| Levels | Description |
|---|---|
| 0 - Emergency | The system has become unstable. |
| 1 - Alert | Immediate action is required. |
| 2 - Critical | Functionality is affected. |
| 3 - Error | An error condition exists and functionality could be affected. |
| 4 - Warning | Functionality could be affected. |
| 5 - Notification | Information about normal events. |
| 6 - Information | General information about system operations. |
| Field (example value) | Description |
|---|---|
| Log header | |
| date=(2010-08-03) | The year, month and day on which the event occurred, in yyyy-mm-dd format. |
| time=(12:55:06) | The hour, minute and second at which the event occurred, in hh:mm:ss format. |
| log_id=(2457752353) | A five- or ten-digit identification number that is unique to this log message and identifies it. |
| type=(dlp) | The section of the system where the event occurred. |
| subtype=(dlp) | The subtype category of the log message. |
| level=(notice) | The priority level of the event. See Table 58. |
| vd=(root) | The name of the virtual domain in which the action or event occurred. If no virtual domains exist, this field always contains root. |
| Log body | |
| policyid=(1) | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate has an index number of zero. |
| identidx=(0) | The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy. |
| sessionid=(311) | The serial number of the firewall session in which the event happened. |
| srcip=(10.10.10.1) | The source IP address. |
| srcport=(1190) | The source port number. |
| srcintf=(internal) | The source interface name. |
| dstip=(192.168.1.122) | The destination IP address. |
| dstport=(80) | The destination port number. |
| dstintf=(wan1) | The destination interface name. |
| service=(https) | The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy. |
| status=(detected) | The action the FortiGate unit took. |
| hostname=(example.com) | The home page of the web site. |
| url=(/image/trees_pine_forest/) | The URL of the web page that the user was viewing. |
| msg=(data leak detected(Data Leak Prevention Rule matched)) | Explains the FortiGate activity that was recorded. In this example, the data leak that was detected matched the rule All-HTTP in the DLP sensor. |
| rulename=(All-HTTP) | The name of the DLP rule within the DLP sensor. |
| action=(log-only) | The action that was specified within the rule. In some rules within sensors, you can specify content archiving. If no action type is specified, this field displays log-only. |
| severity=(1) | The level of severity for that specific rule. |
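The two tables above describe the pieces of a DLP log message but not how to get them out of a raw line. The following parser is an added example written for this page; it is not Fortinet code. It splits a FortiGate-style `key=value` line into the fields listed above, maps the `level=` value to the numeric severity from the levels table (the field carries `notice` for the "Notification" row), and selects records worth a second look: anything at warning or worse, plus any DLP detection regardless of level, since the sample DLP hit logs only at notice. The sample lines are constructed from the values in the tables; the `msg` value is double-quoted, which is how values containing spaces are assumed to appear in a raw line. The second and third lines (a non-DLP line at `information` level and a line with an unrecognised level) are also constructed.

```python
import re
from typing import Dict, List, Optional

# Numeric severities from the levels table on this page. "notice" is the
# literal value the level= field carries for the "Notification" row.
LEVELS = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "notification": 5, "information": 6,
}

# key=value pairs; a value is either double-quoted (may contain spaces and
# parentheses) or a bare run of non-whitespace characters.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Constructed sample lines built from the field values in the tables above.
SAMPLE_LINES = [
    'date=2010-08-03 time=12:55:06 log_id=2457752353 type=dlp subtype=dlp '
    'level=notice vd=root policyid=1 identidx=0 sessionid=311 '
    'srcip=10.10.10.1 srcport=1190 srcintf=internal dstip=192.168.1.122 '
    'dstport=80 dstintf=wan1 service=https status=detected '
    'hostname=example.com url=/image/trees_pine_forest/ '
    'msg="data leak detected(Data Leak Prevention Rule matched)" '
    'rulename=All-HTTP action=log-only severity=1',
    # constructed: a routine line that should not be selected for review
    'date=2010-08-03 time=12:55:07 log_id=0000012345 type=traffic '
    'subtype=forward level=information vd=root policyid=1 sessionid=312 '
    'srcip=10.10.10.1 dstip=192.168.1.122 service=https',
    # constructed: an unknown level value, to show it is reported as None
    'date=2010-08-03 time=12:55:08 log_id=0000012346 type=event '
    'level=bogus vd=root msg="unrecognised level for demonstration"',
]


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split one key=value log line into a field dictionary."""
    fields: Dict[str, str] = {}
    for match in _KV.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def level_number(fields: Dict[str, str]) -> Optional[int]:
    """Return the 0-6 severity for the level= field, or None if unrecognised."""
    return LEVELS.get(fields.get("level", "").lower())


def is_dlp_detection(fields: Dict[str, str]) -> bool:
    """True for a DLP log whose status= field reports a detection."""
    return fields.get("type") == "dlp" and fields.get("status") == "detected"


def select_for_review(lines: List[str], max_level: int = 4) -> List[Dict[str, str]]:
    """Parse each line and keep records at `max_level` (warning) or more
    severe, plus every DLP detection, which the sample logs only at notice."""
    picked = []
    for line in lines:
        record = parse_fortigate_log(line)
        level = level_number(record)
        if (level is not None and level <= max_level) or is_dlp_detection(record):
            picked.append(record)
    return picked


if __name__ == "__main__":
    for record in select_for_review(SAMPLE_LINES):
        print(record["log_id"], record.get("level"), record.get("rulename"),
              record.get("msg"))
```

The selection rule is deliberately two-part: filtering on the numeric level alone would drop the DLP hit, because a rule whose action is `log-only` is recorded at notice (level 5) even though the `severity=` field of the rule itself is 1. When building detections on these logs, key on `type`, `status` and `rulename` rather than on `level`.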