FortiOS Log Message Reference v5.0 - Fortinet Docs … · FortiGate Log Message Reference v5.0...

FortiGate Log Message Reference v5.0 Patch Release 10

FortiGate Log Message Reference - FortiOS 5.0.10

March 13, 2015

01-510-112804-20150313

Copyright© 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and

FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and

other jurisdictions, and other Fortinet names herein may also be registered and/or common law

trademarks of Fortinet. All other product or company names may be trademarks of their

respective owners. Performance and other metrics contained herein were attained in internal

lab tests under ideal conditions, and actual performance and other results may vary.

Network variables, different network environments and other conditions may affect

performance results. Nothing herein represents any binding commitment by Fortinet, and

Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet

enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser

that expressly warrants that the identified product will perform according to certain

expressly-identified performance metrics and, in such event, only the specific

performance metrics expressly identified in such binding written contract shall be binding on

Fortinet. For absolute clarity, any such warranty will be limited to performance in the same

ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any

commitment related to future deliverables, features or development, and circumstances may

change such that any forward-looking statements herein are not accurate. Fortinet disclaims in

full any covenants, representations, and guarantees pursuant hereto, whether express or

implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this

publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation docs.fortinet.com

Knowledge Base kb.fortinet.com

Customer Service & Support support.fortinet.com

Training Services training.fortinet.com

FortiGuard fortiguard.com

Document Feedback [email protected]

http://docs.fortinet.com

http://kb.fortinet.com

https://support.fortinet.com

http://training.fortinet.com

http://www.fortiguard.com/

mailto:[email protected]?Subject=Technical%20Documentation%20Feedback

Change Log

Date Change Description

2013-03-20 Initial Release.

2013-09-27 Patch 4 Release.

2014-04-01 Patch 6 Release. Added Variable Event Logs Addendum.

2015-01-16 Patch 9 Release. Complete corrections of all terminology.

2015-03-13 Patch 10 Release. Added new Variable Event Logs.

Log Field Name Changes in FortiOS 5.0

4.3 5 4.3 5app_cat appcat pri levelapp_list applist profile_group profilegroup

app_type apptype profile_type profiletypeasset_id assetid quota_exceeded quotaexceeded

asset_name assetname quota_max quotamaxattack_id attackid quota_used quotaused

attack_name attackname rcvd rcvdbytecarrier_ep carrierep rcvd_pkt rcvdpktcat_desc catdesc rem_ip remip

class_desc classdesc rem_port remportconn-mode connmode remote_ip remip

content_type contenttype req_type reqtypedec_spi decspi request_name requestname

dir direction rule_data ruledatadir_disp dirdisp rule_type ruletype

dlp_sensor dlpsensor sent sentbytedst dstip sent_pkt sentpkt

dst_country dstcountry shaper_drop_rcvd shaperdroprcvdbytedst_int dstintf shaper_drop_sent shaperdropsentbyte

dst_port dstport shaper_rcvd_name shaperrcvdnameenc_spi encspi shaper_sent_name shapersentname

end-date enddate src srcipesp_auth espauth src_country srccountry

esp_transform esptransform src_int srcintffilter_type filtertype src_port srcporticmp_code icmpcode start-date startdate

icmp_id icmpid tran_disp trandispicmp_type icmptype tran_ip tranip

incident_serialno incidentserialno tran_port tranportlan_in lanin tran_sip transip

lan_out lanout tran_sport transportloc_ip locip url_type urltype

loc_port locport urlfilter_idx urlfilteridxlocal_ip locip urlfilter_list urlfilterlistlog_id logid voip_proto voipproto

malform_data malformdata vpn_tunnel vpntunnelmalform_desc malformdesc vpn_type vpntype

message msg vuln_cat vulncatmessage_type messagetype vuln_cnt vulncnt

os_family osfamily vuln_id vulnidos_gen osgen vuln_ref vulnref

os_vendor osvendor wan_in waninout_intf outintf wan_out wanoutovrd_id ovrdid wanopt_app_type wanoptapptypeovrd_tbl ovrdtbl xauth_group xauthgroup

perip_drop shaperperipdropbyte xauth_user xauthuserperip_name shaperperipname

Log Field Name Changes in FortiOS 5.0

4.3 5 4.3 5app_cat appcat pri levelapp_list applist profile_group profilegroup

app_type apptype profile_type profiletypeasset_id assetid quota_exceeded quotaexceeded

asset_name assetname quota_max quotamaxattack_id attackid quota_used quotaused

attack_name attackname rcvd rcvdbytecarrier_ep carrierep rcvd_pkt rcvdpktcat_desc catdesc rem_ip remip

class_desc classdesc rem_port remportconn-mode connmode remote_ip remip

content_type contenttype req_type reqtypedec_spi decspi request_name requestname

dir direction rule_data ruledatadir_disp dirdisp rule_type ruletype

dlp_sensor dlpsensor sent sentbytedst dstip sent_pkt sentpkt

dst_country dstcountry shaper_drop_rcvd shaperdroprcvdbytedst_int dstintf shaper_drop_sent shaperdropsentbyte

dst_port dstport shaper_rcvd_name shaperrcvdnameenc_spi encspi shaper_sent_name shapersentname

end-date enddate src srcipesp_auth espauth src_country srccountry

esp_transform esptransform src_int srcintffilter_type filtertype src_port srcporticmp_code icmpcode start-date startdate

icmp_id icmpid tran_disp trandispicmp_type icmptype tran_ip tranip

incident_serialno incidentserialno tran_port tranportlan_in lanin tran_sip transip

lan_out lanout tran_sport transportloc_ip locip url_type urltype

loc_port locport urlfilter_idx urlfilteridxlocal_ip locip urlfilter_list urlfilterlistlog_id logid voip_proto voipproto

malform_data malformdata vpn_tunnel vpntunnelmalform_desc malformdesc vpn_type vpntype

message msg vuln_cat vulncatmessage_type messagetype vuln_cnt vulncnt

os_family osfamily vuln_id vulnidos_gen osgen vuln_ref vulnref

os_vendor osvendor wan_in waninout_intf outintf wan_out wanoutovrd_id ovrdid wanopt_app_type wanoptapptypeovrd_tbl ovrdtbl xauth_group xauthgroup

perip_drop shaperperipdropbyte xauth_user xauthuserperip_name shaperperipname

4.3 subtypes 5.0 subtypestraffic allowed forward/local/multicast

webcache-traffic, wanopt-traffic, explicit-proxy-traffic forwardfailed-conn, violation, other forward

event ipsec, sslvpn-user, sslvpn-admin, sslvpn-session vpn

system

dns, dhcp, l2tp/pptp/pppoe router

auth, radius userwireless wirelesswad wadvoip moved to voip logs section

virus infected infectedfilename filenameoversize oversizedscanerror scanerror----- analytics----- switchproto

webfilter content contenturlfilter urlfilterftgd_blk ftgd_blkftgd_allow ftgd_allowftgd_err ftgd_erractivexfilter activexfiltercookiefilter cookiefilterappletfilter appletfilterftgd_quota_counting ftgd_quota_countingftgd_quota ftgd_quota----- ftgd_quota_expired----- webfilter_command_block

ips signature signatureanomaly anomaly

emailfilter msn-hotmail msnyahoo-mail yahoosmtp smtppop3 pop3imap imapcarrier-endpoint-filter endpointfiltermass-mms mms----- google----- mapi

ha, gtp, nac-quarantine, config, notification, perf-historical, forticlient, mms-stats, amc-intf-bypass, admin, ldb-monitor, pattern

Log Subtype Name Changes in FortiOS 5.0

netscan discovery discoveryvulnerability vulnerability

dlp dlp dlp----- dlp-docsource

app-ctrl app-ctrl-all app-ctrl-all

content http httpftp ftpsmtp smtppop3 pop3imap imaphttps httpsim-all im-allnntp nntpvoip voipmm1 mm1mm3 mm3mm4 mm4mm7 mm7smtps smtpspop3s pop3simaps imaps

voip ----- voip

0

Traffic2

Message ID: 000002Message Description: allowed messageType (type): trafficSubtype (subtype): forwardLevel/Severity: notice

Log field Meaning

type traffic

subtype forward

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

status The status of the traffic.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

trandisp Whether the packet is source NAT translated (snat) or destination NAT translated (dnat), both (snat+dnat) or neither(noop).

srcip The source IP.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstname The destination name. This can be a name or an IP address.

dstcountry Destination country.

srccountry Source country.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

tranip The translated IP in NAT mode. For Transparent mode, it is zero.

tranport The translated port number in NAT mode. For Transparent mode, it is zero.

transip The translated source IP in NAT mode. For Transparent mode, it is zero.

transport The translated source port number in NAT mode. For Transparent mode, it is zero.

service The service where the event or activity occurred.

proto The protocol number that applies to the session or packet. This is the protocol number in the packet header thatidentifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).

duration Time value in seconds.

1

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use anidentity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.This number is not globally unique, it is only locally unique within a given firewall policy.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

shaperdropsentbyte Shaper dropped sent bytes.

shaperdroprcvdbyte Shaper dropped received bytes.

shaperperipdropbyte PerIP dropped bytes.

shapersentname The name of the traffic shaper sending the bytes.

shaperrcvdname The name of the traffic shaper receiving the bytes.

shaperperipname The perIP shaper name.

sentpkt The number of sent packets related to the log message.

rcvdpkt The number of received packets related to the log message.

vpn The name of the VPN tunnel used by the traffic.

vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

sessionid Session ID.

appid Application ID.

app The name of the application that triggered the action within the control list. For example, SSL.

appcat The application category that the application is associated with.

applist The name of the application control list that was used to detect and take action.

appact Application action.

user User name.

group The group name.

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

crscore Client Reputation score.

craction Client Reputation action.

2

3Message ID: 000003Message Description: violation messageType (type): trafficSubtype (subtype): invalidLevel/Severity: warning

Log field Meaning

type traffic

subtype invalid

level warning
























3

















user User name.








4

4Message ID: 000004Message Description: other messageType (type): trafficSubtype (subtype): invalidLevel/Severity: notice

Log field Meaning

type traffic

subtype invalid

level notice
























5





















user User name.








6

5Message ID: 000005Message Description: allowed icmp messageType (type): trafficSubtype (subtype): invalidLevel/Severity: notice

Log field Meaning

type traffic

subtype invalid

level notice
























7






















user User name.








8

6Message ID: 000006Message Description: deny internal icmp messageType (type): trafficSubtype (subtype): invalidLevel/Severity: warning

Log field Meaning

type traffic

subtype invalid

level warning
























9

















user User name.








10

7Message ID: 000007Message Description: deny external icmp messageType (type): trafficSubtype (subtype): invalidLevel/Severity: warning

Log field Meaning

type traffic

subtype invalid

level warning
























11

















user User name.








12

8Message ID: 000008Message Description: WAN optimization trafficType (type): trafficSubtype (subtype): forwardLevel/Severity: notice

Log field Meaning

type traffic

subtype forward

level notice












wanoptapptype WANOpt app type. One of: web-cache, cifs, tcp, ftp, mapi, http, web-proxy, ftp-proxy.



indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use anidentity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. Thisnumber is not globally unique, it is only locally unique within a given firewall policy.

wanin WAN in.

wanout WAN out.

lanin LAN in.

lanout LAN out.






13


14

9Message ID: 000009Message Description: webcache trafficType (type): trafficSubtype (subtype): forwardLevel/Severity: notice

Log field Meaning

type traffic

subtype forward

level notice
















wanin WAN in.

wanout WAN out.

lanin LAN in.

lanout LAN out.






15


16

10Message ID: 000010Message Description: explicit proxy trafficType (type): trafficSubtype (subtype): forwardLevel/Severity: notice

Log field Meaning

type traffic

subtype forward

level notice
















wanin WAN in.

wanout WAN out.

lanin LAN in.

lanout LAN out.






17


18

11Message ID: 000011Message Description: failed connection attemptsType (type): trafficSubtype (subtype): invalidLevel/Severity: warning

Log field Meaning

type traffic

subtype invalid

level warning
















user User name.




19

12Message ID: 000012Message Description: multicast allowed messageType (type): trafficSubtype (subtype): multicastLevel/Severity: notice

Log field Meaning

type traffic

subtype multicast

level notice
























20






















user User name.








21

13Message ID: 000013Message Description: traffic forward messageType (type): trafficSubtype (subtype): forwardLevel/Severity: notice

Log field Meaning

type traffic

subtype forward

level notice
























22






















user User name.






utmaction The UTM action taken by the system.

filename The name of the file that was transferred.

virus The name of the virus detected.

attack ATTACK

hostname The hostname information.

catdesc The category description.

sender SENDER

recipient RECIPIENT

mailcount MAILCOUNT

23

spamcount SPAMCOUNT

dlprule DLP rule.

utmevent The type of UTM event taking place.

utmseverity UTM severity.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.



24

14Message ID: 000014Message Description: traffic local messageType (type): trafficSubtype (subtype): localLevel/Severity: notice

Log field Meaning

type traffic

subtype local

level notice
























25






















user User name.








26

15Message ID: 000015Message Description: start forward messageType (type): trafficSubtype (subtype): forwardLevel/Severity: notice

Log field Meaning

type traffic

subtype forward

level notice
























27






















user User name.








28

16Message ID: 000016Message Description: start local messageType (type): trafficSubtype (subtype): localLevel/Severity: notice

Log field Meaning

type traffic

subtype local

level notice
























29





















user User name.








30

Netscan4096

Message ID: 004096Message Description: Network scan performedType (type): utmSubtype (subtype): netscanEvent Type (eventtype): vulnerabilityLevel/Severity: notice

Log field Meaning

type utm

subtype netscan

eventtype vulnerability

level notice




action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

start GMT epoch time the scan started.

end GMT epoch time the scan ended.

status Scan status: start, stop, pause, resume, complete.

engine Version of the netscan engine.

plugin Version of the netscan plugin.

31

4097Message ID: 004097Message Description: Network scan performedType (type): utmSubtype (subtype): netscanEvent Type (eventtype): discoveryLevel/Severity: notice

Log field Meaning

type utm

subtype netscan

eventtype discovery

level notice





start GMT epoch time the scan started.

end GMT epoch time the scan ended.

status Scan status: start, stop, pause, resume, complete.

engine Version of the netscan engine.

plugin Version of the netscan plugin.

32

4098Message ID: 004098Message Description: Netscan vulnerability detectedType (type): utmSubtype (subtype): netscanEvent Type (eventtype): vulnerabilityLevel/Severity: notice

Log field Meaning

type utm

subtype netscan


level notice






vuln Name of the detected vulnerability.

vulncat Category of the detected vulnerability.

vulnid ID of the detected vulnerability.

vulnref Reference to the detected vulnerability in FortiGuard.

severity The priority level of the attack log. Can be info, low, medium, high, or critical.

vulnscore NIST score of the detected vulnerability.

proto Protocol. Either TCP or UDP.


33

4099Message ID: 004099Message Description: Netscan OS detectedType (type): utmSubtype (subtype): netscanEvent Type (eventtype): discoveryLevel/Severity: notice

Log field Meaning

type utm

subtype netscan

eventtype discovery

level notice






os Operating system name.

osfamily OS family.

osgen OS generation.

osvendor OS vendor.

34

4100Message ID: 004100Message Description: Netscan service detectedType (type): utmSubtype (subtype): netscanEvent Type (eventtype): discoveryLevel/Severity: notice

Log field Meaning

type utm

subtype netscan

eventtype discovery

level notice









35

4101Message ID: 004101Message Description: Notification messageType (type): utmSubtype (subtype): netscanEvent Type (eventtype): vulnerabilityLevel/Severity: notice

Log field Meaning

type utm

subtype netscan


level notice





36

4102Message ID: 004102Message Description: Notification messageType (type): utmSubtype (subtype): netscanEvent Type (eventtype): discoveryLevel/Severity: notice

Log field Meaning

type utm

subtype netscan

eventtype discovery

level notice





37

4103Message ID: 004103Message Description: Netscan number of vulnerabilities detectedType (type): utmSubtype (subtype): netscanEvent Type (eventtype): vulnerabilityLevel/Severity: notice

Log field Meaning

type utm

subtype netscan


level notice






vulncnt Vulnerability count.

38

4104Message ID: 004104Message Description: Netscan host detectedType (type): utmSubtype (subtype): netscanEvent Type (eventtype): discoveryLevel/Severity: notice

Log field Meaning

type utm

subtype netscan

eventtype discovery

level notice






method The method information.

assetid Asset ID for this host.

assetname Asset definition for this host.

39

4105Message ID: 004105Message Description: Netscan port detectedType (type): utmSubtype (subtype): netscanEvent Type (eventtype): discoveryLevel/Severity: notice

Log field Meaning

type utm

subtype netscan

eventtype discovery

level notice








40

Virus8192

Message ID: 008192Message Description: virus infected blockType (type): utmSubtype (subtype): virusEvent Type (eventtype): infectedLevel/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype infected

level warning




status The status of the virus or packet: blocked, passthrough, monitored, analytics.












direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the samechecksum, the FortiGate unit assumes that they have the same content.

41

quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file patternblock), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).


dtype Dtype.

ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.







agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.


msg "File is infected."

42

8193Message ID: 008193Message Description: virus infected passType (type): utmSubtype (subtype): virusEvent Type (eventtype): infectedLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype infected

level notice





















dtype Dtype.

43





user User name.







agent Agent.



sha256 SHA256 hash.



44

8194Message ID: 008194Message Description: virus infected mime blockType (type): utmSubtype (subtype): virusEvent Type (eventtype): infectedLevel/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype infected

level warning





















dtype Dtype.

45





user User name.







agent Agent.



sha256 SHA256 hash.



46

8195Message ID: 008195Message Description: virus infected mime passType (type): utmSubtype (subtype): virusEvent Type (eventtype): infectedLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype infected

level notice





















dtype Dtype.

47





user User name.







agent Agent.



sha256 SHA256 hash.


msg "File submitted to FortiGuard Analytics."

48

8196Message ID: 008196Message Description: virus infected worm blockType (type): utmSubtype (subtype): virusEvent Type (eventtype): infectedLevel/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype infected

level warning














indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-basedpolicy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globallyunique, it is only locally unique within a given firewall policy.



dtype Dtype.




user User name.


49

msg "Worm detected."

50

8197Message ID: 008197Message Description: virus infected worm monitorType (type): utmSubtype (subtype): virusEvent Type (eventtype): infectedLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype infected

level notice

















dtype Dtype.




user User name.


51


52

8198Message ID: 008198Message Description: virus infected worm mime blockType (type): utmSubtype (subtype): virusEvent Type (eventtype): infectedLevel/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype infected

level warning

















dtype Dtype.




user User name.


53




54

8199Message ID: 008199Message Description: virus infected worm mime monitorType (type): utmSubtype (subtype): virusEvent Type (eventtype): infectedLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype infected

level notice

















dtype Dtype.




user User name.


55




56

8448Message ID: 008448Message Description: virus blocked (warning)Type (type): utmSubtype (subtype): virusEvent Type (eventtype): filenameLevel/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype filename

level warning

















filefilter The filter used to identify the affected file.

filetype The filetype of the affected file.


checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, theFortiGate unit assumes that they have the same content.

quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block),oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

57




user User name.


agent Agent.



msg "File is blocked."

58

8449Message ID: 008449Message Description: virus blocked (notice)Type (type): utmSubtype (subtype): virusEvent Type (eventtype): filenameLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype filename

level notice






















59




user User name.


agent Agent.




60

8450Message ID: 008450Message Description: virus blocked mime (warning)Type (type): utmSubtype (subtype): virusEvent Type (eventtype): filenameLevel/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype filename

level warning






















61




user User name.


agent Agent.




62

8451Message ID: 008451Message Description: virus blocked mime (notice)Type (type): utmSubtype (subtype): virusEvent Type (eventtype): filenameLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype filename

level notice






















63




user User name.


agent Agent.




64

8452Message ID: 008452Message Description: virus blocked commandType (type): utmSubtype (subtype): virusEvent Type (eventtype): filenameLevel/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype filename

level warning

















user User name.


command Command information.

agent Agent.



65

msg "Command blocked."

66

8453Message ID: 008453Message Description: virus interceptedType (type): utmSubtype (subtype): virusEvent Type (eventtype): filenameLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype filename

level notice






















67




user User name.


agent Agent.



msg "File is intercepted."

68

8454Message ID: 008454Message Description: virus intercepted mimeType (type): utmSubtype (subtype): virusEvent Type (eventtype): filenameLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype filename

level notice






















69


dtype Dtype.




user User name.


agent Agent.



msg "File is intercepted."

70

8455Message ID: 008455Message Description: virus exemptedType (type): utmSubtype (subtype): virusEvent Type (eventtype): filenameLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype filename

level notice























71

user User name.


agent Agent.



msg "File has been exempted."

72

8456Message ID: 008456Message Description: virus exempted mimeType (type): utmSubtype (subtype): virusEvent Type (eventtype): filenameLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype filename

level notice























73

user User name.


agent Agent.



msg "File has been exempted."

74

8457Message ID: 008457Message Description: mms content checksumType (type): utmSubtype (subtype): virusEvent Type (eventtype): infectedLevel/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype infected

level warning





















user User name.

75


agent Agent.



msg "Blocked by MMS content checksum."

76

8458Message ID: 008458Message Description: mms content checksumType (type): utmSubtype (subtype): virusEvent Type (eventtype): infectedLevel/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype infected

level warning






















77

user User name.


agent Agent.



msg "Matched by MMS content checksum."

78

8704Message ID: 008704Message Description: oversized blockType (type): utmSubtype (subtype): virusEvent Type (eventtype): oversizeLevel/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype oversize

level warning




















user User name.


agent Agent.

79



msg "Size limit exceeded."

80

8705Message ID: 008705Message Description: oversized passType (type): utmSubtype (subtype): virusEvent Type (eventtype): oversizeLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype oversize

level notice




















user User name.


agent Agent.

81




82

8706Message ID: 008706Message Description: oversized mime blockType (type): utmSubtype (subtype): virusEvent Type (eventtype): oversizeLevel/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype oversize

level warning




















user User name.



83



84

8707Message ID: 008707Message Description: oversized mime passType (type): utmSubtype (subtype): virusEvent Type (eventtype): oversizeLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype oversize

level notice




















user User name.



85



86

8720Message ID: 008720Message Description: switching protocols blockType (type): utmSubtype (subtype): virusEvent Type (eventtype): switchprotoLevel/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype switchproto

level warning



















user User name.




87

agent Agent.

switchproto Protocol change information.

msg "Switching protocols request."

