this endpoint is using

Field	Field Description	Field Type
emshostname	EMS host name	string
avaleng	AV allowlist engine version	string
avalsig	AV allowlist signatures version	string

systemevent > system

Log ID

Level

Sub Type

Event Type

Message

96800

info

system

error

Forcefully kill a child process after grace period expires

Field	Field Description	Field Type
apppath	process name	string

96801

error

system

error

The scheduler cannot start the scheduled task because the task's license is expired

96812

info

system

error

Update allowed only if you have a valid license

96813

info

system

status

Software updates are disabled

96814

info

system

status

Software updates from FortiGuard have been disabled because this client is managed

96815

info

system

error

Software updates require administrative privileges

96816

info

system

status

Software update successful

96817

info

system

error

Software update failed

96818

info

system

error

Unable to perform software update. Registry does not contain image id to download

96820

error

system

error

Failed to load the av engine

96821

error

system

error

Error patching AV signatur

96822

error

system

error

Unable to load FASLE engine

96823

info

system

status

Checking for updates

96824

info

system

status

Software update started

96825

info

system

status

Update was successful, current engine/signature information recorded

Field	Field Description	Field Type
avengine	AV engine	string
avsig	AV signature	string
avsigext	AV extended signature	string
avsigetm	AV extreme signature	string
avsigheu	AV heuristic signature	string
appsig	app DB signature	string
appengine	app DB engine	string
vulnsig	vulnerability signature	string
vulnengine	vulnerability engine	string
ipseng	firewall engine	string
ipssig	firewall signature	string
irdbsig	irdb signature	string

96840

warning

system

status

Fortiproxy is disabled

96841

info

system

status

Fortiproxy is enabled

96851

info

system

status

FortiShield is enabled

96850

warning

system

status

FortiShield is disabled

96855

warning

system

action

FortiShield has prevented an application from modifying a file or registry setting protected by FortiClient

Field	Field Description	Field Type
processname	blocked process	string
file	file or registry path	string

96873

info

system

status

FortiClient is shutting down

96882

info

system

status

Logged when push configuration is received

Field	Field Description	Field Type
policyname	policy name	string

systemevent > update

Log ID

Level

Sub Type

Event Type

Message

96650

info

update

status

Update was successful

Field	Field Description	Field Type
avengine	AV engine	string
avsig	AV signature	string
avsigext	AV extended signature	string
avsigetm	AV extreme signature	string
avsigheu	AV heuristic signature	string
avsigpallas	AV pallas signature	string
appsig	app DB signature	string
appengine	app DB engine	string
vulnsig	vulnerability signature	string
vulnengine	vulnerability engine	string
ipseng	firewall engine	string
ipssig	firewall signature	string
irdbsig	irdb signature	string
avsiglastupdate	last update time	string

96819

info

update

status

Update was successful to the given version for the given module

Field	Field Description	Field Type
avengine	AV engine	string
avsig	AV signature	string
avsigext	AV extended signature	string
avsigetm	AV extreme signature	string
avsigheu	AV heuristic signature	string
appsig	app DB signature	string
appengine	app DB engine	string
vulnsig	vulnerability signature	string
vulnengine	vulnerability engine	string
ipseng	firewall engine	string
ipssig	firewall signature	string
irdbsig	irdb signature	string

traffic > system

Log ID

Level

Sub Type

Event Type

Message

96900

info

system

traffic

Traffic log

Field	Field Description	Field Type
sessionid	network session	string
regip	regip	string
srcname	source name	string
srcproduct	source product	string
srcip	source IP	string
srcport	source port	int
direction	traffic direction	string
dstip	destination IP	string
remotename	remote name	string
dstport	destination port	int
proto	network protocol	int
rcvdbyte	data received (in bytes)	int
sentbyte	data sent (in bytes)	int
utmaction	utm action	string
utmevent	utm event	string
threat	threat	string
service	network protocol	string
userinitiated	if user initiated url request	int
browsetime	user browsing time of web page(in seconds)	int
url	url	string

