I am under Security Fabric > Automation > New > Add Trigger > +Create > FortiOS Event Log.
Here is a looooooooong list of events that I can send to my SOC, but I do not know what is smart to send to them. Any suggestions?
List of events:
802.1x authentication failed
802.1x authentication succeeded
A device upgrade failed
A device upgrade was completed
A federated upgrade could not be completed by the root FortiGate
A federated upgrade failed
A federated upgrade was cancelled due to the CSF tree not being ready
A federated upgrade was completed
A federated upgrade was completed by the root FortiGate
A step in a multi-step federated upgrade was completed
Action performed
Add new entry to IPAM
Address allocated by FortiIPAM and applied to an interface
Address received from FortiIPAM could not be applied to the interface
Admin disconnected
Admin login disabled
Admin login failed
Admin login successful
Admin logout successful
Admin overrode VDOM
Admin password expired
Admin performed an action from GUI
Admin user set the current device as HA primary
Admin user unset the current device as HA primary
Alarm acknowledged
Alarm created
Alarm testing failure log for self-test
Alert email resent
Alert email send status failed
All FortiClient endpoint quarantines removed
AMC card entered bypass mode
AMC card exited bypass mode
An authorization request was added.
An authorization request was removed.
An authorization request was updated.
An error occurred in processing CIFS authentication
An error occurred in processing CIFS authentication.
Another DHCP server sent DHCP offer to wireless station
AntiVirus profile not found
AP as station failed in SAM authentication
AP as station failed in SAM CWP authentication
AP radio BSS color collision detected.
AP received partial login password
AP sent 1/2 message of group key handshake to wireless client
AP sent 1/4 message of 4 way handshake to wireless client
AP sent 3/4 message of 4 way handshake to wireless client
AP sent WNM action BSTM request
Application crashed
Association request from wireless station
Association response to wireless station
Attack Surface Security Rating Service license expiring
Attribute configured
Authentication error
Authentication failed
Authentication IPv4 logon flush
Authentication IPv6 logon flush
Authentication lockout
Authentication logon
Authentication logout
Authentication request from wireless station
Authentication response to wireless station
Authentication success
Authentication timed out
Auto IPsec status
Automatic firmware upgrade schedule changed
Automation stitch triggered
Autoscript backup result
Autoscript check status
Autoscript delete result
Autoscript start
Autoscript stop
Autoscript stop automatically
Autoscript stop due to limit reached
AV database updated by scanunit
AV package update by SCP failed
AV package update by SCP successful
AV updated by admin
AV, IPS, GeoIP, SRC-VIS, FortiFlow, URL White-list, Certificate databases updated
Batch mode command output backup via SCP successful
BGP neighbor status changed
Blade not ready to process traffic
Blade ready to process traffic
Bluetooth firmware check
Bluetooth firmware update
Bypass ports pair entered bypass mode
Bypass ports pair exited bypass mode
Captive-portal VAP disclaimer agreed
Captive-portal VAP disclaimer declined
Captive-portal VAP e-mail collect failed
Captive-portal VAP e-mail collect request sent
Captive-portal VAP e-mail collect success
CAPUTP session status
CAPUTP session status notification
CC entered error mode
Central Management connectivity is active
Central Management connectivity is inactive
Certificate error
Certificate exported
Certificate failed to auto-generate
Certificate failed to auto-update
Certificate loaded
Certificate pending to auto-generate
Certificate regenerated
Certificate removed
Certificate succeed to auto-generate
Certificate update failed
Certificate updated
Certificate will be auto-regenerated
Certificate will be auto-updated
Certificate will expire soon
Clear active sessions
Client associated
Client disassociated
Client supports 1X
Client supports 801.1X authentication
Client supports WPA authentication
CMDB lock deadlock is detected.
Command failed
Configuration changed
Configuration changed from LCD
Configuration changed information
Configuration changed via GUI
Configuration failed to restore
Configuration failed to restore warning
Configuration file name
Configuration list retrieval failed
Configuration manually saved
Configuration restored
Configuration restored by SCP
Configuration restored by USB
Configuration restored from management station
Configuration reverted due to timeout
Connected to SDN server
Connection with authorized Security Fabric member terminated.
Connection with Security Fabric member established and authorized.
CPU single core usage statistics
CPU usage statistics
Create PCP mapping
CRL certificate file is expired
CRL is expired
CRL update requested
CSF daemon files memory usage warning.
CSF root FSA configuration is not properly set
Daemon csfd has closed.
Daemon shutdown
Daemon started
DARRP optimization start
DARRP optimization stop
Database updated by admin
DDNS update failed
Deallocate IP pool PBA
Defect antenna detection
Delete broken symbolic link
Delete entry from IPAM
Delete PCP mapping
Device detection storage limit reached
Device in the Security Fabric was updated.
Device joined the Security Fabric.
Device left the Security Fabric.
Device rebooted
Device set as HA master information
Device set as HA primary
Device shutdown
Device vulnerability lookup on FortiGuard
Device's authorization privilege changed.
DHCP Ack log
DHCP client blocked log
DHCP client lease granted
DHCP DDNS add query
DHCP DDNS delete query
DHCP DDNS query completed
DHCP lease usage full
DHCP lease usage high
DHCP Release log
DHCP server sent DHCP ACK
DHCP server sent DHCP NAK
DHCP server sent DHCP OFFER
DHCP Starvation detected
DHCP statistics
DHCP6 server sent DHCP6 ADVERTISE
DHCP6 server sent DHCP6 RECONFIGURE
DHCP6 server sent DHCP6 REPLY
DHCPv6 Ack log
DHCPv6 Release log
Disable FortiSwitch Discovery
Disclaimer accepted
Disclaimer declined
Disconnected from SDN server
Disk full
Disk log access failed
Disk log directory deleted
Disk log file deleted
Disk log full over first warning
Disk log rolled
Disk log status changed
Disk logs backed up
Disk logs backed up to USB
Disk logs failed to back up
Disk logs failed to back up to USB
Disk logs upload started
Disk logs viewed successfully
Disk partitioning or formatting Error
Disk scan is needed
Disk unavailable
DLP archive full
DLP database space alarm
DLP fingerprint database failed to update by SCP
DLP fingerprint database update via SCP failed
Domain name of alert email sender unresolvable
DP channel RX drop detected.
DPDK early initialization failed.
DPP device addition
DPP device deletion
DPP device Max Limit Error
DPP device modify
DPP interface tags add
DPP interface tags delete
Duplicate license detected
Dynamic address added
Dynamic address can't be added
Dynamic address can't be removed
Dynamic address removed
Dynamic address updated.
Dynamic SDN address channel closed
Dynamic SDN address channel opened
ELBC channel active
ELBC channel failover
ELBC channel inactive
ELBC chassis active
ELBC chassis inactive
Email collecting failed
Email collecting succeeded
EMS Cloud entitlement lost and connection dropped
EMS entry could not be upgraded
EMS file-hash list is no longer truncated
EMS file-hash list is truncated
EMS file-hash list loaded
EMS REST API error
EMS REST API recovered from an error
EMS Tag dynamic firewall address cannot be removed
EMS WebSocket connection error
EMS WebSocket notification
Error output backup via SCP successful
ESPD connection initialized
ESPD connection reset
Explicit proxy authentication failed
Explicit proxy authentication no response
Explicit proxy authentication successful
Explicit proxy authentication timed out
Explicit proxy authentication user concurrent check failed
Explicit proxy authentication user limit reached
Explicit proxy user group query failed
Export port to pool
Export port to vdom
External blocklist list is no longer truncated
External blocklist list is truncated
Extreme low memory mode entered
Extreme low memory mode exited
Fabric ADVPN configuration synchronized from root.
Factory settings reset
Fake AP detected
Fake AP on air
Fan anomaly
Fan normal
FCEMS entry has been unverified
FCEMS entry has been verified
FCEMS entry has failed to be verified
FCEMS shared memory missing query statistics
FCNACD has suffered a critical error
FDS statistics sent
FGSP member joined
FGSP member left
File descriptor conserve mode entered
File descriptor conserve mode exited
File restore failed
Files dropped by quarantine daemon
Files dropped due to poor network connection
Filesystem Mount Violation
FIPS ALL CC self-tests initiated
FIPS CC decryption failed
FIPS CC encryption failed
FIPS CC entered error mode
FIPS CC error mode exited
FIPS CC self-test initiated
Firewall policy expired
Firewall policy expiring
Firmware image backed up successfully
Firmware image backup failed
Firmware image loaded incorrect
Firmware image with invalid RSA signature loaded
Firmware image without valid RSA signature loaded
Flag IPAM entry as conflict
Format disk requested
FortiAnalyzer Cloud license expiring
FortiAnalyzer Cloud premium license expiring
FortiAnalyzer connection down
FortiAnalyzer connection failed
FortiAnalyzer connection up
FortiAnalyzer is not configured for Security Fabric service
FortiAnalyzer log access failed
FortiAnalyzer logs viewed successfully
FortiAP applies the apcfg
FortiAP is validating the apcfg
FortiAP receives the apcfg
FortiAP rejects the apcfg
FortiClient compliance state changed
FortiClient configuration distributed
FortiClient connection added
FortiClient connection closed
FortiClient connection closed by type
FortiClient deregistered
FortiClient disconnected
FortiClient EMS Cloud license expiring
FortiClient endpoint quarantine removed
FortiClient endpoint quarantined
FortiClient license limit reached
FortiClient logged off
FortiClient not compliant
FortiClient not compliant debug message
FortiClient registered
FortiClient registration blocked
FortiClient registration failed
FortiClient registration failed due to blocked UID
FortiClient registration failed due to unsupported route
FortiClient registration failed due to version too low
FortiClient registration failed due to wrong registration key
FortiClient registration license upgraded
FortiClient registration renewed
FortiClient registration unblocked
FortiClient signatures details
FortiClient synchronization disabled
FortiClient synchronization failed
FortiClient unregistered
FortiClient VPN connected
FortiClient VPN disconnected
FortiClient Vulnerability Scan
FortiConverter ticket has a result file ready
FortiExtender controller activity
FortiExtender controller activity error
FortiExtender system activity
FortiGate Cloud activation failed
FortiGate Cloud activation successful
FortiGate Cloud auto-join attempted
FortiGate Cloud daily quota full
FortiGate Cloud license expiring
FortiGate Cloud logout
FortiGate Cloud server changed
FortiGate Cloud server connected
FortiGate Cloud server connection failed
FortiGate Cloud server disconnected
FortiGate database signature invalid
FortiGate database without signature installed
FortiGate Manual License is invalid
FortiGate Manual License update
FortiGate started
FortiGate update failed
FortiGate update succeeded
FortiGSLB Cloud Account Level license expiring
FortiGuard AI-Based Sandbox Service license expiring
FortiGuard antispam license expired
FortiGuard antispam license expiring
FortiGuard antivirus license expired
FortiGuard antivirus license expiring
FortiGuard authentication override failed
FortiGuard authentication override successful
FortiGuard Data leak server prevention license expiring
FortiGuard hostname unresolvable
FortiGuard IPS license expiring
FortiGuard management service license expiring
FortiGuard Message Service controller status
FortiGuard Message Service status
FortiGuard override failed
FortiGuard override successful
FortiGuard override table full
FortiGuard SD-WAN Overlay as a Service license expiring
FortiGuard service failed to restore
FortiGuard service restored
FortiGuard web filter category list updated
FortiGuard web filter license expired
FortiGuard web filter license expiring
FortiGuard webfilter reachable
FortiGuard webfilter unreachable
FortiIPAM indicated that the address was no longer allocated to the interface
FortiManager Cloud Account Level license expiring
FortiManager Cloud license expiring
FortiSandbox AV database updated
FortiSandbox Cloud Account Level license expiring
FortiSandbox Cloud license expiring
FortiSASE LAN Extension license expiring
FortiSASE Secure Private Access license expiring
FortiSwitch link
FortiSwitch MAC add
FortiSwitch MAC delete
FortiSwitch MAC move
FortiSwitch PoE
FortiSwitch router
FortiSwitch spanning Tree
FortiSwitch switch
FortiSwitch switch controller
FortiSwitch system
FortiToken activation failed
FortiToken activation requested
FortiToken activation successful
FortiToken mobile push message failed
FortiToken mobile push message succeeded
FortiToken re-synchronization failed
FortiToken re-synchronized
FortiToken synchronized
FPC down due to PSU action
FPC up due to PSU action
FSSO Active Directory server authentication status
FSSO authentication failed
FSSO authentication successful
FSSO log off authentication status
FSSO logon authentication status
FSSO logon successful
FSSO logout successful
FSSO server connected
FSSO server disconnected
FT action response was sent to wireless client
FT auth response was sent to wireless client
FT reassociation response was sent to wireless client
GeoIP object updated
Global resource limit exceeded
Global setting changed
Global time setting changed by NTP
Global time setting changed by PTP
Global time setting changed by user
Guest user account login information sent as SMS
Guest user account login information sent to email
Guest user account login information sent to phone
Guest user added
Guest user deleted
HA clear history
HA device interface failed
HA device interface peer information
HA device interface ready
HA failover failed
HA failover success
HA reset uptime
HA secondary synchronization failed
HA secondary synchronization URL database
HA secondary synchronized AntiVirus package
HA secondary synchronized CID package
HA secondary synchronized Extended database
HA secondary synchronized Extreme database
HA secondary synchronized FLDB
HA secondary synchronized IDS package
HA secondary synchronized VCM package
HA secondary synchronized Virus database
HA socket creation failed
Hard Link Creation Violation
Heartbeat device interface deleted
Heartbeat device interface down
Heartbeat device interface up
Heartbeat packet lost
HTTPS connection error
Hyper-V SR-IOV VF secondary is hot plugged
Hyper-V SR-IOV VF secondary is hot unplugged
Icap remote server stat
Image failed to load
Image loaded successfully
Image push to FortiSwitch
Image restore confirmed by user
Image restored
Image restored from FortiGuard Management
Image restored from FortiGuard Management notification
Image restored from USB
Image stage to FortiSwitch
Image updated
Image with invalid CC signature loaded
Image with invalid CC signature restored
Image with invalid RSA signature loaded
Image with valid RSA signature loaded
Inbound bandwidth rate exceeded
Insufficient system resource notification
Integrity check of Run/loading Excutable File failed with mismatched measure
Integrity check of Run/loading Excutable File failed without Integrity measure
Interface AdvPreferredLifetime on our interface does not agree with a remote site
Interface link status changed
Interface status changed
Internet Service name update
Internet Service name update failed
Internet Service obsolete
Invalid image loaded
Invalid update license
IoT device identification license expiring
IP Geography DB initialization failed
IP offered has been used by another wireless station
IP pool PBA block exhausted
IP pool PBA created
IP pool PBA NAT IP exhausted
IPAM Controller license expiring
IPS archive full
IPS custom signatures backup failed
IPS custom signatures backup success
IPS custom signatures restored
IPS custom signatures restored critical
IPS database updated
IPS package - Admin update successful
IPS package failed to update via SCP
IPS package updated via SCP
IPS session scan paused
IPS session scan resumed
IPSA database download failed
IPSA disabled: self test failed
IPSA driver update failed
IPsec connection failed
IPsec connection status changed
IPsec DPD failed
IPsec ESP
IPsec ESP
IPsec no state error
IPsec phase 1 error
IPsec phase 1 SA deleted
IPsec phase 2 error
IPsec phase 2 SA deleted
IPsec phase 2 status changed
IPsec SA installed
IPsec tunnel statistics
IPsec VPN tunnel down
IPsec VPN tunnel statistics
IPsec VPN tunnel up
IPv4 firewall local in policy added
IPv4 firewall local in policy deleted
IPv4 firewall local in policy's setting changed
IPv6 firewall local in policy added
IPv6 firewall local in policy deleted
IPv6 firewall local in policy setting changed
IPv6 policy too big for installation
KAT tests succeeded
Kernel error
L2TP client connected
L2TP client connection failed
L2TP client disconnected
L2TP daemon exited
L2TP daemon started
L2TP service disconnected
L2TP tunnel down
L2TP tunnel status
L2TP tunnel up
Learning mode policy is converted to accept policy during upgrade.
License status changed
License validation failure
Link monitor fail detect
Link monitor status
Link monitor status warning
Load Kernel/Kernel Module/Firmware Violation
Local user added
Locally generated traffic goes to IoC location
Log deleted by user
Log disk failure imminent
Log disk full
Log disk unavailable
Log file downloaded from GUI
Log file on disk is corrupted
Log rate limit exceeded
Log rotation requested by FortiCron
Log upload completed
Log upload error
Log upload to FortiGate Cloud skipped
Looped configuration in Security Fabric service
LPM ERROR MSG
LPM INFO MSG
LTE billing data purged
LTE billing data usage reached configured threshold
LTE billing data usage reached data limit
LTE billing time passed, refresh billing date counter
LTE modem active SIM card slot flipped back and forth in short time
LTE modem active SIM card switch event
LTE modem active SIM card switched: data plan reached
LTE modem active SIM card switched: link monitor probe failure detected
LTE modem active SIM card switched: modem disconnection detected
LTE modem bearer event
LTE modem billing daemon started or stopped
LTE modem data link connection event
LTE modem detection
LTE modem firmware upgrade event
LTE modem GPS daemon started or stopped
LTE modem GPS location acquisition
LTE modem ip address event
LTE modem manual handover event
LTE modem operation mode
LTE modem powered on or powered off
LTE modem QDL device detection event
LTE modem reboot event
LTE modem SIM card state event
LTE modem stop network due to data plan reached
LTE unlock SIM PIN failed.
Max sta count limit for the PSK was reached
Memory conserve mode entered
Memory conserve mode exited
Memory log access failed
Memory log full over final warning level
Memory log full over first warning level
Memory log full over second warning level
Memory logs backed up
Memory logs failed to back up
Memory logs viewed successfully
Message Authentication Code corrupted
MMSC hostname unresolvable
Modem exceeded redial limit
Modem failed to open
Modem PPP link down
Modem PPP link up
NAC anomaly quarantine
NAC device addition
NAC device deletion
NAC device dynamic address addition
NAC device dynamic address deletion
NAC device Max Limit Error
NAC device modify
NAC MAC cache sync
NAC quarantine
NAT mode enabled from LCD
Negotiate IPsec phase 1
Negotiate IPsec phase 1
Negotiate IPsec phase 2
Negotiate IPsec phase 2
Neighbor table changed
New firmware available on FortiGuard
No DHCP ACK from server
Notification message send failed
Notification message sent
NP6 HPE is dropping packets
NP6 HPE under a packets flood
NP6 IPsec engine is busy
NP6 IPsec engine is locked up
NP6 IPsec engine is possibly locked up
NP6XLITE HPE is dropping packets
NP6XLITE HPE under a packets flood
NPD ERROR MSG
NPD INFO
NPD WARNING MSG
NPU HPE is dropping packets
NPU HPE under packet flood
NTLM authentication failed
NTLM authentication successful
NTP server status changes to reachable
NTP server status changes to resolvable
NTP server status changes to unreachable
NTP server status changes to unresolvable
Object attribute configured
Object configured
Offending AP detected
Offending AP on air
One time schedule expiring
Optional power supply not detected
OSPF neighbor status changed
OSPF6 neighbor status changed
Outbound bandwidth rate exceeded
Packet debug flow event received.
Packet length mismatch
Path configured
Physical AP activity
Physical AP add
Physical AP add failure
Physical AP add XSS
Physical AP config error
Physical AP delete
Physical AP error
Physical AP fail
Physical AP image receive success
Physical AP join
Physical AP kick
Physical AP leave
Physical AP radio activity
Physical AP radio channel removed from NOL
Physical AP radio config TX power
Physical AP radio country config success
Physical AP radio DARRP channel change
Physical AP radio DARRP start
Physical AP radio DARRP stop
Physical AP radio DRMA mode
Physical AP radio DRMA start
Physical AP radio DRMA stop
Physical AP radio error activity
Physical AP radio NOL added
Physical AP radio operation channel change
Physical AP radio operation country
Physical AP radio operation TX power
Physical AP radio radar detected
Physical AP radio ssid down
Physical AP radio ssid up
Physical AP reset
Physical AP SN mismatch
Physical AP update
PKCS12 certificate imported
PoE device status reported
Policy attribute fixed port changed during upgrade
Policy packet capture file deleted
Policy packet capture full
Policy too big for installation
Power supply failed
Power supply failed warning
Power Supply Redundancy Degrade
Power Supply Redundancy Lost
Power supply restored
Power supply restored notification
PPP authentication failed
PPP authentication successful
PPP daemon exited
PPP daemon started
PPP execution failed
PPP received invalid local IP
PPP received invalid peer IP
PPP status
PPP status debug message
PPP status error message
PPPoE status report
PPTP client connected
PPTP client connection limit reached
PPTP client disconnected
PPTP config list insufficient memory
PPTP daemon disconnected
PPTP daemon exited
PPTP daemon failed to start
PPTP daemon started
PPTP IP addresses unavailable
PPTP not configured in VDOM
PPTP tunnel down
PPTP tunnel status
PPTP tunnel up
Primary blade changed
Primary blade found
Primary blade lost
Probe request from wireless station
Probe request from wireless station failed due to low rssi
Probe response to wireless station
Progress IPsec phase 1
Progress IPsec phase 1
Progress IPsec phase 2
Progress IPsec phase 2
Protocol version unsupported
Provisioning of latest firmware failed
Provisioning of latest firmware was completed
PSK is out of any valid schedules
Quarantine full
RADIUS accounting event
RADIUS accounting event summary
RADIUS accounting profile not found
RADIUS accounting protocol error
RADIUS accounting stop message missing
RADIUS accounting stop message missing summary
RADIUS endpoint block event
RADIUS endpoint block event or other event summary
RADIUS other accounting event
RADIUS profile CTX not found summary
RADIUS profile not found summary
RADIUS protocol error summary
RADVD AdvCurHopLimit out of range
RADVD AdvCurHopLimit too big
RADVD AdvHomeAgentFlag not set
RADVD AdvLinkMTU out of range
RADVD AdvLinkMTU too small
RADVD AdvReachableTime too small
RADVD AdvValidLifetime less than AdvPreferredLifetime
RADVD all-routers membership check failed
RADVD daemon started
RADVD extra data in RA packet found
RADVD found invalid option in RA packet from remote site
RADVD HomeAgentLifetime out of range
RADVD interface not found
RADVD invalid prefix length
RADVD local AdvCurHopLimit disagrees with remote site
RADVD local AdvLinkMTU disagrees with remote site
RADVD local AdvManagedFlag disagrees with remote site
RADVD local AdvOtherConfigFlag disagrees with remote site
RADVD local AdvReachableTime disagrees with remote site
RADVD local AdvRetransTimer disagrees with remote site
RADVD local AdvValidLifetime disagrees with remote site
RADVD MaxRtrAdvInterval out of range
RADVD MinRtrAdvInterval out of range
RADVD mobile IPv6 extensions used
RADVD mobile IPv6 MaxRtrAdvInterval out of range
RADVD mobile IPv6 MinRtrAdvInterval out of range
RADVD out of memory
RADVD RA packet option length greater than total length
RADVD RA packet option length zero
RADVD receive message failed
RADVD received ICMPv6 packet with invalid length
RADVD received ICMPv6 RA packet with invalid length
RADVD received ICMPv6 RA packet with non-link local source address
RADVD received ICMPv6 RS packet with invalid length
RADVD received ICMPv6 RS/RA packet with invalid code
RADVD received ICMPv6 RS/RA packet with invalid hop limit
RADVD received invalid IPv6 hop limit
RADVD received invalid IPv6 packet info
RADVD received packet with no information
RADVD received unwanted ICMPv6 packet
RADVD send message failed
RAID disabled
RAID disk formatted
RAID enabled
Reassociation request from wireless station
Reassociation response to wireless station
Registration for CMDB events failed
Remote FortiExtender alert activity
Remote FortiExtender critical activity
Remote FortiExtender debug activity
Remote FortiExtender emergency activity
Remote FortiExtender error activity
Remote FortiExtender info activity
Remote FortiExtender notify activity
Remote FortiExtender warning activity
Renew PCP mapping
Report chart widget added
Report chart widget deleted
Report data set added
Report data set deleted
Report database recreated
Report db data full
Report deleted
Report deleted from GUI
Report generated successfully
Report generation failed
Report image file uploaded
Request port from pool
Request type not supported
Resource per mapping allocation
REST API request failed
REST API request success
Return port to pool
Revision Database deletion
Revision database reset due to data corruption
Revision deleted
Revision uploaded to flash disk
Rogue AP activity
Rogue AP change detected
Rogue AP detected
Rogue AP off air
Rogue AP off wire
Rogue AP on air
Rogue AP on wire
Rogue AP status configured
Rogue AP status configured as accepted
Rogue AP status configured as rogue
Rogue AP status configured as suppressed
Rogue AP status configured as unclassified
Rogue AP suppressed
Rogue AP unsuppressed
Router cleared
Routing information changed
Routing log critical event
Routing log error
Routing log information
Routing log warning
SAM iperf test result
SAM ping test result
Sandbox limit reached
Scan disk requested
Scan error - traffic blocked
Scan error - traffic passed
Scan services session failed
Scanunit AV Database load error
Scanunit AV Database reload error
Scanunit DLP signature update error
Scanunit is reloading AV engine
Scanunit loaded AV Database
Scanunit reloaded AV Database
Scheduled daily reboot started
Script restored by user
Script restored from management station
SD-WAN Bandwidth monitoring result
SD-WAN fail detect
SD-WAN Monitoring license expiring
SD-WAN Overlay Controller license expiring
SDN Connector API failed
SDWAN application performance metrics via FortiMonitor
SDWAN internet service passive quality information
SDWAN Neighbor primary
SDWAN Neighbor secondary
SDWAN Neighbor standalone
SDWAN Neighbor status
SDWAN SLA information
SDWAN SLA information warning
SDWAN SLA notification
SDWAN status
SDWAN status debug
SDWAN status information
SDWAN status warning
SDWAN volume status
Secondary sync failed
Security Fabric settings changed during upgrade
Security Rating license expiring
Security Rating result change
Security Rating summary
Seeding from entropy source
Serial number of upstream is changed
Server list updated
Server logging status changed
Server side WAN Optimization FortiGate configured incorrectly
Session clashed
Settings modified by Security Fabric service
Signal handler setup failed
SMS quota reached
SNMP query failed
Socket creation failed
Socket creation retry failed
Socket is exhausted
Source visibility signature package updated
Spare blocks availability low
Specified HA group was deleted
SRC-VIS object updated
SSD TRIM finished
SSD TRIM started
SSH host keys regenerated.
SSH protocol cannot be negotiated
SSH server re-key
SSH server received bad length packet
SSL connection closed
SSL connection established
SSL connection failed
SSL Message Authentication Code corrupted
SSL Proxy CA initialization failed
SSL setting changed
SSL VPN alert
SSL VPN certificate OK
SSL VPN close
SSL VPN deny
SSL VPN enter conserve mode
SSL VPN exit error
SSL VPN exit fail
SSL VPN leave conserve mode
SSL VPN login fail
SSL VPN new connection
SSL VPN pass
SSL VPN statistics
SSL VPN statistics
SSL VPN system busy
SSL VPN timeout
SSL VPN tunnel down
SSL VPN tunnel down
SSL VPN tunnel error
SSL VPN tunnel up
SSL VPN tunnel up
SSL VPN unknown tag
Startup validation of IPAM addresses was completed
Store config failed - first line error
Store config failed - not enough flash space
Super admin entered VDOM
Super admin left VDOM
Support license expiring
Switch-Controller
Switch-Controller authorized
Switch-Controller Daemon Log (Critical)
Switch-Controller Daemon Log (Notification)
Switch-Controller deauthorized
Switch-Controller deleted
Switch-Controller discovered
Switch-controller FortilinkLite connection down
Switch-controller FortilinkLite new connection
Switch-controller FortilinkLite received bootstrap
Switch-controller FortilinkLite tunnel offline
Switch-controller FortilinkLite tunnel online
Switch-controller split-port related configuration change detected
Switch-Controller Switch Sync Complete
Switch-Controller Switch Sync Error
Switch-Controller Switch Sync State
Switch-Controller Switch Upgrade Error
Switch-Controller Switch Upgrade Status
Switch-Controller Tunnel Down
Switch-Controller Tunnel Up
Switch-Controller warning
Synchronization of global object failed.
Synchronization of global object report.
Synchronization status with primary
System configuration backed up
System configuration backed up alert
System configuration backed up by SCP
System configuration backed up error
System operating in USB mode
System performance statistics
System upgrade failed due to file operation failure
Temperature normal
Temperature too high
Temperature too low
Template restored
Test
Threat feed debug
Threat feed loaded
Threat feed update failed
Threat feed updated
Token activation code sent
Traffic stats for station with bridge wlan
Transparent mode enabled from LCD
Two-factor authentication code sent
UDP socket creation to relay URL request failed
Unable to authenticate with the CIFS Domain Controller
Unable to connect to the CIFS Domain Controller
Unexpected application type for WAN Optimization
Unflag IPAM entry as conflict
Updating virus database
Upload and run a script
Uploaded local config to a FortiConverter ticket
URL filter packet send failure
USB LTE modem detected
USB LTE modem removed
USB modem detected
USB modem removed
User changed
User quarantine MAC added
User quarantine MAC bounce port hit
User quarantine MAC bounce port miss
User quarantine MAC deleted
VCM plugin updated
VDOM added
VDOM deleted
VDOM disabled
VDOM enabled
VDOM license status changed
VDOM limit reached
VDOM resource limit exceeded
VIP real server disabled
VIP real server down
VIP real server enabled
VIP real server entered hold-down
VIP real server health check failed
VIP real server health check failed during hold-down
VIP real server up
Virtual cluster added HA device interface
Virtual cluster deleted
Virtual cluster deleted HA device interface
Virtual cluster member dead
Virtual cluster member joined
Virtual cluster member state moved
Virtual cluster VDOM added
Virtual cluster VDOM moved
VLAN detected
VLAN heartbeat lost
VLAN heartbeat lost summary
VLAN heartbeat started
VLAN not detected
VM license expired
VM license expiring
VM license failed to install via SCP
VM license failed to restore
VM license installed via SCP
VM license restored
VM-S license expiring
VMX instance successfully attached
VMX instance successfully denied
VMX instance successfully detached
VNE provision server update completed
VNE provision server update failed
VNP primary process failed to initialize
VNP primary process started
VNP primary process stopped
VNP Primary restarted
VoIP SCCP call blocked
VoIP SCCP call information
VoIP SCCP registered
VoIP SCCP unregistered
VoIP SIP
VoIP SIP blocked
VoIP SIP fuzzing
Voltage anomaly
Voltage normal
VRRP state changed
Wake on LAN device
WAN Optimization peer authentication failed
WAN Optimization peer certificate authentication failed
WAN Optimization peer PSK authentication failed
WANOPT Tunnel closed
WANOPT Tunnel successfully created
Web proxy forward server error
Wireless addrgrp address apply
Wireless addrgrp duplicate mac
Wireless addrgrp reached firewal address maximum number
Wireless Asleap attack detected
Wireless ble dev detection
Wireless bridge intrusion detected
Wireless broadcasting deauthentication detected
Wireless client 4 way handshake failed with invalid 2/4 message
Wireless client 4 way handshake failed with invalid 4/4 message
Wireless client activity
Wireless client associated
Wireless client authenticated
Wireless client authenticates through inter AC OKC success
Wireless client authenticates through inter AP OKC success
Wireless client authenticates through local OKC success
Wireless client authenticates through OKC failed with no match
Wireless client deauthenticated
Wireless client denied
Wireless client denied by DHCP enforcement for using static IP address
Wireless client disassociated
Wireless client idle
Wireless client IP assigned
Wireless client kicked
Wireless client layer3 roaming rehome
Wireless client left WTP
Wireless client load balancing
Wireless client load balancing denied
Wireless client load balancing retry
Wireless client RADIUS authentication failure
Wireless client RADIUS authentication server not responding
Wireless client RADIUS authentication success
Wireless client RADIUS MAC authentication failure
Wireless client RADIUS MAC authentication server not responding
Wireless client RADIUS MAC authentication success
Wireless client sent 2/2 message of group key handshake
Wireless client sent 2/4 message of 4 way handshake
Wireless client sent 4/4 message of 4 way handshake
Wireless client sent FT action reqeust
Wireless client sent FT auth request
Wireless client sent FT reassociation request
Wireless client sent invalid FT action request
Wireless client sent invalid FT auth request
Wireless client sent invalid FT reassociation request
Wireless client sent WNM action BSTM response accept
Wireless client sent WNM action BSTM response reject
Wireless client WTP disconnected
Wireless controller configuration loaded
Wireless controller IPsec setup failed
Wireless controller start
Wireless EAPOL packet flooding detected
Wireless invalid MAC OUI detected
Wireless long duration attack detected
Wireless management flooding detected
Wireless null SSID probe response detected
Wireless set command failed
Wireless spoofed deauthentication detected
Wireless station association failed
Wireless station CMCC MAC auth success
Wireless station CMCC sign on failed
Wireless station CMCC sign on success
Wireless station CMCC sign on timeout
Wireless station DHCP process failed with no server response
Wireless station DNS process failed due to non-existing domain
Wireless station DNS process failed due to server failure
Wireless station DNS process failed with no server response
Wireless station DNS process success
Wireless station is using self-assigned IP
Wireless station presence detection
Wireless station sent DHCP DECLINE
Wireless station sent DHCP DISCOVER
Wireless station sent DHCP INFORM
Wireless station sent DHCP RELEASE
Wireless station sent DHCP REQUEST
Wireless station sent DHCP6 CONFIRM
Wireless station sent DHCP6 RELEASE
Wireless station sent DHCP6 RENEW
Wireless station sent DHCP6 REQUEST
Wireless station sent DHCP6 SOLICIT
Wireless station sign on
Wireless station sign on failed
Wireless station sign on success
Wireless station WPA key reinstallation attack on FT reassociation
Wireless system activity
Wireless system hostapd down
Wireless system hostapd up
Wireless system restarted
Wireless Weak WEP IV detected
Wireless wtp data channel changed
Wireless WTP profile has been adjusted
Write Permission Violation
WTP is probing vlan
xh0 crashed
Zombie daemon cleanup
Hello @solo1, I think the first question you should ask yourself is: which features am I using on FortiGate?
More or less, the features are:
- Wifi and AP management
- VDOM
- Fortiswitch management and switch controller
- UTM profiles (e.g. AV, Web profile, App control)
- IPS
- VPN
- System (Voltage, CPU, Disk)
- AAA and FSSO
- Certificates
So, the first step should be to identify the features implemented (System -> Feature Visibility could be a good option to check this) and then send only the event logs required.
Another approach could be to forward to the SOC only the warning and critical errors (you can configure the severity from the CLI under the global syslogd forwarding setting).
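One way to put the feature-based selection above into practice, as an added example that is not part of any post in this thread: a small Python helper that takes FortiOS event names from the list in the question plus the set of features actually enabled, always keeps events carrying security keywords, drops chatty informational messages, and otherwise forwards only events belonging to enabled features. The feature keyword mapping, the security and noise patterns and the sample event list are my own assumptions, not a Fortinet-provided classification.

```python
import re

# Assumed mapping from optional FortiGate features to keywords in their event names.
FEATURE_KEYWORDS = {
    "wifi": ["wireless", "wtp", "ssid", "station"],
    "vdom": ["vdom", "virtual cluster"],
    "switch": ["switch-controller"],
    "vip": ["vip real server"],
    "voip": ["voip"],
    "wanopt": ["wan optimization", "wanopt"],
    "vm_license": ["vm license", "vm-s license", "vmx"],
    "ipam": ["ipam"],
}

# Constructed list of security-relevant keywords: forward these whatever the feature.
ALWAYS_KEEP = re.compile(
    r"attack|intrusion|flooding|spoofed|authentication fail|login failed|"
    r"permission violation|license expir|crashed|quarantine|"
    r"threat feed update failed|tunnel down|temperature too", re.IGNORECASE)

# Constructed list of high-volume informational events a SOC rarely wants.
NOISE = re.compile(r"statistics|activity|debug|sent DHCP", re.IGNORECASE)

def feature_of(event):
    """Return the optional feature an event belongs to, or 'core' for system/admin events."""
    text = event.lower()
    for feature, words in FEATURE_KEYWORDS.items():
        if any(w in text for w in words):
            return feature
    return "core"

def select_events(events, enabled_features):
    """Return (event, reason) pairs worth forwarding: security hits, then feature matches."""
    selected = []
    for ev in events:
        if ALWAYS_KEEP.search(ev):
            selected.append((ev, "security"))
        elif NOISE.search(ev):
            continue  # drop informational chatter
        else:
            f = feature_of(ev)
            if f == "core" or f in enabled_features:
                selected.append((ev, f))
    return selected

# Constructed sample drawn from the event names in the question.
SAMPLE_EVENTS = [
    "Wireless Asleap attack detected", "Wireless client associated",
    "Wireless station sent DHCP DISCOVER", "VDOM limit reached",
    "Switch-Controller Tunnel Down", "VM license expired", "Admin login failed",
    "System performance statistics", "Write Permission Violation", "VIP real server down",
]

if __name__ == "__main__":
    for ev, why in select_events(SAMPLE_EVENTS, {"wifi"}):
        print(f"{why:9} {ev}")
```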
In addition to mnovelli's excellent advice, you can refer to the FortiOS Log Message Reference:
https://docs.fortinet.com/document/fortigate/7.4.4/fortios-log-message-reference/398/event
That lists all event log messages a FortiGate could generate and gives a bit more insight into what the log messages contain, if you want to tailor it to your needs.
Make sure you look at the log message reference for the correct firmware version, though!
Cheers,
Debbie
Thank you @mnovelli. I will set this up right away and hope it will give something for the SOC.
You're welcome.
Hi solo1,
As far as I know, you normally don't need to select which logs you will forward to them. You just need to send all of the logs to them via Syslog. Their SIEM solution should be able to handle the logs for threat hunting.
Copyright 2024 Fortinet, Inc. All Rights Reserved.