FortiGate Sample logs
Date: Day,month,andyearwhenthelog messagewasrecorded. > date=2017-11-15
Time: Hourclockwhenthelogmessage wasrecorded. > direction=incoming
Logid:The ID (logid) is a 10-digit field. It is a unique identifier for that specific log and includes the following information about
the log entry. >
"0000000013"
Type:Each log entry contains a Type (type) or category field that indicates its log type and which log file stores the log entry.
Subtype: The log sub-type: System manager event ,FortiAnalyzer event
>"forward"
Level : The log level: Debug,Error,Information
>level="notice"
VD:Virtual Domain (vd) Name of the virtual domain in which
the log message was recorded.
> vd="vdom1"
Eventtime:Epoch time the log was triggered by
FortiGate.
>eventtime=1510775056
srcip: IP address of the traffic’s origin. The
source varies by the direction:
l In HTTP requests, this is the
web browser or other client.
l In HTTP responses, this is the
physical server.
> srcip=10.1.100.155
srcport: Source Port (srcport) Port number of the traffic's origin.>srcport=40772
srcintf:Source Interface(srcintf) Interface name of the traffic's origin. srcintf="port12"
srcintfrole:Source Interface Name
(srcintfrole)
Name of the source interface.>srcintfrole="undefined"
dstip:IP (dstip) Destination IP address for the web >dstip=35.197.51.42
dstport:Port (dstport) Port number of the traffic's
destination.> dstport=443dstintf:Destination Interface(dstintf) Interface of the traffic's destination. > dstintf="port11"
dstintfrole:Destination InterfaceName (dstinfrole)
Name of the destination interface.> dstintfrole="undefined"sessionid:Session ID (sessionid) ID for the session.> sessionid=8058
proto:Protocol Number (proto) tcp: The protocol used by web traffic
(tcp by default)> proto=6
action:Status of the session. Uses >action=close
trandisp:NAT translation type. trandisp="snat"
app:Application Name (app) Name of the application. app="HTTPS.BROWSER"
duration:(seconds) Duration of the session, in seconds. duration=2
sentbyte:Sent bytes (sentbyte) Number of bytes sent. > sentbyte=1850
rcvdbyte:Number of bytes received >rcvdbyte=39898
sentpkt:Sent packets (sentpkt) Number of packets sent.>sentpkt=25
appcat: Category of the application. Thesecurityactionfromappcontrol > appcat="Web.Client"
Following is an example of a traffic log message in raw format:
date=2017-11-15 time=11:44:16 logid="0000000013" type="traffic"subtype="forward" level="notice" vd="vdom1"eventtime=1510775056 srcip=10.1.100.155 srcname="pc1" srcport=40772 srcintf="port12" srcintfrole="undefined"dstip=35.197.51.42 dstname="fortiguard.com" dstport=443dstintf="port11" dstintfrole="undefined" poluuid="707a0d88-c972-51e7-bbc7-4d421660557b" sessionid=8058proto=6 action="close" policyid=1policytype="policy" policymode="learn"service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat"transip=172.16.200.2 transport=40772 appid=40568app="HTTPS.BROWSER" appcat="Web.Client"apprisk="medium" duration=2 sentbyte=1850 rcvdbyte=39898sentpkt=25 rcvdpkt=37utmaction="allow" countapp=1 devtype="Linux PC"osname="Linux" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=0-220586
Following is an example of a traffic log message in raw format:
date=2019-05-10 time=11:50:48 logid="0001000014" type="traffic" subtype="local" level="notice" vd="vdom1" eventtime=1557514248379911176 srcip=172.16.200.254 srcport=62024 srcintf="port11" srcintfrole="undefined" dstip=172.16.200.2 dstport=443 dstintf="vdom1" dstintfrole="undefined" sessionid=107478 proto=6 action="server-rst" policyid=0 policytype="local-in-policy" service="HTTPS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" app="Web Management(HTTPS)" duration=5 sentbyte=1247 rcvdbyte=1719 sentpkt=5 rcvdpkt=6 appcat="unscanned"
#An example of a traffic log message
1: date=2021-12-20 time=16:43:54 eventtime=1640047434839814226 tz="-0800" logid="0100020214" type="event" subtype="system" level="warning" vd="root" logdesc="Locally generated traffic goes to IoC location" srcip=172.16.200.2 srcport=18047 dstip=223.205.1.54 dstport=514 session_id=23563 proto=6
#An example of a traffic log message
: date=2021-12-20 time=16:45:18 eventtime=1640047518959313316 tz="-0800" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=172.16.200.2 srcport=18116 srcintf="unknown-0" srcintfrole="undefined" dstip=223.205.1.54 dstport=514 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="Thailand" sessionid=23632 proto=6 action="timeout" policyid=0 service="tcp/514" trandisp="noop" app="tcp/514" duration=17 sentbyte=240 rcvdbyte=0 sentpkt=4 rcvdpkt=0 appcat="unscanned" dsthwvendor="Fortinet" masterdstmac="e8:1c:ba:c2:86:63" dstmac="e8:1c:ba:c2:86:63" dstserver=0
#An example of a traffic log message
: date=2020-01-17 time=16:48:40 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1579308520544853557 tz="-0800" srcip=192.168.1.222 srcport=51530 srcintf="port10" srcintfrole="undefined" dstip=172.217.3.193 dstport=443 dstintf="port9" dstintfrole="undefined" sessionid=12654 proto=6 action="close" policyid=1 policytype="policy" poluuid="7d67e686-3924-51ea-c519-50884240bb75" policyname="1" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.1 transport=51530 appid=31077 app="YouTube" appcat="Video/Audio" apprisk="elevated" applist="g-wifi-default" duration=1 sentbyte=597 rcvdbyte=319 sentpkt=8 rcvdpkt=4 vwlid=2 vwlservice="YouTube" vwlquality="Seq_num(2), alive, selected" utmaction="allow" countapp=1 utmref=65422-94
#An example of a traffic log message
date=2017-11-15 time=11:44:16 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1510775056 srcip=10.1.100.155 srcname="pc1" srcport=40772 srcintf="port12" srcintfrole="undefined" dstip=35.197.51.42 dstname="fortiguard.com" dstport=443 dstintf="port11" dstintfrole="undefined" poluuid="707a0d88-c972-51e7-bbc7-4d421660557b" sessionid=8058 proto=6 action="close" policyid=1 policytype="policy" policymode="learn" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=40772 appid=40568 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" duration=2 sentbyte=1850 rcvdbyte=39898 sentpkt=25 rcvdpkt=37 utmaction="allow" countapp=1 devtype="Linux PC" osname="Linux" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=0-220586
remip:IPsec VPN remote gateway IP address
srccountry:Country (srccountry) Name of the source country. srccountry="Reserved"
logdesc: Log Description > logdesc="Admin login failed"
tunnelid : IPsec VPN tunnel ID >tunnelid=0
tunneltype: IPsec VPN tunnel type >tunneltype="ssl-web"
อ้างอิง :
หมายเหตุ:เนื้อหาในเว็บไซต์นี้มีขึ้นเพื่อวัตถุประสงค์ในการให้ข้อมูลและเพื่อการศึกษาเท่านั้น
* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย รบกวนแจ้ง Admin เพื่อแก้ไขต่อไป
ขอบคุณครับ
#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud
Investigation Outcomes 
THE Challenges Initially Faced
Initial analysis summary
Analysis of POI Devices