Log message by type

securityevent > antiexploit

Log ID

Level

Sub Type

Event Type

Message

96548

warning

antiexploit

action

AntiExpoit has detected violation

Field	Field Description	Field Type
action	action taken for violation	enumeration string
ae_api	API used of the violation	string
ae_reason	reason of the violation	string
app	application	string
payload_process	payload process	string

securityevent > antiransomware

Log ID

Level

Sub Type

Event Type

Message

98000

warning

antiransomware

status

AntiRansomware has found a suspicious process

Field	Field Description	Field Type
file	file location	string
action	file action (1 = kill 2 = resume)	enumeration string
default_used	if process is handled by default action	int
checksum	file SHA256 checksum	string
PID	ID of the malicious process	int

98001

warning

antiransomware

status

AntiRansomware has recovered a file

Field	Field Description	Field Type
file	file location	string

98002

warning

antiransomware

status

AntiRansomware has quarantined a file

Field	Field Description	Field Type
file	file location	string
checksum	file SHA256 checksum	string

98003

info

antiransomware

status

AntiRansomware has completed the quarantine and restoration of relevant files

securityevent > applicationcontrol

Log ID

Level

Sub Type

Event Type

Message

96701

warning

applicationcontrol

error

Application Control found a rule violation

Field	Field Description	Field Type
path	path of process	string
username	username of process	string
domain	domain of user	string
ruleuuid	uuid of violated rule	string
action	block or monitor	string

securityevent > av

Log ID

Level

Sub Type

Event Type

Message

96530

warning

action

Found virus

Field	Field Description	Field Type
action	action taken for the infected item	enumeration string
file	file location	string
virus	virus name	string
viruscat	virus category	string
sigid	signature id	string
vid	virus id	int
from	email from	string
to	email to	string
service	network protocol	string
vpn	vpn tunnel name	string
filesize	file size	int
checksum	file crc32 checksum	int
detectedby	the security feature that detected virus	enumeration string
detectedin	where the virus is detected	enumeration string

96531

warning

action

Found malware

Field	Field Description	Field Type
action	action taken for the infected item	enumeration string
file	file location	string
virus	virus name	string
sigid	signature id	string
filesize	file size	int
checksum	file crc32 checksum	int
detectedby	the security feature that detected virus	enumeration string
detectedin	where the virus is detected	enumeration string

96534

warning

status

User disabled Realtime AntiVirus protection

96535

info

error

Communication error with other modules

96536

warning

action

AntiVirus realtime protection killed malware process

Field	Field Description	Field Type
processname	process name	string
detectedby	the security feature that detected virus	enumeration string

96537

info

status

av_task scan thread is suspended

96538

info

status

av_task scan thread is resumed

96540

info

error

Cannot start scan task, license expired

96541

info

status

av_task scan is started

96542

info

status

av_task scan is stopped

96543

error

Scheduled scan failed: Path to file/folder no longer exists

Field	Field Description	Field Type
file	file or directory does not exist	string

96550

error

Failed to restore quarantined file

Field	Field Description	Field Type
action	action taken for the infected item	enumeration string
file	file location	string
virus	virus name	string
sigid	signature id	string
filesize	file size	int
checksum	file crc32 checksum	int
detectedby	the security feature that detected virus	enumeration string

96551

info

action

A quarantined file was restored

Field	Field Description	Field Type
action	action taken for the infected item	enumeration string
file	file location	string
virus	virus name	string
sigid	signature id	string
filesize	file size	int
checksum	file crc32 checksum	int
detectedby	the security feature that detected virus	enumeration string

securityevent > cloudscan

Log ID

Level

Sub Type

Event Type

Message

97100

debug

cloudscan

status

file score received

Field	Field Description	Field Type
file	file location	string
score	file score	int
checksum	file SHA256 checksum	string

securityevent > firewall

Log ID	Level	Sub Type	Event Type	Message
96645	warning	firewall	error	The application firewall has been disabled because it's driver could not be loaded

securityevent > fsso

Log ID

Level

Sub Type

Event Type

Message

96980

info

fsso

status

Single Sign-On event

Field	Field Description	Field Type
action	action	enumeration string
domain	domain name	string
remotegw	remote gateway	string

