
Log Reference

Schema

All FortiRecorder log messages have a timestamp and then key-value pair fields. Fields are organized into a header and a body.

[Figure: fields in the log message header and body]

  • Header — Located at the start of all log messages. Contains the event timestamp, a log identifier (log_id), the type and subtype, and then the severity level (pri) of the event. Some fields (devid and log_part) vary by remote storage of logs, and by log message length.
  • Body — Located after the header fields. Contains the message (msg) field. Other body fields vary by type or subtype, such as the associated user name (if any), and actions (if any) that the FortiRecorder appliance took to respond to the event.

For example, in the following log message, the header consists of the fields from the timestamp through pri=information. The remaining fields, from user=admin onward, are the body.

2023-10-20 13:53:59.297 log_id=0801000001 type=kevent subtype=admin pri=information user=admin ui=ssh(172.20.130.28) action=login status=success reason=none msg="User admin logged in successfully from ssh(172.20.130.28)"

This chapter describes the log message schema: each field and when it occurs.

Note

Fields are listed in the order of appearance in raw log messages. If you use a table format instead — for example, the FortiRecorder GUI, a SIEM, or spreadsheet software — columns can be hidden and/or rearranged. Fields may appear in a different order than in this document.

Some fields may be hidden in the table view. Fields that vary by subtype do not exist for all log messages, and do not have corresponding columns in the FortiRecorder GUI. Show/Hide Column does not have options to enable them. To view these hidden fields, either:

  • Download the raw log messages. Open the log file in a plain text editor.
  • In the GUI, select a log message and then click View. A dialog will appear that shows all fields for that log message.
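The following parser is an added example and is not part of the FortiRecorder documentation or product. It splits a raw log line into the header and body described above (timestamp first, then log_id, type, subtype, pri, with devid and log_part treated as optional header fields), handles quoted msg values that contain spaces and parentheses, and then filters the parsed events for failed administrator logins, which is the kind of check an operator would run over downloaded raw logs. The first sample line is the admin-login message from this page; the other lines, including the failed-login values and the devid value, are constructed for the example and do not come from a real appliance.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Header fields per the schema description. devid and log_part only appear for
# remotely stored logs or split long messages, so they are optional.
HEADER_KEYS = frozenset({"log_id", "type", "subtype", "pri", "devid", "log_part"})

# Constructed sample input. Line 1 is the example from the documentation page;
# lines 2 and 3 are invented for this example (the log_id, reason and devid
# values are placeholders, not values documented for FortiRecorder).
SAMPLE_LOGS = [
    '2023-10-20 13:53:59.297 log_id=0801000001 type=kevent subtype=admin pri=information '
    'user=admin ui=ssh(172.20.130.28) action=login status=success reason=none '
    'msg="User admin logged in successfully from ssh(172.20.130.28)"',
    '2023-10-20 13:55:12.004 log_id=0801000001 type=kevent subtype=admin pri=warning '
    'user=admin ui=ssh(172.20.130.99) action=login status=failure reason=bad_password '
    'msg="User admin login failed from ssh(172.20.130.99)"',
    '2023-10-20 14:01:00.500 log_id=0801000001 type=kevent subtype=admin pri=warning '
    'devid=FRC-EXAMPLE-001 user=admin ui=ssh(172.20.130.99) action=login '
    'status=failure reason=bad_password '
    'msg="User admin login failed from ssh(172.20.130.99)"',
]

# Timestamp "YYYY-MM-DD HH:MM:SS[.fraction]" followed by the key=value fields.
_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+(.*)$")
# A key=value pair: the value is either a double-quoted string (backslash
# escapes allowed) or a run of non-whitespace, e.g. ssh(172.20.130.28).
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split one raw FortiRecorder log line into (header, body) dictionaries."""
    m = _TS_RE.match(line.strip())
    if not m:
        raise ValueError("line does not start with a timestamp: %r" % line[:40])
    timestamp, rest = m.groups()
    header: Dict[str, str] = {"timestamp": timestamp}
    body: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(rest):
        if raw.startswith('"'):
            # Strip the surrounding quotes and unescape \" inside the value.
            value = raw[1:-1].replace('\\"', '"')
        else:
            value = raw
        (header if key in HEADER_KEYS else body)[key] = value
    return header, body


def failed_admin_logins(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, user, ui, reason) for admin login events with status=failure."""
    hits = []
    for line in lines:
        header, body = parse_log(line)
        if (header.get("subtype") == "admin"
                and body.get("action") == "login"
                and body.get("status") == "failure"):
            hits.append((header["timestamp"], body.get("user", ""),
                         body.get("ui", ""), body.get("reason", "")))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        hdr, bdy = parse_log(line)
        print("header:", hdr)
        print("body:  ", bdy)
    print("failed admin logins:", failed_admin_logins(SAMPLE_LOGS))
```

Because the parser keys on field names rather than column positions, it is unaffected by the column ordering and hidden columns described in the note above, and body fields that exist only for some subtypes simply appear or do not appear in the returned body dictionary.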
