FortiAnalyzer
RuiChang (Staff)
Description

This article explains which CEF (Common Event Format) version FortiAnalyzer uses when forwarding logs.

Scope

FortiManager / FortiAnalyzer.
Solution

By default, when FortiAnalyzer is configured to forward logs in Common Event Format (CEF), it forwards them as CEF version 0 (CEF:0). The version 0 format is shown below:

"MMM dd HH:mm:ss" "hostname of the fortigate" CEF:0|Fortinet|Fortigate|version|logid|type:subtype +[eventtype] +[action] +[status]|reversed level|...


Sample log:


Dec 08 17:00:55 Alza-kvm41 CEF:0|Fortinet|FortiGate-VM64|6.4.8,build1914 (GA)|0201009238|virus utm monitored|5|start=Dec 08 2022 17:00:55 logver=604081914 deviceExternalId=FGVM01000010XXXX dvchost=Alza-kvm41 ad.vd=root ad.eventtime=1670490056812274807 ad.tz=+0800 ad.logid=0201009238 cat=utm ad.subtype=virus ad.eventtype=analytics deviceSeverity=notice src=1.1.1.1 dst=2.2.2.2 spt=23456 dpt=80 act=monitored app=http fname=test-fsa.exe ad.fsaverdict=malicious ad.analyticscksum=47fd6cadce503e53ad2c543eb728ae2d017277afb3db6b16954e49ac1cf4cc20 ad.dtype=fortisandbox tz="+0800"...
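To show how a SIEM or collector would consume a line in this format, here is a small parser, added to this article and not part of Fortinet's own code. It splits the syslog prefix ("MMM dd HH:mm:ss" and hostname), the seven pipe-delimited CEF header fields (honouring the backslash escapes for "|" and "\" that the CEF specification allows in the header), and the key=value extensions (where values may contain spaces, and "\=" is an escaped "=", not the start of a new key). The sample line is the article's own log, trimmed and embedded as a constructed constant; the "ad."-prefixed keys are treated as plain strings, and the FortiSandbox verdict check at the end is an example triage rule, not a Fortinet feature.

```python
import re

# Constructed sample: the FortiAnalyzer CEF:0 record shown in the article, trimmed.
# It is embedded here for an offline run, not captured live from a device.
SAMPLE = (
    "Dec 08 17:00:55 Alza-kvm41 CEF:0|Fortinet|FortiGate-VM64|6.4.8,build1914 (GA)|"
    "0201009238|virus utm monitored|5|start=Dec 08 2022 17:00:55 logver=604081914 "
    "deviceExternalId=FGVM01000010XXXX dvchost=Alza-kvm41 ad.vd=root cat=utm "
    "ad.subtype=virus deviceSeverity=notice src=1.1.1.1 dst=2.2.2.2 spt=23456 dpt=80 "
    "act=monitored app=http fname=test-fsa.exe ad.fsaverdict=malicious "
    "ad.analyticscksum=47fd6cadce503e53ad2c543eb728ae2d017277afb3db6b16954e49ac1cf4cc20 "
    "ad.dtype=fortisandbox tz=\"+0800\""
)

# Syslog prefix FortiAnalyzer puts in front of the CEF record: "MMM dd HH:mm:ss host".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<cef>CEF:\d+\|.*)$"
)
HEADER_NAMES = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
# Extension pairs are space separated, but values may contain spaces. A new pair
# starts only where a space is followed by "key="; an escaped "\=" never matches.
EXT_SPLIT_RE = re.compile(r" (?=[\w.]+=)")
EXT_ESCAPES = {"=": "=", "\\": "\\", "r": "\r", "n": "\n"}


def split_header(cef_body):
    """Split the 7 pipe-delimited header fields, honouring the '\\|' and '\\\\'
    escapes CEF allows in the header. Returns (fields, extension_string)."""
    fields, cur, i = [], [], 0
    while i < len(cef_body) and len(fields) < len(HEADER_NAMES):
        ch = cef_body[i]
        if ch == "\\" and i + 1 < len(cef_body) and cef_body[i + 1] in "|\\":
            cur.append(cef_body[i + 1])   # escaped pipe or backslash
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != len(HEADER_NAMES):
        raise ValueError("CEF header does not have 7 pipe-delimited fields")
    return fields, cef_body[i:]


def unescape_ext(value):
    """Undo the escapes CEF allows in extension values (\\=, \\\\, \\r, \\n)."""
    return re.sub(r"\\([=\\rn])", lambda m: EXT_ESCAPES[m.group(1)], value)


def parse_extension(ext):
    """Turn 'k1=v1 k2=v with spaces k3=v3' into a dict."""
    pairs = {}
    for chunk in EXT_SPLIT_RE.split(ext.strip()):
        if chunk:
            key, _, value = chunk.partition("=")
            pairs[key] = unescape_ext(value)
    return pairs


def parse_cef(line):
    """Parse one FortiAnalyzer-forwarded CEF line into a dict."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("line does not carry the expected syslog prefix + CEF record")
    fields, ext = split_header(m.group("cef"))
    rec = dict(zip(HEADER_NAMES, fields))
    rec["syslog_time"] = m.group("ts")
    rec["syslog_host"] = m.group("host")
    rec["cef_version"] = int(rec["cef_version"].split(":", 1)[1])  # "CEF:0" -> 0
    rec["severity"] = int(rec["severity"]) if rec["severity"].isdigit() else rec["severity"]
    rec["extensions"] = parse_extension(ext)
    return rec


def fortisandbox_malicious(rec):
    """Example triage rule (hypothetical): a UTM record whose FortiSandbox verdict is malicious."""
    ext = rec["extensions"]
    return ext.get("cat") == "utm" and ext.get("ad.fsaverdict") == "malicious"


if __name__ == "__main__":
    parsed = parse_cef(SAMPLE)
    print(parsed["vendor"], parsed["product"], parsed["name"], "severity", parsed["severity"])
    print("malicious verdict:", fortisandbox_malicious(parsed))
    print("sample checksum:", parsed["extensions"]["ad.analyticscksum"])
```

Because header fields are positional, a collector that keys on "CEF:0" in the first field can reject or route records of a different CEF version before touching the extensions; the escape handling matters because a product name or version string containing "|" would otherwise shift every later header field by one.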


Configuration Example:


CLI:


# config system log-forward
    edit 1
        set mode forwarding
        set fwd-max-delay realtime
        set server-name "log_server"
        set server-addr "10.219.2.63"
        set fwd-server-type cef
        set fwd-reliable enable
        set signature 902148044239999678
    next
end


GUI:

[Screenshot of the corresponding Log Forwarding settings in the FortiAnalyzer GUI; image not reproduced.]