Fortinet Forum
LUQSON
New Contributor

Different log fields order

Hello, I found that there might be some differences in the log field order between different FortiOS implementations. For example (using a log from the doc: https://docs.fortinet.com/document/fortigate/6.2.3/fortios-log-message-reference/357866/log-message-...), if we have this log:

date=2017-11-15 time=11:44:16 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1510775056 srcip=10.1.100.155 srcname="pc1" srcport=40772 srcintf="port12" srcintfrole="undefined" dstip=35.197.51.42 dstname="fortiguard.com" dstport=443 dstintf="port11" dstintfrole="undefined" poluuid="707a0d88-c972-51e7-bbc7-4d421660557b" sessionid=8058 proto=6 action="close" policyid=1 policytype="policy" policymode="learn" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=40772 appid=40568 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" duration=2 sentbyte=1850 rcvdbyte=39898 sentpkt=25 rcvdpkt=37 utmaction="allow" countapp=1 devtype="Linux PC" osname="Linux" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=0-220586

some fields may change their order. In the example above you can see dstcountry before srccountry, but I have also seen implementations which sent logs with the srccountry field before dstcountry. Such reordering affects almost every field that may appear in the log, e.g. the field "service" might appear earlier or later in the log. Does anyone know what makes the order of the log fields change? The question is about parsing; a different order of log fields makes this type of task much more difficult.
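
One way to make the field order irrelevant to the parser, as an added example that is not part of the original post: split each line on `key=value` pairs (quoted values may contain spaces, as in `dstcountry="United States"` and `devtype="Linux PC"`), load them into a dict keyed by field name, and, if a fixed layout is required downstream, re-serialize from that dict in a canonical order. `LOG_A` is an excerpt of the doc line quoted in the post; `LOG_B` is a constructed copy of it with srccountry/dstcountry, service and action moved, which is the reordering the post describes. `CANONICAL_ORDER` is an arbitrary order chosen for this example, not anything FortiOS defines.

```python
import re
from typing import Dict, List

# Excerpt of the log line quoted in the post (doc order: dstcountry before srccountry).
LOG_A = (
    'date=2017-11-15 time=11:44:16 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="vdom1" srcip=10.1.100.155 srcport=40772 dstip=35.197.51.42 dstport=443 '
    'poluuid="707a0d88-c972-51e7-bbc7-4d421660557b" action="close" policyid=1 service="HTTPS" '
    'dstcountry="United States" srccountry="Reserved" devtype="Linux PC" '
    'srcmac="a2:e9:00:ec:40:01" utmref=0-220586'
)

# Constructed: the same fields and values, with several of them reordered.
LOG_B = (
    'date=2017-11-15 time=11:44:16 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="vdom1" srcip=10.1.100.155 srcport=40772 dstip=35.197.51.42 dstport=443 '
    'srccountry="Reserved" dstcountry="United States" poluuid="707a0d88-c972-51e7-bbc7-4d421660557b" '
    'service="HTTPS" action="close" policyid=1 devtype="Linux PC" '
    'srcmac="a2:e9:00:ec:40:01" utmref=0-220586'
)

# One key=value pair: the value is either a double-quoted string (which may contain
# spaces and backslash-escaped characters) or a bare token with no whitespace or quotes.
_PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]*)')

# Values that can be emitted without quotes in the canonical form.
_BARE_OK = re.compile(r'^[\w.:-]+$')

# Example ordering for the canonical form (assumed, not a FortiOS-defined order);
# any field not listed here is appended in alphabetical order.
CANONICAL_ORDER: List[str] = [
    "date", "time", "logid", "type", "subtype", "level", "vd",
    "srcip", "srcport", "dstip", "dstport", "srccountry", "dstcountry",
    "service", "action", "policyid",
]


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse a FortiOS key=value log line into a dict; field order is irrelevant."""
    fields: Dict[str, str] = {}
    for key, raw in _PAIR_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            # Strip the quotes and undo backslash escapes inside the value.
            fields[key] = re.sub(r'\\(.)', r'\1', raw[1:-1])
        else:
            fields[key] = raw
    return fields


def _quote(value: str) -> str:
    """Emit a value bare when safe, otherwise double-quoted with escapes."""
    if _BARE_OK.match(value):
        return value
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def canonicalize(line: str) -> str:
    """Re-serialize a log line with its fields in a fixed order."""
    fields = parse_fortios_log(line)
    order = [k for k in CANONICAL_ORDER if k in fields]
    order += sorted(k for k in fields if k not in CANONICAL_ORDER)
    return " ".join(f"{k}={_quote(fields[k])}" for k in order)


if __name__ == "__main__":
    # Different input order, identical parsed content and identical canonical line.
    print(parse_fortios_log(LOG_A) == parse_fortios_log(LOG_B))
    print(canonicalize(LOG_A) == canonicalize(LOG_B))
    print(canonicalize(LOG_A))
```

The parser never consults a field's position, so whatever the source FortiOS build emits, downstream code reads `fields["srccountry"]` by name; `canonicalize` is only needed if a later stage (a regex-based SIEM rule, say) still depends on positional layout.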

3 REPLIES
emnoc
Esteemed Contributor III

What OS version are you seeing the reordering in? (FortiOS version)

Ken Felix
PCNSE
NSE
StrongSwan

LUQSON
New Contributor

It was FortiAnalyzer-3000F v6.4.0 GA build2002,

but I was getting logs from different versions, and for different FortiOS versions field reordering was seen.

Is it somehow possible to make the field order universal/common?

emnoc
Esteemed Contributor III

I never heard of that, but you still haven't answered the question: what FortiOS versions? If you are running something older, then I would upgrade. I checked our FortiOS 6.4 and 7.0 and do not see any fields out of order, fwiw.

Ken Felix
PCNSE
NSE
StrongSwan