Debbie_FTNT
Staff & Editor
August 1, 2017

Technical Tip: Hostname and Destination name in traffic and UTM logs in FortiOS


Description

 

This article provides a clarification on the 'hostname' and 'destination name' fields used in FortiOS traffic and UTM logs.
 
Scope
 
FortiGate.


Solution

 

The raw traffic log does not contain a 'hostname' field, but may contain the field 'dstname'. 'dstname' is only available if 'resolve-ip' is 'enabled' under 'config log settings'. The value of 'dstname' is obtained by a reverse DNS query for the IP address in 'dstip', sent to the DNS servers configured under 'config system dns'.

If the system DNS servers return no response or no PTR record, 'dstname' will contain the same value as 'dstip'.

The raw UTM logs do not contain a 'dstname' field, but do contain a 'hostname' field.  The hostname field is provided by the respective UTM process, after inspecting the traffic.  'hostname' can be blank if no information is supplied.
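The following is an added example, not part of the original article and not Fortinet code: it applies the rules above when normalizing a destination name across raw traffic and UTM log lines. The function names and the source labels are hypothetical, and the log lines are constructed and abbreviated.

```python
import re

# FortiOS raw logs are space-separated key=value pairs; values may be quoted.
_PAIR = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S*))')

def parse_line(line):
    """Return the key=value fields of one raw log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PAIR.finditer(line)}

def destination_name(fields):
    """Return (name, source); name is None when the log carries no usable name."""
    if fields.get("type") == "utm":
        # UTM logs: 'hostname' comes from the inspecting UTM process, may be blank.
        host = fields.get("hostname", "")
        return (host, "utm-hostname") if host else (None, "utm-blank")
    name = fields.get("dstname")
    if name is None:
        return (None, "no-dstname")        # field absent from the traffic log
    if name == fields.get("dstip"):
        return (None, "ptr-unresolved")    # no DNS response or no PTR record
    return (name, "reverse-dns")           # PTR answer from the system DNS servers

# Constructed, abbreviated sample lines (not taken from a real device).
SAMPLE_LINES = [
    'date=2017-08-01 time=10:00:01 type="traffic" subtype="forward" '
    'srcip=10.0.0.5 dstip=192.0.2.10 dstname="www.example.com" action="close"',
    'date=2017-08-01 time=10:00:02 type="traffic" subtype="forward" '
    'srcip=10.0.0.5 dstip=192.0.2.20 dstname="192.0.2.20" action="close"',
    'date=2017-08-01 time=10:00:03 type="traffic" subtype="forward" '
    'srcip=10.0.0.5 dstip=192.0.2.30 action="close"',
    'date=2017-08-01 time=10:00:04 type="utm" subtype="webfilter" '
    'srcip=10.0.0.5 dstip=192.0.2.10 hostname="www.example.com" action="passthrough"',
    'date=2017-08-01 time=10:00:05 type="utm" subtype="ips" '
    'srcip=10.0.0.5 dstip=192.0.2.40 hostname="" action="detected"',
]

def summarize(lines):
    """Parse each line and return its (name, source) pair."""
    return [destination_name(parse_line(l)) for l in lines]

if __name__ == "__main__":
    for name, source in summarize(SAMPLE_LINES):
        print(f"{source:15} {name}")
```

Keeping the source label next to the name matters in detection rules: a PTR-derived 'dstname' is set by whoever controls the reverse DNS zone for that address, so it is a hint rather than an identity.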

Related documents:

FortiOS Log Reference guide.

Technical Tip: Configuring FortiGate and FortiAnalyzer to resolve IPs to hostname

Hostname/FQDN search in FortiAnalyzer log... - Fortinet Community