Fortinet FortiGate Security Gateway sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Fortinet FortiGate Security Gateway sample messages when you use the Syslog or the Syslog Redirect protocol
Important: Due to formatting, paste the message format into a text editor and then remove any carriage return or line feed characters.
Sample 1: The following sample shows an IPS detection of an attempt to exploit a remote-access vulnerability that affects Microsoft Exchange Server. A remote attacker triggers the vulnerability by sending an email with a meeting request that contains specially crafted vCal and iCal calendar data. As a result, the attacker might be able to take control of a vulnerable system.
<185>date=2011-05-09 time=14:31:07 devname=exampleDeviceName device_id=EXAMPLEDEVID2 log_id=0987654321 type=ips subtype=signature pri=alert severity=high carrier_ep="N/A" profilegroup="N/A" profiletype="N/A" profile="Example_Profile" src=10.10.10.10 dst=10.20.20.20 src_int=exampleVlan2 dst_int=exampleVlan1 policyid=4 identidx=0 serial=123456 status=detected proto=6 service=smtp vd="exampleDomain" count=1 src_port=50000 dst_port=8080 attack_id=11897 sensor=exampleSensor ref=url.example.test user="N/A" group=Example_Group incident_serialno=1234567890 msg="email: MS.Exchange.Mail.Calender.Buffer.Overflow"
| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | attack_id |
| Source IP | src |
| Source Port | src_port |
| Destination IP | dst |
| Destination Port | dst_port |
| Protocol | proto |
| Policy | policyid |
| Device Time | date + time |
Sample 2: The following sample shows that routing information has changed.
date=2020-09-17 time=01:36:20 logid="0100022921" type="event" subtype="system" level="critical" vd="root" eventtime=1600331781108372788 tz="-0700" logdesc="Routing information changed" name="Google_Ping" interface="TEST-INF1" status="down" msg="Static route on interface TEST-INF1 may be removed by health-check Google_Ping. Route: (10.10.10.27->10.10.8.8 ping-down)"
| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | logdesc + level |
| Device Time | date + time |
Sample 3: The following sample shows a forwarded traffic session that the firewall allowed (utmaction="allow"), including the source NAT translation.
date=2020-09-10 time=05:01:35 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1599739296076496743 tz="-0700" srcip=192.168.14.111 srcport=54923 srcintf="internal" srcintfrole="lan" dstip=192.168.14.112 dstport=80 dstintf="wan1" dstintfrole="wan" srccountry="Reserved" dstcountry="Test Country" sessionid=53159 proto=6 action="close" policyid=1 policytype="policy" poluuid="a9b81e06-c6a0-51e8-e434-a05c75d5ad74" policyname="Internet_Access" service="HTTP" trandisp="snat" transip=172.16.72.26 transport=54923 appid=17735 app="Facebook_Apps" appcat="Social.Media" apprisk="medium" applist="default" duration=187 sentbyte=2333 rcvdbyte=2585 sentpkt=42 rcvdpkt=42 vwlid=6 vwlservice="Facebook-Instagram" vwlquality="Seq_num(1 wan1), alive, sla(0x1), cfg_order(0), cost(10), selected" utmaction="allow" countapp=1 sentdelta=1092 rcvddelta=780 utmref=65515-3302
| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | utmaction |
| Source IP | srcip |
| Source Port | srcport |
| Destination IP | dstip |
| Destination Port | dstport |
| Pre NAT Source IP | srcip |
| Pre NAT Source Port | srcport |
| Post NAT Source IP | transip |
| Post NAT Source Port | transport |
| Protocol | proto |
| Policy | policyid |
| Duration Seconds | duration |
| Device Time | date + time |
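The three tables above describe how QRadar pulls its fields out of FortiGate's key=value payload. The following added example (not QRadar's or Fortinet's own parser) tokenizes a FortiGate line the way those mappings require, including quoted values that contain spaces, commas and parentheses, and applies the per-type mapping; the sample lines are constructed, shortened copies of the three samples on this page, and the `MAPPINGS` table is an assumption that mirrors the tables rather than a QRadar DSM definition.

```python
import re

# key=value where value is a double-quoted string (may hold spaces, commas,
# parentheses) or a run of non-space characters; scanning resumes after each
# match, so a missing separator such as type="event"subtype="system" still splits.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
PRI_RE = re.compile(r"^<\d{1,3}>")  # optional syslog PRI prefix such as <185>

def parse_fortigate(line: str) -> dict:
    """Return the key/value pairs of one FortiGate log line, quotes stripped."""
    fields = {}
    for key, val in KV_RE.findall(PRI_RE.sub("", line.strip())):
        fields[key] = val[1:-1] if len(val) >= 2 and val[0] == val[-1] == '"' else val
    return fields

# QRadar field -> payload key(s), per log type, following the tables above.
# Multi-key entries (date + time, logdesc + level) are joined with a space.
MAPPINGS = {
    "ips": {"Event ID": ["attack_id"], "Source IP": ["src"], "Source Port": ["src_port"],
            "Destination IP": ["dst"], "Destination Port": ["dst_port"], "Protocol": ["proto"],
            "Policy": ["policyid"], "Device Time": ["date", "time"]},
    "event": {"Event ID": ["logdesc", "level"], "Device Time": ["date", "time"]},
    "traffic": {"Event ID": ["utmaction"], "Source IP": ["srcip"], "Source Port": ["srcport"],
                "Destination IP": ["dstip"], "Destination Port": ["dstport"],
                "Pre NAT Source IP": ["srcip"], "Pre NAT Source Port": ["srcport"],
                "Post NAT Source IP": ["transip"], "Post NAT Source Port": ["transport"],
                "Protocol": ["proto"], "Policy": ["policyid"],
                "Duration Seconds": ["duration"], "Device Time": ["date", "time"]},
}

def to_qradar(line: str) -> dict:
    """Map one FortiGate line to the QRadar fields listed for its log type."""
    fields = parse_fortigate(line)
    mapping = MAPPINGS.get(fields.get("type"))
    if mapping is None:
        raise ValueError(f"no mapping for FortiGate log type {fields.get('type')!r}")
    return {qf: " ".join(fields[k] for k in keys) for qf, keys in mapping.items() if all(k in fields for k in keys)}

# Constructed test lines, shortened from the three samples on this page.
SAMPLE_IPS = ('<185>date=2011-05-09 time=14:31:07 type=ips subtype=signature src=10.10.10.10 '
              'dst=10.20.20.20 policyid=4 proto=6 src_port=50000 dst_port=8080 attack_id=11897 '
              'msg="email: MS.Exchange.Mail.Calender.Buffer.Overflow"')
SAMPLE_EVENT = ('date=2020-09-17 time=01:36:20 logid="0100022921" type="event"subtype="system" '
                'level="critical" logdesc="Routing information changed" '
                'msg="Route: (10.10.10.27->10.10.8.8 ping-down)"')
SAMPLE_TRAFFIC = ('date=2020-09-10 time=05:01:35 type="traffic" srcip=192.168.14.111 srcport=54923 '
                  'dstip=192.168.14.112 dstport=80 proto=6 policyid=1 transip=172.16.72.26 '
                  'transport=54923 duration=187 vwlquality="Seq_num(1 wan1), alive" utmaction="allow"')
```

Calling `to_qradar(SAMPLE_TRAFFIC)` yields `"Post NAT Source IP": "172.16.72.26"` and `"Duration Seconds": "187"`; a line whose `type` has no table raises `ValueError`, which is the case to watch for when a new FortiGate log type shows up in the collector.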