FortiAnalyzer
heng, Staff
Article Id 393159

Description

This article discusses the log fields and the log message format that FortiGate sends to FortiAnalyzer for logging purposes.

Scope

FortiGate and FortiAnalyzer.

Solution

The log messages that FortiAnalyzer receives from FortiGate carry the same log fields and the same log content as the originals on FortiGate.

The following log messages, collected from both devices for the same event, yield the same information. The copies in FortiAnalyzer may carry extra log fields and content because of FortiAnalyzer's log field enrichment. The comparison between FortiGate and FortiAnalyzer below uses a System Event log (a failed administrator login) as the example.


Log Message from FortiGate:


date=2025-05-23 time=01:47:30 eventtime=1747936050339390425 tz="+0800" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin2" ui="https(10.253.0.1)" method="https" srcip=10.253.0.1 dstip=192.168.33.212 action="login" status="failed" reason="name_invalid" msg="Administrator admin2 login failed from https(10.253.0.1) because of invalid user name"


Log Message from FortiAnalyzer (Raw Log):


logver=0706033510 idseq=19424059657814016 itime=2025-05-23 01:47:30 devid=FGVMELTM99999999 vd=root date=2025-05-23 time=01:47:30 eventtime=1747936050339390425 tz=+0800 logid=0100032002 type=event subtype=system level=alert logdesc=Admin login failed sn=0 user=admin2 ui=https(10.253.0.1) method=https srcip=10.253.0.1 dstip=192.168.33.212 action=login status=failed reason=name_invalid msg=Administrator admin2 login failed from https(10.253.0.1) because of invalid user name dtime=2025-05-23 01:47:30 itime_t=1747936050 devname=fgt01 offset_idx=0


Log Message from FortiAnalyzer (Analytic Log):


date=2025-05-23 time=01:47:30 id=7507328170266198016 itime=2025-05-23 01:47:30 euid=3 epid=3 dsteuid=3 dstepid=3 logver=706033510 logid=0100032002 type=event subtype=system level=alert srcip=10.253.0.1 dstip=192.168.33.212 action=login msg=Administrator admin2 login failed from https(10.253.0.1) because of invalid user name logdesc=Admin login failed sn=0 user=admin2 ui=https(10.253.0.1) status=failed reason=name_invalid method=https eventtime=1747936050339390425 tz=+0800 devid=FGVMELTM99999999 vd=root csf=fabricHeng dtime=2025-05-23 01:47:30 itime_t=1747936050 devname=fgt01
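The three messages above differ only in quoting and in the fields FortiAnalyzer adds. The following added example (not Fortinet code) parses both formats, lists the enrichment fields, confirms that every shared field carries the same value, and cross-checks date/time/tz against eventtime (epoch nanoseconds) and the FortiAnalyzer receive time itime_t (epoch seconds). The sample lines are the ones shown in this article; the function names are the example's own.

```python
import re
from datetime import datetime

# FortiGate sends quoted values; the FortiAnalyzer raw/analytic views show bare
# values that may contain spaces, so a bare value runs until the next " key=".
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|.*?)(?=\s+\w+=|$)')

# Sample lines copied from this article (FortiGate, FAZ raw, FAZ analytic).
FGT = 'date=2025-05-23 time=01:47:30 eventtime=1747936050339390425 tz="+0800" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin2" ui="https(10.253.0.1)" method="https" srcip=10.253.0.1 dstip=192.168.33.212 action="login" status="failed" reason="name_invalid" msg="Administrator admin2 login failed from https(10.253.0.1) because of invalid user name"'
FAZ_RAW = 'logver=0706033510 idseq=19424059657814016 itime=2025-05-23 01:47:30 devid=FGVMELTM99999999 vd=root date=2025-05-23 time=01:47:30 eventtime=1747936050339390425 tz=+0800 logid=0100032002 type=event subtype=system level=alert logdesc=Admin login failed sn=0 user=admin2 ui=https(10.253.0.1) method=https srcip=10.253.0.1 dstip=192.168.33.212 action=login status=failed reason=name_invalid msg=Administrator admin2 login failed from https(10.253.0.1) because of invalid user name dtime=2025-05-23 01:47:30 itime_t=1747936050 devname=fgt01 offset_idx=0'
FAZ_ANALYTIC = 'date=2025-05-23 time=01:47:30 id=7507328170266198016 itime=2025-05-23 01:47:30 euid=3 epid=3 dsteuid=3 dstepid=3 logver=706033510 logid=0100032002 type=event subtype=system level=alert srcip=10.253.0.1 dstip=192.168.33.212 action=login msg=Administrator admin2 login failed from https(10.253.0.1) because of invalid user name logdesc=Admin login failed sn=0 user=admin2 ui=https(10.253.0.1) status=failed reason=name_invalid method=https eventtime=1747936050339390425 tz=+0800 devid=FGVMELTM99999999 vd=root csf=fabricHeng dtime=2025-05-23 01:47:30 itime_t=1747936050 devname=fgt01'


def parse_fortilog(line: str) -> dict:
    """Tokenize one log line into an ordered field -> value dict, unquoting values."""
    fields = {}
    for m in _KV.finditer(line.strip()):
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def enrichment_fields(fgt_line: str, faz_line: str) -> list:
    """Fields present in the FortiAnalyzer copy that FortiGate did not send."""
    fgt, faz = parse_fortilog(fgt_line), parse_fortilog(faz_line)
    return sorted(k for k in faz if k not in fgt)


def mismatched_fields(fgt_line: str, faz_line: str) -> list:
    """Shared fields whose values differ between the two copies (expected: none)."""
    fgt, faz = parse_fortilog(fgt_line), parse_fortilog(faz_line)
    return sorted(k for k in fgt if k in faz and fgt[k] != faz[k])


def timestamp_check(line: str) -> dict:
    """Compare the local date/time/tz with eventtime and, if present, itime_t."""
    f = parse_fortilog(line)
    local = datetime.strptime(f"{f['date']} {f['time']} {f['tz']}", "%Y-%m-%d %H:%M:%S %z")
    logged = int(local.timestamp())
    result = {"logged": logged, "eventtime_s": int(f["eventtime"]) // 10**9}
    if "itime_t" in f:  # FortiAnalyzer receive time; 0 here because it was received at once
        result["faz_delay_s"] = int(f["itime_t"]) - logged
    return result
```

A non-empty mismatched_fields() result or a negative faz_delay_s on real data is worth investigating, since it points to clock skew or altered log content between the devices.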