Fortinet FortiGate Security Gateway sample event messages

Use these sample event messages to verify a successful integration with the QRadar® product.

Fortinet FortiGate Security Gateway sample messages when you use the Syslog or the Syslog Redirect connector

Important: Due to formatting, paste the message format into a text editor and then remove any carriage return or line feed characters.

Sample 1: The following sample shows an attempt to use a remote-access vulnerability that affects Microsoft Exchange Server. A remote attacker uses the vulnerability by sending an email with a meeting request that contains specially crafted vCal and iCal calendar data. As a result, the attacker might be able to take control of a vulnerable system.

<185>date=2011-05-09 time=14:31:07 devname=exampleDeviceName device_id=EXAMPLEDEVID2 log_id=0987654321 type=ips subtype=signature pri=alert severity=high carrier_ep="N/A" profilegroup="N/A" profiletype="N/A" profile="Example_Profile" src= dst= src_int=exampleVlan2 dst_int=exampleVlan1 policyid=4 identidx=0 serial=123456 status=detected proto=6 service=smtp vd="exampleDomain" count=1 src_port=50000 dst_port=8080 attack_id=11897 sensor=exampleSensor ref=url.example.test user="N/A" group=Example_Group incident_serialno=1234567890 msg="email: MS.Exchange.Mail.Calender.Buffer.Overflow"
Table 1. Highlighted fields
QRadar product field name Highlighted payload field name
Event ID attack_id
Source IP src
Source Port src_port
Destination IP dst
Destination Port dst_port
Connector proto
Policy policyid
Device Time date + time

Sample 2: The following sample shows that routing information has changed.

date=2020-09-17 time=01:36:20 logid="0100022921" type="event"subtype="system" level="critical" vd="root" eventtime=1600331781108372788 tz="-0700" logdesc="Routing information changed" name="Google_Ping" interface="TEST-INF1" status="down" msg="Static route on interface TEST-INF1 may be removed by health-check Google_Ping. Route:  (> ping-down)"
Table 2. Highlighted fields
QRadar product field name Highlighted payload field name
Event ID logdesc + level
Device Time date + time

Sample 3: The following sample shows that a firewall is allowed.

date=2020-09-10 time=05:01:35 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1599739296076496743 tz="-0700" srcip= srcport=54923 srcintf="internal" srcintfrole="lan" dstip= dstport=80 dstintf="wan1" dstintfrole="wan" srccountry="Reserved" dstcountry="Test Country" sessionid=53159 proto=6 action="close" policyid=1 policytype="policy" poluuid="a9b81e06-c6a0-51e8-e434-a05c75d5ad74" policyname="Internet_Access" service="HTTP" trandisp="snat" transip= transport=54923 appid=17735 app="Facebook_Apps" appcat="Social.Media" apprisk="medium" applist="default" duration=187 sentbyte=2333 rcvdbyte=2585 sentpkt=42 rcvdpkt=42 vwlid=6 vwlservice="Facebook-Instagram" vwlquality="Seq_num(1 wan1), alive, sla(0x1), cfg_order(0), cost(10), selected" utmaction="allow" countapp=1 sentdelta=1092 rcvddelta=780 utmref=65515-3302
Table 3. Highlighted fields
QRadar product field name Highlighted payload field name
Event ID utmaction
Source IP srcip
Source Port srcport
Destination IP dstip
Destination Port dstport
Pre NAT Source IP srcip
Pre NAT Source Port srcport
Post NAT Source IP transip
Post NAT Source Port transport
Connector proto
Policy policyid
Duration Seconds duration
Device Time date + time