Webfilter log support for CEF
The following is an example of a webfilter log as stored on the FortiGate disk:

```
date=2016-02-12 time=11:40:47 logid=0316013056 type=utm subtype=webfilter eventtype=ftgd_blk level=warning vd="vdom1" sessionid=58014 user="" srcip=192.168.1.183 srcport=48676 srcintf="port15" dstip=202.46.41.172 dstport=80 dstintf="port19" proto=6 service=HTTP hostname="www.youku.com" profile="default" action=blocked reqtype=direct url="/" sentbyte=120 rcvdbyte=948 direction=outgoing msg="URL belongs to a denied category in policy" method=domain cat=25 catdesc="Streaming Media and Download" crscore=30 crlevel=high
```
The following is the same webfilter log sent in CEF format to a syslog server:

```
Feb 12 11:40:47 syslog-800c CEF:0|Fortinet|Fortigate|v5.6.0|13056|utm:webfilter ftgd_blk blocked|4|FTNTFGTlogid=0316013056 cat=utm:webfilter FTNTFGTsubtype=webfilter FTNTFGTeventtype=ftgd_blk FTNTFGTlevel=warning FTNTFGTvd=vdom1 externalId=58014 duser= src=192.168.1.183 spt=48676 deviceInboundInterface=port15 dst=202.46.41.172 dpt=80 deviceOutboundInterface=port19 proto=6 app=HTTP dhost=www.youku.com FTNTFGTprofile=default act=blocked FTNTFGTreqtype=direct request=/ out=120 in=948 deviceDirection=1 msg=URL belongs to a denied category in policy FTNTFGTmethod=domain FTNTFGTcat=25 requestContext=Streaming Media and Download FTNTFGTcrscore=30 FTNTFGTcrlevel=high
```
The following table maps FortiOS log field names to CEF field names.
| FortiOS Log Field Name | CEF Field Name |
|---|---|
| hostname | dhost |
| catdesc | requestContext |
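As an added example (not part of the FortiOS documentation), the following Python parses both forms shown above and cross-checks the field mapping, so a SIEM engineer can confirm that the CEF output carries the same values as the disk log. The two sample lines are copied from this page; the `FIELD_MAP` beyond the two table rows is read off the example pair and is an assumption, not a published Fortinet mapping.

```python
import re
# Constructed sample: the two example lines from this page, as a SIEM would receive them.
FORTIOS_LINE = (
    'date=2016-02-12 time=11:40:47 logid=0316013056 type=utm subtype=webfilter '
    'eventtype=ftgd_blk level=warning vd="vdom1" sessionid=58014 user="" '
    'srcip=192.168.1.183 srcport=48676 srcintf="port15" dstip=202.46.41.172 '
    'dstport=80 dstintf="port19" proto=6 service=HTTP hostname="www.youku.com" '
    'profile="default" action=blocked reqtype=direct url="/" sentbyte=120 '
    'rcvdbyte=948 direction=outgoing msg="URL belongs to a denied category in '
    'policy" method=domain cat=25 catdesc="Streaming Media and Download" '
    'crscore=30 crlevel=high')
CEF_LINE = (
    'Feb 12 11:40:47 syslog-800c CEF:0|Fortinet|Fortigate|v5.6.0|13056|'
    'utm:webfilter ftgd_blk blocked|4|FTNTFGTlogid=0316013056 cat=utm:webfilter '
    'FTNTFGTsubtype=webfilter FTNTFGTeventtype=ftgd_blk FTNTFGTlevel=warning '
    'FTNTFGTvd=vdom1 externalId=58014 duser= src=192.168.1.183 spt=48676 '
    'deviceInboundInterface=port15 dst=202.46.41.172 dpt=80 '
    'deviceOutboundInterface=port19 proto=6 app=HTTP dhost=www.youku.com '
    'FTNTFGTprofile=default act=blocked FTNTFGTreqtype=direct request=/ out=120 '
    'in=948 deviceDirection=1 msg=URL belongs to a denied category in policy '
    'FTNTFGTmethod=domain FTNTFGTcat=25 requestContext=Streaming Media and '
    'Download FTNTFGTcrscore=30 FTNTFGTcrlevel=high')

# Disk format: key=value, the value either double-quoted (may contain spaces) or bare.
FORTIOS_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
# CEF extension: values are not quoted, so each runs until the next "<space>key=" token
# (that is why "msg=URL belongs to ..." survives intact); header pipes may be escaped "\|".
CEF_KV = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')
HEADER = ["version", "vendor", "product", "device_version", "event_class_id", "name", "severity"]

def parse_fortios(line):
    return {k: q or u for k, q, u in FORTIOS_KV.findall(line)}

def parse_cef(line):
    """Split a syslog-wrapped CEF line into (header dict, extension dict)."""
    cef = line[line.index("CEF:") + len("CEF:"):]
    parts = re.split(r'(?<!\\)\|', cef, maxsplit=7)
    return dict(zip(HEADER, parts[:7])), dict(CEF_KV.findall(parts[7]))

# Field mapping read off the page's table and its two example lines (deviceDirection is
# left out because its value is recoded: direction=outgoing becomes deviceDirection=1).
FIELD_MAP = {"hostname": "dhost", "catdesc": "requestContext", "sessionid": "externalId",
             "srcip": "src", "srcport": "spt", "srcintf": "deviceInboundInterface",
             "dstip": "dst", "dstport": "dpt", "dstintf": "deviceOutboundInterface",
             "service": "app", "url": "request", "sentbyte": "out", "rcvdbyte": "in",
             "action": "act", "user": "duser", "msg": "msg", "proto": "proto"}

def mismatches(fortios, ext):
    """FortiOS fields whose CEF counterpart is missing or carries a different value."""
    return [k for k, c in FIELD_MAP.items() if fortios.get(k) != ext.get(c)]
```

`mismatches(parse_fortios(FORTIOS_LINE), parse_cef(CEF_LINE)[1])` returns an empty list for the page's pair; a non-empty list points at a field the forwarder dropped or altered.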