96983

info

fsso

status

Single Sign-On Mobility Agent is starting

96984

info

fsso

status

Single Sign-On Mobility Agent is stopping

securityevent > ipsecvpn

Log ID

Level

Sub Type

Event Type

Message

96560

info

ipsecvpn

status

VPN tunnel status

Field	Field Description	Field Type
vpnstate	tunnel status	enumeration string
vpntunnel	tunnel name	string
vpnuser	vpn tunnel user name	string
remotegw	remote gateway	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

96561

warning

ipsecvpn

error

No response from the peer, phase1 retransmit reaches maximum count

Field	Field Description	Field Type
vpntunnel	tunnel name	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

96562

warning

ipsecvpn

error

No response from the peer, phase2 retransmit reaches maximum count

Field	Field Description	Field Type
vpntunnel	tunnel name	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

96563

warning

ipsecvpn

status

Received delete payload from peer check xauth password

Field	Field Description	Field Type
vpntunnel	tunnel name	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

96564

error

ipsecvpn

error

Failed to acquire an IP address for the virtual adapter

Field	Field Description	Field Type
vpntunnel	tunnel name	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

96565

error

ipsecvpn

error

General error of IKE

Field	Field Description	Field Type
vpntunnel	tunnel name	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

96566

info

ipsecvpn

status

negotiation information

Field	Field Description	Field Type
vpntunnel	tunnel name	string

96567

error

ipsecvpn

error

negotiation error

Field	Field Description	Field Type
vpntunnel	tunnel name	string

96568

error

ipsecvpn

status

replayed packet detected (packet dropped)

Field	Field Description	Field Type
vpntunnel	tunnel name	string

96569

info

ipsecvpn

status

The VPN user accept the banner warning

Field	Field Description	Field Type
vpntunnel	tunnel name	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

96570

info

ipsecvpn

status

The VPN user reject the banner warning and disconnect the tunnel

Field	Field Description	Field Type
vpntunnel	tunnel name	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

96571

info

ipsecvpn

status

Send sa to the IPsec driver

Field	Field Description	Field Type
vpntunnel	tunnel name	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

96574

error

ipsecvpn

error

Logged when a VPN authorization rule failed

Field	Field Description	Field Type
vpntunnel	tunnel name	string

96575

warning

ipsecvpn

error

VPN cannot connect because the specified application is not running

Field	Field Description	Field Type
app	application	string

96576

info

ipsecvpn

error

IKE phase1 authentication fail as peer's certificate is not verified

Field	Field Description	Field Type
vpntunnel	tunnel name	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

96577

info

ipsecvpn

error

IKE phase1 authentication fail as peer's certificate is not verified

Field	Field Description	Field Type
vpntunnel	tunnel name	string
locip	local ip	string
locport	local port	int
remip	remote ip	string
remport	remote port	int

securityevent > pam

Log ID

Level

Sub Type

Event Type

Message

99000

info

pam

status

fortiPAM Agent started

Field	Field Description	Field Type
httpport	http port number	int

99001

info

pam

status

fortiPAM Agent stopped

99002

info

pam

status

fortiPAM Agent: received new request from browser

Field	Field Description	Field Type
pamsessionid	pam session-id	int

99003

info

pam

status

fortiPAM Agent: received a new Secret launch request

Field	Field Description	Field Type
pamsessionid	pam session-id	int
appname	application name	string
maxduration	max-duration for secret	int
recording	video recording enabled	int
proxymode	proxy mode enabled	int

99008

info

pam

status

fortiPAM Agent: received invalid request from PAM Server

Field	Field Description	Field Type
pamsessionid	pam session-id	int

99004

info

pam

status

fortiPAM Agent: launched secret succesfully

Field	Field Description	Field Type
pamsessionid	pam session-id	int
appname	application name	string
maxduration	max-duration for secret	int
recording	video recording enabled	int
proxymode	proxy mode enabled	int