88

8721Message ID: 008721Message Description: switching protocols bypassType (type): utmSubtype (subtype): virusEvent Type (eventtype): switchprotoLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype switchproto

level notice



















user User name.




89

agent Agent.

switchproto Protocol change information.

msg "Switching protocols request."

90

8960Message ID: 008960Message Description: uncompressed nested limit reachedType (type): utmSubtype (subtype): virusEvent Type (eventtype): scanerrorLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype scanerror

level notice





















dtype Dtype.

91





user User name.







agent Agent.



sha256 SHA256 hash.


msg "File reached uncompressed nested limit."

92

8961Message ID: 008961Message Description: uncompressed size limit reachedType (type): utmSubtype (subtype): virusEvent Type (eventtype): scanerrorLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype scanerror

level notice





















dtype Dtype.

93





user User name.







agent Agent.



sha256 SHA256 hash.


msg "File reached uncompressed size limit."

94

8962Message ID: 008962Message Description: archive is encryptedType (type): utmSubtype (subtype): virusEvent Type (eventtype): scanerrorLevel/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype scanerror

level warning





















dtype Dtype.

95





user User name.







agent Agent.



sha256 SHA256 hash.


msg "Encrypted archive."

96

8963Message ID: 008963Message Description: archive is encryptedType (type): utmSubtype (subtype): virusEvent Type (eventtype): scanerrorLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype scanerror

level notice





















dtype Dtype.

97





user User name.







agent Agent.



sha256 SHA256 hash.


msg "Encrypted archive."

98

8964Message ID: 008964Message Description: archive is corruptedType (type): utmSubtype (subtype): virusEvent Type (eventtype): scanerrorLevel/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype scanerror

level warning





















dtype Dtype.

99





user User name.







agent Agent.



sha256 SHA256 hash.


msg "Corrupted archive."

100

8965Message ID: 008965Message Description: archive is corruptedType (type): utmSubtype (subtype): virusEvent Type (eventtype): scanerrorLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype scanerror

level notice





















dtype Dtype.

101





user User name.







agent Agent.



sha256 SHA256 hash.


msg "Corrupted archive."

102

8966Message ID: 008966Message Description: multipart archiveType (type): utmSubtype (subtype): virusEvent Type (eventtype): scanerrorLevel/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype scanerror

level warning





















dtype Dtype.

103





user User name.







agent Agent.



sha256 SHA256 hash.


msg "Multipart archive."

104

8967Message ID: 008967Message Description: multipart archiveType (type): utmSubtype (subtype): virusEvent Type (eventtype): scanerrorLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype scanerror

level notice





















dtype Dtype.

105





user User name.







agent Agent.



sha256 SHA256 hash.


msg "Multipart archive."

106

8968Message ID: 008968Message Description: nested archiveType (type): utmSubtype (subtype): virusEvent Type (eventtype): scanerrorLevel/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype scanerror

level warning





















dtype Dtype.

107





user User name.







agent Agent.



sha256 SHA256 hash.


msg "Nested archive."

108

8969Message ID: 008969Message Description: nested archiveType (type): utmSubtype (subtype): virusEvent Type (eventtype): scanerrorLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype scanerror

level notice





















dtype Dtype.

109





user User name.







agent Agent.



sha256 SHA256 hash.


msg "Nested archive."

110

8970Message ID: 008970Message Description: archive is oversizedType (type): utmSubtype (subtype): virusEvent Type (eventtype): scanerrorLevel/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype scanerror

level warning





















dtype Dtype.

111





user User name.







agent Agent.



sha256 SHA256 hash.


msg "Oversized archive."

112

8971Message ID: 008971Message Description: archive is oversizedType (type): utmSubtype (subtype): virusEvent Type (eventtype): scanerrorLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype scanerror

level notice





















dtype Dtype.

113





user User name.







agent Agent.



sha256 SHA256 hash.


msg "Oversized archive."

114

8972Message ID: 008972Message Description: unhandled archive typeType (type): utmSubtype (subtype): virusEvent Type (eventtype): scanerrorLevel/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype scanerror

level warning





















dtype Dtype.

115





user User name.







agent Agent.



sha256 SHA256 hash.


msg "Unhandled archive."

116

8973Message ID: 008973Message Description: unhandled archive typeType (type): utmSubtype (subtype): virusEvent Type (eventtype): scanerrorLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype scanerror

level notice





















dtype Dtype.

117





user User name.







agent Agent.



sha256 SHA256 hash.


msg "Unhandled archive."

118

9233Message ID: 009233Message Description: FortiGuard analyticsType (type): utmSubtype (subtype): virusEvent Type (eventtype): analyticsLevel/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype analytics

level notice





















dtype Dtype.

119





user User name.







agent Agent.



sha256 SHA256 hash.


msg

120

Webfilter12288

Message ID: 012288Message Description: Web content banned wordType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): contentLevel/Severity: warning

Log field Meaning

type utm

subtype webfilter

eventtype content

level warning








initiator The initiator name.

user User name.










121








reqtype The request type, either direct or referral.




status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

agent Agent.



banword Banned word flagged in the message.

msg "URL was blocked because it contained banned word(s)."

122

12289Message ID: 012289Message Description: Web content MMS banned wordType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): contentLevel/Severity: warning

Log field Meaning

type utm

subtype webfilter

eventtype content

level warning









user User name.














123










agent Agent.




msg "Message was blocked because it contained banned word(s)."

124

12290Message ID: 012290Message Description: Web content exempt wordType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): contentLevel/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype content

level notice









user User name.














125









agent Agent.




msg "URL was exempted because it contained exempt word(s)."

126

12291Message ID: 012291Message Description: Web content MMS exempt wordType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): contentLevel/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype content

level notice









user User name.














127










agent Agent.




msg "Message was exempted because it contained exempt word(s)."

128

12292Message ID: 012292Message Description: Web search key wordType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): contentLevel/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype content

level notice









user User name.














129









agent Agent.



keyword Flagged or searched keyword.

msg "Message contained a key word in the profile list."

130

12293Message ID: 012293Message Description: Web searchType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): contentLevel/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype content

level notice









user User name.














131









agent Agent.



keyword Flagged or searched keyword.

msg "Search phrase detected."

132

12305Message ID: 012305Message Description: Web content MMS banned wordType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): contentLevel/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype content

level notice









user User name.














133










agent Agent.




msg "Message was logged because it contained a banned word."

134

12544Message ID: 012544Message Description: URL filter blockType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): urlfilterLevel/Severity: warning

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level warning



urlfilteridx URL filter index.

urlfilterlist URL filter list name.







user User name.












135











msg "URL was blocked because it is in the URL filter list."

136

12545Message ID: 012545Message Description: URL filter exemptType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): urlfilterLevel/Severity: information

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level information











user User name.












137











msg "URL was exempted because it is in the URL filter list."

138

12546Message ID: 012546Message Description: URL filter allowType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): urlfilterLevel/Severity: information

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level information











user User name.












139











msg "URL was allowed because it is in the URL filter list."

140

12547Message ID: 012547Message Description: URL filter invalid hostname (Block/HTTP)Type (type): utmSubtype (subtype): webfilterEvent Type (eventtype): urlfilterLevel/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level notice








user User name.















141


msg "The HTTP request contained an invalid domain name."

142

12548Message ID: 012548Message Description: URL filter invalid hostname (Block/HTTPS)Type (type): utmSubtype (subtype): webfilterEvent Type (eventtype): urlfilterLevel/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level notice








user User name.















143


msg "The certificate for the HTTPS session contained an invalid domain name."

144

12549Message ID: 012549Message Description: URL filter invalid hostname (Filter/HTTP)Type (type): utmSubtype (subtype): webfilterEvent Type (eventtype): urlfilterLevel/Severity: information

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level information








user User name.















145


msg "The HTTP request contained an invalid domain name. The session has been filtered by IP only."

146

12550Message ID: 012550Message Description: URL filter invalid hostname (Filter/HTTPS)Type (type): utmSubtype (subtype): webfilterEvent Type (eventtype): urlfilterLevel/Severity: information

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level information








user User name.















147


msg "The certificate for this HTTPS session contained an invalid domain name. The session has been filtered by IP only."

148

12553Message ID: 012553Message Description: Server certificate validation failedType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): urlfilterLevel/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level notice








user User name.













msg "The server certificate validation failed."

149

12554Message ID: 012554Message Description: Unknown SSL session IDType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): urlfilterLevel/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level notice








user User name.












msg "The SSL session was blocked because the session ID was unknown."

150

12555Message ID: 012555Message Description: SSL session blocked due to invalid/missing server certificateType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): urlfilterLevel/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level notice








user User name.












msg "The SSL session was blocked because the server certificate was missing or invalid."

151

12556Message ID: 012556Message Description: SSL session ignored due to invalid/missing server certificateType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): urlfilterLevel/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level notice








user User name.












msg "The SSL session was ignored because the server certificate was missing or invalid."

152

12557Message ID: 012557Message Description: FortiGuard service inactiveType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): urlfilterLevel/Severity: critical

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level critical




msg "FortiGuard is enabled in the protection profile but the FortiGuard service is not enabled."

153

12558Message ID: 012558Message Description: Rating error occursType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): urlfilterLevel/Severity: information

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level information




user User name.





urltype URL type. One of: HTTP, HTTPS, FTP, Telnet, mail, phishing.



error Error.


msg "Policy allows URLs when a rating error occurs."

154

12559Message ID: 012559Message Description: URL filter passType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): urlfilterLevel/Severity: information

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level information











user User name.












155











msg "URL was passed because it is in the URL filter list."

156

12800Message ID: 012800Message Description: FortiGuard webfilter errorType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): ftgd_errLevel/Severity: error

Log field Meaning

type utm

subtype webfilter

eventtype ftgd_err

level error









user User name.














157









error Error.

msg "A rating error occurred."

158

12801Message ID: 012801Message Description: FortiGuard webfilter errorType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): ftgd_errLevel/Severity: warning

Log field Meaning

type utm

subtype webfilter

eventtype ftgd_err

level warning









user User name.














159









error Error.

msg "A rating error occurred."

160

12802Message ID: 012802Message Description: Daily fortiguard quota statusType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): ftgd_quotaLevel/Severity: information

Log field Meaning

type utm

subtype webfilter

eventtype ftgd_quota

level information




quotaexceeded Quota exceeded: yes or no.

quotatype The quota type, either: time or traffic.

quotaused Quota time used (in seconds).

quotamax Maximum quota time allowed (in seconds).


user User name.


161

13056Message ID: 013056Message Description: FortiGuard webfilter category blockType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): ftgd_blkLevel/Severity: warning

Log field Meaning

type utm

subtype webfilter

eventtype ftgd_blk

level warning









user User name.














162










class The class.

classdesc The class description.

cat The category.


msg "URL belongs to a denied category in policy."

163

13057Message ID: 013057Message Description: FortiGuard webfilter category blockType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): ftgd_blkLevel/Severity: warning

Log field Meaning

type utm

subtype webfilter

eventtype ftgd_blk

level warning









user User name.














164










class The class.


cat The category.


msg "URL belongs to a category with warnings enabled."

165

13312Message ID: 013312Message Description: FortiGuard webfilter category allowType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): ftgd_allowLevel/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype ftgd_allow

level notice









user User name.














166










class The class.


cat The category.


msg "URL belongs to a allowed category in policy."

167

13313Message ID: 013313Message Description: FortiGuard webfilter allowType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): ftgd_allowLevel/Severity: notice

Log field Meaning

type utm

subtype webfilter


level notice









user User name.














168










class The class.


cat The category.


mode Mode.

ruletype Rule type. One of: Directory, domain, rating, unhandled.

ruledata Rule data.

ovrdtbl Override table name.

ovrdid Override ID.

msg "URL belongs to an override rule."

169

13314Message ID: 013314Message Description: FortiGuard webfilter allowType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): ftgd_allowLevel/Severity: information

Log field Meaning

type utm

subtype webfilter


level information









user User name.














170










class The class.


cat The category.


mode Mode.


ruledata Rule data.

ovrdtbl Override table name.

ovrdid Override ID.

msg "URL belongs to an override rule."

171

13315Message ID: 013315Message Description: FortiGuard webfilter category quota countingType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): ftgd_quota_countingLevel/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype ftgd_quota_counting

level notice









user User name.














172










class The class.


cat The category.





msg "Webfilter quota has begun counting."

173

13316Message ID: 013316Message Description: FortiGuard webfilter category quota expiredType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): urlfilterLevel/Severity: warning

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level warning









user User name.














174










class The class.


cat The category.





msg "Webfilter quota for category has expired."

175

13317Message ID: 013317Message Description: URL visitedType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): urlfilterLevel/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level notice









user User name.














176










class The class.


cat The category.


msg "URL has been visited."

177

13568Message ID: 013568Message Description: Web script filter ActiveXType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): activexfilterLevel/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype activexfilter

level notice









user User name.














178









count Number of packets.

msg "ActiveX script was removed."

179

13573Message ID: 013573Message Description: Web script filter cookieType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): cookiefilterLevel/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype cookiefilter

level notice









user User name.














180









msg "Cookie was removed."

181

13584Message ID: 013584Message Description: Web script filter appletType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): appletfilterLevel/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype appletfilter

level notice









user User name.














182










msg "Java applet was removed."

183

13601Message ID: 013601Message Description: Web cookie filterType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): cookiefilterLevel/Severity: notice

Log field Meaning

type utm

subtype webfilter


level notice









user User name.














184










filtertype The script filter type. Can be: N/A, jscript, javascript, vbscript, or unknown.

msg "Cookie was removed entirely."

185

13602Message ID: 013602Message Description: Web referer filterType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): cookiefilterLevel/Severity: notice

Log field Meaning

type utm

subtype webfilter


level notice









user User name.














186










filtertype The script filter type. Can be: N/A, jscript, javascript, vbscript, or unknown.

msg "Referer was removed from request."

187

13603Message ID: 013603Message Description: Command blockedType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): webfilter_command_blockLevel/Severity: warning

Log field Meaning

type utm

subtype webfilter

eventtype webfilter_command_block

level warning









user User name.














188

msg "Command blocked."

189

13616Message ID: 013616Message Description: Content type blockedType (type): utmSubtype (subtype): webfilterEvent Type (eventtype): contentLevel/Severity: warning

Log field Meaning

type utm

subtype webfilter

eventtype content

level warning









user User name.














190









agent Agent.



contenttype Content type.

msg "Blocked by HTTP Header Content Type."

191

IPS16384

Message ID: 016384Message Description: attack signature (tcp/udp)Type (type): utmSubtype (subtype): ipsEvent Type (eventtype): signatureLevel/Severity: alert

Log field Meaning

type utm

subtype ips

eventtype signature

level alert












status The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.





attackname Attack name.


192


attackid The identification number of the attack log message.

sensor Sensor.


user User name.







incidentserialno Incident serial number.

193

16385Message ID: 016385Message Description: attack signature (icmp)Type (type): utmSubtype (subtype): ipsEvent Type (eventtype): signatureLevel/Severity: alert

Log field Meaning

type utm

subtype ips

eventtype signature

level alert


















icmpid The source port of the ICMP message.

icmptype The type of ICMP message.

icmpcode The destination port of the ICMP message.


194

sensor Sensor.


user User name.








195

16386Message ID: 016386Message Description: attack signature (others)Type (type): utmSubtype (subtype): ipsEvent Type (eventtype): signatureLevel/Severity: alert

Log field Meaning

type utm

subtype ips

eventtype signature

level alert



















sensor Sensor.


user User name.

196








197

18432Message ID: 018432Message Description: attack anomaly (tcp/udp)Type (type): utmSubtype (subtype): ipsEvent Type (eventtype): anomalyLevel/Severity: alert

Log field Meaning

type utm

subtype ips

eventtype anomaly

level alert





















sensor Sensor.

198


user User name.








199

18433Message ID: 018433Message Description: attack anomaly (icmp)Type (type): utmSubtype (subtype): ipsEvent Type (eventtype): anomalyLevel/Severity: alert

Log field Meaning

type utm

subtype ips

eventtype anomaly

level alert


















icmpid The source port of the ICMP message.

icmptype The type of ICMP message.

icmpcode The destination port of the ICMP message.


200

sensor Sensor.


user User name.








201

18434Message ID: 018434Message Description: attack anomaly (others)Type (type): utmSubtype (subtype): ipsEvent Type (eventtype): anomalyLevel/Severity: alert

Log field Meaning

type utm

subtype ips

eventtype anomaly

level alert



















sensor Sensor.


user User name.

202








203

Spam20480

Message ID: 020480Message Description: antispam smtp (warning)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): smtpLevel/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype smtp

level notice







user User name.












204






status The status of the email message. One of: exempted, blocked, or detected.



tracker Tracker ID.



205

20481Message ID: 020481Message Description: antispam smtp (warning)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): smtpLevel/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype smtp

level notice







user User name.
















206





tracker Tracker ID.




subject Subject.

207

20482Message ID: 020482Message Description: antispam pop3 (warning)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): pop3Level/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype pop3

level notice







user User name.
















208





tracker Tracker ID.



209

20483Message ID: 020483Message Description: antispam pop3 (warning)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): pop3Level/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype pop3

level notice







user User name.
















210





tracker Tracker ID.




211

20484Message ID: 020484Message Description: antispam imap (notice)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): imapLevel/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype imap

level notice







user User name.
















212





tracker Tracker ID.



213

20485Message ID: 020485Message Description: antispam endpoint filter (warning)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): endpointfilterLevel/Severity: warning

Log field Meaning

type utm

subtype spam

eventtype endpointfilter

level warning







user User name.
















214





tracker Tracker ID.



215

20486Message ID: 020486Message Description: antispam endpoint filter (notice)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): endpointfilterLevel/Severity: notice

Log field Meaning

type utm

subtype spam


level notice







user User name.
















216





tracker Tracker ID.



217

20487Message ID: 020487Message Description: antispam endpoint filter (mm7 warning)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): endpointfilterLevel/Severity: warning

Log field Meaning

type utm

subtype spam


level warning







user User name.
















218





tracker Tracker ID.



agent Agent.

219

20488Message ID: 020488Message Description: antispam endpoint filter (mm7 notice)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): endpointfilterLevel/Severity: notice

Log field Meaning

type utm

subtype spam


level notice







user User name.
















220





tracker Tracker ID.



agent Agent.

221

20489Message ID: 020489Message Description: antispam endpoint filter (mm1 warning)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): endpointfilterLevel/Severity: warning

Log field Meaning

type utm

subtype spam


level warning







user User name.
















222





tracker Tracker ID.



direction The direction of the message. Either tx or rx.

agent Agent.

223

20490Message ID: 020490Message Description: antispam endpoint filter (mm1 notice)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): endpointfilterLevel/Severity: notice

Log field Meaning

type utm

subtype spam


level notice







user User name.
















224





tracker Tracker ID.




agent Agent.

225

20491Message ID: 020491Message Description: antispam imap banned-word (notice)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): imapLevel/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype imap

level notice







user User name.
















226





tracker Tracker ID.




subject Subject.

227

20492Message ID: 020492Message Description: antispam MM1 flood detection (warning)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): mmsLevel/Severity: warning

Log field Meaning

type utm

subtype spam

eventtype mms

level warning







user User name.
















228





tracker Tracker ID.




agent Agent.

229

20493Message ID: 020493Message Description: antispam MM1 flood detection (notice)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): mmsLevel/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype mms

level notice







user User name.
















230





tracker Tracker ID.




agent Agent.

231

20494Message ID: 020494Message Description: antispam MM4 flood detection (warning)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): mmsLevel/Severity: warning

Log field Meaning

type utm

subtype spam

eventtype mms

level warning







user User name.
















232





tracker Tracker ID.



233

20495Message ID: 020495Message Description: antispam MM4 flood detection (notice)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): mmsLevel/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype mms

level notice







user User name.
















234





tracker Tracker ID.



235

20496Message ID: 020496Message Description: antispam MM1 duplicate detection (warning)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): mmsLevel/Severity: warning

Log field Meaning

type utm

subtype spam

eventtype mms

level warning







user User name.
















236





tracker Tracker ID.



direction The direction of the traffic: incoming, outgoing, or N/A.

agent Agent.

237

20497Message ID: 020497Message Description: antispam MM1 duplicate detection (notice)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): mmsLevel/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype mms

level notice







user User name.
















238





tracker Tracker ID.




agent Agent.

239

20498Message ID: 020498Message Description: antispam MM4 duplicate detection (warning)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): mmsLevel/Severity: warning

Log field Meaning

type utm

subtype spam

eventtype mms

level warning







user User name.
















240





tracker Tracker ID.



241

20499Message ID: 020499Message Description: antispam MM4 duplicate detection (notice)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): mmsLevel/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype mms

level notice







user User name.
















242





tracker Tracker ID.



243

20500Message ID: 020500Message Description: antispam msn hotmail (notice)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): msnLevel/Severity: information

Log field Meaning

type utm

subtype spam

eventtype msn

level information







user User name.
















244





tracker Tracker ID.



subject Subject.

size The size of the message/attachments.

cc Alternate destination addresses.

attachment Email attachment.

245

20501Message ID: 020501Message Description: antispam yahoo mail (notice)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): yahooLevel/Severity: information

Log field Meaning

type utm

subtype spam

eventtype yahoo

level information







user User name.
















246





tracker Tracker ID.



subject Subject.




247

20502Message ID: 020502Message Description: antispam gmail (notice)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): googleLevel/Severity: information

Log field Meaning

type utm

subtype spam

eventtype google

level information







user User name.
















248





tracker Tracker ID.



subject Subject.




249

20503Message ID: 020503Message Description: antispam smtp general (info)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): smtpLevel/Severity: information

Log field Meaning

type utm

subtype spam

eventtype smtp

level information







user User name.
















250





tracker Tracker ID.




subject Subject.




251

20504Message ID: 020504Message Description: antispam pop3 general (info)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): pop3Level/Severity: information

Log field Meaning

type utm

subtype spam

eventtype pop3

level information







user User name.
















252





tracker Tracker ID.




subject Subject.




253

20505Message ID: 020505Message Description: antispam imap general (info)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): imapLevel/Severity: information

Log field Meaning

type utm

subtype spam

eventtype imap

level information







user User name.
















254





tracker Tracker ID.




subject Subject.




255

20506Message ID: 020506Message Description: antispam mapi (warning)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): mapiLevel/Severity: information

Log field Meaning

type utm

subtype spam

eventtype mapi

level information







user User name.
















256





tracker Tracker ID.



subject Subject.


257

20507Message ID: 020507Message Description: antispam mapi (warning)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): mapiLevel/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype mapi

level notice







user User name.
















