FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
kwcheng__FTNT
Article Id 394801
Description: This article describes the typical circumstances behind the 'Entry Deletion'.
Scope: FortiAuthenticator.
Solution

Event ID 10003 refers to a log deletion event that was performed through the Graphical User Interface (GUI). This indicates that an admin-privileged user manually deleted a log entry using the system’s frontend interface, rather than via automated scripts or backend processes. This log does not capture any subsequent actions such as adding or editing entries. It serves as a record of user-initiated 'delete' actions for auditing and traceability.

 

Sample system event messages look like the following:

  1. Deleting Web service access:

date=2025-06-04 time=20:13:33+0000 oid=8888 logid=10003 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Delete" status="" msg="Deleted Web Service Access: test" user="admin"

  2. Deleting Remote SAML user:

date=2025-06-04 time=20:13:33+0000 oid=8888 logid=10003 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Delete" status="" msg="Deleted Remote SAML User: test@fortinet.net" user="admin"

  3. Deleting SAML IDP active session:

date=2025-06-04 time=20:13:33+0000 oid=8888 logid=10003 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Delete" status="" msg="Deleted SAML IdP Active Session: test" user=""

  4. Deleting Remote LDAP user:

date=2025-06-04 time=20:13:33+0000 oid=8888 logid=10003 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Delete" status="" msg="Deleted Remote LDAP User: test" user=""

  5. Deleting FortiToken:

date=2025-06-04 time=20:13:33+0000 oid=8888 logid=10003 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Delete" status="" msg="Deleted FortiToken: FTKXXXXXXXXXXXXX" user="admin"

  6. Deleting disabled user accounts:

date=2025-06-04 time=20:13:33+0000 oid=8888 logid=10003 cat="Event" subcat="Admin Configuration" level="information" nas="" action="" status="" msg="Purging user accounts that are disabled due to the following reasons: account expired" user=""

date=2025-06-04 time=20:13:33+0000 oid=8888 logid=10003 cat="Event" subcat="Admin Configuration" level="information" nas="" action="" status="" msg="Purging user accounts that are disabled due to the following reasons: manually disabled, account expired" user="test"

  7. Deleting user widget:

date=2025-06-04 time=20:13:33+0000 oid=8888 logid=10003 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Delete" status="" msg="Deleted User Widget: 'System Information' widget for user 'test'" user="admin"

  8. Deleting Local user:

date=2025-06-04 time=20:13:33+0000 oid=8888 logid=10003 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Delete" status="" msg="Deleted Local User: test" user="admin"

  9. Deleting Local user profile:

date=2025-06-04 time=20:13:33+0000 oid=8888 logid=10003 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Delete" status="" msg="Deleted Local User Profile: fortinet" user="admin"

  10. Deleting static route:

date=2025-06-04 time=20:13:33+0000 oid=8888 logid=10003 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Delete" status="" msg="Deleted Static Route: 0.0.0.0 via 192.168.1.254 (port1)" user="admin"

There are many other events of this kind, and they all share the same event ID, 10003. They can be viewed under Log Access -> Logs by filtering on '10003'.
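For audit review outside the GUI, the following added example (not Fortinet's code) parses exported log lines in the key=value format shown above, tallies logid=10003 events by the object type named in msg, and lists the events whose user field is empty. The sample input is copied from this article; the function names are illustrative, and treating "Purging ..." messages as kind "other" is an assumption of the example.

```python
import re
from collections import Counter

# Sample lines copied from this article (not live data).
SAMPLE_LOG = """\
date=2025-06-04 time=20:13:33+0000 oid=8888 logid=10003 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Delete" status="" msg="Deleted Web Service Access: test" user="admin"
date=2025-06-04 time=20:13:33+0000 oid=8888 logid=10003 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Delete" status="" msg="Deleted SAML IdP Active Session: test" user=""
date=2025-06-04 time=20:13:33+0000 oid=8888 logid=10003 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Delete" status="" msg="Deleted FortiToken: FTKXXXXXXXXXXXXX" user="admin"
date=2025-06-04 time=20:13:33+0000 oid=8888 logid=10003 cat="Event" subcat="Admin Configuration" level="information" nas="" action="" status="" msg="Purging user accounts that are disabled due to the following reasons: account expired" user=""
date=2025-06-04 time=20:13:33+0000 oid=8888 logid=10003 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Delete" status="" msg="Deleted Static Route: 0.0.0.0 via 192.168.1.254 (port1)" user="admin"
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
MSG_RE = re.compile(r"Deleted (?P<kind>[^:]+): (?P<target>.*)")


def parse_line(line):
    """Return the fields of one log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def classify(line):
    """Describe one logid=10003 line, or return None for any other line."""
    rec = parse_line(line)
    if rec.get("logid") != "10003":
        return None
    m = MSG_RE.fullmatch(rec.get("msg", ""))
    return {
        "when": f"{rec.get('date')} {rec.get('time')}",
        "kind": m["kind"] if m else "other",  # e.g. the "Purging ..." messages
        "target": m["target"] if m else rec.get("msg", ""),
        "actor": rec.get("user", ""),
    }


def summarize(text):
    """Count events per object kind and list those with no user recorded."""
    events = [e for e in map(classify, text.splitlines()) if e]
    by_kind = Counter(e["kind"] for e in events)
    no_actor = [e for e in events if not e["actor"]]
    return by_kind, no_actor


if __name__ == "__main__":
    by_kind, no_actor = summarize(SAMPLE_LOG)
    print(dict(by_kind))
    for e in no_actor:
        print(f"no user recorded: {e['when']} {e['kind']}: {e['target']}")
```

Events listed as having no user recorded cannot be attributed to an administrator from the log line alone and need correlation with other records.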