99005

info

pam

status

fortiPAM Agent: failed to launch secret

Field	Field Description	Field Type
pamsessionid	pam session-id	int
appname	application name	string
maxduration	max-duration for secret	int
recording	video recording enabled	int
proxymode	proxy mode enabled	int

99006

info

pam

status

fortiPAM Agent: secret terminated

Field	Field Description	Field Type
pamsessionid	pam session-id	int
appname	application name	string
maxduration	max-duration for secret	int
recording	video recording enabled	int
proxymode	proxy mode enabled	int

securityevent > removablemediaaccess

Log ID

Level

Sub Type

Event Type

Message

96620

info

removablemediaaccess

status

usb storage activity

Field	Field Description	Field Type
action	action	enumeration string
activity	activity	enumeration string
description	description	string

securityevent > sandboxing

Log ID

Level

Sub Type

Event Type

Message

96545

debug

sandboxing

error

Failed to connect to FortiSandbox server

Field	Field Description	Field Type
failed_reason	reason of the failure	string

96556

warning

sandboxing

error

Failed to submit file to FortiSandbox server

Field	Field Description	Field Type
file	file location	string
error_code	reason of the failure	int

96557

warning

sandboxing

error

Failed to query checksum to FortiSandbox server

Field	Field Description	Field Type
file	file location	string
error_code	reason of the failure	int

96546

warning

sandboxing

action

Found virus

Field	Field Description	Field Type
action	action taken for the infected item	enumeration string
file	file location	string
virus	virus name	string
sigid	signature id	string
filesize	file size	int
checksum	file crc32 checksum	int
detectedby	the security feature that detected virus	enumeration string
detectedin	where the virus is detected	enumeration string

96547

info

sandboxing

error

Sandbox is not authorized

96554

info

sandboxing

status

file is submitted to Sandbox service

Field	Field Description	Field Type
file	file location	string
checksum	file SHA256 checksum	string

96555

debug

sandboxing

status

file score received

Field	Field Description	Field Type
file	file location	string
score	file score	int
checksum	file SHA256 checksum	string

securityevent > sslvpn

Log ID

Level

Sub Type

Event Type

Message

96600

info

sslvpn

status

SSLVPN tunnel status

Field	Field Description	Field Type
vpnstate	tunnel status	enumeration string
vpntunnel	tunnel name	string
vpnuser	vpn tunnel user name	string

96601

error

sslvpn

error

Telephony service (TapiSrv) is not running

Field	Field Description	Field Type
vpnstate	tunnel status	enumeration string
vpntunnel	tunnel name	string
vpnuser	tunnel user name	string
remotegw	remote gateway	string

96602

info

sslvpn

status

SSLVPN service started successfully

Field	Field Description	Field Type
vpnstate	tunnel status	enumeration string
vpntunnel	tunnel name	string
vpnuser	tunnel user name	string
remotegw	remote gateway	string

96603

error

sslvpn

error

SSLVPN tunnel connection failed

Field	Field Description	Field Type
vpnstate	tunnel status	enumeration string
vpntunnel	tunnel name	string
vpnuser	tunnel user name	string
remotegw	remote gateway	string

96605

warning

sslvpn

error

SSLVPN cannot connect because the specified application is not running

Field	Field Description	Field Type
app	application	string

96610

info

sslvpn

status

SSLVPN(DTLS) tunnel status

Field	Field Description	Field Type
vpnstate	tunnel status	enumeration string
vpntunnel	tunnel name	string

securityevent > videofilter

Log ID

Level

Sub Type

Event Type

Message

96508

warning

videofilter

action

user's access to the video is blocked

Field	Field Description	Field Type
cat	category id	int
category	category name	string
videourl	videourl	string
channelurl	channelurl	string
status	status	enumeration string