258





tracker Tracker ID.




259

20508Message ID: 020508Message Description: antispam mapi (warning)Type (type): utmSubtype (subtype): spamEvent Type (eventtype): mapiLevel/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype mapi

level notice







user User name.
















260





tracker Tracker ID.



subject Subject.


0

DLP24576

Message ID: 024576Message Description: DLP log (Warning)Type (type): utmSubtype (subtype): dlpEvent Type (eventtype): dlpLevel/Severity: warning

Log field Meaning

type utm

subtype dlp

eventtype dlp

level warning



filteridx The filter index.

dlpextra Extra DLP information.

filtertype DLP filter type. One of the following: credit-card, ssn, regexp, file-size, file-type, watermark, encrypted, none.





epoch Epoch.

eventid Serial number.

user User name.







1










subject Subject.


action Action taken by the FortiGate unit. One of the following: log-only, block, exempt, ban, ban sender, quarantine ip, quarantineinterface.


2

24577Message ID: 024577Message Description: DLP log (Notice)Type (type): utmSubtype (subtype): dlpEvent Type (eventtype): dlpLevel/Severity: notice

Log field Meaning

type utm

subtype dlp

eventtype dlp

level notice



filteridx The filter index.


filtertype DLP filter type. One of the following: credit-card, ssn, regexp, file-size, file-type, watermark, encrypted, none.





epoch Epoch.


user User name.











3






subject Subject.


action Action taken by the FortiGate unit. One of the following: log-only, block, exempt, ban, ban sender, quarantine ip, quarantineinterface.


4

24578Message ID: 024578Message Description: DLP fingerprint document source (Notice)Type (type): utmSubtype (subtype): dlpEvent Type (eventtype): dlp-docsourceLevel/Severity: notice

Log field Meaning

type utm

subtype dlp

eventtype dlp-docsource

level notice




sensitivity The sensitivity of the DLP sensor.

docsource The fingerprinted document's source.


5

24579Message ID: 024579Message Description: DLP fingerprint document source (Error)Type (type): utmSubtype (subtype): dlpEvent Type (eventtype): dlp-docsourceLevel/Severity: warning

Log field Meaning

type utm

subtype dlp

eventtype dlp-docsource

level warning




sensitivity The sensitivity of the DLP sensor.

docsource The fingerprinted document's source.


6

Application Control28672

Message ID: 028672Message Description: application control im-basic logType (type): utmSubtype (subtype): app-ctrlEvent Type (eventtype): app-ctrl-allLevel/Severity: information

Log field Meaning

type utm

subtype app-ctrl

eventtype app-ctrl-all

level information




user User name.







kind The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,response, video, ssh.









7


srcuser The source user.

dstuser The destination user.








apptype The type of application that triggered the action within the control list.


action The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.

8

28673Message ID: 028673Message Description: application control im logType (type): utmSubtype (subtype): app-ctrlEvent Type (eventtype): app-ctrl-allLevel/Severity: notice

Log field Meaning

type utm

subtype app-ctrl


level notice




user User name.



















9











status The status of the traffic. One of: request, cancel, accept, fail, download, stop, start, end, timeout, blocked, succeeded,failed, authentication-required, pass, block.

10

28674Message ID: 028674Message Description: application control im(chat message count) logType (type): utmSubtype (subtype): app-ctrlEvent Type (eventtype): app-ctrl-allLevel/Severity: information

Log field Meaning

type utm

subtype app-ctrl


level information




user User name.



















11












12

28675Message ID: 028675Message Description: application control im(file) logType (type): utmSubtype (subtype): app-ctrlEvent Type (eventtype): app-ctrl-allLevel/Severity: information

Log field Meaning

type utm

subtype app-ctrl


level information




user User name.



















13













filesize File size.

immsg IM message content.

14

28676Message ID: 028676Message Description: application control im(chat) logType (type): utmSubtype (subtype): app-ctrlEvent Type (eventtype): app-ctrl-allLevel/Severity: notice

Log field Meaning

type utm

subtype app-ctrl


level notice




user User name.



















15












content Traffic content.

16

28677Message ID: 028677Message Description: application control im(chat blocked) logType (type): utmSubtype (subtype): app-ctrlEvent Type (eventtype): app-ctrl-allLevel/Severity: notice

Log field Meaning

type utm

subtype app-ctrl


level notice




user User name.



















17












reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

req The request information.

18

28678Message ID: 028678Message Description: application control im-block logType (type): utmSubtype (subtype): app-ctrlEvent Type (eventtype): app-ctrl-allLevel/Severity: notice

Log field Meaning

type utm

subtype app-ctrl


level notice




user User name.



















19











20

28688Message ID: 028688Message Description: application control (voip basic) logType (type): utmSubtype (subtype): app-ctrlEvent Type (eventtype): app-ctrl-allLevel/Severity: information

Log field Meaning

type utm

subtype app-ctrl


level information




user User name.



















21












22

28689Message ID: 028689Message Description: application control (sccp call blocked) logType (type): utmSubtype (subtype): app-ctrlEvent Type (eventtype): app-ctrl-allLevel/Severity: information

Log field Meaning

type utm

subtype app-ctrl


level information




user User name.



















23












phone The phone information or number.


24

28690Message ID: 028690Message Description: application control (sip block) logType (type): utmSubtype (subtype): app-ctrlEvent Type (eventtype): app-ctrl-allLevel/Severity: notice

Log field Meaning

type utm

subtype app-ctrl


level notice




user User name.



















25













req The request information.

26

28704Message ID: 028704Message Description: application control ips log (pass)Type (type): utmSubtype (subtype): app-ctrlEvent Type (eventtype): app-ctrl-allLevel/Severity: information

Log field Meaning

type utm

subtype app-ctrl


level information





user User name.



















27












message Log message information.

28

28705Message ID: 028705Message Description: application control ips log (block)Type (type): utmSubtype (subtype): app-ctrlEvent Type (eventtype): app-ctrl-allLevel/Severity: warning

Log field Meaning

type utm

subtype app-ctrl


level warning





user User name.



















29












30

28706Message ID: 028706Message Description: application control ips log (reset)Type (type): utmSubtype (subtype): app-ctrlEvent Type (eventtype): app-ctrl-allLevel/Severity: warning

Log field Meaning

type utm

subtype app-ctrl


level warning





user User name.



















31












32

28720Message ID: 028720Message Description: application control ssh filterType (type): utmSubtype (subtype): app-ctrlEvent Type (eventtype): app-ctrl-allLevel/Severity: notice

Log field Meaning

type utm

subtype app-ctrl


level notice




user User name.



















33










34

28721Message ID: 028721Message Description: application control ssh filter blockType (type): utmSubtype (subtype): app-ctrlEvent Type (eventtype): app-ctrl-allLevel/Severity: warning

Log field Meaning

type utm

subtype app-ctrl


level warning




user User name.



















35










36

Event20099

Message ID: 020099Message Description: interface statistics changeType (type): eventSubtype (subtype): systemLevel/Severity: information

Log field Meaning

type event

subtype system

level information




action The action that was taken by the system.

status Status. Either UP or DOWN.

msg "Interface (interface name) was turned (up / down)."

37

32001Message ID: 032001Message Description: successful admin login attemptType (type): eventSubtype (subtype): systemLevel/Severity: information

Logfield

Meaning

type event

subtype system

level information




user User name.

ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP addressis 10.10.20.5). This field shows their point-of- entry in this field, GUI(10.10.20.5).


status Authentication status. One of: success, failure, timed_out, locked_out.

reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header,unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.


msg "Administrator (name) logged in successfully from (source)."

38

32003Message ID: 032003Message Description: successful admin logout attemptType (type): eventSubtype (subtype): systemLevel/Severity: information

Logfield

Meaning

type event

subtype system

level information




user User name.



status Status. Either success or error.



msg "Administrator (name) logged out successfully from (source)." "Administrator (name) timed out on (source)."

39

32142Message ID: 032142Message Description: automatic config backupType (type): eventSubtype (subtype): systemLevel/Severity: notice

Logfield

Meaning

type event

subtype system

level notice




user User name.






msg "Automatic configuration backup to Management Station succeeded."

40

37120Message ID: 037120Message Description: negotiate IPsec phase 1 notifType (type): eventSubtype (subtype): vpnLevel/Severity: notice

Log field Meaning

type event

subtype vpn

level notice




action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip The remote IP address.

locip The local IP address.

remport Remote port.

locport Local port.

outintf Outward interface.

cookies Cookies.

user User name.


xauthuser The name of the XAuth user.

xauthgroup The name of the Xauthentication group.


status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

xauthresult XAuth result. Either XAUTH authentication successful, or XAUTH authentication failed.

msg "negotiate IPsec phase 1."

41

37121Message ID: 037121Message Description: negotiate IPsec phase 1 errorType (type): eventSubtype (subtype): vpnLevel/Severity: error

Log field Meaning

type event

subtype vpn

level error








locport Local port.


cookies Cookies.

user User name.






xauthresult XAuth result. Either XAUTH authentication successful, or XAUTH authentication failed.


42


Log field Meaning

type event

subtype vpn

level notice








locport Local port.


cookies Cookies.

user User name.






role Role - either responder or initiator.

esptransform ESP transform information. One of: ESP_NULL, ESP_DES, ESP_3DES, ESP_AES.

espauth ESP authentication information. One of: no authentication, HMAC_SHA1, HMAC_MD5, HMAC_SHA256.


43


Log field Meaning

type event

subtype vpn

level error








locport Local port.


cookies Cookies.

user User name.










44

37124Message ID: 037124Message Description: IPsec phase 1 errorType (type): eventSubtype (subtype): vpnLevel/Severity: error

Log field Meaning

type event

subtype vpn

level error








locport Local port.


cookies Cookies.

user User name.






errorreason Error reason. One of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposalnot match local policy, peer notification, not enough key material for tunnel, encapsulation mode mismatch, no matchinggateway for new request, aggressive vs main mode mismatch for new request

45

peernotif Peer notification information. One of the following: NOT-APPLICABLE, INVALID-PAYLOAD-TYPE, DOI-NOT-SUPPORTED,SITUATION-NOT-SUPPORTED, INVALID-COOKIE, INVALID-MAJOR-VERSION, INVALID-MINOR-VERSION,INVALID-EXCHANGE-TYPE, INVALID-FLAGS, INVALID-MESSAGE-ID, INVALID-PROTOCOL-ID, INVALID-SPI,INVALID-TRANSFORM-ID, ATTRIBUTES-NOT-SUPPORTED, NO-PROPOSAL-CHOSEN, BAD-PROPOSAL-SYNTAX,PAYLOAD-MALFORMED, INVALID-KEY-INFORMATION, INVALID-ID-INFORMATION, INVALID-CERT-ENCODING,INVALID-CERTIFICATE, BAD-CERT-REQUEST-SYNTAX, INVALID-CERT-AUTHORITY, INVALID-HASH-INFORMATION,AUTHENTICATION-FAILED, INVALID-SIGNATURE, ADDRESS-NOTIFICATION, NOTIFY-SA-LIFETIME,CERTIFICATE-UNAVAILABLE, UNSUPPORTED-EXCHANGE-TYPE, UNEQUAL-PAYLOAD-LENGTHS, CONNECTED,RESPONDER-LIFETIME, REPLAY-STATUS, INITIAL-CONTACT, R-U-THERE, R-U-THERE-ACK, HEARTBEAT,RETRY-LIMIT-REACHED

msg "IPsec phase 1 error."

46


Log field Meaning

type event

subtype vpn

level error








locport Local port.


cookies Cookies.

user User name.








47

37126Message ID: 037126Message Description: IPsec no state errorType (type): eventSubtype (subtype): vpnLevel/Severity: error

Log field Meaning

type event

subtype vpn

level error








locport Local port.


cookies Cookies.

user User name.







msg "IPsec no state error."

48

37127Message ID: 037127Message Description: progress IPsec phase 1 notifType (type): eventSubtype (subtype): vpnLevel/Severity: notice

Log field Meaning

type event

subtype vpn

level notice








locport Local port.


cookies Cookies.

user User name.






init Initiator: either local or remote.

mode Mode. One of: aggressive, main, quick, xauth, xauth_client.

direction Direction, either outbound or inbound.

stage Stage number.


result Result. One of: ERROR, OK, DONE, PENDING.

msg "progress IPsec phase 1."

49

37128Message ID: 037128Message Description: progress IPsec phase 1 errorType (type): eventSubtype (subtype): vpnLevel/Severity: error

Log field Meaning

type event

subtype vpn

level error








locport Local port.


cookies Cookies.

user User name.









stage Stage number.




50


Log field Meaning

type event

subtype vpn

level notice








locport Local port.


cookies Cookies.

user User name.









stage Stage number.




51


Log field Meaning

type event

subtype vpn

level error








locport Local port.


cookies Cookies.

user User name.









stage Stage number.




52

37131Message ID: 037131Message Description: IPsec ESP notifType (type): eventSubtype (subtype): vpnLevel/Severity: error

Log field Meaning

type event

subtype vpn

level error








locport Local port.


cookies Cookies.

user User name.






errornum ESP error information. One of the following: Invalid ESP packet detected (HMAC validation failed)., Invalid ESP packetdetected (invalid padding)., Invalid ESP packet detected (invalid padding length)., Invalid ESP packet detected (replayedpacket)., Invalid ESP packet detected (payload not aligned)., Invalid ESP packet detected (wrong cipher key size)., InvalidESP packet detected (no space)., Invalid ESP packet detected (invalid padding)., Invalid ESP packet detected (ASIC error).,Invalid ESP packet detected (unsupported protocol)., Invalid ESP packet detected (truncated header)., Received ESP packetwith unknown SPI.

spi IPsec Security Parameter Index.

seq Sequence number.

msg "IPsec ESP."

53

37132Message ID: 037132Message Description: IPsec ESP errorType (type): eventSubtype (subtype): vpnLevel/Severity: critical

Log field Meaning

type event

subtype vpn

level critical








locport Local port.


cookies Cookies.

user User name.






errornum ESP error information. One of the following: Invalid ESP packet detected (HMAC validation failed)., Invalid ESP packetdetected (invalid padding)., Invalid ESP packet detected (invalid padding length)., Invalid ESP packet detected (replayedpacket)., Invalid ESP packet detected (payload not aligned)., Invalid ESP packet detected (wrong cipher key size)., InvalidESP packet detected (no space)., Invalid ESP packet detected (invalid padding)., Invalid ESP packet detected (ASIC error).,Invalid ESP packet detected (unsupported protocol)., Invalid ESP packet detected (truncated header)., Received ESP packetwith unknown SPI.



msg "IPsec ESP."

54

37133Message ID: 037133Message Description: install IPsec SAType (type): eventSubtype (subtype): vpnLevel/Severity: notice

Log field Meaning

type event

subtype vpn

level notice








locport Local port.


cookies Cookies.

user User name.






inspi In SPI.

outspi Out SPI.

msg "install IPsec SA."

55

37134Message ID: 037134Message Description: delete IPsec phase 1 SAType (type): eventSubtype (subtype): vpnLevel/Severity: notice

Log field Meaning

type event

subtype vpn

level notice








locport Local port.


cookies Cookies.

user User name.





msg "delete IPsec phase 1 SA."

56


Log field Meaning

type event

subtype vpn

level notice








locport Local port.


cookies Cookies.

user User name.





encspi Enc SPI.

decspi Dec SPI.


57

37136Message ID: 037136Message Description: IPsec DPD failureType (type): eventSubtype (subtype): vpnLevel/Severity: error

Log field Meaning

type event

subtype vpn

level error








locport Local port.


cookies Cookies.

user User name.






msg "IPsec DPD failure."

58

37137Message ID: 037137Message Description: IPsec connection failureType (type): eventSubtype (subtype): vpnLevel/Severity: error

Log field Meaning

type event

subtype vpn

level error








locport Local port.


cookies Cookies.

user User name.






msg "IPsec connection failure."

59

37138Message ID: 037138Message Description: IPsec connection status changeType (type): eventSubtype (subtype): vpnLevel/Severity: notice

Log field Meaning

type event

subtype vpn

level notice








locport Local port.


cookies Cookies.

user User name.





tunnelip The tunnel IP address.

tunnelid The tunnel ID.

tunneltype "ipsec"




nextstat Next stat number.

tunnel Tunnel name.

msg "IPsec connection status change."

60


Log field Meaning

type event

subtype vpn

level notice








locport Local port.


cookies Cookies.

user User name.





phase2name Phase 2 name.

msg "IPsec phase 2 status change."

61

37140Message ID: 037140Message Description: auto-IPsec statusType (type): eventSubtype (subtype): vpnLevel/Severity: notice

Log field Meaning

type event

subtype vpn

level notice








locport Local port.


cookies Cookies.

user User name.







msg "auto-IPsec status."

62

37141Message ID: 037141Message Description: IPsec tunnel statisticsType (type): eventSubtype (subtype): vpnLevel/Severity: notice

Log field Meaning

type event

subtype vpn

level notice








locport Local port.


cookies Cookies.

user User name.







tunneltype "ipsec"





tunnel Tunnel name.

msg "IPsec tunnel statistics."

63


Log field Meaning

type event

subtype vpn

level notice




action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,phase2-up, phase2-down, auto-ipsec.




locport Local port.


cookies Cookies.

user User name.






64


Log field Meaning

type event

subtype vpn

level error








locport Local port.


cookies Cookies.

user User name.






65


Log field Meaning

type event

subtype vpn

level notice








locport Local port.


cookies Cookies.

user User name.








66


Log field Meaning

type event

subtype vpn

level error








locport Local port.


cookies Cookies.

user User name.








67


Log field Meaning

type event

subtype vpn

level error








locport Local port.


cookies Cookies.

user User name.






68


Log field Meaning

type event

subtype vpn

level error








locport Local port.


cookies Cookies.

user User name.






69

37190Message ID: 037190Message Description: IPsec not state errorType (type): eventSubtype (subtype): vpnLevel/Severity: error

Log field Meaning

type event

subtype vpn

level error








locport Local port.


cookies Cookies.

user User name.





msg "IPsec no state error."

70


Log field Meaning

type event

subtype vpn

level notice








locport Local port.


cookies Cookies.

user User name.





exch Exchange. One of: SA_INIT, AUTH, CREATE_CHILD.




version "IKEv2"


71


Log field Meaning

type event

subtype vpn

level error








locport Local port.


cookies Cookies.

user User name.









version "IKEv2"


72


Log field Meaning

type event

subtype vpn

level notice








locport Local port.


cookies Cookies.

user User name.









version "IKEv2"


73


Log field Meaning

type event

subtype vpn

level error








locport Local port.


cookies Cookies.

user User name.









version "IKEv2"


74

37195Message ID: 037195Message Description: IPsec ESP notifType (type): eventSubtype (subtype): vpnLevel/Severity: error

Log field Meaning

type event

subtype vpn

level error








locport Local port.


cookies Cookies.

user User name.




errornum ESP error information. One of the following: Invalid ESP packet detected (HMAC validation failed)., Invalid ESP packet detected(invalid padding)., Invalid ESP packet detected (invalid padding length)., Invalid ESP packet detected (replayed packet)., InvalidESP packet detected (payload not aligned)., Invalid ESP packet detected (wrong cipher key size)., Invalid ESP packet detected(no space)., Invalid ESP packet detected (invalid padding)., Invalid ESP packet detected (ASIC error)., Invalid ESP packetdetected (unsupported protocol)., Invalid ESP packet detected (truncated header)., Received ESP packet with unknown SPI.



msg "IPsec ESP."

75

37196Message ID: 037196Message Description: IPsec ESP errorType (type): eventSubtype (subtype): vpnLevel/Severity: critical

Log field Meaning

type event

subtype vpn

level critical








locport Local port.


cookies Cookies.

user User name.




errornum ESP error information. One of the following: Invalid ESP packet detected (HMAC validation failed)., Invalid ESP packet detected(invalid padding)., Invalid ESP packet detected (invalid padding length)., Invalid ESP packet detected (replayed packet)., InvalidESP packet detected (payload not aligned)., Invalid ESP packet detected (wrong cipher key size)., Invalid ESP packet detected(no space)., Invalid ESP packet detected (invalid padding)., Invalid ESP packet detected (ASIC error)., Invalid ESP packetdetected (unsupported protocol)., Invalid ESP packet detected (truncated header)., Received ESP packet with unknown SPI.



msg "IPsec ESP."

76

37197Message ID: 037197Message Description: install IPsec SAType (type): eventSubtype (subtype): vpnLevel/Severity: notice

Log field Meaning

type event

subtype vpn

level notice








locport Local port.


cookies Cookies.

user User name.




inspi In SPI.

outspi Out SPI.

msg "install IPsec SA."

77


Log field Meaning

type event

subtype vpn

level notice








locport Local port.


cookies Cookies.

user User name.




78


Log field Meaning

type event

subtype vpn

level notice








locport Local port.


cookies Cookies.

user User name.



encspi Enc SPI.

decspi Dec SPI.


79

37200Message ID: 037200Message Description: IPsec DPD failureType (type): eventSubtype (subtype): vpnLevel/Severity: error

Log field Meaning

type event

subtype vpn

level error








locport Local port.


cookies Cookies.

user User name.




msg "IPsec DPD failure."

80

37201Message ID: 037201Message Description: IPsec connection failureType (type): eventSubtype (subtype): vpnLevel/Severity: error

Log field Meaning

type event

subtype vpn

level error








locport Local port.


cookies Cookies.

user User name.




msg "IPsec connection failure."

81


Log field Meaning

type event

subtype vpn

level notice








locport Local port.


cookies Cookies.

user User name.





tunneltype "ipsec"





tunnel Tunnel name.

msg "IPsec connection status change."

82


Log field Meaning

type event

subtype vpn

level notice








locport Local port.


cookies Cookies.

user User name.



phase2name Phase 2 name.

msg "IPsec phase 2 status change."

83

37204Message ID: 037204Message Description: IPsec tunnel statisticsType (type): eventSubtype (subtype): vpnLevel/Severity: notice

Log field Meaning

type event

subtype vpn

level notice








locport Local port.


cookies Cookies.

user User name.





tunneltype "ipsec"





tunnel Tunnel name.

msg "IPsec tunnel statistics."

84

37888Message ID: 037888Message Description: HA group deleteType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice




hagroup HA group.

msg "HA group is deleted."

85

37889Message ID: 037889Message Description: Virtual cluster deleteType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice




vcluster Virtual cluster.

msg "Virtual cluster is deleted."

86

37890Message ID: 037890Message Description: Virtual cluster move vdomType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice




fromvcluster Source virtual cluster.

tovcluster Destination virtual cluster.

vdname VDOM name.

msg "Virtual cluster's vdom is removed."

