Description
This article explains the CEF (Common Event Format) version used by FortiAnalyzer when forwarding logs.
Scope: FortiAnalyzer.
Solution
By default, FortiAnalyzer forwards logs as CEF version 0 (CEF:0) when configured to forward logs in Common Event Format (CEF). The version 0 format is laid out as shown below:
"MMM dd HH:mm:ss" "hostname of the fortigate" CEF:0|Fortinet|Fortigate|version|logid|type:subtype +[eventtype] +[action] +[status]|reversed level|...
Sample log:
Dec 08 17:00:55 Alza-kvm41 CEF:0|Fortinet|FortiGate-VM64|6.4.8,build1914 (GA)|0201009238|virus utm monitored|5|start=Dec 08 2022 17:00:55 logver=604081914 deviceExternalId=FGVM01000010XXXX dvchost=Alza-kvm41 ad.vd=root ad.eventtime=1670490056812274807 ad.tz=+0800 ad.logid=0201009238 cat=utm ad.subtype=virus ad.eventtype=analytics deviceSeverity=notice src=1.1.1.1 dst=2.2.2.2 spt=23456 dpt=80 act=monitored app=http fname=test-fsa.exe ad.fsaverdict=malicious ad.analyticscksum=47fd6cadce503e53ad2c543eb728ae2d017277afb3db6b16954e49ac1cf4cc20 ad.dtype=fortisandbox tz="+0800"...
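To show how a collector consumes such a line, here is an added parsing example (not code from the article or from Fortinet). It splits the syslog prefix, the seven pipe-delimited CEF:0 header fields and the key=value extension, honouring CEF's backslash escaping of pipes in the header; the input is a trimmed copy of the sample log above, constructed for this example.

```python
import re

# Constructed sample: the FortiAnalyzer CEF:0 line from the article, trimmed to
# a representative subset of its extension fields.
SAMPLE = ('Dec 08 17:00:55 Alza-kvm41 CEF:0|Fortinet|FortiGate-VM64|6.4.8,build1914 (GA)|'
          '0201009238|virus utm monitored|5|start=Dec 08 2022 17:00:55 logver=604081914 '
          'deviceExternalId=FGVM01000010XXXX dvchost=Alza-kvm41 ad.vd=root cat=utm '
          'ad.subtype=virus deviceSeverity=notice src=1.1.1.1 dst=2.2.2.2 spt=23456 dpt=80 '
          'act=monitored app=http fname=test-fsa.exe ad.fsaverdict=malicious tz="+0800"')

HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity")
# A new extension key starts at a space followed by "key="; values may contain
# spaces (e.g. start=Dec 08 2022 17:00:55), so keys, not spaces, delimit values.
_KEY_RE = re.compile(r'(?:^|\s)([A-Za-z0-9_.]+)=')

def split_header(text: str) -> list[str]:
    """Split the CEF header on pipes not escaped with a backslash; field 8 is the extension."""
    parts, cur, i = [], [], 0
    while i < len(text):
        c = text[i]
        if c == '\\' and i + 1 < len(text) and text[i + 1] in '|\\':
            cur.append(text[i + 1]); i += 2; continue      # escaped pipe/backslash
        if c == '|':
            parts.append(''.join(cur)); cur = []
            if len(parts) == 7:                              # rest is the extension
                return parts + [text[i + 1:]]
        else:
            cur.append(c)
        i += 1
    parts.append(''.join(cur))
    return parts

def parse_extension(ext: str) -> dict[str, str]:
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        val = ext[m.end():end].strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':      # tz="+0800" style values
            val = val[1:-1]
        out[m.group(1)] = val.replace('\\=', '=').replace('\\\\', '\\')
    return out

def parse_cef(line: str) -> dict:
    pos = line.find('CEF:')                                  # syslog prefix precedes CEF:0
    if pos < 0:
        raise ValueError('not a CEF line')
    fields = split_header(line[pos:])
    if len(fields) != 8:
        raise ValueError('malformed CEF header')
    rec = dict(zip(HEADER_FIELDS, fields[:7]))
    rec['cef_version'] = rec['cef_version'].removeprefix('CEF:')
    rec['syslog_prefix'] = line[:pos].strip()
    rec['extension'] = parse_extension(fields[7])
    return rec
```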
Configuration Example:
CLI:
config system log-forward
next
GUI:
Log forwarding settings debug: run the following CLI diagnose commands while configuring log forwarding; they help collect connection and service errors:
diagnose debug application logfwd 255
diagnose debug enable