Help
FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
RuiChang
Staff
Staff

Created on ‎12-08-2022 01:19 AM Edited on ‎08-20-2024 12:03 AM By Moderator

Article Id 239189

Technical Tip: FortiAnalyzer log forwarding CEF version

Description

This article explains the CEF (Common Event Format) version in log forwarding by FortiAnalyzer.
Scope FortiAnalyzer.
Solution

By default, FortiAnalyzer forwards log in CEF version 0 (CEF:0) when configured to forward log in Common Event Format (CEF) type. It is forwarded in version 0 format as shown below:

 

"MMM dd HH:mm:ss" "hostname of the fortigate" CEF:0|Fortinet|Fortigate|version|logid|type:subtype +[eventtype] +[action] +[status]|reversed level|...

 

Sample log:

 

Dec 08 17:00:55 Alza-kvm41 CEF:0|Fortinet|FortiGate-VM64|6.4.8,build1914 (GA)|0201009238|virus utm monitored|5|start=Dec 08 2022 17:00:55 logver=604081914 deviceExternalId=FGVM01000010XXXX dvchost=Alza-kvm41 ad.vd=root ad.eventtime=1670490056812274807 ad.tz=+0800 ad.logid=0201009238 cat=utm ad.subtype=virus ad.eventtype=analytics deviceSeverity=notice src=1.1.1.1 dst=2.2.2.2 spt=23456 dpt=80 act=monitored app=http fname=test-fsa.exe ad.fsaverdict=malicious ad.analyticscksum=47fd6cadce503e53ad2c543eb728ae2d017277afb3db6b16954e49ac1cf4cc20 ad.dtype=fortisandbox tz="+0800"...

 

Configuration Example:

 

CLI:

 

config system log-forward
    edit 1
        set mode forwarding
        set fwd-max-delay realtime
        set server-name "log_server"
        set server-addr "10.219.2.63"
        set fwd-server-type cef
        set fwd-reliable enable
        set signature 902148044239999678

    next
end

 

GUI:

 

RuiChang_0-1670490509535.png
3098
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.