87

37891Message ID: 037891Message Description: Virtual cluster add vdomType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice




tovcluster Destination virtual cluster.

vdname VDOM name.

msg "Virtual cluster's vdom is added."

88

37892Message ID: 037892Message Description: Virtual cluster move member stateType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice




harole HA role: either master or slave.


vclusterstate Virtual cluster state. One of: init, helo, work, standby.

vclustermember Virtual cluster member.


sn Serial number.

msg "Virtual cluster's member state moved."

89

37893Message ID: 037893Message Description: Virtual cluster detect member deadType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice




hagroup HA group.


msg "Virtual cluster detected member dead."

90

37894Message ID: 037894Message Description: Virtual cluster detect member joinType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice




hagroup HA group.


msg "Virtual cluster detected member join."

91

37895Message ID: 037895Message Description: Virtual cluster add HA device (interface)Type (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice





devintfname The name of the device's interface.

msg "Virtual cluster add HA device."

92

37896Message ID: 037896Message Description: Virtual cluster delete HA device (interface)Type (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice






msg "Virtual cluster delete HA device (interface)."

93

37897Message ID: 037897Message Description: HA device (interface) readyType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice






msg "HA device (interface) ready."

94

37898Message ID: 037898Message Description: HA device (interface) failType (type): eventSubtype (subtype): systemLevel/Severity: warning

Log field Meaning

type event

subtype system

level warning






msg "HA device (interface) fail."

95

37899Message ID: 037899Message Description: HA device (interface) peerinfoType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice






msg "HA device (interface) peerinfo."

96

37900Message ID: 037900Message Description: Heartbeat device (interface) deleteType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice





msg "Heartbeat device (interface) delete."

97

37901Message ID: 037901Message Description: Heartbeat device (interface) downType (type): eventSubtype (subtype): systemLevel/Severity: critical

Log field Meaning

type event

subtype system

level critical





hbdnreason Heartbeat down reason: either linkfail or neighbor-info-lost.


msg "Heartbeat device (interface) down."

98

37902Message ID: 037902Message Description: Heartbeat device (interface) upType (type): eventSubtype (subtype): systemLevel/Severity: information

Log field Meaning

type event

subtype system

level information






msg "Heartbeat device (interface) up."

99

37903Message ID: 037903Message Description: The sync status with the masterType (type): eventSubtype (subtype): systemLevel/Severity: information

Log field Meaning

type event

subtype system

level information




synctype Sync type. Either configurations or external-files.

syncstatus Sync status. Either out-of-sync or in-sync.

msg "The sync status with the master."

100

37904Message ID: 037904Message Description: HA activity reportType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice




ip HA IP.

haprio HA priority.

activity HA activity message.

msg "HA activity report."

101

38031Message ID: 038031Message Description: Authentication messageType (type): eventSubtype (subtype): userLevel/Severity: notice

Log field Meaning

type event

subtype user

level notice




user User name.

src The source IP of the traffic.

server The name or IP address of the server.

action FSSO-polling-logon

status success

reason Reason.

msg "FSSO-polling-logon event from <device>: user <username> logged on <ip address>."

102


Log field Meaning

type event

subtype user

level notice




user User name.



action FSSO-polling-logoff

status success

reason Reason.

msg "FSSO-polling-logoff event from <device>: user <username> logged on <ip address>."

103


Log field Meaning

type event

subtype user

level notice



user User name.


action FSSO-polling-AD-server

msg "FSSO-polling-AD-server status changes: <description>."

104

38400Message ID: 038400Message Description: The system successfully sent a notification messageType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice




user User name.




proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies thenext level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).

dst The destination IP of the traffic.

dport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

nftype Notification type. One of: bword, file_block, carrier_ep_bwl, flood, dupe, alert, mms_checksum, virus.






msg "Successfully sent a notification message."

105

38401Message ID: 038401Message Description: The system was unable to send a notification messageType (type): eventSubtype (subtype): systemLevel/Severity: warning

Log field Meaning

type event

subtype system

level warning




user User name.






dport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

nftype Notification type. One of: bword, file_block, carrier_ep_bwl, flood, dupe, alert, mms_checksum, virus.






msg "Unable to send a notification message."

106

38402Message ID: 038402Message Description: The system was unable to resolve an MMSC hostnameType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice








profilevd Profile VDOM.

msg "Unable to resolve hostname."

107

38656Message ID: 038656Message Description: RADIUS protocol error reportType (type): eventSubtype (subtype): userLevel/Severity: notice

Log field Meaning

type event

subtype user

level notice






msg Message.

108

38657Message ID: 038657Message Description: RADIUS profile error reportType (type): eventSubtype (subtype): userLevel/Severity: notice

Log field Meaning

type event

subtype user

level notice






msg Message.

109

38658Message ID: 038658Message Description: RADIUS context error reportType (type): eventSubtype (subtype): userLevel/Severity: notice

Log field Meaning

type event

subtype user

level notice






msg Message.

110

38659Message ID: 038659Message Description: RADIUS missing stop packet reportType (type): eventSubtype (subtype): userLevel/Severity: notice

Log field Meaning

type event

subtype user

level notice






msg Message.

111

38660Message ID: 038660Message Description: RADIUS accounting event reportType (type): eventSubtype (subtype): userLevel/Severity: information

Log field Meaning

type event

subtype user

level information






msg Message.

112

38661Message ID: 038661Message Description: RADIUS other dynamic profile reportType (type): eventSubtype (subtype): userLevel/Severity: information

Log field Meaning

type event

subtype user

level information






msg Message.

113

38662Message ID: 038662Message Description: RADIUS protocol errors occurredType (type): eventSubtype (subtype): userLevel/Severity: notice

Log field Meaning

type event

subtype user

level notice




carrierep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message.This field will always display N/A in the FortiOS interface.

ip IP address.

rssokey RSSO key.

msg Message.

acctstat Accounting state. One of: Start, Stop, Interim-Update, Accounting-On, Accounting-Off.

reason Reason.

114

38663Message ID: 038663Message Description: RADIUS start or interim-update packet received with missing or invalid profilespecifiedType (type): eventSubtype (subtype): userLevel/Severity: notice

Log field Meaning

type event

subtype user

level notice





ip IP address.

rssokey RSSO key.

msg Message.


reason Reason.

115

38664Message ID: 038664Message Description: RADIUS no context found for userType (type): eventSubtype (subtype): userLevel/Severity: notice

Log field Meaning

type event

subtype user

level notice





ip IP address.

rssokey RSSO key.

msg Message.

116

38665Message ID: 038665Message Description: RADIUS stop packet was missedType (type): eventSubtype (subtype): userLevel/Severity: notice

Log field Meaning

type event

subtype user

level notice





ip IP address.

rssokey RSSO key.

msg Message.


reason Reason.

117

38666Message ID: 038666Message Description: RADIUS accounting eventType (type): eventSubtype (subtype): userLevel/Severity: notice

Log field Meaning

type event

subtype user

level notice





ip IP address.

rssokey RSSO key.

msg Message.


reason Reason.

118

38667Message ID: 038667Message Description: RADIUS other dynamic profile eventType (type): eventSubtype (subtype): userLevel/Severity: information

Log field Meaning

type event

subtype user

level information





ip IP address.

rssokey RSSO key.

msg Message.


reason Reason.


119

39424Message ID: 039424Message Description: SSL tunnel establishedType (type): eventSubtype (subtype): vpnLevel/Severity: information

Log field Meaning

type event

subtype vpn

level information




action "tunnel-up"

tunneltype "ssl-web"




user User name.


dsthost Destination host.


msg "SSL tunnel established."

120

39425Message ID: 039425Message Description: SSL tunnel shutdownType (type): eventSubtype (subtype): vpnLevel/Severity: information

Log field Meaning

type event

subtype vpn

level information




action "tunnel-down"





user User name.








121

39426Message ID: 039426Message Description: SSL user failed to log inType (type): eventSubtype (subtype): vpnLevel/Severity: information

Log field Meaning

type event

subtype vpn

level information




action "ssl-login-fail"





user User name.




msg "SSL user failed to log in."

122

39936Message ID: 039936Message Description: SSL web tunnel statisticsType (type): eventSubtype (subtype): vpnLevel/Severity: information

Log field Meaning

type event

subtype vpn

level information




action "tunnel-stats"





user User name.



nextstats Next statistics.





msg "SSL web tunnel statistics."

123

39937Message ID: 039937Message Description: SSL web application blockedType (type): eventSubtype (subtype): vpnLevel/Severity: warning

Log field Meaning

type event

subtype vpn

level warning




action "ssl-web-deny"





user User name.




msg "SSL web application blocked."

124

39938Message ID: 039938Message Description: SSL web application activatedType (type): eventSubtype (subtype): vpnLevel/Severity: information

Log field Meaning

type event

subtype vpn

level information




action "ssl-web-pass"





user User name.




msg "SSL web application activated."

125

39939Message ID: 039939Message Description: SSL web application timeoutType (type): eventSubtype (subtype): vpnLevel/Severity: information

Log field Meaning

type event

subtype vpn

level information




action "ssl-web-timeout"





user User name.




msg "SSL web application timeout."

126

39940Message ID: 039940Message Description: SSL web application closedType (type): eventSubtype (subtype): vpnLevel/Severity: information

Log field Meaning

type event

subtype vpn

level information




action "ssl-web-close"





user User name.




msg "SSL web application closed."

127

39941Message ID: 039941Message Description: SSL system busyType (type): eventSubtype (subtype): vpnLevel/Severity: information

Log field Meaning

type event

subtype vpn

level information




action "ssl-sys-busy"





user User name.




msg "SSL system busy."

128

39942Message ID: 039942Message Description: SSL new SSL certification verification successType (type): eventSubtype (subtype): vpnLevel/Severity: information

Log field Meaning

type event

subtype vpn

level information




action "ssl-cert"

tunneltype "ssl"




user User name.




msg "SSL new SSL certification verification success."

129

39943Message ID: 039943Message Description: SSL new connectionType (type): eventSubtype (subtype): vpnLevel/Severity: debug

Log field Meaning

type event

subtype vpn

level debug




action "ssl-new-con"

tunneltype "ssl"




user User name.




msg "SSL new connection."

130

39944Message ID: 039944Message Description: SSL alertsType (type): eventSubtype (subtype): vpnLevel/Severity: error

Log field Meaning

type event

subtype vpn

level error




action "ssl-alert"

tunneltype "ssl"




user User name.



alert Alert information.

desc Description.

msg "SSL alerts."

131

39945Message ID: 039945Message Description: SSL exit failType (type): eventSubtype (subtype): vpnLevel/Severity: error

Log field Meaning

type event

subtype vpn

level error




action "ssl-exit-fail"

tunneltype "ssl"




user User name.




msg "SSL exit fail."

132

39946Message ID: 039946Message Description: SSL exit errorType (type): eventSubtype (subtype): vpnLevel/Severity: error

Log field Meaning

type event

subtype vpn

level error




action "ssl-exit-error"

tunneltype "ssl"




user User name.




msg "SSL exit error."

133

39947Message ID: 039947Message Description: SSL tunnel establishedType (type): eventSubtype (subtype): vpnLevel/Severity: information

Log field Meaning

type event

subtype vpn

level information




action "tunnel-up"

tunneltype "ssl-tunnel"




user User name.





134

39948Message ID: 039948Message Description: SSL tunnel shutdownType (type): eventSubtype (subtype): vpnLevel/Severity: information

Log field Meaning

type event

subtype vpn

level information




action "tunnel-down"





user User name.








135

39949Message ID: 039949Message Description: SSL tunnel statisticsType (type): eventSubtype (subtype): vpnLevel/Severity: information

Log field Meaning

type event

subtype vpn

level information




action "tunnel-stats"





user User name.



nextstats Next statistics.





msg "SSL tunnel statistics."

136

39950Message ID: 039950Message Description: SSL tunnel unknown tagType (type): eventSubtype (subtype): vpnLevel/Severity: information

Log field Meaning

type event

subtype vpn

level information




action "ssl-tunnel-unknown-tag"





user User name.




msg "SSL tunnel unknown tag."

137

39951Message ID: 039951Message Description: SSL tunnel errorType (type): eventSubtype (subtype): vpnLevel/Severity: error

Log field Meaning

type event

subtype vpn

level error




action "ssl-tunnel-error"





user User name.




msg "SSL tunnel error."

138

40704Message ID: 040704Message Description: System performanceType (type): eventSubtype (subtype): systemLevel/Severity: information

Log field Meaning

type event

subtype system

level information




action "perf-stats"

cpu CPU usage.

mem Memory usage.

totalsession Total IP sessions.

msg "Performance statistics."

139

40960Message ID: 040960Message Description: web proxy forward server errorType (type): eventSubtype (subtype): wadLevel/Severity: notice

Log field Meaning

type event

subtype wad

level notice




fwservername Forward server name.

addrtype Address type, either IP or FQDN.

ip IP address.

fqdn Domain name.

port Port number.

msg Message. Either "Failed to connect to forward server" or "Successfully connected to forward server".

140

41216Message ID: 041216Message Description: GTP forwardType (type): eventSubtype (subtype): systemLevel/Severity: information

Log field Meaning

type event

subtype system

level information





status GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data,prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.

version Version.

msgtype Message type.





seqnum Sequence number.

tunnelidx Tunnel index.

imsi IMSI.

msisdn The MSISDN information.

apn APN.

selection Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.

cgsn CGSN.

ugsn UGSN.

nsapi NSAPI.

linkednsapi Linked NSAPI.

imeisv IMEISV.

rattype Rat type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.

rai RAI.

uli ULI.

141

endusraddress End user address.

headerteid Header TEID.

142

41217Message ID: 041217Message Description: GTP DenyType (type): eventSubtype (subtype): systemLevel/Severity: information

Log field Meaning

type event

subtype system

level information






version Version.




denycause Denial cause. One of: packet-sanity, invalid-reserved-field, reserved-msg, out-state-msg, reserved-ie, out-state-ie,invalid-msg-length, invalid-ie-length, miss-mandatory-ie, ip-policy, non-ip-policy, sgsn-not-authorized, sgsn-no-handover,ggsn-not-authorized, invalid-seq-num, msg-filter, apn-filter, imsi-filter, adv-policy-filter, unknown-gtp-version

ietype IE type.

dtlexp Detailed explanation. One of the following:none, ie-is-missing, invalid-ie-length, no-tunnel-exists, hteid-is-zero, response-hteid-doesnt-match-request,payload-teid-is-zero, invalid-tid, header-seq-num-is-missing, expired-echo-response, expired-create-response,expired-update-response, expired-delete-response,invalid-mcc-mnc, neither-hteid-nor-cteid-exists,cant-have-both-hteid-and-cteid, malformed-extension-header, expired-create-session-response,expired-create-bearer-response,expired-create-indirect-tunnel-response, expired-modified-bearer-response,expired-update-bearer-response, expired-delete-session-response, expired-delete-beaerer-response,expired-delete-indirect-tunnel-response, expired-release-access-bearer-response, cause-value-should-be-isr-deactivation,imsi-shouldnt-exist, fteid-shouldnt-exist, cant-have-both-ebi-and-lbi, invalid-eps-bearer-id, malformed-piggybacked-msg,malformed-p-flag, malformed-t-flag





imsi IMSI.

143


apn APN.


cgsn CGSN.

ugsn UGSN.

nsapi NSAPI.


imeisv IMEISV.


rai RAI.

uli ULI.



144

41218Message ID: 041218Message Description: GTP Rate LimitType (type): eventSubtype (subtype): systemLevel/Severity: information

Log field Meaning

type event

subtype system

level information






version Version.








imsi IMSI.


apn APN.


cgsn CGSN.

ugsn UGSN.

nsapi NSAPI.


imeisv IMEISV.


rai RAI.

uli ULI.

145



146

41219Message ID: 041219Message Description: GTP State InvalidType (type): eventSubtype (subtype): systemLevel/Severity: information

Log field Meaning

type event

subtype system

level information






version Version.









imsi IMSI.


apn APN.


cgsn CGSN.

147

ugsn UGSN.

nsapi NSAPI.


imeisv IMEISV.


rai RAI.

uli ULI.



148

41220Message ID: 041220Message Description: GTP Tunnel LimitType (type): eventSubtype (subtype): systemLevel/Severity: information

Log field Meaning

type event

subtype system

level information






version Version.








imsi IMSI.


apn APN.


cgsn CGSN.

ugsn UGSN.

nsapi NSAPI.


imeisv IMEISV.


rai RAI.

uli ULI.

149



150

41221Message ID: 041221Message Description: GTP Traffic AccountType (type): eventSubtype (subtype): systemLevel/Severity: information

Log field Meaning

type event

subtype system

level information






version Version.

csgsn CSGSN.

cggsn CGGSN.

usgsn USGSN.

uggsn UGGSN.

csgsnteid CSGSN TEID.

cggsnteid CSGSN TEID.

usgsnteid USGSN TEID.

uggsnteid UGGSN TEID.



cpkts C-packets.

cbytes C-bytes.

upkts U-packets.

ubytes U-bytes.


imsi IMSI.


apn APN.


151

cgsn CGSN.

ugsn UGSN.

nsapi NSAPI.


imeisv IMEISV.


rai RAI.

uli ULI.


152

41222Message ID: 041222Message Description: GTP User DataType (type): eventSubtype (subtype): systemLevel/Severity: information

Log field Meaning

type event

subtype system

level information






version Version.





imsi IMSI.


apn APN.

userdata User data.

153

41223Message ID: 041223Message Description: GTPv2 ForwardType (type): eventSubtype (subtype): systemLevel/Severity: information

Log field Meaning

type event

subtype system

level information






version Version.








imsi IMSI.


imeisv IMEISV.

snetwork Serving network.



apn APN.



cpaddr Sender IP address for control plane.

cpteid Sender TEID for control plane.

154

41224Message ID: 041224Message Description: GTPv2 DenyType (type): eventSubtype (subtype): systemLevel/Severity: information

Log field Meaning

type event

subtype system

level information






version Version.




denycause Denial cause. One of: packet-sanity, invalid-reserved-field, reserved-msg, out-state-msg, reserved-ie, out-state-ie,invalid-msg-length, invalid-ie-length, miss-mandatory-ie, ip-policy, non-ip-policy, sgsn-not-authorized, sgsn-no-handover,ggsn-not-authorized, invalid-seq-num, msg-filter, apn-filter, imsi-filter, adv-policy-filter, unknown-gtp-version

ietype IE type.






imsi IMSI.

155


imeisv IMEISV.




apn APN.





156

41225Message ID: 041225Message Description: GTPv2 Rate LimitType (type): eventSubtype (subtype): systemLevel/Severity: information

Log field Meaning

type event

subtype system

level information






version Version.








imsi IMSI.


imeisv IMEISV.




apn APN.





157

41226Message ID: 041226Message Description: GTPv2 State InvalidType (type): eventSubtype (subtype): systemLevel/Severity: information

Log field Meaning

type event

subtype system

level information






version Version.









imsi IMSI.


imeisv IMEISV.



158


apn APN.





159

41227Message ID: 041227Message Description: GTPv2 Tunnel LimitType (type): eventSubtype (subtype): systemLevel/Severity: information

Log field Meaning

type event

subtype system

level information






version Version.








imsi IMSI.


imeisv IMEISV.




apn APN.





160

41228Message ID: 041228Message Description: GTP Traffic AccountType (type): eventSubtype (subtype): systemLevel/Severity: information

Log field Meaning

type event

subtype system

level information






version Version.

cpdladdr Down-link IP address for control plane.

cpdlisraddr Secondary down-link IP address for control plane, for ISR cases.

cpuladdr Up-link IP address for control plane.

cpdlteid Down-link TEID for control plane.

cpdlisrteid Secondary down-link TEID for control plane, for ISR cases.

cpulteid Up-link TEID for control plane.



cpkts C-packets.

cbytes C-bytes.

upkts U-packets.

ubytes U-bytes.

imsi IMSI.


apn APN.


imeisv IMEISV.



161


162

41984Message ID: 041984Message Description: Certificate LoadType (type): eventSubtype (subtype): vpnLevel/Severity: information

Logfield

Meaning

type event

subtype vpn

level information




action "info"

user User name.


certtype Certificate type. One of: CA, CRL, Local, Remote.

msg "A certificate is loaded."

163

41985Message ID: 041985Message Description: Certificate RemovalType (type): eventSubtype (subtype): vpnLevel/Severity: information

Logfield

Meaning

type event

subtype vpn

level information




action "info"

user User name.



msg "A certificate is removed."

164

41986Message ID: 041986Message Description: Certificate RegeneratedType (type): eventSubtype (subtype): vpnLevel/Severity: information

Logfield

Meaning

type event

subtype vpn

level information




action "info"

status "success"

user User name.



msg "A certificate is regenerated."

165

41987Message ID: 041987Message Description: Certificate UpdatedType (type): eventSubtype (subtype): vpnLevel/Severity: information

Log field Meaning

type event

subtype vpn

level information




action "info"

status "success"

name Certificate name.



msg "A certificate is updated."

166

41988Message ID: 041988Message Description: SSL Setting UpdatedType (type): eventSubtype (subtype): vpnLevel/Severity: information

Logfield

Meaning

type event

subtype vpn

level information




action "info"

user User name.


msg "User changed SSL setting."

167

41989Message ID: 041989Message Description: Certificate ErrorType (type): eventSubtype (subtype): vpnLevel/Severity: information

Logfield

Meaning

type event

subtype vpn

level information




action "info"

user User name.



msg "Certificate is invalid."

168

43008Message ID: 043008Message Description: Authentication succeededType (type): eventSubtype (subtype): userLevel/Severity: notice

Logfield

Meaning

type event

subtype user

level notice







user User name.



action Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.


reason Reason.

msg Message.

169

43009Message ID: 043009Message Description: Authentication failedType (type): eventSubtype (subtype): userLevel/Severity: notice

Logfield

Meaning

type event

subtype user

level notice







user User name.





reason Reason.

msg Message.

170

43010Message ID: 043010Message Description: Authentication locked outType (type): eventSubtype (subtype): userLevel/Severity: warning

Logfield

Meaning

type event

subtype user

level warning







user User name.





reason Reason.

msg Message.

171

43011Message ID: 043011Message Description: Authentication timed outType (type): eventSubtype (subtype): userLevel/Severity: notice

Logfield

Meaning

type event

subtype user

level notice







user User name.





reason Reason.

msg Message.