96509

info

videofilter

action

user's access to the video is bypassed

Field	Field Description	Field Type
cat	category id	int
category	category name	string
videourl	videourl	string
channelurl	channelurl	string
status	status	enumeration string

securityevent > vulnerabilityscan

Log ID

Level

Sub Type

Event Type

Message

96520

info

vulnerabilityscan

status

The vulnerability scan status has changed

Field	Field Description	Field Type
status	scan status	string

96521

warning

vulnerabilityscan

status

A vulnerability scan result has been logged

Field	Field Description	Field Type
vulnid	id of the vulnerability	int
vulnname	name of the vulnerability	string
vulnseverity	severity level	string
vulncat	category	string
vulncvss	cvss score	string
vulnref	reference of the vulnerability	string
vulnengine	engine version	string
vulnsignature	signature version	string
vulnproducts	name of the vulnerable product	string
detectedpath	detected path(s)	string

96522

info

vulnerabilityscan

action

Applying patch for vulnerability found

Field	Field Description	Field Type
vulnid	id of the vulnerability	int
vulnname	name of the vulnerability	string
vulnseverity	severity level	string
vulncat	category	string
vulncvss	cvss score	string
vulnref	reference of the vulnerability	string
vulnengine	engine version	string
vulnsignature	signature version	string
vulnproducts	name of the vulnerable product	string

96523

info

vulnerabilityscan

action

Applying patch for Windows vulnerability

Field	Field Description	Field Type
vulnid	id of the vulnerability	int
vulnname	name of the vulnerability	string
vulnseverity	severity level	string
vulncat	category	string
vulncvss	cvss score	string
vulnref	reference of the vulnerability	string
vulnengine	engine version	string
vulnsignature	signature version	string
vulnproducts	name of the vulnerable product	string

securityevent > webfilter

Log ID

Level

Sub Type

Event Type

Message

96500

info

webfilter

status

User enabled Webfilter

96501

warning

webfilter

status

User disabled Webfilter

96502

warning

webfilter

action

user's access to the url is blocked

Field	Field Description	Field Type
cat	category id	int
category	category name	string
service	network protocol	string
ip	IP address	string
status	status	enumeration string
url	url	string

96503

info

webfilter

action

user's access to the url is bypassed

Field	Field Description	Field Type
cat	category id	int
category	category name	string
service	network protocol	string
ip	IP address	string
status	status	enumeration string
url	url	string

systemevent > endpoint

Log ID

Level

Sub Type

Event Type

Message

96953

info

endpoint

status

Endpoint Control Status Changed

Field	Field Description	Field Type
eponlinest	online status	enumeration string
epplace	EP place	enumeration string
emshostname	EMS host name	string
status	status description	string

96955

info

endpoint

status

Endpoint Control Registration Status Changed

Field	Field Description	Field Type
emshostname	EMS host name	string
status	status description	string
emsip	EMS IP	string
fctip	FCT IP	string

96956

info

endpoint

status

Endpoint Quarantine Status Changed

Field	Field Description	Field Type
epmgmtst	management status	enumeration string
emshostname	EMS host name	string
epquarmsg	quarant message	string

96957

info

endpoint

status

Endpoint Ext Log to FAZ

Field	Field Description	Field Type
epfeatures	installed features list	string
epenfeatures	enabled features list	string
ephbemsduration	EMS heart beat duration	int
ephbemslast	EMS heart beat last time	string
emshostname	EMS host name	string

96958

info

endpoint

status

User social media information

Field	Field Description	Field Type
social_srvc	social service	string
social_user	social user name	string
social_email	social email	string
social_phone	social phone number	string

96959

info

endpoint

status

Current AV allowlist engine/signatures this endpoint is using

Field	Field Description	Field Type
emshostname	EMS host name	string
avaleng	AV allowlist engine version	string
avalsig	AV allowlist signatures version	string

systemevent > system

Log ID

Level

Sub Type

Event Type

Message

96800

info

system

error

Forcefully kill a child process after grace period expires

Field	Field Description	Field Type
apppath	process name	string

96801

error

system

error

The scheduler cannot start the scheduled task because the task's license is expired

