System event
The following table describes the fields in system events. The order in which the fields are listed reflects their order in system event syslog messages.
| Syslog Field | LEEF Field | CEF Field¹ | CEF custom label value | Description | Data Type | Length |
|---|---|---|---|---|---|---|
| Organization | Organization | cs1 | cs1Label=Organization | Name of the organization the system event belongs to. | String | 100 |
| Message Type | MessageType | cs2 | cs2Label=MessageType | Type of the message, such as audit record, security event, or system event. | String | One of the following fixed values: |
| Server Name | Servername | cs4 | cs4Label=Servername | Name or address of the FortiEDR Manager that initiated the message. | String | 128 |
| Date and Time | Date | deviceCustomDate1 | deviceCustomDate1Label=Date | Time of the occurrence of the event in UTC format: DD-MM-YYYY, hh:mm:ss. FortiEDR uses the Central Manager’s time when tracking system events. | Timestamp | 18 |
| Component | Component | cs6 | cs6Label=Component | FortiEDR component type. It can be one of the following: | String | 100 |
| Component Name | ComponentName | cs5 | cs5Label=Component Name | Name of the component. | String | 150 |
| Description | Description | reason | — | Details of the event. | String | 300 |

¹ Custom fields in CEF format (such as cs1 and deviceCustomDate1) should be sent with the matching CEF custom label value in order to define the display label for this custom field to the consumer system. The message then includes the following two fields:

For example, for Organization “Marketing”, FortiEDR sends the following two CEF fields in the message: “cs1Label=Organization” and “cs1=Marketing”.
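As an added example (not FortiEDR code), the following Python shows how a consuming system could pair each CEF custom field with its label, as the note on CEF custom fields describes, and check the result against the lengths and date format given in the table. The sample extension string and all of its values are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Maximum lengths of the String fields in the table, keyed by CEF label
# ("reason" is a standard CEF key and carries no label).
MAX_LEN = {"Organization": 100, "Servername": 128, "Component": 100,
           "Component Name": 150, "reason": 300}
# key=value pairs; a value runs until the next " key=" and may contain "\=".
PAIR = re.compile(r"(\w+)=((?:\\.|[^\\=])*)(?=\s\w+=|$)")
CUSTOM = re.compile(r"(cs|deviceCustomDate)\d+")

def parse_extension(ext):
    """Split a CEF extension string into a raw key -> value dict."""
    unescape = lambda m: "\n" if m.group(1) == "n" else m.group(1)
    return {m.group(1): re.sub(r"\\(.)", unescape, m.group(2))
            for m in PAIR.finditer(ext.strip())}

def resolve_labels(raw):
    """Rename custom fields by their <key>Label and check them against the table."""
    event, problems = {}, []
    for key, value in raw.items():
        if key.endswith("Label"):
            continue
        label = raw.get(key + "Label")
        if label is None and CUSTOM.fullmatch(key):
            problems.append(f"{key}: custom field without {key}Label")
        event[label or key] = value
    for name, limit in MAX_LEN.items():
        if len(event.get(name, "")) > limit:
            problems.append(f"{name}: longer than {limit} characters")
    try:
        stamp = datetime.strptime(event.get("Date", ""), "%d-%m-%Y, %H:%M:%S")
        event["Date"] = stamp.replace(tzinfo=timezone.utc)
    except ValueError:
        problems.append("Date: missing or not DD-MM-YYYY, hh:mm:ss")
    return event, problems

# Constructed sample extension; every value is invented for illustration.
SAMPLE = ("cs1Label=Organization cs1=Marketing "
          "cs2Label=MessageType cs2=System Event "
          "cs4Label=Servername cs4=edr-manager.example.com "
          "deviceCustomDate1Label=Date deviceCustomDate1=14-03-2024, 09:15:42 "
          "cs6Label=Component cs6=Core "
          "cs5Label=Component Name cs5=core-01 reason=Core state changed")

if __name__ == "__main__":
    event, problems = resolve_labels(parse_extension(SAMPLE))
    for name, value in event.items():
        print(f"{name}: {value}")
    print("problems:", problems or "none")
```

A custom field that arrives without its label, an oversized value, or an unparseable date is reported in `problems` rather than silently indexed, which helps a SIEM pipeline notice malformed or unexpected messages.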