kwcheng__FTNT
Article Id 391783
Description This article describes the typical circumstances behind the 'Entry Addition' event.
Scope FortiAuthenticator.
Solution

Event ID 10001 refers to a log entry addition event that was performed through the Graphical User Interface (GUI). This indicates that an admin-privileged user manually created or submitted a log entry using the system’s frontend interface, rather than via automated scripts or backend processes. This log does not capture any subsequent actions such as editing or removing entries. It serves as a record of user-initiated "add" actions for auditing and traceability.

 

Sample system event messages look like the following:

  1. Added Remote LDAP User:

date=2025-04-14 time=20:13:33+0000 oid=8888 logid=10001 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Add" status="" msg="Added Remote LDAP User: test" user="admin"

  2. Added LDAP Server:

date=2025-04-14 time=20:13:33+0000 oid=8888 logid=10001 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Add" status="" msg="Added LDAP Server: test-LDAP (fortinet.net)" user="admin"

  3. Added Remote SAML User:

date=2025-04-14 time=20:13:33+0000 oid=8888 logid=10001 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Add" status="" msg="Added Remote SAML User: no-reply@fortinet.net" user="admin"

  4. Added SAML IdP Active Session:

date=2025-04-14 time=20:13:33+0000 oid=8888 logid=10001 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Add" status="" msg="Added SAML IdP Active Session: no-reply@fortinet.net" user=""

  5. Added Guest User:

date=2025-04-14 time=20:13:33+0000 oid=8888 logid=10001 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Add" status="" msg="Added Guest User: testtest" user="admin"

  6. Added Certificate Enrollment Request:

date=2025-04-14 time=20:13:33+0000 oid=8888 logid=10001 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Add" status="" msg="Added Certificate Enrollment Request: C=DE, CN=fortinet" user=""

  7. Added User Certificate:

date=2025-04-14 time=20:13:33+0000 oid=8888 logid=10001 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Add" status="" msg="Added User Certificate: User_Cert_32 [C=DE, CN=userpki]" user=""

  8. Added Local User Profile:

date=2025-04-14 time=20:13:33+0000 oid=8888 logid=10001 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Add" status="" msg="Added Local User Profile: testprofile" user=""

  9. Added Local User:

date=2025-04-14 time=20:13:33+0000 oid=8888 logid=10001 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Add" status="" msg="Added Local User: test" user=""

  10. Added User RADIUS Attribute:

date=2025-04-14 time=20:13:33+0000 oid=8888 logid=10001 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Add" status="" msg="Added User RADIUS Attribute: Fortinet-Group-Name (SSLVPNGroup)" user="admin"

  11. Added FortiToken:

date=2025-04-14 time=20:13:33+0000 oid=8888 logid=10001 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Add" status="" msg="Added FortiToken: FTK200XXXXXXXXXX" user="admin"

  12. Added Static Route:

date=2025-04-14 time=20:13:33+0000 oid=8888 logid=10001 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Add" status="" msg="Added Static Route: 192.168.1.0/24 via 10.10.10.1 (port2)" user="admin"

  13. Added High Availability (HA) Setting:

date=2025-04-14 time=20:13:33+0000 oid=8888 logid=10001 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Add" status="" msg="Added Setting: ha_monitor_ifaces" user="admin"

  14. Added Remote TACACS+ User:

date=2025-04-14 time=20:13:33+0000 oid=8888 logid=10001 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Add" status="" msg="Added Remote TACACS+ User: test" user="admin"

  15. Added User Widget:

date=2025-04-14 time=20:13:33+0000 oid=8888 logid=10001 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Add" status="" msg="Added User Widget: 'User Inventory' widget for user 'test'" user="admin"

 

Many other events exist, and they all share the same event ID, 10001. They can be viewed under Log Access -> Logs by filtering on '10001'.
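For audit review outside the GUI, the following Python is an added example (not part of the original article and not Fortinet code) that parses exported lines in the key=value layout shown above, keeps only logid 10001 "Add" events, and groups them by the recorded user, including entries where the user field is empty. The function names, the NO_USER label and the third sample line are assumptions made for this example.

```python
import re
from collections import defaultdict

# key=value pairs; a value is either double-quoted or a bare token.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
# msg layout used by the article's samples: "Added <object type>: <detail>"
_MSG = re.compile(r"^Added (?P<kind>[^:]+): (?P<detail>.*)$")
NO_USER = "<no user recorded>"  # label chosen for this example

# Two lines copied from the article, plus one constructed line that must be skipped.
SAMPLE = [
    'date=2025-04-14 time=20:13:33+0000 oid=8888 logid=10001 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Add" status="" msg="Added FortiToken: FTK200XXXXXXXXXX" user="admin"',
    'date=2025-04-14 time=20:13:33+0000 oid=8888 logid=10001 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Add" status="" msg="Added User Certificate: User_Cert_32 [C=DE, CN=userpki]" user=""',
    # constructed: logid and msg are placeholders, not real FortiAuthenticator values
    'date=2025-04-14 time=20:13:34+0000 oid=8888 logid=00000 cat="Event" level="information" action="" msg="constructed unrelated event" user="admin"',
]

def parse_line(line):
    """Split one log line into a dict of its key=value fields."""
    # Quoted values are consumed whole, so "C=DE, CN=..." inside msg is not re-split.
    return {key: quoted or bare for key, quoted, bare in _FIELD.findall(line)}

def summarize_additions(lines):
    """Group logid 10001 'Add' events by the user field of each line."""
    by_actor = defaultdict(list)
    for line in lines:
        fields = parse_line(line)
        if fields.get("logid") != "10001" or fields.get("action") != "Add":
            continue
        match = _MSG.match(fields.get("msg", ""))
        if match is None:
            continue  # msg does not follow the "Added <type>: <detail>" layout
        actor = fields.get("user") or NO_USER
        stamp = f'{fields.get("date", "")} {fields.get("time", "")}'
        by_actor[actor].append((stamp, match["kind"], match["detail"]))
    return dict(by_actor)

if __name__ == "__main__":
    for actor, events in summarize_additions(SAMPLE).items():
        print(actor)
        for stamp, kind, detail in events:
            print(f"  {stamp}  {kind}: {detail}")
```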