96812

info

system

error

Update allowed only if you have a valid license

96813

info

system

status

Software updates are disabled

96814

info

system

status

Software updates from FortiGuard have been disabled because this client is managed

96815

info

system

error

Software updates require administrative privileges

96816

info

system

status

Software update successful

96817

info

system

error

Software update failed

96818

info

system

error

Unable to perform software update. Registry does not contain image id to download

96820

error

system

error

Failed to load the av engine

96821

error

system

error

Error patching AV signatur

96822

error

system

error

Unable to load FASLE engine

96823

info

system

status

Checking for updates

96824

info

system

status

Software update started

96825

info

system

status

Update was successful, current engine/signature information recorded

Field	Field Description	Field Type
avengine	AV engine	string
avsig	AV signature	string
avsigext	AV extended signature	string
avsigetm	AV extreme signature	string
avsigheu	AV heuristic signature	string
appsig	app DB signature	string
appengine	app DB engine	string
vulnsig	vulnerability signature	string
vulnengine	vulnerability engine	string
ipseng	firewall engine	string
ipssig	firewall signature	string
irdbsig	irdb signature	string

96840

warning

system

status

Fortiproxy is disabled

96841

info

system

status

Fortiproxy is enabled

96851

info

system

status

FortiShield is enabled

96850

warning

system

status

FortiShield is disabled

96855

warning

system

action

FortiShield has prevented an application from modifying a file or registry setting protected by FortiClient

Field	Field Description	Field Type
processname	blocked process	string
file	file or registry path	string

96873

info

system

status

FortiClient is shutting down

96882

info

system

status

Logged when push configuration is received

Field	Field Description	Field Type
policyname	policy name	string

systemevent > update

Log ID

Level

Sub Type

Event Type

Message

96650

info

update

status

Update was successful

Field	Field Description	Field Type
avengine	AV engine	string
avsig	AV signature	string
avsigext	AV extended signature	string
avsigetm	AV extreme signature	string
avsigheu	AV heuristic signature	string
avsigpallas	AV pallas signature	string
appsig	app DB signature	string
appengine	app DB engine	string
vulnsig	vulnerability signature	string
vulnengine	vulnerability engine	string
ipseng	firewall engine	string
ipssig	firewall signature	string
irdbsig	irdb signature	string
avsiglastupdate	last update time	string

96819

info

update

status

Update was successful to the given version for the given module

Field	Field Description	Field Type
avengine	AV engine	string
avsig	AV signature	string
avsigext	AV extended signature	string
avsigetm	AV extreme signature	string
avsigheu	AV heuristic signature	string
appsig	app DB signature	string
appengine	app DB engine	string
vulnsig	vulnerability signature	string
vulnengine	vulnerability engine	string
ipseng	firewall engine	string
ipssig	firewall signature	string
irdbsig	irdb signature	string

traffic > system

Log ID

Level

Sub Type

Event Type

Message

96900

info

system

traffic

Traffic log

Field	Field Description	Field Type
sessionid	network session	string
regip	regip	string
srcname	source name	string
srcproduct	source product	string
srcip	source IP	string
srcport	source port	int
direction	traffic direction	string
dstip	destination IP	string
remotename	remote name	string
dstport	destination port	int
proto	network protocol	int
rcvdbyte	data received (in bytes)	int
sentbyte	data sent (in bytes)	int
utmaction	utm action	string
utmevent	utm event	string
threat	threat	string
service	network protocol	string
userinitiated	if user initiated url request	int
browsetime	user browsing time of web page(in seconds)	int
url	url	string

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

Log Message Reference

Log message by type

Log message by type

securityevent > antiexploit

securityevent > antiransomware

securityevent > applicationcontrol

securityevent > av

securityevent > cloudscan

securityevent > firewall

securityevent > fsso

securityevent > ipsecvpn

securityevent > pam