FortiGate
krajaa
Staff
Article Id 191334

Description

This article explains the meaning of the log ID (logid) field in FortiOS log messages.

Scope

FortiGate.

Solution

In the context of Fortinet's FortiGate firewall devices, the 'log ID' is a unique identifier attached to each kind of log message the device generates. Every log type (such as traffic, event, or security logs) and every specific incident within a type has its own log ID.

When logs are viewed on a FortiGate or FortiAnalyzer, each entry carries a log ID that identifies what kind of message it is. Administrators who are familiar with the common log IDs can use this field to recognize the nature of a message at a glance.

For example, one log ID pertains to a successful VPN connection, another to detected malware, another to a web filter block, and so on.

To look up the meaning of a particular log ID, refer to Fortinet's documentation or knowledge base. They describe what each log ID represents, what it might indicate, and sometimes how to respond to or troubleshoot issues related to that log entry.

In practice, when troubleshooting an issue or monitoring specific events, knowing the associated log ID makes it easy to filter out unwanted log messages and focus only on the relevant entries.

The log type IDs and subtype IDs are defined as follows.

The log ID (logid) is a 10-digit field made up of three parts that describe the log entry:

  • First 2 digits: Log Type.

  • Second 2 digits: Sub Type or Event Type.
    Link to Log Type and Sub Type or Event Type: Log ID numbers.

  • The last 6 digits: Message ID.
    Link to Message IDs: Log Messages.

Example of a traffic log message:

date=2017-11-15 time=11:44:16 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1510775056 srcip=10.1.100.155 srcname="pc1" srcport=40772 srcintf="port12" srcintfrole="undefined" dstip=35.197.51.42 dstname="fortiguard.com" dstport=443 dstintf="port11" dstintfrole="undefined" poluuid="707a0d88-c972-51e7-bbc7-4d421660557b" sessionid=8058 proto=6 action="close" policyid=1 policytype="policy" policymode="learn" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=40772 appid=40568 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" duration=2 sentbyte=1850 rcvdbyte=39898 sentpkt=25 rcvdpkt=37 utmaction="allow" countapp=1 devtype="Linux PC" osname="Linux" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=0-220586

This example shows logid='0000000013', which breaks down as:

  • First 2 digits: "00" => 'traffic' log type.

  • Second 2 digits: "00" => 'forward' subtype.

  • The last 6 digits: "000013" => 'Forward traffic' message ID (13 - LOG_ID_TRAFFIC_END_FORWARD).
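As an added example (not part of the original article or of Fortinet's own tooling), the following Python parses a FortiOS key=value log line and splits its logid into the three parts described above. The lookup tables contain only the decodings the article states and are placeholders to be extended from the Log ID numbers and Log Messages references; the sample line is a constructed, shortened copy of the traffic log above.

```python
import re
from typing import Dict, Optional

# Tokenizer for the FortiOS key=value format shown above: a value is either a
# bare token (srcip=10.1.100.155) or a double-quoted string that may contain
# spaces (dstcountry="United States"). Quoted form is tried first on purpose.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Decodings limited to what the article states; anything else is reported as
# "unknown" rather than guessed. Extend from the Log ID / Log Messages docs.
LOG_TYPES = {"00": "traffic"}
SUBTYPES = {("00", "00"): "forward"}
MESSAGES = {"0000000013": "Forward traffic (LOG_ID_TRAFFIC_END_FORWARD)"}


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Return the key=value fields of one log line with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def decode_logid(logid: str) -> Optional[Dict[str, str]]:
    """Split a logid into type (2) / subtype (2) / message ID (6) digits.

    Returns None unless the field is exactly 10 digits, so a filter built on
    the decoded parts never silently mis-classifies a malformed entry.
    """
    if not re.fullmatch(r"\d{10}", logid):
        return None
    type_code, subtype_code, msg_id = logid[:2], logid[2:4], logid[4:]
    return {
        "type_code": type_code,
        "type": LOG_TYPES.get(type_code, "unknown"),
        "subtype_code": subtype_code,
        "subtype": SUBTYPES.get((type_code, subtype_code), "unknown"),
        "msgid": msg_id,
        "message": MESSAGES.get(logid, "unknown"),
    }


def decode_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line and decode its logid; None if missing or malformed."""
    return decode_logid(parse_fortios_log(line).get("logid", ""))


# Constructed sample: the article's traffic log, shortened to a few fields.
SAMPLE = ('date=2017-11-15 time=11:44:16 logid="0000000013" type="traffic" '
          'subtype="forward" level="notice" srcip=10.1.100.155 '
          'dstcountry="United States" devtype="Linux PC" action="close"')
```

Running decode_line(SAMPLE) yields type 'traffic', subtype 'forward' and message ID '000013', matching the breakdown above; a line whose logid is absent or not exactly 10 digits yields None instead of a guess.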

 

Related articles:
Technical Tip: Duplicate session logs are seen in the forward traffic logs for long live session pac...

Technical Tip: Notes on Traffic log generation and logging support for ongoing sessions