Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Log Message Reference

    Home FortiDeceptor 6.2.0 Log Message Reference
    6.2.0
    6.2.0
    6.1.0
    6.0.0
    5.3.0
    5.2.0
    5.1.0
    5.0.0

    Raw Elog Format

    Raw Elog Format

    Sample {"logid": 3003761664159323711, "msg": "{\"protocol\": 10, \"dport\": 22, \"unique_id\": \"9dad1304-9e6a-11ed-9c13-5253c2c5478a\", \"service\": 100, \"logtype\": 1, \"service_name\": \"SSH\", \"optype\": 103, \"trapid\": 3003737929141591102, \"dip\": \"10.95.6.10\", \"compromised\": true, \"timestamp\": 1212, \"sip\": \"10.95.6.11\", \"version\": 1, \"instance_id\": \"3003737905335958931\", \"gateway\": \"10.95.6.1\", \"direction\": 0, \"sport\": 48070, \"tagkey\": \"10.95.6.11-48070\",  \"netmask\": \"255.255.255.0\"}", "trapid": "3003737929141591102", "sn": "FDC-VM0000069086", "caddr": "10.254.254.10"}
    {"sn":"FDC-VMTM21000123", "logid":2981810861599983867, "caddr":null, "trapid":2948983245847949350, "instance_id":2948983232583473085, "msg":"{\"sip\":\"10.10.1.117\", \"sport\":null, \"dip\":\"255.255.255.255\", \"dport\":null, \"optype\":20401, \"log_type\":0, \"timestamp\":1673564235, \"protocol\":239, \"vifname\":\"bp2\", \"vlanid\":0, \"service\":2600,\"service_name\":\"ARP\", \"sn\":\"FDC-VMTM21000123\", \"trapid\":2948983245847949350, \"instance_id\":2948983232583473085, \"desc\":\"The MAC address for 10.10.1.117 flipflopped: 52:4A:DF:AC:C1:DE and 52:0E:D2:51:15:99\"}"}
    Log Field Name

    Description

    Data Type

    Logid

    Log ID

    int
    msg

    event detail

    map

    trapid

    Trap ID

    int/string

    sn

    Fortideceptor Serial Number

    string

    caddr

    callback server ip address

    string

    Message content table
    Msg field name Description Data type
    protocol Event protocol int
    dport Destination port int
    unique_id Unique id string
    service raw coding, will be translated to services you see on GUI int
    logtype Log type number int
    service_name Name of service string
    optype Event action type int
    log_type Type of log int
    trapid Decoy id int
    dip Destination IP string
    compromised Has decoy been attacked bool
    timestamp Time stamp int
    sip Source IP int
    version Log format version int
    instance_id Vm instance id string/int
    gateway Gateway ip stirng
    direction traffic inbound or outbound int
    sport Source port int
    tagkey Key for event grouping string
    unique_id Key for event grouping/addition to tagkey string
    netmask netmask string
    desc Event detail, will show on gui string
    Previous
    Next

    Raw Elog Format

    Raw Elog Format

    Sample {"logid": 3003761664159323711, "msg": "{\"protocol\": 10, \"dport\": 22, \"unique_id\": \"9dad1304-9e6a-11ed-9c13-5253c2c5478a\", \"service\": 100, \"logtype\": 1, \"service_name\": \"SSH\", \"optype\": 103, \"trapid\": 3003737929141591102, \"dip\": \"10.95.6.10\", \"compromised\": true, \"timestamp\": 1212, \"sip\": \"10.95.6.11\", \"version\": 1, \"instance_id\": \"3003737905335958931\", \"gateway\": \"10.95.6.1\", \"direction\": 0, \"sport\": 48070, \"tagkey\": \"10.95.6.11-48070\",  \"netmask\": \"255.255.255.0\"}", "trapid": "3003737929141591102", "sn": "FDC-VM0000069086", "caddr": "10.254.254.10"}
    {"sn":"FDC-VMTM21000123", "logid":2981810861599983867, "caddr":null, "trapid":2948983245847949350, "instance_id":2948983232583473085, "msg":"{\"sip\":\"10.10.1.117\", \"sport\":null, \"dip\":\"255.255.255.255\", \"dport\":null, \"optype\":20401, \"log_type\":0, \"timestamp\":1673564235, \"protocol\":239, \"vifname\":\"bp2\", \"vlanid\":0, \"service\":2600,\"service_name\":\"ARP\", \"sn\":\"FDC-VMTM21000123\", \"trapid\":2948983245847949350, \"instance_id\":2948983232583473085, \"desc\":\"The MAC address for 10.10.1.117 flipflopped: 52:4A:DF:AC:C1:DE and 52:0E:D2:51:15:99\"}"}
    Log Field Name

    Description

    Data Type

    Logid

    Log ID

    int
    msg

    event detail

    map

    trapid

    Trap ID

    int/string

    sn

    Fortideceptor Serial Number

    string

    caddr

    callback server ip address

    string

    Message content table
    Msg field name Description Data type
    protocol Event protocol int
    dport Destination port int
    unique_id Unique id string
    service raw coding, will be translated to services you see on GUI int
    logtype Log type number int
    service_name Name of service string
    optype Event action type int
    log_type Type of log int
    trapid Decoy id int
    dip Destination IP string
    compromised Has decoy been attacked bool
    timestamp Time stamp int
    sip Source IP int
    version Log format version int
    instance_id Vm instance id string/int
    gateway Gateway ip stirng
    direction traffic inbound or outbound int
    sport Source port int
    tagkey Key for event grouping string
    unique_id Key for event grouping/addition to tagkey string
    netmask netmask string
    desc Event detail, will show on gui string
    Previous
    Next