I sent an e-mail to Daniel last week asking about the process to get new devices supported, and he asked that I send some log samples to the mailing list… these are not complete, but here is a start. I grabbed this from our central log server:
1. Simple traffic logs from a Fortigate 100A (firmware 3.00-b0559(MR5))
Note: Sensitive info replaced by x's
Jul 19 23:59:58 [HOSTNAME] date=2007-07-19 a5 [local4.notice] date=2007-07-19 time=22:59:58 devname=xxxxx device_id=FGTxxxxx log_id=xxxxx type=traffic subtype=allowed pri=notice vd=root SN=xxxxx duration=130 user=N/A group=N/A policyid=1 proto=6 service=8080/tcp app_type=N/A status=accept src=xxx.xxx.xxx.xxx srcname=xxxxxx dst=xxx.xxx.xxx.xxx dstname=xxx.xxx.xxx.xxx src_int=xxxxx dst_int=xxxxx sent=299 rcvd=1759 sent_pkt=7 rcvd_pkt=6 src_port=56297 dst_port=8080 vpn=N/A tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop
Jul 19 23:59:59 [HOSTNAME] date=2007-07-19 a5 [local4.notice] date=2007-07-19 time=23:00:00 devname=XXXX device_id=FGTxxxxx log_id=xxxxx type=traffic subtype=allowed pri=notice vd=root SN=xxxxx duration=130 user=N/A group=N/A policyid=1 proto=6 service=8080/tcp app_type=N/A status=accept src=xxx.xxx.xxx.xxx srcname=xxxxxx dst=xxx.xxx.xxx.xxx dstname=xxx.xxx.xxx.xxx src_int=xxxxx dst_int=xxxxx sent=299 rcvd=1759 sent_pkt=7 rcvd_pkt=6 src_port=56298 dst_port=8080 vpn=N/A tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop
2. A warning message regarding licensing of anti-virus component
Jul 23 06:30:22 [HOSTNAME] date=2007-07-23 a2 [local4.crit] date=2007-07-23 time=05:30:23 devname=XXXX device_id=FGTxxxxx log_id=xxxxx type=event subtype=system pri=critical vd=root msg=\"FortiGuard Web Filter license is expired\"
As I get more messages I will send them along – we are currently not in production, so the IPS isn't seeing anything.
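For anyone wanting to turn samples like these into something a log analyser can match on, here is a small parser for the format shown above. It is an added example written for this thread, not code from the poster or from any log-analysis project. It assumes the syslog header layout exactly as the poster's central log server writes it (timestamp, bracketed host, a stray token, bracketed facility.severity) and that quoted FortiGate values may appear with backslash-escaped quotes (`\"`) as they do in the samples; the sample lines embedded below are the poster's own, with the x's left in.

```python
import re
from typing import Dict, List, Optional

# Sample input: the three lines from the post above, kept verbatim (raw strings
# so the \" around msg= survives exactly as the central log server emitted it).
SAMPLE_LINES = [
    r'Jul 19 23:59:58 [HOSTNAME] date=2007-07-19 a5 [local4.notice] date=2007-07-19 time=22:59:58 devname=xxxxx device_id=FGTxxxxx log_id=xxxxx type=traffic subtype=allowed pri=notice vd=root SN=xxxxx duration=130 user=N/A group=N/A policyid=1 proto=6 service=8080/tcp app_type=N/A status=accept src=xxx.xxx.xxx.xxx srcname=xxxxxx dst=xxx.xxx.xxx.xxx dstname=xxx.xxx.xxx.xxx src_int=xxxxx dst_int=xxxxx sent=299 rcvd=1759 sent_pkt=7 rcvd_pkt=6 src_port=56297 dst_port=8080 vpn=N/A tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop',
    r'Jul 19 23:59:59 [HOSTNAME] date=2007-07-19 a5 [local4.notice] date=2007-07-19 time=23:00:00 devname=XXXX device_id=FGTxxxxx log_id=xxxxx type=traffic subtype=allowed pri=notice vd=root SN=xxxxx duration=130 user=N/A group=N/A policyid=1 proto=6 service=8080/tcp app_type=N/A status=accept src=xxx.xxx.xxx.xxx srcname=xxxxxx dst=xxx.xxx.xxx.xxx dstname=xxx.xxx.xxx.xxx src_int=xxxxx dst_int=xxxxx sent=299 rcvd=1759 sent_pkt=7 rcvd_pkt=6 src_port=56298 dst_port=8080 vpn=N/A tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop',
    r'Jul 23 06:30:22 [HOSTNAME] date=2007-07-23 a2 [local4.crit] date=2007-07-23 time=05:30:23 devname=XXXX device_id=FGTxxxxx log_id=xxxxx type=event subtype=system pri=critical vd=root msg=\"FortiGuard Web Filter license is expired\"',
]

# Syslog header as the poster's central log server writes it (assumption: the
# "a5"/"a2" token and the bracketed facility.severity come from that server's
# template, not from the FortiGate itself).
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"\[?(?P<host>[^\s\]]+)\]?\s+"
)
FACILITY_RE = re.compile(r"\[(?P<facility>\w+)\.(?P<severity>\w+)\]")

# FortiGate body: space-separated key=value pairs. Values with spaces are quoted;
# the quotes may be escaped as \" in the relayed copy. Quoted alternative comes
# first so a value like \"Foo bar\" is not swallowed by the bare \S+ branch.
KV_RE = re.compile(r'(?P<key>\w+)=(?:\\?"(?P<quoted>[^"]*?)\\?"|(?P<bare>\S+))')

# FortiGate "pri=" levels that should never be silently dropped.
HIGH_PRIORITY = {"emergency", "alert", "critical"}


def parse_fortigate_line(line: str) -> Optional[Dict[str, str]]:
    """Split one relayed FortiGate line into a flat dict of fields.

    Returns None when the syslog header is not recognised, so callers can
    count unparsed lines instead of treating them as silently empty events.
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    record = {"syslog_ts": m.group("ts"), "syslog_host": m.group("host")}
    f = FACILITY_RE.search(line, m.end())
    if f:
        record["syslog_facility"] = f.group("facility")
        record["syslog_severity"] = f.group("severity")
    for kv in KV_RE.finditer(line, m.end()):
        value = kv.group("quoted")
        if value is None:
            value = kv.group("bare")
        record[kv.group("key")] = value
    return record


def normalize(record: Dict[str, str]) -> Dict[str, object]:
    """Reduce a parsed record to the handful of fields a rule would match on."""
    if record.get("type") == "traffic":
        return {
            "kind": "traffic",
            "action": record.get("status"),
            "src": record.get("src"),
            "src_port": int(record.get("src_port", "0")),
            "dst": record.get("dst"),
            "dst_port": int(record.get("dst_port", "0")),
            "service": record.get("service"),
            "bytes_out": int(record.get("sent", "0")),
            "bytes_in": int(record.get("rcvd", "0")),
        }
    return {
        "kind": record.get("type", "unknown"),
        "subtype": record.get("subtype"),
        "priority": record.get("pri"),
        "msg": record.get("msg"),
    }


def find_high_priority_events(lines: List[str]) -> List[str]:
    """Return the msg text of every event line at emergency/alert/critical."""
    hits = []
    for line in lines:
        rec = parse_fortigate_line(line)
        if rec and rec.get("type") == "event" and rec.get("pri") in HIGH_PRIORITY:
            hits.append(rec.get("msg", ""))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize(parse_fortigate_line(line)))
    print("high priority:", find_high_priority_events(SAMPLE_LINES))
```

One thing worth noticing in the samples themselves: the relay's syslog timestamp and the device's own `time=` field differ by an hour (23:59:58 vs 22:59:58), so anything that correlates these records with other sources should pick one clock and stick to it rather than mixing the two.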