Audit trail
The following table describes the fields in audit trails. The order that the fields are listed reflects the order of the fields in audit trails syslog messages.
| Syslog Field | LEEF Field | CEF Field¹ | CEF custom label value | Description | Data Type | Length |
|---|---|---|---|---|---|---|
| Organization | Organization | cs1 | cs1Label=Organization | Name of the organization the system event belongs to. | String | 100 |
| Message Type | MessageType | cs2 | cs2Label=MessageType | Type of the message, such as audit record, security event, or system event. | String | One of the following fixed values: |
| Server Name | Servername | cs4 | cs4Label=Servername | Name or address of the FortiEDR Manager that initiated the message. | String | 128 |
| Date and Time | Date | deviceCustomDate1 | deviceCustomDate1Label=Date and Time | Time of the occurrence of the audited action in UTC format: DD-MM-YYYY, hh:mm:ss. FortiEDR uses the Central Manager's time when tracking audit trails. | Timestamp | 18 |
| Sub-system | Subsystem | cs3 | cs3Label=Sub-system | Name of the FortiEDR module where the audited action was performed. For example: Administration, System, System Events. | String | 25 |
| User Name | usrName | suser | — | Name of the user performing the audited action. | String | 250 |
| Description | Description | reason | — | Details of the audited action. | String | 1500 |
¹ Custom fields in CEF format (such as cs1 and deviceCustomDate1) should be sent together with the matching CEF custom label value, which defines the display label of that custom field for the consuming system. Each such field therefore appears in the message as a pair of fields. For example, for the Organization "Marketing", FortiEDR sends the two CEF fields "cs1Label=Organization" and "cs1=Marketing".
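As an added example (not part of the FortiEDR documentation), the following Python parser reads a syslog line carrying one such CEF audit record, splits the extension into key/value pairs, applies the csNLabel convention described above so that fields are exposed under their display labels, and converts the Date and Time field into a UTC datetime. The syslog prefix, the CEF header values and all field contents in the sample are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a syslog line carrying one FortiEDR audit-trail record in CEF, in the
# field order given in the table above. The syslog prefix, the CEF header values (vendor,
# product, version, signature id, name, severity) and all field contents are assumptions.
SAMPLE = ('<134>Jan 01 12:00:00 edr-manager CEF:0|Fortinet|FortiEDR|0.0|Audit|Audit Trail|3|'
          'cs1Label=Organization cs1=Marketing cs2Label=MessageType cs2=Audit Record '
          'cs4Label=Servername cs4=edr-manager.example.com '
          'deviceCustomDate1Label=Date and Time deviceCustomDate1=03-04-2024, 09:15:42 '
          'cs3Label=Sub-system cs3=Administration suser=alice reason=Policy updated')

# A CEF extension key is a run of word characters directly followed by '='. Values may contain
# spaces, so each value runs up to the next key; a literal '=' inside a value must be escaped as '\='.
_KEY_RE = re.compile(r'\b([A-Za-z0-9_]+)=')

def parse_extension(ext):
    """Split the CEF extension into raw key/value pairs, unescaping '\\=' and '\\\\'."""
    keys = list(_KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        fields[m.group(1)] = raw.replace('\\=', '=').replace('\\\\', '\\')
    return fields

def parse_cef(line):
    """Return (header, extension) for a syslog line that carries a CEF record."""
    _, marker, rest = line.partition('CEF:')        # drop any syslog prefix before the record
    parts = re.split(r'(?<!\\)\|', marker + rest, maxsplit=7)  # 7 header fields, then extension
    if len(parts) != 8:
        raise ValueError('not a well-formed CEF record')
    names = ('version', 'vendor', 'product', 'device_version', 'signature_id', 'name', 'severity')
    return dict(zip(names, parts[:7])), parse_extension(parts[7])

def resolve_labels(fields):
    """Expose each custom field (csN, deviceCustomDateN) under its csNLabel display name."""
    resolved = {}
    for key, value in fields.items():
        if not key.endswith('Label'):               # label pairs are metadata, not audit data
            resolved[fields.get(key + 'Label', key)] = value
    return resolved

def parse_audit_time(value):
    """Parse the 'DD-MM-YYYY, hh:mm:ss' UTC timestamp the table specifies."""
    return datetime.strptime(value, '%d-%m-%Y, %H:%M:%S').replace(tzinfo=timezone.utc)

def audit_record(line):
    """Parse one audit-trail line into a dict keyed by display label; time becomes a datetime."""
    record = resolve_labels(parse_cef(line)[1])
    if 'Date and Time' in record:
        record['Date and Time'] = parse_audit_time(record['Date and Time'])
    return record
```

Fields without a label pair (suser, reason) stay under their CEF key, matching the "—" entries in the table.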