172

43012Message ID: 043012Message Description: FSSO authentication succeededType (type): eventSubtype (subtype): userLevel/Severity: notice

Logfield

Meaning

type event

subtype user

level notice






proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the nextlevel protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).


user User name.

adgroup The name of the AD group.




reason Reason.

msg Message.

173

43013Message ID: 043013Message Description: FSSO authentication failedType (type): eventSubtype (subtype): userLevel/Severity: notice

Logfield

Meaning

type event

subtype user

level notice






proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the nextlevel protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).


user User name.





reason Reason.

msg Message.

174

43014Message ID: 043014Message Description: FSSO log onType (type): eventSubtype (subtype): userLevel/Severity: notice

Log field Meaning

type event

subtype user

level notice





user User name.



msg Message.

175

43015Message ID: 043015Message Description: FSSO log offType (type): eventSubtype (subtype): userLevel/Severity: notice

Log field Meaning

type event

subtype user

level notice





user User name.



msg Message.

176

43016Message ID: 043016Message Description: NTLM authentication succeededType (type): eventSubtype (subtype): userLevel/Severity: notice

Logfield

Meaning

type event

subtype user

level notice







user User name.






reason Reason.

msg Message.

177

43017Message ID: 043017Message Description: NTLM authentication failedType (type): eventSubtype (subtype): userLevel/Severity: notice

Logfield

Meaning

type event

subtype user

level notice







user User name.






reason Reason.

msg Message.

178

43018Message ID: 043018Message Description: FortiGuard override failedType (type): eventSubtype (subtype): userLevel/Severity: warning

Log field Meaning

type event

subtype user

level warning








reason Reason.

msg Message.

179


Log field Meaning

type event

subtype user

level warning








reason Reason.

msg Message.

180

43020Message ID: 043020Message Description: FortiGuard override succeededType (type): eventSubtype (subtype): userLevel/Severity: notice

Log field Meaning

type event

subtype user

level notice








reason Reason.

scope Scope information. One of: user, user_group, ip, profile, unhandled.

scopedata Scope data.


ruledata Rule data.

offsite Offsite allowed, either yes or no.

expiry Expiry information.

oldwprof Old Webfilter profile name.

newwprof New Webfilter profile name.

msg Message.

181

43021Message ID: 043021Message Description: Endpoint checking eventType (type): eventSubtype (subtype): userLevel/Severity: notice

Logfield

Meaning

type event

subtype user

level notice






msg Message.

182

43022Message ID: 043022Message Description: Endpoint license distributionType (type): eventSubtype (subtype): userLevel/Severity: notice

Logfield

Meaning

type event

subtype user

level notice






msg Message.

183

43023Message ID: 043023Message Description: Endpoint detectionType (type): eventSubtype (subtype): userLevel/Severity: notice

Logfield

Meaning

type event

subtype user

level notice






msg Message.

184

43024Message ID: 043024Message Description: Endpoint detectionType (type): eventSubtype (subtype): userLevel/Severity: notice

Logfield

Meaning

type event

subtype user

level notice






msg Message.

185

43025Message ID: 043025Message Description: Authentication succeededType (type): eventSubtype (subtype): userLevel/Severity: notice

Logfield

Meaning

type event

subtype user

level notice







user User name.





reason Reason.

msg Message.

186


Logfield

Meaning

type event

subtype user

level notice







user User name.





reason Reason.

msg Message.

187

43027Message ID: 043027Message Description: Authentication timed outType (type): eventSubtype (subtype): userLevel/Severity: notice

Logfield

Meaning

type event

subtype user

level notice







user User name.





reason Reason.

msg Message.

188


Logfield

Meaning

type event

subtype user

level notice







user User name.





reason Reason.

msg Message.

189

43029Message ID: 043029Message Description: FortiGuard override succeededType (type): eventSubtype (subtype): userLevel/Severity: notice

Log field Meaning

type event

subtype user

level notice








reason Reason.

scope Scope information. One of: user, user_group, ip, profile, unhandled.

scopedata Scope data.


ruledata Rule data.

offsite Offsite allowed, either yes or no.

expiry Expiry information.

oldwprof Old Webfilter profile name.

newwprof New Webfilter profile name.

msg Message.

190


Log field Meaning

type event

subtype user

level warning








reason Reason.

msg Message.

191

43264Message ID: 043264Message Description: MMS StatisticsType (type): eventSubtype (subtype): systemLevel/Severity: information

Log field Meaning

type event

subtype system

level information




proto MMS protocol: MM1, MM3, MM4, or MM7.

infected Number of infected messages.

suspicious Number of suspicious messages.

scanned Number of scanned messages.

intercepted Number of intercepted messages.

blocked Number of blocked messages.

checksum Number of content checksum blocked messages.


192

43520Message ID: 043520Message Description: wireless system activityType (type): eventSubtype (subtype): wirelessLevel/Severity: notice

Log field Meaning

type event

subtype wireless

level notice





msg Message.

193

43521Message ID: 043521Message Description: wireless rogue AP activityType (type): eventSubtype (subtype): wirelessLevel/Severity: notice

Log field Meaning

type event

subtype wireless

level notice




onwire Will display NO or 0.

ssid The service set identifier.

bssid The basic service set identifier.

aptype AP type.

rate The data rate number.

radioband Radio band.

channel The channel number.


manuf Manufacturer.

securitymode Security mode.

rssi RSSI.

Noise Noise.

live Live.

age Age.

detectionmethod Method of detection: N/A, sta, mac adjacency, sta and mac adjacency.

stamac Station MAC.

apscan WTP that scanned the station.

sndetected Serial number of physical AP which detected the rogue AP.

radioiddetected ID of the radio on physical AP which detected the rogue AP.

stacount STA count.

snclosest Serial number of physical AP which is closest to the rogue AP.

radioiddetected ID of the radio on physical AP which is closest to the rogue AP.

194

msg Message.

195

43522Message ID: 043522Message Description: physical AP activityType (type): eventSubtype (subtype): wirelessLevel/Severity: notice

Log field Meaning

type event

subtype wireless

level notice




sn Serial number.

ap Physical AP name.

approfile AP profile.

ip IP address.

meshmode Mesh mode: non-mesh, mesh ap, mesh root ap, mesh branch/leaf ap.

snmeshparent Serial number of physical AP which is the mesh parent of this mesh branch/leaf AP.


reason Reason.

msg Message.

196

43524Message ID: 043524Message Description: wireless client activityType (type): eventSubtype (subtype): wirelessLevel/Severity: notice

Log field Meaning

type event

subtype wireless

level notice




sn Serial number.


vap Virtual AP name.


user User name.


mac Client MAC address.

ip IP address.



security Security type: open, wep64, wep128, wpa-psk, wpa-radius, wpa, wpa2, wpa2-auto.


reason Reason.

msg Message.

197

43525Message ID: 043525Message Description: wireless rogue AP activity (on-wire)Type (type): eventSubtype (subtype): wirelessLevel/Severity: warning

Log field Meaning

type event

subtype wireless

level warning




onwire Will display YES or 1.



aptype AP type.

rate The data rate number.

onwire On wire: either yes or no.




manuf Manufacturer.

securitymode Security mode.

rssi RSSI.

Noise Noise.

live Live.

age Age.

detectionmethod Method of detection: N/A, sta, mac adjacency, sta and mac adjacency.

stamac Station MAC.

apscan WTP that scanned the station.



stacount STA count.

snclosest Serial number of physical AP which is closest to the rogue AP.

198

radioiddetected ID of the radio on physical AP which is closest to the rogue AP.

msg Message.

199

43526Message ID: 043526Message Description: physical AP radio activityType (type): eventSubtype (subtype): wirelessLevel/Severity: notice

Log field Meaning

type event

subtype wireless

level notice




sn Serial number.


ip IP address.

radioid Radio ID.

configcountry Config country.

opercountry Operating country.

cfgtxpower Config TX power.

opertxpower Operating TX power.



msg Message.

200

43527Message ID: 043527Message Description: wireless rogue AP status configType (type): eventSubtype (subtype): wirelessLevel/Severity: notice

Log field Meaning

type event

subtype wireless

level notice







apstatus AP status.

msg Message.

201

43528Message ID: 043528Message Description: physical AP radio activityType (type): eventSubtype (subtype): wirelessLevel/Severity: error

Log field Meaning

type event

subtype wireless

level error




sn Serial number.


ip IP address.

radioid Radio ID.

configcountry Config country.

opercountry Operating country.

cfgtxpower Config TX power.

opertxpower Operating TX power.



msg Message.

202

43529Message ID: 043529Message Description: wireless client load balancingType (type): eventSubtype (subtype): wirelessLevel/Severity: notice

Log field Meaning

type event

subtype wireless

level notice




sn Serial number.


vap Virtual AP name.


mac Client MAC address.


stacount STA count.


reason Reason.

msg Message.

203

43530Message ID: 043530Message Description: wl-bridge-detectType (type): eventSubtype (subtype): wirelessLevel/Severity: notice

Log field Meaning

type event

subtype wireless

level notice





threattype WIDS threat type.

live Live.

age Age.


rssi RSSI.

frametype Frame type.

ds Distribution system directory.



encrypt Encryption status of the packet.

tamac Transmitter MAC address. Shows "Receiver" if none.

manuf Manufacturer.



msg Message.

204

43531Message ID: 043531Message Description: bc-deauth-detectType (type): eventSubtype (subtype): wirelessLevel/Severity: notice

Log field Meaning

type event

subtype wireless

level notice






live Live.

age Age.


rssi RSSI.







manuf Manufacturer.



msg Message.

205

43532Message ID: 043532Message Description: null-pbresp-detectType (type): eventSubtype (subtype): wirelessLevel/Severity: notice

Log field Meaning

type event

subtype wireless

level notice






live Live.

age Age.


rssi RSSI.







manuf Manufacturer.



msg Message.

206

43533Message ID: 043533Message Description: invalid-OUI-detectType (type): eventSubtype (subtype): wirelessLevel/Severity: notice

Log field Meaning

type event

subtype wireless

level notice






live Live.

age Age.


rssi RSSI.







manuf Manufacturer.



invalidmac The MAC address with invalid OUI.

msg Message.

207

43534Message ID: 043534Message Description: long-dur-detectType (type): eventSubtype (subtype): wirelessLevel/Severity: notice

Log field Meaning

type event

subtype wireless

level notice






live Live.

age Age.


rssi RSSI.







manuf Manufacturer.



dur Duration of the last threatening packed captured from TA.

msg Message.

208

43535Message ID: 043535Message Description: weak-wepiv-detectType (type): eventSubtype (subtype): wirelessLevel/Severity: notice

Log field Meaning

type event

subtype wireless

level notice






live Live.

age Age.


rssi RSSI.







manuf Manufacturer.



weakwepiv Weak WEP IV.

msg Message.

209

43536Message ID: 043536Message Description: wl-bridge-detectType (type): eventSubtype (subtype): wirelessLevel/Severity: error

Log field Meaning

type event

subtype wireless

level error






live Live.

age Age.


rssi RSSI.







manuf Manufacturer.



msg Message.

210

43537Message ID: 043537Message Description: bc-deauth-detectType (type): eventSubtype (subtype): wirelessLevel/Severity: error

Log field Meaning

type event

subtype wireless

level error






live Live.

age Age.


rssi RSSI.







manuf Manufacturer.



msg Message.

211

43538Message ID: 043538Message Description: null-pbresp-detectType (type): eventSubtype (subtype): wirelessLevel/Severity: error

Log field Meaning

type event

subtype wireless

level error






live Live.

age Age.


rssi RSSI.







manuf Manufacturer.



msg Message.

212

43539Message ID: 043539Message Description: invalid-OUI-detectType (type): eventSubtype (subtype): wirelessLevel/Severity: error

Log field Meaning

type event

subtype wireless

level error






live Live.

age Age.


rssi RSSI.







manuf Manufacturer.



invalidmac The MAC address with invalid OUI.

msg Message.

213

43540Message ID: 043540Message Description: long-dur-detectType (type): eventSubtype (subtype): wirelessLevel/Severity: error

Log field Meaning

type event

subtype wireless

level error






live Live.

age Age.


rssi RSSI.







manuf Manufacturer.



dur Duration of the last threatening packed captured from TA.

msg Message.

214

43541Message ID: 043541Message Description: weak-wepiv-detectType (type): eventSubtype (subtype): wirelessLevel/Severity: error

Log field Meaning

type event

subtype wireless

level error






live Live.

age Age.


rssi RSSI.







manuf Manufacturer.



weakwepiv Weak WEP IV.

msg Message.

215

43542Message ID: 043542Message Description: eapol-packet-floodType (type): eventSubtype (subtype): wirelessLevel/Severity: notice

Log field Meaning

type event

subtype wireless

level notice






live Live.


manuf Manufacturer.



eapoltype EAPOL packet type: eapol-start, eapol-logoff, eapol-succ, eapol-fail, eapol-pre-succ, eapol-pre-fail.

eapolcnt EAPOL packet count.

msg Message.

216

43543Message ID: 043543Message Description: eapol-packet-floodType (type): eventSubtype (subtype): wirelessLevel/Severity: notice

Log field Meaning

type event

subtype wireless

level notice






live Live.


manuf Manufacturer.



eapoltype EAPOL packet type: eapol-start, eapol-logoff, eapol-succ, eapol-fail, eapol-pre-succ, eapol-pre-fail.

eapolcnt EAPOL packet count.

msg Message.

217

43544Message ID: 043544Message Description: mgmt-flood-detectType (type): eventSubtype (subtype): wirelessLevel/Severity: notice

Log field Meaning

type event

subtype wireless

level notice






live Live.

age Age.


rssi RSSI.





manuf Manufacturer.



mgmtcnt The count of unauthorized client flooding mgmt frames.

msg Message.

218

43545Message ID: 043545Message Description: mgmt-flood-detectType (type): eventSubtype (subtype): wirelessLevel/Severity: error

Log field Meaning

type event

subtype wireless

level error






live Live.

age Age.


rssi RSSI.





manuf Manufacturer.



mgmtcnt The count of unauthorized client flooding mgmt frames.

msg Message.

219

43546Message ID: 043546Message Description: spoofed-deauth-detectType (type): eventSubtype (subtype): wirelessLevel/Severity: notice

Log field Meaning

type event

subtype wireless

level notice






live Live.

age Age.


rssi RSSI.







manuf Manufacturer.



msg Message.

220

43548Message ID: 043548Message Description: asleep-attack-detectType (type): eventSubtype (subtype): wirelessLevel/Severity: notice

Log field Meaning

type event

subtype wireless

level notice






live Live.

age Age.


rssi RSSI.







manuf Manufacturer.



msg Message.

221

43549Message ID: 043549Message Description: asleep-attack-detectType (type): eventSubtype (subtype): wirelessLevel/Severity: error

Log field Meaning

type event

subtype wireless

level error






live Live.

age Age.


rssi RSSI.







manuf Manufacturer.



msg Message.

222

43776Message ID: 043776Message Description: NAC quarantine event logType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice












action Action. One of: ban-ip, ban-interface, ban-src-dst-ip.

user User name.



bannedsrc Banned source: IPS, DOS, SLP, or AV.

bannedrule Banned rule/reason.

sensor Sensor.

223

44288Message ID: 044288Message Description: dns responseType (type): eventSubtype (subtype): routerLevel/Severity: information

Log field Meaning

type event

subtype router

level information









user User name.


dnsname DNS name.

dnsip DNS IP address(es).

224

44544Message ID: 044544Message Description: config path msgType (type): eventSubtype (subtype): systemLevel/Severity: information

Logfield

Meaning

type event

subtype system

level information




user User name.


action Action. One of: add, edit, delete, clear, move, rename, clone, abort.

cfgtid Config transaction ID.

cfgpath Config path.

msg Config message.

225

44545Message ID: 044545Message Description: config obj msgType (type): eventSubtype (subtype): systemLevel/Severity: information

Logfield

Meaning

type event

subtype system

level information




user User name.





cfgobj Config object.

msg Config message.

226

44546Message ID: 044546Message Description: config attr msgType (type): eventSubtype (subtype): systemLevel/Severity: information

Logfield

Meaning

type event

subtype system

level information




user User name.





cfgattr Config attributes.

msg Config message.

227

44547Message ID: 044547Message Description: config obj attr msgType (type): eventSubtype (subtype): systemLevel/Severity: information

Logfield

Meaning

type event

subtype system

level information




user User name.





cfgobj Config object.

cfgattr Config attributes.

msg Config message.

0

45056Message ID: 045056Message Description: forticlient license exceed msgType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice




action Action. One of: add, close, upgrade.


licenselimit Maximum FortiClient license number.

reason Reason.

repeat Repeat times of the action.

msg "FortiClient license maximum has been reached."

1

45057Message ID: 045057Message Description: add forticlient connection msgType (type): eventSubtype (subtype): systemLevel/Severity: information

Log field Meaning

type event

subtype system

level information







licenseused Current FortiClient connection number.

usedfortype Connection for the type.

connectiontype Type of connection. One of: ipsec, sslvpn, nac, wanopt, test.

count Number of connections affected by the action.

user User name.

ip Source IP address.

name Name of connection.

forticlientid Unique FortiClient ID.

msg "Add a FortiClient connection."

2

45058Message ID: 045058Message Description: close forticlient connection msgType (type): eventSubtype (subtype): systemLevel/Severity: information

Log field Meaning

type event

subtype system

level information







licenseused Current FortiClient connection number.

usedfortype Connection for the type.

connectiontype Type of connection. One of: ipsec, sslvpn, nac, wanopt, test.

count Number of connections affected by the action.

user User name.

ip Source IP address.

name Name of connection.


msg "Close a FortiClient connection."

3

45059Message ID: 045059Message Description: upgrade forticlient license msgType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice






ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove asetting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B(IP address is 10.10.20.5). This field shows their point-of- entry in this field, GUI(10.10.20.5).

user User name.


msg "FortiClient license has been upgraded."

4

45060Message ID: 045060Message Description: upgrade forticlient license failed msgType (type): eventSubtype (subtype): systemLevel/Severity: error

Logfield

Meaning

type event

subtype system

level error







user User name.

reason Reason.

msg "Failed to upgrade FortiClient license."

5

45100Message ID: 045100Message Description: FortiClient registration fail msgType (type): eventSubtype (subtype): systemLevel/Severity: warning

Log field Meaning

type event

subtype system

level warning




user User name.


ip HA IP.


interface Interface information.

msg "FortiClient registration failed."

6

45101Message ID: 045101Message Description: FortiClient registration succeed msgType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice




user User name.


ip HA IP.



msg "FortiClient registration succeeded."

7

45102Message ID: 045102Message Description: FortiClient registration renew msgType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice




user User name.


ip HA IP.



msg "FortiClient registration renewed."

8

45103Message ID: 045103Message Description: FortiClient registration block msgType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice





msg "FortiClient registration blocked."

9

45104Message ID: 045104Message Description: FortiClient registration unblock msgType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice





msg "FortiClient registration unblocked."

10

45105Message ID: 045105Message Description: FortiClient registration de-register msgType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice





msg "FortiClient registration de-registered."

11

45106Message ID: 045106Message Description: FortiClient registration license upgrade msgType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice




msg "FortiClient registration license upgraded."

12

45107Message ID: 045107Message Description: FortiClient configuration distribute msgType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice




user User name.


ip HA IP.



msg "FortiClient configuration distributed."

13

45108Message ID: 045108Message Description: FortiClient unregister msgType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice




user User name.


ip HA IP.



msg "FortiClient unregistered."

14

45109Message ID: 045109Message Description: FortiClient logoff msgType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice




user User name.


ip HA IP.



msg "FortiClient logged off."

15

45110Message ID: 045110Message Description: FortiClient disable SYNC_WITH_FGT msgType (type): eventSubtype (subtype): systemLevel/Severity: notice

Log field Meaning

type event

subtype system

level notice




user User name.


ip HA IP.



msg "FortiClient SYNC_WITH_FGT disabled."

16

48009Message ID: 048009Message Description: SSL decryption failureType (type): eventSubtype (subtype): wadLevel/Severity: error

Log field Meaning

type event

subtype wad

level error




action 'close'.







reason Reason.

msg 'SSL decryption failure'.

17

48023Message ID: 048023Message Description: SSL Alert receivedType (type): eventSubtype (subtype): wadLevel/Severity: error

Log field Meaning

type event

subtype wad

level error




action 'receive'







alert Alert information.

desc Description.

msg 'SSL Alert received'.

18

Content32768

Message ID: 032768Message Description: content http logType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): HTTPLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype HTTP

level information




clogver Content log version.

epoch Epoch.


cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,im_photo_share_stop, im_photo_xfer, voip, error.

infection Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IPblacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.



user User name.




client The internal IP address of the FortiGate unit.


19



dlpsensor DLP sensor name.




cat The category.


20

32769Message ID: 032769Message Description: content https logType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): HTTPSLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype HTTPS

level information





epoch Epoch.






user User name.









21




cat The category.


22

32770Message ID: 032770Message Description: content smtp logType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): SMTPLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype SMTP

level information





epoch Epoch.






user User name.









23



subject Subject.


24

32771Message ID: 032771Message Description: content smtps logType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): SMTPSLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype SMTPS

level information





epoch Epoch.






user User name.









25



subject Subject.


26

32772Message ID: 032772Message Description: content pop3 logType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): POP3Level/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype POP3

level information





epoch Epoch.






user User name.









27



subject Subject.


28

32773Message ID: 032773Message Description: content pop3s logType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): POP3SLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype POP3S

level information





epoch Epoch.






user User name.









29



subject Subject.


30

32774Message ID: 032774Message Description: content imap logType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): IMAPLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype IMAP

level information





epoch Epoch.






user User name.









31



subject Subject.


32

32775Message ID: 032775Message Description: content imaps logType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): IMAPSLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype IMAPS

level information





epoch Epoch.






user User name.









33



subject Subject.


34

32776Message ID: 032776Message Description: content ftp logType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): FTPLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype FTP

level information





epoch Epoch.






user User name.









35

ftpcmd The related FTP command: NONE, USER, PASS, ACCT, STOR, RETR, QUIT.


36

32777Message ID: 032777Message Description: content nntp logType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): NNTPLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype NNTP

level information






epoch Epoch.






user User name.








37

32778Message ID: 032778Message Description: content mm1 logType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): MM1Level/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype MM1

level information





epoch Epoch.






user User name.









38


subject Subject.


39


Log field Meaning

type utm

subtype contentlog

eventtype MM3

level information





epoch Epoch.






user User name.









40



subject Subject.

41


Log field Meaning

type utm

subtype contentlog

eventtype MM4

level information





epoch Epoch.






user User name.









42



subject Subject.

