Thursday, November 5, 2020

FortiGate Sample logs

Sample log analysis


Date: Day, month, and year when the log message was recorded. > date=2017-11-15

Time: Hour, minute and second (device local time; compare with the tz field) when the log message was recorded. > time=11:44:16

Logid: The ID (logid) is a 10-digit field. It is a unique identifier for that specific log and encodes information about the entry: the first two digits are the log type, the next two the subtype, and the last six the message ID. > logid="0000000013"


Type: Each log entry contains a Type (type) or category field that indicates its log type and which log file stores the log entry. > type="traffic"

Subtype: The log subtype, which depends on the type (for traffic logs: forward, local; for event logs: system, and others such as the system manager and FortiAnalyzer events). > subtype="forward"

Level: The log severity: emergency, alert, critical, error, warning, notice, information, debug. > level="notice"


VD: Virtual Domain (vd). Name of the virtual domain in which the log message was recorded. > vd="vdom1"


Eventtime: Epoch time (UTC) at which the log was triggered by the FortiGate. In this 2017 sample the value is in seconds; the later samples on this page carry 19-digit values, i.e. nanosecond precision. > eventtime=1510775056

srcip: Source IP (srcip). IP address of the traffic's origin. The source varies by direction: in HTTP requests it is the web browser or other client; in HTTP responses it is the web server. > srcip=10.1.100.155

srcport: Source Port (srcport). Port number of the traffic's origin. > srcport=40772

srcintf: Source Interface (srcintf). Interface name of the traffic's origin. > srcintf="port12"

srcintfrole: Source Interface Role (srcintfrole). Configured role of the source interface (lan, wan, dmz, or undefined when no role is set). > srcintfrole="undefined"

dstip: Destination IP (dstip). Destination IP address of the traffic. > dstip=35.197.51.42

dstport: Destination Port (dstport). Port number of the traffic's destination. > dstport=443

dstintf: Destination Interface (dstintf). Interface name of the traffic's destination. > dstintf="port11"

dstintfrole: Destination Interface Role (dstintfrole). Configured role of the destination interface (lan, wan, dmz, or undefined). > dstintfrole="undefined"

sessionid: Session ID (sessionid). Identifier of the firewall session the entry belongs to. > sessionid=8058

proto: Protocol Number (proto). IP protocol number of the session; 6 is TCP, 17 is UDP, 1 is ICMP. Web traffic is TCP. > proto=6


action: Status of the session. Values seen in the samples on this page include close (session ended normally), server-rst (reset by the server) and timeout (session expired without a reply). > action="close"

trandisp: NAT translation type: snat (source NAT, with the translated address in transip/transport), dnat, or noop (no translation). > trandisp="snat"

app: Application Name (app). Name of the application identified by application control. > app="HTTPS.BROWSER"

duration: Duration of the session, in seconds. > duration=2

sentbyte: Sent bytes (sentbyte). Number of bytes sent. > sentbyte=1850

rcvdbyte: Received bytes (rcvdbyte). Number of bytes received. > rcvdbyte=39898

sentpkt: Sent packets (sentpkt). Number of packets sent. > sentpkt=25

appcat: Application Category (appcat). Category of the application assigned by application control; the security action itself is reported in utmaction. > appcat="Web.Client"


Following is an example of a traffic log message in raw format: 

date=2017-11-15 time=11:44:16 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1510775056 srcip=10.1.100.155 srcname="pc1" srcport=40772 srcintf="port12" srcintfrole="undefined" dstip=35.197.51.42 dstname="fortiguard.com" dstport=443 dstintf="port11" dstintfrole="undefined" poluuid="707a0d88-c972-51e7-bbc7-4d421660557b" sessionid=8058 proto=6 action="close" policyid=1 policytype="policy" policymode="learn" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=40772 appid=40568 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" duration=2 sentbyte=1850 rcvdbyte=39898 sentpkt=25 rcvdpkt=37 utmaction="allow" countapp=1 devtype="Linux PC" osname="Linux" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=0-220586

Following is an example of a local traffic log message (subtype="local", matched by a local-in policy, so policyid=0) in raw format:
date=2019-05-10 time=11:50:48 logid="0001000014" type="traffic" subtype="local" level="notice" vd="vdom1" eventtime=1557514248379911176 srcip=172.16.200.254 srcport=62024 srcintf="port11" srcintfrole="undefined" dstip=172.16.200.2 dstport=443 dstintf="vdom1" dstintfrole="undefined" sessionid=107478 proto=6 action="server-rst" policyid=0 policytype="local-in-policy" service="HTTPS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" app="Web Management(HTTPS)" duration=5 sentbyte=1247 rcvdbyte=1719 sentpkt=5 rcvdpkt=6 appcat="unscanned"

#An example of an event log message (type="event", subtype="system") raised when traffic generated by the FortiGate itself goes to an IoC destination
date=2021-12-20 time=16:43:54 eventtime=1640047434839814226 tz="-0800" logid="0100020214" type="event" subtype="system" level="warning" vd="root" logdesc="Locally generated traffic goes to IoC location" srcip=172.16.200.2 srcport=18047 dstip=223.205.1.54 dstport=514 session_id=23563 proto=6

#An example of a local traffic log message to the same IoC destination (note action="timeout" and rcvdbyte=0: the firewall sent data and never got a reply)
date=2021-12-20 time=16:45:18 eventtime=1640047518959313316 tz="-0800" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=172.16.200.2 srcport=18116 srcintf="unknown-0" srcintfrole="undefined" dstip=223.205.1.54 dstport=514 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="Thailand" sessionid=23632 proto=6 action="timeout" policyid=0 service="tcp/514" trandisp="noop" app="tcp/514" duration=17 sentbyte=240 rcvdbyte=0 sentpkt=4 rcvdpkt=0 appcat="unscanned" dsthwvendor="Fortinet" masterdstmac="e8:1c:ba:c2:86:63" dstmac="e8:1c:ba:c2:86:63" dstserver=0

#An example of a traffic log message for a session steered by SD-WAN (the vwlid, vwlservice and vwlquality fields)
date=2020-01-17 time=16:48:40 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1579308520544853557 tz="-0800" srcip=192.168.1.222 srcport=51530 srcintf="port10" srcintfrole="undefined" dstip=172.217.3.193 dstport=443 dstintf="port9" dstintfrole="undefined" sessionid=12654 proto=6 action="close" policyid=1 policytype="policy" poluuid="7d67e686-3924-51ea-c519-50884240bb75" policyname="1" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.1 transport=51530 appid=31077 app="YouTube" appcat="Video/Audio" apprisk="elevated" applist="g-wifi-default" duration=1 sentbyte=597 rcvdbyte=319 sentpkt=8 rcvdpkt=4 vwlid=2 vwlservice="YouTube" vwlquality="Seq_num(2), alive, selected" utmaction="allow" countapp=1 utmref=65422-94



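To make the field descriptions above concrete, here is an added Python example (my own code, not Fortinet's and not part of the original post) that parses the key=value syslog format, splits logid into its type, subtype and message-ID digits, normalises the two eventtime precisions seen in the samples (seconds versus nanoseconds), and runs a few illustrative triage rules over abridged copies of the sample lines from this page. The type-digit mapping it checks (00 = traffic, 01 = event) is inferred from the samples on this page, and the triage rules are my own assumptions for demonstration rather than anything FortiGate itself does.

```python
import re
from datetime import datetime, timezone

# FortiGate syslog lines are space-separated key=value pairs. Values are either
# bare tokens (srcip=10.1.100.155) or double-quoted strings that may contain
# spaces, e.g. app="Web Management(HTTPS)" or vwlquality="Seq_num(2), alive, selected".
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Abridged copies of the sample lines shown on this page. The leading "1: " / ": "
# is the index prefix that the CLI command 'execute log display' prints.
SAMPLE_LOGS = [
    'date=2017-11-15 time=11:44:16 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="vdom1" eventtime=1510775056 srcip=10.1.100.155 srcname="pc1" '
    'srcport=40772 srcintf="port12" srcintfrole="undefined" dstip=35.197.51.42 '
    'dstname="fortiguard.com" dstport=443 dstintf="port11" dstintfrole="undefined" '
    'sessionid=8058 proto=6 action="close" policyid=1 service="HTTPS" trandisp="snat" '
    'app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" duration=2 '
    'sentbyte=1850 rcvdbyte=39898 sentpkt=25 rcvdpkt=37 utmaction="allow"',
    '1: date=2021-12-20 time=16:43:54 eventtime=1640047434839814226 tz="-0800" '
    'logid="0100020214" type="event" subtype="system" level="warning" vd="root" '
    'logdesc="Locally generated traffic goes to IoC location" srcip=172.16.200.2 '
    'srcport=18047 dstip=223.205.1.54 dstport=514 session_id=23563 proto=6',
    ': date=2021-12-20 time=16:45:18 eventtime=1640047518959313316 tz="-0800" '
    'logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" '
    'srcip=172.16.200.2 srcport=18116 srcintf="unknown-0" dstip=223.205.1.54 '
    'dstport=514 dstintf="port2" dstcountry="Thailand" sessionid=23632 proto=6 '
    'action="timeout" policyid=0 service="tcp/514" trandisp="noop" duration=17 '
    'sentbyte=240 rcvdbyte=0 sentpkt=4 rcvdpkt=0 appcat="unscanned"',
]


def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate log line into a dict of string-valued fields."""
    line = re.sub(r'^\s*\d*:\s*', '', line)  # drop the CLI index prefix if present
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = bare if bare else quoted  # findall gives '' for the unused group
    return fields


def decode_logid(logid: str) -> dict:
    """Split the 10-digit logid: digits 1-2 = log type, 3-4 = subtype, 5-10 = message ID."""
    if not re.fullmatch(r'\d{10}', logid):
        raise ValueError(f'unexpected logid {logid!r}')
    return {'type': logid[:2], 'subtype': logid[2:4], 'msgid': logid[4:]}


def eventtime_utc(eventtime: str) -> datetime:
    """Normalise eventtime to a UTC datetime: 10-digit values are seconds,
    19-digit values (newer firmware) are nanoseconds, as the samples show."""
    n = int(eventtime)
    if n >= 10 ** 12:  # far too large to be seconds, so treat it as nanoseconds
        n //= 10 ** 9
    return datetime.fromtimestamp(n, tz=timezone.utc)


def triage(fields: dict) -> list:
    """Illustrative detection rules over one parsed log (assumptions, not Fortinet logic)."""
    hits = []
    if fields.get('type') == 'event' and 'IoC' in fields.get('logdesc', ''):
        hits.append('ioc-destination')
    if fields.get('apprisk') in ('elevated', 'high', 'critical'):
        hits.append('risky-app:' + fields.get('app', '?'))
    # Traffic the FortiGate itself originated (subtype=local) that timed out with
    # nothing received: one-way beaconing towards an unexpected destination.
    if (fields.get('subtype') == 'local' and fields.get('action') == 'timeout'
            and fields.get('rcvdbyte') == '0'):
        hits.append('local-out-no-reply:' + fields.get('dstip', '?'))
    return hits


def analyse(lines) -> list:
    """Parse each line, cross-check the logid type digits against the type field,
    stamp the event in UTC and run the triage rules."""
    type_by_digits = {'00': 'traffic', '01': 'event'}  # inferred from this page's samples
    results = []
    for line in lines:
        f = parse_fortigate_log(line)
        parts = decode_logid(f['logid'])
        results.append({
            'sessionid': f.get('sessionid') or f.get('session_id'),  # event logs use session_id
            'utc': eventtime_utc(f['eventtime']).isoformat(),
            'logid_type_matches': type_by_digits.get(parts['type']) == f['type'],
            'hits': triage(f),
        })
    return results


if __name__ == '__main__':
    for result in analyse(SAMPLE_LOGS):
        print(result)
```

The UTC stamps the example produces line up with the date/time fields once the tz offset is applied (11:44:16 at -0800 is 19:44:16 UTC), which is a useful sanity check when correlating FortiGate logs with sources that log in UTC.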



remip: IPsec VPN remote gateway IP address.


srccountry: Source Country (srccountry). Name of the source country; "Reserved" is reported for private or otherwise non-geolocated addresses. > srccountry="Reserved"

logdesc: Log Description (logdesc). Human-readable description of an event log entry. > logdesc="Admin login failed"
tunnelid: VPN tunnel ID. > tunnelid=0
tunneltype: VPN tunnel type; ipsec for IPsec tunnels, ssl-web or ssl-tunnel for SSL VPN sessions (the sample value is an SSL VPN web-mode session, not IPsec). > tunneltype="ssl-web"





Note: The content on this website is provided for informational and educational purposes only.

* If any information is incorrect, apologies; please notify the Admin so that it can be corrected.
Thank you.

#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud
