juanc
Explorer
August 24, 2022
Solved

Fortinet UTM logs field country

  • August 24, 2022
  • 1 reply
  • 3873 views

Hello everyone,

I apologize because I am using a translator to request help.

I clarify that I do not have knowledge of Fortinet, nor am I an administrator of one of these devices. I am an administrator of a SIEM, and I am currently receiving the UTM-type logs through syslog, and I see that within this log the origin country and destination country fields do not arrive.

I would like to know if there is any way for this field to be included, so that I can send the request to the administrator of said firewall.

I exactly need to know which IPs are from Russia, since I need to get a report of the incoming and outgoing connections from this country to the firewall.

Thanks

1 reply

lol (Answer)
Staff
August 25, 2022

Hello,


Some fields are missing from syslog messages unless you enable UTM extended logging.
This is possible when selecting the reliable mode.

Refer to https://docs.fortinet.com/document/fortigate/7.0.6/fortios-log-message-reference/496081/enabling-extended-logging


If the country entries are still missing, then please clarify which exact log item is affected,
i.e.
    type="utm" subtype="ips" eventtype="botnet" level="warning"
    type="utm" subtype="virus" eventtype="analytics" level="notice"

Sorry, I am not a FortiSIEM expert, but does FortiSIEM not have its own function to resolve IP addresses from logs to countries?

Regards
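Added example, not code from this thread or from Fortinet: a small parser for FortiGate-style key="value" syslog lines that checks whether the geolocation fields are present (so a SIEM admin can tell an extended-logging gap from a parsing problem) and builds the incoming/outgoing per-country count the question asks for. The field names srccountry and dstcountry are assumed, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate's key="value" syslog style (not real logs).
# srccountry/dstcountry are assumed to be the geolocation field names in question.
SAMPLE_LOGS = [
    'date=2022-08-24 time=10:15:01 devname="fgt-lab" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" srcip=198.51.100.7 srccountry="Russian Federation" '
    'dstip=10.0.0.5 dstcountry="Reserved" direction="incoming" action="dropped"',
    'date=2022-08-24 time=10:15:02 devname="fgt-lab" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" srcip=10.0.0.9 srccountry="Reserved" '
    'dstip=203.0.113.40 dstcountry="Russian Federation" direction="outgoing" action="blocked"',
    # A line without country fields, as seen when extended logging is not enabled.
    'date=2022-08-24 time=10:15:03 devname="fgt-lab" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" srcip=192.0.2.8 dstip=10.0.0.5 action="blocked"',
]

# key=value, where the value is either "quoted" (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_line(line: str) -> dict:
    """Parse one key=value syslog line into a dict with quotes stripped."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def has_country_fields(event: dict) -> bool:
    """True when both geolocation fields made it into the message."""
    return "srccountry" in event and "dstcountry" in event


def country_report(lines, country="Russian Federation") -> dict:
    """Count UTM events with `country` as source (incoming) or destination
    (outgoing); events lacking the fields are counted separately so the
    gap is visible instead of silently undercounting."""
    report = Counter()
    for line in lines:
        ev = parse_fortigate_line(line)
        if ev.get("type") != "utm":
            continue
        if not has_country_fields(ev):
            report["unclassified_missing_fields"] += 1
            continue
        if ev["srccountry"] == country:
            report["incoming"] += 1
        if ev["dstcountry"] == country:
            report["outgoing"] += 1
    return dict(report)


if __name__ == "__main__":
    print(country_report(SAMPLE_LOGS))
```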

juanc (Author)
Explorer
August 25, 2022

Hello, thank you very much for taking the time to answer my question.

Yes, the SIEM has a command called iplocation that allows this data to be retrieved, but in this specific case I need it to arrive in the log from the source.