43


Log field Meaning

type utm

subtype contentlog

eventtype MM7

level information





epoch Epoch.






user User name.









44


subject Subject.

45

32782Message ID: 032782Message Description: IM chat summaryType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): im-allLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype im-all

level information





epoch Epoch.




user User name.







kind The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,fileexempt, virus, dlp, call-block, call-info, call, register, unregister.

laddr The local IP address.

raddr The remote IP address.

local The local user.

46

remote The remote user.

messages Message number.

startdate Local start date.

enddate Local end date.

47

32783Message ID: 032783Message Description: IM chat messageType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): im-allLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype im-all

level information





epoch Epoch.




user User name.











48


action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.


messages Message number.

content Traffic content.

49

32784Message ID: 032784Message Description: IM file transferType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): im-allLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype im-all

level information





epoch Epoch.




user User name.











50






filesize File size.

msg Message.

51

32785Message ID: 032785Message Description: IM photo sharingType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): im-allLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype im-all

level information





epoch Epoch.




user User name.











52





53

32786Message ID: 032786Message Description: IM photo transferType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): im-allLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype im-all

level information





epoch Epoch.




user User name.











54



connmode Connection mode.

55

32787Message ID: 032787Message Description: IM voice chatType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): im-allLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype im-all

level information





epoch Epoch.




user User name.











56





57

32788Message ID: 032788Message Description: IM virusType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): im-allLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype im-all

level information





epoch Epoch.




user User name.











58






heuristic Heuristic information.

59

32789Message ID: 032789Message Description: IM file oversizeType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): im-allLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype im-all

level information





epoch Epoch.




user User name.











60





61

32790Message ID: 032790Message Description: IM file blockType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): im-allLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype im-all

level information





epoch Epoch.




user User name.











62





63

32791Message ID: 032791Message Description: IM file exemptType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): im-allLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype im-all

level information





epoch Epoch.




user User name.











64





65

32792Message ID: 032792Message Description: IM DLP (information)Type (type): utmSubtype (subtype): contentlogEvent Type (eventtype): im-allLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype im-all

level information





epoch Epoch.




user User name.











66





filesize File size.

67

32793Message ID: 032793Message Description: IM DLP (warning)Type (type): utmSubtype (subtype): contentlogEvent Type (eventtype): im-allLevel/Severity: warning

Log field Meaning

type utm

subtype contentlog

eventtype im-all

level warning





epoch Epoch.




user User name.











68





filesize File size.

69

32794Message ID: 032794Message Description: VOIP SIP logType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): VOIPLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype VOIP

level information





epoch Epoch.




user User name.











70








71

32795Message ID: 032795Message Description: SCCP registerType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): VOIPLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype VOIP

level information





epoch Epoch.




user User name.











72




73

32796Message ID: 032796Message Description: SCCP unregisterType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): VOIPLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype VOIP

level information





epoch Epoch.




user User name.











74



75

32797Message ID: 032797Message Description: SCCP call blockType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): VOIPLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype VOIP

level information





epoch Epoch.




user User name.











76





77

32798Message ID: 032798Message Description: SCCP call informationType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): VOIPLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype VOIP

level information





epoch Epoch.




user User name.











78








79

32800Message ID: 032800Message Description: VOIP SIP fuzzing logType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): VOIPLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype VOIP

level information





epoch Epoch.




user User name.






proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifiesthe next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).





80






messagetype Message type: either request or response.

requestname Request name.

malformdesc Malform description, which explains the issue with the VOIP traffic.

malformdata Malform data.

line Content line.

column Content column.



81

32801Message ID: 032801Message Description: IM video chatType (type): utmSubtype (subtype): contentlogEvent Type (eventtype): im-allLevel/Severity: information

Log field Meaning

type utm

subtype contentlog

eventtype im-all

level information





epoch Epoch.




user User name.











82





83

VoIP44032

Message ID: 044032Message Description: SIP logType (type): utmSubtype (subtype): voipEvent Type (eventtype): voipLevel/Severity: information

Log field Meaning

type utm

subtype voip

eventtype voip

level information





epoch Epoch.










user User name.




voipproto VOIP application protocol. Can be either sip or sccp.

84

kind Kind of message: register, unregister, call, call-info, call-block.


status Status: start, end, timeout, blocked, succeeded, failed, authentication-required.



callid Call ID.



85

44033Message ID: 044033Message Description: SIP block logType (type): utmSubtype (subtype): voipEvent Type (eventtype): voipLevel/Severity: notice

Log field Meaning

type utm

subtype voip

eventtype voip

level notice





epoch Epoch.










user User name.








86

reason Reason: rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, phone, session-close,new-register, invalid-ip, exceed-rate.





callid Call ID.




87

44034Message ID: 044034Message Description: SIP fuzzing logType (type): utmSubtype (subtype): voipEvent Type (eventtype): voipLevel/Severity: information

Log field Meaning

type utm

subtype voip

eventtype voip

level information





epoch Epoch.










user User name.







reason Reason: rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, phone, session-close,new-register, invalid-ip, exceed-rate.

88





malformdesc Malform description, which explains the issue with the VOIP traffic.

malformdata Malform data.

line Content line.

column Content column.

89

44035Message ID: 044035Message Description: SCCP registerType (type): utmSubtype (subtype): voipEvent Type (eventtype): voipLevel/Severity: information

Log field Meaning

type utm

subtype voip

eventtype voip

level information





epoch Epoch.










user User name.









91

44036Message ID: 044036Message Description: SCCP unregisterType (type): utmSubtype (subtype): voipEvent Type (eventtype): voipLevel/Severity: information

Log field Meaning

type utm

subtype voip

eventtype voip

level information





epoch Epoch.










user User name.








92

reason Reason: rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, phone, session-close, new-register,invalid-ip, exceed-rate.


93

44037Message ID: 044037Message Description: SCCP call blockType (type): utmSubtype (subtype): voipEvent Type (eventtype): voipLevel/Severity: information

Log field Meaning

type utm

subtype voip

eventtype voip

level information





epoch Epoch.










user User name.








94

reason Reason: rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, phone, session-close, new-register,invalid-ip, exceed-rate.


95

44038Message ID: 044038Message Description: SCCP call infoType (type): utmSubtype (subtype): voipEvent Type (eventtype): voipLevel/Severity: information

Log field Meaning

type utm

subtype voip

eventtype voip

level information





epoch Epoch.










user User name.









96


Addendum: Variable Event Logs

All logs below are in the category: Event.

These log messages were not documented in the previous versions of the 5.0 Log Message

Reference due to their variable structure not fitting the format. They will be documented here

instead. This issue is specific to 5.0, and future versions of the LMR will not require an

addendum.

The Format column lists the log fields present in that log message. [s] represents a string of text

or characters. [n] represents a number or value.

ID Severity Subtype Macro Format Description

20001 information system LOG_ID_CLIENT_

DISASSOCIATED

client [s] is disassociated paed log

20002 notice system LOG_ID_DOMAIN_

UNRESOLVABLE

user=system ui=system

action=[s] status=failure

msg="Can't resolve the IP

address of [s]"

The domain name in alert

e-mail.s sender is not

resolvable

20003 notice system LOG_ID_MAIL_SENT_FAIL user=system ui=system

action=alert-email

status=failure count=[n]

msg="Failed to send alert

email from [s] to ([s])"

The alert e-mail send failed

20004 unknown system LOG_ID_POLICY_TOO_BIG user="[s]" ui=[s]

status=failure msg="Policy

[n] is too big for system, it's

installed partially."

Policy is too big

20005 information system LOG_ID_PPP_LINK_UP msg="modem: PPP link is

up"

modemd log

20006 information system LOG_ID_PPP_LINK_DOWN msg="modem: PPP link is

down"

modemd log

20007 critical system 20007 service=kernel

status=failure proto=[n]

src=[n].[n].[n].[n] src_

port=[n] nat=[n].[n].[n].[n]

dst=[n].[n].[n].[n] dst_

port=[n] msg="NAT port is

exhausted."

Socket is exhausted

20011 information system LOG_ID_CLIENT_NEW_

ASSOCIATION

Accepted association from

[s]

paed log

20012 information system LOG_ID_CLIENT_WPA_1X Client [s] does 1X paed log

20013 information system LOG_ID_CLIENT_WPA_SSN Client [s] does WPA paed log

20014 warning system LOG_ID_TEST user="admin"

action="login"

status="success"

msg="user admin logged

into the fw - [n]"

test

20015 information system LOG_ID_IEEE802_NEW_

STATION

action=authentication

status=start msg="Client

does 801.1x"

wpad log

20016 information system LOG_ID_MODEM_EXCEED_

REDIAL_COUNT

msg="modem: Redial limit

exceeded... giving up"

modemd log

20017 information system LOG_ID_MODEM_FAIL_TO_

OPEN

msg="modem: unable to

open modem device -

check hardware"

modemd log

20018 critical system LOG_ID_GW_GRP_STATE_

CHANGED

interface="[s]" gw_

group=[n] status=[s] gw_

status=[s] msg="The status

of [s] for gateway group [n]

is [s]"

Gateway group state is

changed

20019 critical system LOG_ID_ROUTE_INFO_

CHANGED

interface="[s]" status=[s]

msg="[s]"

Routing information is changed

because the gateway is

up/down

20021 information system LOG_ID_MAIL_RESENT user=system ui=system

action=alert-email

status=success count=[n]

msg="Resending alert

e-mail with [n] pending

alert(s) from [s] to ([s])"

The alert e-mail resend

20025 notice system LOG_ID_REPORTD_

REPORT_SUCCESS

msg="Report generation

succeeded for layout:[s]."

file="[s]" filesize=[n]

datarange="[s]"

reporttype="[s]"

processtime=[n]

Reporting Complete

20026 error system LOG_ID_REPORTD_

REPORT_FAILURE

msg="[s]" Reporting Failure

20027 warning system LOG_ID_REPORT_DEL_OLD_

REC

msg="Delete old report db

records" datarange="[s]"

Delete old report db records

20031 critical system LOG_ID_RAD_OUT_OF_MEM msg="Interface [s] Out of

memory in [s]:[s]:[n]"

ravdv_iface_set_config() finds a

pointer pointing to a wrong

address

20032 critical system LOG_ID_RAD_NOT_FOUND msg="Interface [s] not

found in [s]:[s]:[n]"

ravdv_iface_same_config()

cannot find the corresponding

interface by name

20033 information system LOG_ID_RAD_MOBILE_IPV6 msg="using Mobile IPv6

extensions"

An interface uses Mobile IPv6

extensions


20034 critical system LOG_ID_RAD_IPV6_OUT_

OF_RANGE

msg="MinRtrAdvInterval for

[s] must be between [n] and

[n]"

MinRtrAdvInterval using Mobile

Ipv6 extension is out of range

20035 critical system LOG_ID_RAD_MIN_OUT_OF_

RANGE

msg="MinRtrAdvInterval

must be between [n] and [n]

for [s]"

MinRtrAdvInterval is out of

range

20036 critical system LOG_ID_RAD_MAX_OUT_

OF_RANGE

msg="MaxRtrAdvInterval

for [s] must be between [n]

and [n]"

MaxRtrAdvInterval using

Mobile Ipv6 extension is out of

range

20037 critical system LOG_ID_RAD_MAX_ADV_

OUT_OF_RANGE

msg="MaxRtrAdvInterval


for [s]"

MaxRtrAdvInterval is out of

range

20038 critical system LOG_ID_RAD_MTU_OUT_

OF_RANGE

msg="AdvLinkMTU must

be zero or between [n] and

[n] for [s]"

AdvLinkMTU is out of range

20039 critical system LOG_ID_RAD_MTU_TOO_

SMALL

msg="AdvLinkMTU must

be zero or greater than [n]

for [s]"

AdvLinkMTU is too small

20040 critical system LOG_ID_RAD_TIME_TOO_

SMALL

msg="AdvReachableTime

must be less than [n] for [s]"

AdvReachableTimeis too small

20041 critical system LOG_ID_RAD_HOP_OUT_

OF_RANGE

msg="AdvCurHopLimit

must not be greater than [n]

for [s]"

AdvCurHopLimit in Router

Advertisement packet is too

big

20042 critical system LOG_ID_RAD_DFT_HOP_

OUT_OF_RANGE

msg="AdvDefaultLifetime

for [s] must be zero or

between [n] and [n]"

AdvCurHopLimit in Router

Advertisement packet is out of

range

20043 critical system LOG_ID_RAD_AGENT_OUT_

OF_RANGE

msg="HomeAgentLifetime


for [s]"

HomeAgentLifetime in Router

Advertisement packet is out of

range

20044 critical system LOG_ID_RAD_AGENT_FLAG_

NOT_SET

msg="AdvHomeAgentFlag

must be set with

HomeAgentInfo"

AdvHomeAgentFlag

HomeAgentLifetime in Router

Advertisement packet must be

set with HomeAgentInfo

20045 critical system LOG_ID_RAD_PREFIX_TOO_

LONG

msg="invalid prefix length

for [s]"

prefix length is too long

20046 critical system LOG_ID_RAD_PREF_TIME_

TOO_SMALL

msg="AdvValidLifetime

must be greater than

AdvPreferredLifetime for

[s]"

AdvValidLifetime is less than

AdvPreferredLifetime

20047 critical system LOG_ID_RAD_FAIL_IPV6_

SOCKET

msg="can't create

socket(AF_INET6): [s]"

IPv6 router advertisement

daemon (radvd) failed to create

an IPv6 socket

20048 critical system LOG_ID_RAD_FAIL_OPT_

IPV6_PKTINFO

msg="setsockopt(IPV6_

PKTINFO): [s]"

Radvd failed to set IPV6_

PKTINFO option



IPV6_CHECKSUM


CHECKSUM): [s]"


CHECKSUM option


IPV6_UNICAST_HOPS


UNICAST_HOPS): [s]"


UNICAST_HOPS option


IPV6_MULTICAST_HOPS


MULTICAST_HOPS): [s]"


MULTICAST_HOPS option


IPV6_HOPLIMIT


HOPLIMIT): [s]"


HOPLIMIT option


IPPROTO_ICMPV6

msg="setsockopt(ICMPV6_

FILTER): [s]"

Radvd failed to set ICMPV6_

FILTER option

20054 information system LOG_ID_RAD_EXIT_BY_

SIGNAL

msg="radvd receive

signal=[n]"

radvd has received a signal,

and is going to exit

20055 critical system LOG_ID_RAD_FAIL_CMDB_

QUERY

msg="Can not create query

to interface at [s]:[s]:[n]!"

Radvd cannot create query to

interface by using cmf_query_

create()

20056 critical system LOG_ID_RAD_FAIL_CMDB_

FOR_EACH

msg="Internal error in cmf_

query_for_each()!"

Radvd occurs an internal error

when it uses cmf_query_for_

each()

20057 critical system LOG_ID_RAD_FAIL_FIND_

VIRT_INTF

msg="Interface [s]:[n] not

found in the list!"

Radvd failed to find a virtual

interface by interface index

20058 information system LOG_ID_RAD_UNLOAD_INTF msg="Interface [s]:[n]

unloaded!"

Radvd reloads a specific

interface

20059 warning system LOG_ID_RAD_NO_PKT_INFO msg="received packet with

no pkt_info!"

Radvd received a packet with

no pkt_info

20060 warning system LOG_ID_RAD_INV_ICMPV6_

LEN

msg="received icmpv6

packet with invalid length:

[n]"

Radvd received an icmpv6

packet with invalid length

20061 critical system LOG_ID_RAD_INV_ICMPV6_

TYPE

msg="icmpv6 filter failed" Radvd received an unwanted

type of icmpv6 packet


RA_LEN

msg="received icmpv6 RA


[n]"

Radvd received icmpv6 RA


20063 warning system LOG_ID_RAD_ICMPV6_NO_

SRC_ADDR

msg="received icmpv6 RA

packet with non-linklocal

source address"

Radvd received icmpv6 RA

packet with non-linklocal

source address


RS_LEN

msg="received icmpv6 RS


[n]"

Radvd received icmpv6 RS



CODE

msg="received icmpv6

RS/RA packet with invalid

code: [n]"

Radvd received icmpv6 RS/RA

packet with invalid code



HOP

msg="received RS or RA

with invalid hoplimit [n] from

[s]"

Radvd received icmpv6 RS/RA

packet with wrong hoplimit

20067 warning system LOG_ID_RAD_MISMATCH_

HOP

msg="our AdvCurHopLimit

on [s] doesn't agree with

[s]"

AdvCurHopLimit on our

interface does not agree with a

remote site


MGR_FLAG

msg="our

AdvManagedFlag on [s]

doesn't agree with [s]"

AdvManagedFlag on our


remote site


OTH_FLAG

msg="our

AdvOtherConfigFlag on [s]


AdvOtherConfigFlag on our


remote site


TIME

msg="our

AdvReachableTime on [s]


AdvReachableTime on our


remote site


TIMER

msg="our AdvRetransTimer

on [s] doesn't agree with

[s]"

AdvRetransTimer on our


remote site

20072 critical system LOG_ID_RAD_EXTRA_DATA msg="trailing garbage in

RA on [s] from [s]"

Radvd finds extra data in RA

packet

20073 critical system LOG_ID_RAD_NO_OPT_DATA msg="zero length option in

RA on [s] from [s]"

Radvd finds a RA packet with

no option data

20074 critical system LOG_ID_RAD_INV_OPT_LEN msg="option length greater

than total length in RA on

[s] from [s]"

option length is greater than

total length in RA packet


MTU

msg="our AdvLinkMTU on

[s] doesn't agree with [s]"

AdvLinkMTU on our interface

does not agree with a remote

site


PREF_TIME

msg="our

AdvPreferredLifetime on [s]

for [s] doesn't agree with

[s]"

AdvPreferredLifetime on our


remote site

20078 critical system LOG_ID_RAD_INV_OPT msg="invalid option [n] in

RA on [s] from [s]"

Radvd finds an invalid option in

RA packet from a remote site

20079 information system LOG_ID_RAD_READY msg="radvd started" Radvd daemon is ready to

serve

20080 critical system LOG_ID_RAD_FAIL_TO_RCV msg="recvmsg: [s]" Recvmsg() in radvd failed

20081 critical system LOG_ID_RAD_INV_HOP msg="received a bogus

IPV6_HOPLIMIT from the

kernel! len=[n], data=[n]"

Radvd received a packet with a

wrong IPV6_HOPLIMIT

20082 critical system LOG_ID_RAD_INV_PKTINFO msg="received a bogus

IPV6_PKTINFO from the

kernel! len=[n], index=[n]"

Radvd received a packet with a

wrong IPV6_PKTINFO


20083 warning system LOG_ID_RAD_FAIL_TO_

CHECK

msg="problem checking

all-routers membership on

[s]"

Radvd failed to check whether

we've joined the all-routers

multicast group

20084 warning system LOG_ID_RAD_FAIL_TO_

SEND

msg="sendmsg: [s]" sendmsg () in radvd failed

20085 information system 20085 status="clash" proto=[n]

msg="session clash"[s]

session clash

20086 unknown system 20086 msg="==[s] xh0(sp_[n],

fmc[n]) crashed, master is

fmc[n]=="

xh0 crashed

20090 notice |

information

system LOG_ID_INTF_LINK_STA_

CHG

intf=[s] status=[s]

msg="interface [s] link

status is [s]"

Interface link status changed

20101 warning system LOG_ID_WEB_LIC_EXPIRE msg="FortiGuard web

filtering license will expire in

[n] day(s)"

FortiGuard web filtering license

expiring

20102 warning system LOG_ID_SPAM_LIC_EXPIRE msg="FortiGuard

anti-spam license will

expire in [n] day(s)"

FortiGuard anti-spam license

expiring

20103 warning system LOG_ID_AV_LIC_EXPIRE msg="FortiGuard AV

update license will expire in

[n] day(s)"

FortiGuard AV update license

expiring

20104 warning system LOG_ID_IPS_LIC_EXPIRE msg="FortiGuard IPS

update license will expire in

[n] day(s)"

FortiGuard IPS update license

expiring

20105 warning system LOG_ID_LOG_UPLOAD_SKIP ui=[s] action=upload

error="Daily volume

exceeded" msg="Log

upload to FortiCloud

skipped (Daily volume

exceeded)."

Log uploading

20107 warning system LOG_ID_LOG_UPLOAD_ERR action=upload error="[s]"

user="[s]" server=[s]

port=[n] msg="Log upload

to [s] error on vdom [s]"

uploading error

20108 notice system LOG_ID_LOG_UPLOAD_

DONE

action=upload

status=completed

user="[s]" server=[s]

port=[n] msg="Log upload

to [s] completed on vdom

[s]"

upload status

20110 notice system LOG_ID_HPAPI_ESPD_

START

msg="hp_api: Connection

to ESPd has been

initialized"

hp_api log

20111 warning system LOG_ID_HPAPI_ESPD_

RESET

msg="hp_api: Connection

to ESPd has been reset,

exiting"

hp_api log


20113 error system LOG_ID_IPSA_DOWNLOAD_

FAIL

msg="Fail to download

IPSA DB!"

IPSA error

20114 error system LOG_ID_IPSA_SELFTEST_

FAIL

msg="IPSA self test failed,

disable IPSA!"

IPSA error

20115 error system LOG_ID_IPSA_STATUSUPD_

FAIL

msg="Fail to update IPSA

driver status!"

IPSA error

20200 notice system LOG_ID_FIPS_SELF_TEST user="[s]" ui=[s]

action=self-test

msg="Administrator [s]

initiates the [s] self-test

from [s]"

running self-test

20201 notice system LOG_ID_FIPS_SELF_ALL_

TEST

user="[s]" ui=[s]

action=self-test


initiates all self-tests from

[s]"

running self-test

20202 warning system LOG_ID_DISK_FORMAT_

ERROR

msg="Partitioning or

formatting error ([s], [s])

partition=[n] format=[n]

label=[s]"

Error in partitioning or

formatting

20203 information system LOG_ID_DAEMON_

SHUTDOWN

action=daemon-shutdown

daemon=[s] pid=[n]

msg="[s] shut down"

daemon shutdown

20204 information system LOG_ID_DAEMON_START action=daemon-startup

daemon=[s] pid=[n]

msg="[s] has started"

daemon started

20205 critical system LOG_ID_DISK_FORMAT_REQ user="[s]" ui=[s]

action=format-disk

msg="User [s] requested to

format [s] disk from [s]"

format disk

20206 warning system LOG_ID_DISK_SCAN_REQ user="[s]" ui=[s]

action=scan-disk


scan [s] disk from [s]"

scan disk

20300 unknown system LOG_ID_BGP_NB_STAT_CHG msg="BGP:

%%BGP-5-ADJCHANGE:

neighbor [s] [s] [s]"

bgp neighbor status change

22000 warning system LOG_ID_INV_PKT_LEN msg="Packet length does

not match that specified in

the request header."

Packet length does not match

that specified in the request

header.

22001 warning system LOG_ID_UNSUPPORTED_

PROT_VER

msg="Protocol version-[n]

is not supported"

Unsupported protocol version

22002 warning system LOG_ID_INV_REQ_TYPE msg="Request type [n] is

not supported."

Other request than http, https,

ftp, mail and av is not

supported


22003 warning system LOG_ID_FAIL_SET_SIG_

HANDLER

sigaction([n])failed: [s] failed to set up a signal handler

22004 warning system LOG_ID_FAIL_CREATE_

SOCKET

Socket() failed: [s] failed to create a socket

22005 warning system LOG_ID_FAIL_CREATE_

SOCKET_RETRY

failed to create a [s]/udp

socket to receive URL

request: [s]

failed to create a udp socket to

receive URL request

22006 warning system LOG_ID_FAIL_REG_CMDB_

EVENT

msg="Failed to register for

cmdb events."

Failed to register for cmdb

events

22009 warning system LOG_ID_FAIL_FIND_AV_

PROFILE

name=[s] status=failure

msg="failed to find its AV

protection profile"

failed to find av profile by ID

22010 error system LOG_ID_SENDTO_FAIL process="[s]" reason="[s]"

msg="failed to send urlfilter

packet"

safe_sendto() failed

22011 unknown system 22011 service=kernel

conserve=on free="[n]

pages" red="[n] pages"

msg="Kernel enters

conserve mode"

Kernel enters conserve mode

22012 unknown system 22012 service=kernel

conserve=exit free="[n]

pages" green="[n] pages"

msg="Kernel leaves

conserve mode"

Kernel leaves conserve mode

22013 alert system 22013 action=pba-block-exhaust

saddr=[n].[n].[n].[n]

poolname="[s]" msg="Pba

ippool port-block has been

exhausted"

Alert ippool pba block exhaust

22014 alert |

notice

system 22014 action=pba-natip-exhaust


poolname="[s]" msg="Pba

ippool natip has been

exhausted"

Alert ippool pba natip exhaust

22015 notice system LOG_ID_EXCEED_VD_RES_

LIMIT

service=kernel msg="[s]

vdom([n]) limit. count=[n]

limit=[n]"

Exceed vdom resource limit

22016 notice system 22016 action=pba-close


nat=[n].[n].[n].[n]

portbegin=[n] portend=[n]

poolname="[s]"

duration=[n] msg="Pba

ippool close"

Deallocate ippool pba

22020 warning system LOG_ID_FAIL_CREATE_HA_

SOCKET

msg="Socket() failed: [s]" Failed to create a ha_socket


22021 warning system LOG_ID_FAIL_CREATE_HA_

SOCKET_RETRY

msg="Failed to create a

udp socket to relay URL

requests: [s]"

Failed to create a udp socket

to relay URL requests

22100 warning system LOG_ID_QUAR_DROP_

TRAN_JOB

count=[n] duration=[n]

limit=[n] used=[n] fams_

pause=[n] action=transfer

status=drop reason=[s]

msg="In the past [n]

seconds, [n] files were

dropped by quard."

Quarantine dropped transfer

jobs

22101 warning system LOG_ID_QUAR_DROP_TLL_

JOB

count=[n] action=transfer

status=drop

reason=poor-network-cond

ition msg="[n] files were

dropped by quard to [s]: [n]

reached max retries, [n]

reached TTL."

Quarantine dropped transfer

jobs

22102 critical system LOG_ID_LOG_DISK_FAILURE msg="Log disk failure is

imminent, logs should be

backed up"

Erroneous SMART status

22104 critical system 22104 action=power-supply-monit

or status=restore unit=[s]

msg="Power supply [s]

restore"

Power supply restore

22105 critical system LOG_ID_POWER_FAILURE action=power-supply-monit

or status=failure unit=[s]

msg="Power supply [s] [s]"

Power supply failure

22106 warning |

information

system LOG_ID_POWER_

OPTIONAL_NOT_DETECTED

action=ipmc-sensor-monito

r status=failure msg="[s]"

IPMC sensor failure

22107 warning system LOG_ID_VOLT_ANOM action=ipmc-sensor-monito


IPMC sensor failure

22108 warning system LOG_ID_FAN_ANOM action=ipmc-sensor-monito


IPMC sensor failure

22110 critical system LOG_ID_SPARE_BLOCK_

LOW

msg="Available spare

blocks of boot device are

getting low (remaining [n])."

Available spare blocks is low

22200 warning system LOG_ID_AUTO_UPT_CERT user=system

action=certificate-update

status=warning cert=[s]

msg="CA certificate [s] will

auto-update in [n] days."

Certificate will be auto-update

22201 warning system LOG_ID_AUTO_GEN_CERT user=system

action=certificate-regenerat

e status=warning cert=[s]

msg="Local certificate [s]

will auto-regenerate in [n]

days."

Certificate will be

auto-regenerate


22202 error system LOG_ID_AUTO_UPT_CERT_

FAIL

user=system

action=certificate-update

status=failure cert=[s]

msg="[s]"

Certificate failed to

auto-update

22203 error system LOG_ID_AUTO_GEN_CERT_

FAIL

user=system

action=certificate-regenerat

e status=failure cert=[s]

msg="[s]"

Certificate failed to

auto-regenerate

22700 critical system LOG_ID_IPS_FAIL_OPEN msg="IPS session scan

resumed, exit fail open

mode."

IPS fail open

22800 critical system LOG_ID_SCAN_SERV_FAIL service=[s] mode=[s]

msg="The system has [s]

session fail mode"

Scan services session fail

mode

22801 critical system LOG_ID_SCAN_LEAVE_

CONSERVE_MODE

service=[s] conserve=exit

total=[n] free=[n]

entermargin=[n]

exitmargin=[n] msg="The

system exited conserve

mode"

Scan services exited conserve

mode

22802 critical system LOG_ID_SYS_ENTER_

CONSERVE_MODE

service=[s] sysconserve=on

total=[n] free=[n]

entermargin=[n]


system has entered system

conserve mode"

System services entered

conserve mode

22803 critical system LOG_ID_SYS_LEAVE_

CONSERVE_MODE

service=[s]

sysconserve=exit total=[n]

free=[n] entermargin=[n]


system exited system

conserve mode"

System exited conserve mode

22804 critical system LOG_ID_LIC_STATUS_CHG service=license status=[s]

msg="License status

changed to [s]"

License Status Change

22805 warning system LOG_ID_FAIL_TO_VALIDATE_

LIC

service=license

status=warning

msg="License could not be

validated for over 4 hours"

License Status Warning

22806 warning system LOG_ID_DUP_LIC service=license

status=warning

msg="Detected duplicate

license in use"

License Status Duplicate

Warning

22810 critical system LOG_ID_SCAN_ENTER_

CONSERVE_MODE

service=[s] conserve=on

total=[n] free=[n]

entermargin=[n]


system has entered

conserve mode"

Scan services entered

conserve mode


22900 notice system LOG_ID_CAPUTP_SESSION msg="[s]" action=[s]

src=[n].[n].[n].[n]

caputp-session

22901 notice system LOG_ID_FAZ_CON action=connect

status=success

msg="Connected to

FortiAnalyzer [s]"

FortiAnalyzer Connection

22902 notice system LOG_ID_FAZ_DISCON action=disconnect

status=success

reason="[s]"

msg="Disconnected from

FortiAnalyzer [s]"

FortiAnalyzer Disconnection

22903 critical system LOG_ID_FAZ_CON_ERR action=connect

status=failure reason="[s]"

msg="Failed to connect

FortiAnalyzer [s]"

FortiAnalyzer Connection

22910 notice system LOG_ID_EVENT_SLA_

PROBE_PING

[s]="[n]" [s]="[s]" [s]="ping"

[s]="[s]" msg="SLA Probe

event: change state from [s]

to [s]"

SLA Probe information

22911 notice system LOG_ID_EVENT_SLA_

PROBE_HTTPGET

[s]="[n]" [s]="[s]" [s]="[s]"

[s]="http-get" [s]="[s]"

msg="SLA Probe event:

change state from [s] to [s]"

SLA Probe information

22916 notice system LOG_ID_FDS_STATUS status=[s] msg="FortiGuard

Message Service server is

[s]"

FortiGuard Message Service

status

22917 notice system LOG_ID_FDS_SMS_QUOTA user=system msg="SMS

quota is used up."

SMS quota used up

23101 unknown vpn LOG_ID_IPSEC_TUNNEL_UP action=[s] tunnel_id=[n]

[s]tunneltype=[s] remote_

ip=[s] tunnel_ip=[s]

user="[s]" group="[s]"

[s][s][s][s]msg="[s] [s]"

VPN event log message

23102 unknown vpn LOG_ID_IPSEC_TUNNEL_

DOWN

action=[s] tunnel_id=[n]




[s][s][s][s]msg="[s] [s]"


23103 unknown vpn LOG_ID_IPSEC_TUNNEL_

STAT





[s][s][s][s]msg="[s] [s]"


26001 information

| unknown

router LOG_ID_DHCP_MSG interface="[s]" dhcp_

msg="[s]" dir=[s]

mac=[s]:[s]:[s]:[s]:[s]:[s]

ip=[n].[n].[n].[n] lease=[n]

hostname="[s]" msg="[s]"

DHCP request and response

log


26002 error router LOG_ID_DHCP_NO_SHARE_

NET

interface="[s]" No shared

network for network [s] ([s])

No shared network found

26003 information router LOG_ID_DHCP_STAT interface="[s]" total=[n]

used=[n] msg="[s]"

DHCP Statistics

26004 error router LOG_ID_DHCP_MULT_SUB_

NET

interface="[s]" Address

range [s] to [s], netmask [s]

spans [s]!

Address range spans multiple

subnets

26005 error router LOG_ID_DHCP_INV_ADDR_

RANGE

interface="[s]" Address

range [s] to [s] not on net

[s]/[s]!

Address range doesn't belong

to the net

29001 unknown router LOG_ID_PPPD_MSG user="[s]"

local=[n].[n].[n].[n]

remote=[n].[n].[n].[n]

assigned=[n].[n].[n].[n]

stat="[s]" msg="[s]"

Pppd log message

29002 notice |

debug

router LOG_ID_PPPD_AUTH_SUC user="[s]"

local=[n].[n].[n].[n]



action=auth_success

msg="User '[s]' using [s]

with authentication protocol

[s], [s]"

PPPD authentication success

log message

29003 notice router LOG_ID_PPPD_AUTH_FAIL local=[n].[n].[n].[n]



action=auth_failed msg="[s]

is trying to connect using [s]

with authentication protocol

[s], failed"

PPPD authentication failure log

message

29009 notice router LOG_ID_PPPOE_STATUS_

REPORT

gateway=[n].[n].[n].[n]


msg="PPPoE status report"

PPPoE status report

29011 error router LOG_ID_PPPD_FAIL_TO_

EXEC

Can't execute [s]: [s] pppd cannot execute a

program

29012 unknown router LOG_ID_PPP_OPT_ERR [s] ppp has received wrong

options

29013 notice router LOG_ID_PPPD_START msg="pppd is started" pppd is started

29014 information router LOG_ID_PPPD_EXIT msg="pppd is exiting" pppd is exiting

29015 error router LOG_ID_PPP_RCV_BAD_

PEER_IP

Peer IP is the same as an

interface IP[s].

IP([n].[n].[n].[n])

ppp has received bad options

29016 error router LOG_ID_PPP_RCV_BAD_

LOCAL_IP

Local IP is the same as an

interface IP[s].

IP([n].[n].[n].[n])

ppp has received bad options


29017 unknown router LOG_ID_PPP_OPT_NOTIF [s] ppp has received wrong

options

29020 notice router LOG_ID_WIRELESS_SET_

FAIL

wireless set command [s] [s]

failed

32001 information system LOG_ID_ADMIN_LOGIN_

SUCC

user="[s]" ui=[s]

action=login

status=success

reason=none profile="[s]"


logged in successfully from

[s]"

Admin logged in successfully

32002 alert system LOG_ID_ADMIN_LOGIN_FAIL user=test ui=cli

action=login status=failed

reason=test msg="Alarm

testing"

Failed admin login attempt

32003 information system LOG_ID_ADMIN_LOGOUT user="[s]" ui=[s]

action=logout

status=success

duration=[n] [s]reason=[s]

msg="Administrator [s] [s]

[s]"

Admin logged out

32004 emergency system LOG_ID_ALARM_TEST_FAIL action=error-mode

reason=self-test

msg="Alarm testing"

alarm testing

32005 information system 32005 user="[s]"

action=vdom-override

status=success

reason=none


vdom overridden to [s]"

Admin overrided vdom

successfully

32006 information system LOG_ID_ADMIN_ENTER_

VDOM

user="[s]" ui=[s]

action=vdom-switch

reason=none msg="User [s]

has entered the virtual

domain [s]"

A super admin has entered to

this vdom

32007 information system LOG_ID_ADMIN_LEFT_VDOM user="[s]" ui=[s]

action=vdom-switch

reason=none msg="User [s]

has left the virtual domain

[s]"

A super admin has left the

current vdom

32008 warning system LOG_ID_VIEW_LOG_FAIL user="[s]" ui=[s] msg="User

[s] failed to access the [s]

logs from [s]"

Failed to view log

32009 information system LOG_ID_SYSTEM_START msg="Fortigate started[s]" System started

32010 emergency

|

information

| unknown

system LOG_ID_DISK_LOG_FULL msg="[s] is [n]%

full.System will stop [s]

logging."

Log full


32011 notice system LOG_ID_LOG_ROLL action=roll-log

reason=file-size log=[s]

msg="Disk log has rolled."

Log rotation

32012 information system LOG_ID_FIPS_LEAVE_ERR_

MOD

action=exit-error-mode

msg="System exiting out of

error mode."

CC exiting error mode

32014 warning system LOG_ID_CS_LIC_EXPIRE msg="FortiGuard customer

support license will expire

in [n] day(s)"

FortiGuard customer support

license expiring

32015 warning system LOG_ID_DISK_LOG_USAGE msg="Log disk is [n]% full" Log full

32018 emergency system LOG_ID_FIPS_ENTER_ERR_

MOD

action=error-mode

reason=[s] msg="System

enters error-mode due to

[s]"

FIPS error mode

32020 warning system LOG_ID_SSH_CORRPUT_

MAC

ui=https msg="Corrupted

MAC packet detected"

Corrupted MAC detected

32021 alert system LOG_ID_ADMIN_LOGIN_

DISABLE

ui=[s] action=login

status=failed

reason=exceed_limit

msg="Login disabled from

IP [s] for [n] seconds

because of [n] bad

attempts"

Admin login disabled

32022 notice system LOG_ID_VDOM_ENABLED user="[s]" ui=[s] msg="User

[s] enabled virtual domain

[s] from [s]"

vdom enabled

32023 warning |

information

system LOG_ID_MEM_LOG_FULL msg="Memory log is [n]%

full"

Log full

32024 notice system LOG_ID_ADMIN_PASSWD_

EXPIRE

user="[s]"

action=admin-password

status=expired

msg="Password of

administrator [s] has

expired."

Admin password expiry

32026 critical system LOG_ID_STORE_CONF_FAIL Cannot store config due to

first line error: require first

line in file [s] from process

[n]

Cannot store config due to first

line error

32027 notice system LOG_ID_VIEW_LOG_SUCC user="[s]" ui=[s] log=[s]

msg="User [s] has viewed

the disk logs from [s]"

User displayed disk logs

32028 information system LOG_ID_LOG_DEL_DIR msg="System deleted

directory [s]."

Log full

32029 information system LOG_ID_LOG_DEL_FILE action=delete

msg="System deleted log

file [s]"

Log deleted


32030 notice system LOG_ID_SEND_FDS_STAT user="[s]" ui=[s]

action=send-fds-stats


send FDS statistics from

[s]"

send fds stats

32035 notice system LOG_ID_VDOM_DISABLED user="[s]" ui=[s] msg="User

[s] disabled virtual domain

[s] from [s]"

vdom disabled

32045 warning system LOG_ID_MGR_LIC_EXPIRE msg="FortiGuard

management service

license will expire in [n]

day(s)"

FortiGuard management

service license expiring

32048 warning system LOG_ID_SCHEDULE_EXPIRE msg="onetime schedule [s]

will expire in [n] day(s)"

onetime schedule expiring

32051 notice system LOG_ID_LOG_UPLOAD ui=[s] action=upload

status=start msg="Start

uploading disk logs to [s]

from vdom [s]."

Log uploading

32086 warning system LOG_ID_ENTER_

TRANSPARENT

user=[s] ui=lcd action=[s]

status=success

msg="System has been

changed to transparent

mode LCD via LCD"

System has been changed to

transparent mode LCD via LCD

32087 warning system LOG_ID_ENTER_NAT user=[s] ui=lcd action=[s]

status=success

msg="System has been

changed to NAT mode LCD

via LCD"

System has been changed to

NAT mode LCD via LCD

32095 warning system LOG_ID_GUI_CHG_SUB_

MODULE

user="[s]" ui=[s] action=[s]

status=[s] msg="[s] by user

[s] via [s]"

A user has performed an action

to the firewall via GUI. The

action can be one of the

followings: reboot, shutdown,

reload, backup, factory_reset,

restore, upgrade,switch_mode,

download, upload, clear_mlog,

del_log, update, downgrade,

del_session, bootup

32096 warning system LOG_ID_GUI_DOWNLOAD_

LOG


status=[s] hash=[s] file=[s]

msg="[s] by user [s] via [s]"

A user has downloaded a

logging file from the firewall via

GUI

32100 warning system LOG_ID_FORTI_TOKEN_

SYNC

user="[s]" action=token_

sync msg="User [s]

synchronized his/her

FortiToken"

FortiToken synchronization

32101 notice system LOG_ID_LCD_CHG_CONF user="[s]" ui=[s] msg="[s]

by [s]"

Administrator has changed

configuration from LCD


32102 unknown system LOG_ID_CHG_CONFIG user="[s]" ui=[s]

module="[s]"

submodule="[s]" msg="[s]

made a change from [s]:[s]"

A user has changed the

configuration

32103 notice system LOG_ID_NEW_FIRMWARE user=system

action=firmware

status=new msg="New

firmware is available from

FortiGuard"

New firmware is available from

FortiGuard

32120 notice system LOG_ID_RPT_ADD_DATASET user="[s]" ui=[s] name="[s]"

msg="User [s] added a

report dataset [s] from [s]"

Report Dataset is added

32122 notice system LOG_ID_RPT_DEL_DATASET user="[s]" ui=[s] name="[s]"

msg="User [s] delete a

report dataset [s] from [s]"

A report dataset is deleted

32123 notice system LOG_ID_RPT_ADD_LAYOUT_

ITEM

user="[s]" ui=[s] name="[n]"


report summary entry [n]

from [s]"

Report Summary entries is

added

32124 notice system LOG_ID_RPT_DEL_LAYOUT_

ITEM

user="[s]" ui=[s] name="[n]"


report summary entry [n]

from [s]"

A report summary entries is

deleted

32125 notice system LOG_ID_RPT_ADD_CHART user="[s]" ui=[s] name="[s]"


report chart widget [s] from

[s]"

Report Chart widget is added

32126 notice system LOG_ID_RPT_DEL_CHART user="[s]" ui=[s] name="[s]"


report chart widget [s] from

[s]"

A report chart widget is deleted

32129 notice system LOG_ID_ADD_GUEST user="[s]" ui=[s] name="[s]"

status=[s] msg="User [s]

added guest user [s] from

[s]"

A new guest user is added

32130 notice system LOG_ID_CHG_USER user="[s]" ui=[s] name="[s]"

old_status=[s] new_

status=[s] passwd=[s]

msg="User [s] changed

local user [s] setting from

[s]"

A local user's setting is

changed

32131 notice system LOG_ID_DEL_GUEST user="[s]" ui=[s] name="[s]"


deleted guest user [s] from

[s]"

A guest user is deleted

32132 notice system LOG_ID_ADD_USER user="[s]" ui=[s] name="[s]"


added local user [s] from

[s]"

A new local user is added


32138 critical system LOG_ID_REBOOT device is rebooted

32139 critical |

warning |

notice

system LOG_ID_UPD_SIGN_DB user="[s]" ui=[s]

action=update msg="User

[s] requested a geoip object

update from [s]"

Update src-vis object.

32140 notice system 32140 user="[s]" ui=[s]

field=date-time msg="The

[s] ntp server, [s]([s]), is

determined [s] at [s]"

ntp server status change

32142 alert | error

| warning |

notice

system LOG_ID_BACKUP_CONF action=backup

status=success

msg="Configuration

backed up to flash disk

after system upgrading"

backup configuration

32143 critical system 32143 user="[s]" ui="[s]"

action=update-image

msg="User [s] loaded a

wrong layout image from

[s]."

update image

32148 notice system LOG_ID_GET_CRL user="[s]" ui=[s]

action=crl-update crl=[s]

msg="User [s] requested a

CRL update from [s]"

get CRL

32149 notice system LOG_ID_COMMAND_FAIL user="[s]" ui=[s] ret=[n]

msg="Command failed:'[s]'

Return code [n]: [s]"

command failure

32151 notice system LOG_ID_ADD_IP6_LOCAL_

POL

[s] A new ipv6 firewall local in

policy is added

32152 notice system LOG_ID_CHG_IP6_LOCAL_

POL

[s] A ipv6 firewall local in policy's

setting is changed

32153 notice system LOG_ID_DEL_IP6_LOCAL_

POL

[s] A ipv6 firewall local in policy is

deleted

32155 notice system LOG_ID_ACT_FTOKEN_REQ user="[s]" ui=[s]

action=fortitoken-activate

serialno=[s] msg="User [s]

has requested to activate

FortiToken [s]."

Activate FortiToken

32156 notice system LOG_ID_ACT_FTOKEN_

SUCC

action=fortitoken-activate

serialno=[s] status=success

msg="Activation of

FortiToken [s] succeeded."

Activate FortiToken

32157 notice system LOG_ID_SYNC_FTOKEN_

SUCC

user="[s]" ui=[s]

action=fortitoken-synchroni

ze serialno=[s]

status=success


resynchronized FortiToken

[s] successfully."

Synchronize FortiToken


32158 notice system LOG_ID_SYNC_FTOKEN_

FAIL

user="[s]" ui=[s]

action=fortitoken-synchroni

ze serialno=[s] status=failed


failed to resynchronize

FortiToken [s], because [s]."

Synchronize FortiToken

32159 notice system LOG_ID_ACT_FTOKEN_FAIL action=fortitoken-activate

serialno=[s] status=failed

msg="Activation of

FortiToken [s] failed,

because [s]."

Activate FortiToken

32168 notice system LOG_ID_REACH_VDOM_

LIMIT

user="[s]" ui=[s]

msg="Adding new entry

failed: vdom property limit

has been reached when

user [s] adds [s].[s] from [s]"

adding new entry failed

32170 alert system LOG_ID_ALARM_MSG action=alarm alarmid=[n]

groupid=[n] msg="[s]"

alarm

32171 alert system LOG_ID_ALARM_ACK user="[s]" ui=[s]

action=alarm-ack

alarmid=[n] acktime="[s]"

msg="[s]"

alarm ack

32172 notice system LOG_ID_ADD_IP4_LOCAL_

POL

[s] A new firewall local in policy is

added

32173 notice system LOG_ID_CHG_IP4_LOCAL_

POL

[s] A firewall local in policy's

setting is changed

32174 notice system LOG_ID_DEL_IP4_LOCAL_

POL

[s] A firewall local in policy is

deleted

32188 warning system LOG_ID_SSL_PROXY_CA_

INIT_FAIL

msg="SSL Proxy CA

initialization failed"

[s]

32200 critical system LOG_ID_SHUTDOWN user="[s]" ui=[s]

action=shutdown

msg="User [s] shutdown

the device from [s].[s]"

shutdown device

32201 critical system LOG_ID_LOAD_IMG_SUCC user="[s]" ui=[s]

action=loaded-image

msg="User [s] loaded the

image from [s], the new

image does not support CC

mode."

loaded an image

32202 critical system LOG_ID_RESTORE_IMG user="[s]" ui=[s]

action=restore-image

msg="User [s] restored the

image from [s] ([s],build[s]

-> [s],build[s])"

restore the image


32203 critical |

warning |

notice

system LOG_ID_RESTORE_CONF user="[s]" ui=[s]

action=restore-configuratio

n msg="User [s] restored

the configuration from [s]"

restore the configuration

32204 critical |

notice

system LOG_ID_RESTORE_FGD_

SVR


msg="User [s] restored [s]

file from [s]"

restore the fortiguard service

32205 critical |

notice

system LOG_ID_RESTORE_VDOM_

LIC


msg="User [s] restored [s]

file from [s]"

restore VM license

32206 warning system LOG_ID_RESTORE_SCRIPT user="system"

action=restore-script

msg="System restored

script [s] from management

station"

restore script

32207 warning system LOG_ID_RETRIEVE_CONF_

LIST

user="[s]" ui=[s]

action=retrieve-[s]

msg="User [s] failed to

retrieve the [s] list from

management station"

retrieve configuration list failure

32208 critical system LOG_ID_IMP_PKCS12_CERT user="[s]" ui=[s]

action=import-certificate

msg="User [s] imported the

certificate from [s]"

import the pkcs12 certificate

32209 critical |

notice

system LOG_ID_RESTORE_USR_

DEF_IPS

user="[s]" ui=[s]

action=restore-ips-signatur

e status=success


restored the user-defined

IPS signatures from [s]"

restore the user-defined IPS

signatures

32210 notice system LOG_ID_BACKUP_IMG user="[s]" ui=[s]

action=backup

status=success

msg="Firmware image

backed up to flash disk for

system [s]"

backup image

32211 notice system LOG_ID_UPLOAD_REVISION user="[s]" ui=[s]

action=upload

status=success msg="User

[s] upload the [s] from [s] to

flash disk"

upload revision

32212 notice system LOG_ID_DEL_REVISION action=delete

status=success

msg="[s]:[n] has been

deleted from revision data

base"

revision DB deletion


32213 warning system LOG_ID_RESTORE_

TEMPLATE

user="system"

action=restore-cfg

msg="System restored [s]

file [s] from management

station"

restore template

32214 warning system LOG_ID_RESTORE_FILE user="system"

action=restore-[s]

msg="System failed to

restore [s] file [s] from

management station"

restore failure

32215 critical system LOG_ID_UPT_IMG user="[s]" ui="[s]"

action=update-image

msg="User [s] loaded a

wrong image from [s]."

update image

32217 warning |

notice

system LOG_ID_UPD_IPS user="[s]" ui="[s]"


[s] has updated IPS

package by SCP"

An user has updated the IPS

package by SCP

32218 warning system LOG_ID_UPD_DLP user="[s]"

ui="Fortimanager"


[s] failed to update DLP

fingerprint database by

SCP"

An user failed to update the

DLP fingerprint database by

SCP

32219 warning system LOG_ID_BACKUP_OUTPUT user="[s]" ui="[s]"

action=backup msg="User

[s] backed up the result of

batch mode commands by

SCP"

An user has backed up the

result of standardized error

output by SCP

32220 warning system LOG_ID_BACKUP_

COMMAND

user="[s]" ui="[s]"


[s] backed up the result of

batch mode commands by

SCP"

An user has backed up the

result of batch mode

commands by SCP

32221 warning system LOG_ID_UPD_VDOM_LIC user="[s]" ui="[s]"


[s] has installed VM license

by SCP"

An user has installed the VM

license by SCP

32222 notice system LOG_ID_GLB_SETTING_CHG user="[s]" ui=[s]

field=virtual-domain

action=[s] msg="User [s]

changed global setting from

[s]"

global setting change

32223 error |

notice

system LOG_ID_BACKUP_USER_

DEF_IPS

user="[s]" ui=[s]

action=backup

status=failure


failed to back up the

user-defined IPS signatures

from [s]"

backup the user-defined IPS

signatures failure


32224 notice system LOG_ID_BACKUP_LOG user="[s]" ui=[s]


[s] backed up [s] log from

[s]"

backup log

32225 notice system LOG_ID_DEL_ALL_REVISION action=delete

status=success

msg="[s]:revision data base

corruption detected, reset."

revision DB clearance

32226 critical system LOG_ID_LOAD_IMG_FAIL user="[s]" ui=[s]

action=loaded-image

status=failure msg="User

[s] loaded a wrong image

from [s]."

loaded an image

32240 critical system LOG_ID_SYS_USB_MODE action=reboot

status=success

msg="System is rebooted

and operating in USB mode

with configurations loaded

from USB (read-only)"

System is operating in USB

mode

32252 critical system LOG_ID_FACTORY_RESET user="[s]" ui=[s]

action=factory-reset

msg="User [s] reset to the

factory settings from [s]"

factory reset

32253 critical system LOG_ID_FORMAT_RAID user="[s]" ui=[s]

action=format-rebuild-level

msg="User [s] formatted

the RAID disk from [s]"

config raid

32254 critical system LOG_ID_ENABLE_RAID user="[s]" ui=[s]

action=enable-raid

msg="User [s] enabled

RAID from [s]"

config raid

32255 critical system LOG_ID_DISABLE_RAID user="[s]" ui=[s]

action=disable-raid

msg="User [s] disabled

RAID from [s]"

config raid

32300 notice system LOG_ID_UPLOAD_RPT_IMG user="[s]" ui=[s] status=[s]

action=upload-report-imag

e reason="[s]" msg="User

'[s]' [s] upload the report

image file '[s]' from [s]([s])"

upload the report image file

32301 notice system LOG_ID_ADD_VDOM user="[s]" ui=[s]

action=add-vdom

msg="Virtual domain [s] is

added"

Vdom is added

32302 notice system LOG_ID_DEL_VDOM user="[s]" ui=[s]

action=del-vdom

msg="Virtual domain [s] is

deleted"

Vdom is deleted


32340 critical system LOG_ID_LOG_DISK_UNAVAIL msg="Log disk is

unavailable"

Log disk is unavailable

32341 notice system LOG_ID_LOG_DISK_

DEFAULT_DISABLED

msg="Disk log status

changed to disabled in

upgrade process."

disk log status changed

32400 alert system LOG_ID_CONF_CHG user="[s]" ui=[s]

msg="Configuration is

changed in the admin

session"

config changed

32545 critical system LOG_ID_SYS_RESTART user=none ui=none

action=reboot

msg="System will reboot

due to scheduled daily

restart."

System restart

32546 warning system LOG_ID_APPLICATION_

CRASH

action=crash msg="Pid: [s],

application: [s], Firmware:

[s], Signal [n] received,

Backtrace:[s]"

Application crash

35001 notice system LOG_ID_HA_SYNC_VIRDB msg="HA slave sync

virdb([s]) [s]"

HA slave sync virdb

35002 notice system LOG_ID_HA_SYNC_ETDB msg="HA slave sync

etdb([s]) [s]"

HA slave sync etdb

35003 notice system LOG_ID_HA_SYNC_EXDB msg="HA slave sync

exdb([s]) [s]"

HA slave sync exdb

35004 notice system LOG_ID_HA_SYNC_FLDB msg="HA slave sync

fldb([s]) [s]"

HA slave sync fldb

35005 notice system LOG_ID_HA_SYNC_IPS msg="HA slave sync ids([s])

package [s]"

HA slave sync ids package

35007 notice system LOG_ID_HA_SYNC_AV msg="HA slave sync AV([s])

package [s]"

HA slave sync AV package

35008 notice system LOG_ID_HA_SYNC_VCM msg="HA slave sync

VCM([s]) package [s]"

HA slave sync VCM package

35009 notice system LOG_ID_HA_SYNC_CID msg="HA slave sync

CID([s]) package [s]"

HA slave sync CID package

35010 error system LOG_ID_HA_SYNC_FAIL msg="HA slave sync failed

in [n] turns"

HA slave sync failed

36880 warning system LOG_ID_EVENT_SYSTEM_

MAC_HOST_STORE_LIMIT

msg="Number of detected

user devices exceeds limit

that can be persistently

stored. Detected [n]; can

save [n]."

user device data store limit


37124 error vpn MESGID_NEG_I_P1_ERROR msg="IPsec phase 1 error"

action=[s] remip=[s]

locip=[s] remport=[n]

locport=[n] outintf=[s]

cookies="[s]" user="[s]"

group="[s]" xauthuser="[s]"

xauthgroup="[s]"

vpntunnel="[s]" status=[s]

error_reason="[s]" peer_

notif="[s]"

IPsec phase 1 error log

37125 error vpn MESGID_NEG_I_P2_ERROR msg="IPsec phase 2 error"






xauthgroup="[s]"


error_reason="[s]"


37126 error vpn MESGID_NEG_NO_STATE_

ERROR

msg="IPsec no state error"






xauthgroup="[s]"


error_reason="[s]"

IPsec no state error log

37133 notice vpn MESGID_INSTALL_SA msg="install IPsec SA"






xauthgroup="[s]"

vpntunnel="[s]" role=[s] in_

spi="[s]" out_spi="[s]"

install IPsec SA log

37134 notice vpn MESGID_DELETE_P1_SA msg="delete IPsec phase 1

SA" action=[s] remip=[s]





xauthgroup="[s]"

vpntunnel="[s]"

delete IPsec phase 1 SA log

37135 notice vpn MESGID_DELETE_P2_SA msg="delete IPsec phase 2






xauthgroup="[s]"

vpntunnel="[s]" enc_

spi="[s]" dec_spi="[s]"



37136 error vpn MESGID_DPD_FAILURE msg="IPsec DPD failure"






xauthgroup="[s]"


IPsec DPD failure log

37137 error vpn MESGID_CONN_FAILURE msg="IPsec connection

failure" action=[s] remip=[s]





xauthgroup="[s]"


IPsec connection failure log

37138 notice vpn MESGID_CONN_UPDOWN msg="IPsec connection

status change" action=[s]

remip=[s] locip=[s]

remport=[n] locport=[n]

outintf=[s] cookies="[s]"


xauthuser="[s]"

xauthgroup="[s]"

vpntunnel="[s]" tunnelip=[s]

tunnelid=[n]

tunneltype="ipsec"

duration=[n] sent=[n]

rcvd=[n] nextstat=[n]

tunnel="[s]"

IPsec connection status

change log

37139 notice vpn MESGID_P2_UPDOWN msg="IPsec phase 2 status

change" action=[s]

remip=[s] locip=[s]




xauthuser="[s]"

xauthgroup="[s]"

vpntunnel="[s]" phase2_

name=[s]

IPsec phase 2 status change

log

37140 notice vpn MESGID_AUTO_IPSEC msg="auto-ipsec status

change" action=[s]

remip=[s] locip=[s]




xauthuser="[s]"

xauthgroup="[s]"


reason="[s]"

auto-ipsec status log


37141 notice vpn MESGID_CONN_STATS msg="IPsec tunnel

statistics" action=[s]

remip=[s] locip=[s]




xauthuser="[s]"

xauthgroup="[s]"


tunnelid=[n]

tunneltype="[s]"



tunnel="[s]"

IPsec tunnel statistics log

37188 error vpn MESGID_NEG_I_P1_ERROR_

IKEV2

msg="IPsec phase 1 error"





group="[s]" vpntunnel="[s]"

status=[s] error_

reason="[s]"


37189 error vpn MESGID_NEG_I_P2_ERROR_

IKEV2

msg="IPsec phase 2 error"






status=[s] error_

reason="[s]"


37190 error vpn MESGID_NEG_NO_STATE_

ERROR_IKEV2

msg="IPsec no state error"






status=[s] error_

reason="[s]"

IPsec no state error log

37197 notice vpn MESGID_INSTALL_SA_IKEV2 msg="install IPsec SA"






role=[s] in_spi="[s]" out_

spi="[s]"

install IPsec SA log

37198 notice vpn MESGID_DELETE_P1_SA_

IKEV2

msg="delete IPsec phase 1








37199 notice vpn MESGID_DELETE_P2_SA_

IKEV2

msg="delete IPsec phase 2






enc_spi="[s]" dec_spi="[s]"


37200 error vpn MESGID_DPD_FAILURE_

IKEV2

msg="IPsec DPD failure"






status=[s]

IPsec DPD failure log

37201 error vpn MESGID_CONN_FAILURE_

IKEV2

msg="IPsec connection

failure" action=[s] remip=[s]





status=[s]

IPsec connection failure log

37202 notice vpn MESGID_CONN_UPDOWN_

IKEV2

msg="IPsec connection

status change" action=[s]

remip=[s] locip=[s]





tunnelid=[n]

tunneltype="ipsec"



tunnel="[s]"

IPsec connection status

change log

37203 notice vpn MESGID_P2_UPDOWN_

IKEV2

msg="IPsec phase 2 status

change" action=[s]

remip=[s] locip=[s]




vpntunnel="[s]" phase2_

name="[s]"

IPsec phase 2 status change

log

37204 notice vpn MESGID_CONN_STATS_

IKEV2

msg="IPsec tunnel

statistics" action=[s]

remip=[s] locip=[s]





tunnelid=[n]

tunneltype="[s]"



tunnel="[s]"

IPsec tunnel statistics log


37888 notice system MESGID_HA_GROUP_

DELETE

msg="HA group is deleted"

ha_group=[n]

HA group delete log

37889 notice system MESGID_VC_DELETE msg="Virtual cluster is

deleted" vcluster=[n]

Virtual cluster delete log

37890 notice system MESGID_VC_MOVE_VDOM msg="Virtual cluster's

vdom is moved" from_

vcluster=[n] to_vcluster=[n]

vdname="[s]"

Virtual cluster move vdom log

37891 notice system MESGID_VC_ADD_VDOM msg="Virtual cluster's

vdom is added" to_

vcluster=[n] vdname="[s]"

Virtual cluster add vdom log

37892 notice system MESGID_VC_MOVE_MEMB_

STATE

Virtual cluster move member

state log

37893 notice system MESGID_VC_DETECT_

MEMB_DEAD

msg="Virtual cluster

detected member dead"

vcluster=[n] ha_group=[n]

sn="[s]"

Virtual cluster detect member

dead log

37894 notice system MESGID_VC_DETECT_

MEMB_JOIN

msg="Virtual cluster

detected member join"

vcluster=[n] ha_group=[n]

sn="[s]"

Virtual cluster detect member

join log

37895 notice system MESGID_VC_ADD_HADEV msg="Virtual cluster add

HA device" vcluster=[n]

devintfname="[s]"

Virtual cluster add HA

device(interface) log

37896 notice system MESGID_VC_DEL_HADEV msg="Virtual cluster delete

HA device(interface)"

vcluster=[n]

devintfname="[s]"

Virtual cluster delete HA

device(interface) log

37897 notice system MESGID_HADEV_READY msg="HA device(interface)

ready" ha_role=[s]

devintfname="[s]"

HA device(interface) ready log

37898 warning system MESGID_HADEV_FAIL msg="HA device(interface)

fail" ha_role=[s]

devintfname="[s]"

HA device(interface) fail log

37899 notice system MESGID_HADEV_PEERINFO msg="HA device(interface)

peerinfo" ha_role=[s]

devintfname="[s]"

HA device(interface) peerinfo

log

37900 notice system MESGID_HBDEV_DELETE msg="Heartbeat

device(interface) delete"

devintfname="[s]"

Heartbeat device(interface)

delete log

37901 critical system MESGID_HBDEV_DOWN msg="Heartbeat

device(interface) down" ha_

role=[s] hbdn_reason="[s]"

devintfname="[s]"

Heartbeat device(interface)

down log


37902 information system MESGID_HBDEV_UP msg="Heartbeat

device(interface) up" ha_

role=[s] devintfname="[s]"

Heartbeat device(interface) up

log

37903 information system MESGID_SYNC_STATUS msg="The sync status with

the master" sync_type=[s]

sync_status="[s]"

The sync status with the

master log

37904 information system MESGID_HA_ACTIVITY msg="HA activity report"

ip=[s] ha-prio=[n]

activity="[s]"

HA activity report log

38010 alert user LOG_ID_FIPS_ENCRY_FAIL user="[s]" ui=[s]

action=encryption

cipher=aes-128-cbc

status=failed msg="EVP

encryption failed"

Encryption failed

38011 alert user LOG_ID_FIPS_DECRY_FAIL user="[s]" ui=[s]

action=decryption

cipher=aes-128-cbc

status=failed msg="EVP

decryption failed"

Decryption failed

38012 notice user LOG_ID_ENTROPY_TOKEN user=system

action=seeding

msg="Seeding PRNG from

entropy token"

Seeding from entropy token

38031 notice user LOG_ID_FSSO_LOGON user="[s]" src=[n].[n].[n].[n]

server="[s]"

action=FSSO-polling-logon

status=success

reason="[s]"

msg="FSSO-polling-logon

event from [s]: user [s]

logged on [n].[n].[n].[n]"

authentication information

38032 notice user LOG_ID_FSSO_LOGOFF user="[s]" src=[n].[n].[n].[n]

server="[s]"

action=FSSO-polling-logoff

status=success

reason="[s]"

msg="FSSO-polling-logoff

event from [s]: user [s]

logged off [n].[n].[n].[n]"


38033 notice user LOG_ID_FSSO_SVR_STATUS user="[s]" server="[s]"

action=FSSO-polling-AD-s

erver

msg="FSSO-polling-AD-se

rver status changes: [s] ->

[s]"



38400 notice system LOGID_EVENT_NOTIF_

SEND_SUCC

user="[s]" from="[s]"

to="[s]" service="[s]"

proto=[s] dst=[s] dport=[n]

nf_type=[s] virus="[s]"

profile="[s]"

profiletype="[s]"

profilegroup="[s]" count=[n]

duration=[n]

msg="Successfuly sent a

notification message."

The system successfully sent a

notification message log

38401 warning system LOGID_EVENT_NOTIF_

SEND_FAIL

user="[s]" from="[s]"

to="[s]" service="[s]"

proto=[s] dst=[s] dport=[n]

nf_type=[s] virus="[s]"

profile="[s]"

profiletype="[s]"

profilegroup="[s]" count=[n]

duration=[n] msg="Unable

to send notification

message." sess_

duration=[n]

The system was unable to

send a notification message

log

38402 notice system LOGID_EVENT_NOTIF_DNS_

FAIL

hostname="[s]"

service="[s]" profile="[s]"

profiletype="[s]" profile_

vd="[s]" msg="Unable to

resolve hostname."

The system was unable to

resolve an MMSC hostname

log


INSUFFICIENT_RESOURCE

msg="[s] ([s])" Insufficient resource


HOSTNAME_ERROR

hostname="[s]" msg="[s]" Unable to resolve FortiGuard

hostname

38405 notice system LOGID_NOTIF_CODE_

SENDTO_SMS_PHONE

user="[s]"

action=send-activation-cod

e msg="Send token [s]

activation code [s] to [s]"

send activation code


SENDTO_SMS_TO

user="[s]"






SENDTO_EMAIL

user="[s]"





38408 information system LOGID_EVENT_OFTP_SSL_

CONNECTED

dst=[n].[n].[n].[n] dstport=[n]

action=connect

status=success msg="SSL

connection to [n].[n].[n].[n]

is successfully

established."

SSL connection established.



DISCONNECTED


action=disconnect

status=success msg="SSL

connection to [n].[n].[n].[n]

is successfully closed."

SSL connection closed.


FAILED


reason="[s]([n])"

action=connect

status=failure msg="SSL

read to [n].[n].[n].[n] has

failed."

SSL connection failure.

38656 notice user LOGID_EVENT_RAD_RPT_

PROTO_ERROR


msg="[s]"

RADIUS

protocol/profile/context error,

missing stop

packet,accounting or other

report log


PROF_NOT_FOUND


msg="[s]"

RADIUS


missing stop


report log


CTX_NOT_FOUND


msg="[s]"

RADIUS


missing stop


report log


ACCT_STOP_MISSED


msg="[s]"

RADIUS


missing stop


report log


ACCT_EVENT


msg="[s]"

RADIUS


missing stop


report log


OTHER


msg="[s]"

RADIUS


missing stop


report log

38662 notice user LOGID_EVENT_RAD_STAT_

PROTO_ERROR

carrier_ep="[s]" ip=[s] rsso_

key="[s]" msg="[s]" acct_

stat=[s] reason="[s]"

RADIUS protocol errors

occurred log


PROF_NOT_FOUND




RADIUS start or interim-update

packet receivedwith missing or

invalid profile specified


CTX_NOT_FOUND


key="[s]" msg="[s]"

RADIUS no context found for

user



ACCT_STOP_MISSED




RADIUS stop packet was

missed


ACCT_EVENT




RADIUS accounting event


OTHER




count=[n]

RADIUS other dynamic profile

event

39424 unknown vpn LOG_ID_EVENT_SSL_VPN_

USER_TUNNEL_UP

action="[s]"

tunneltype="[s]" tunnel_

id=[n] remote_ip=[s] tunnel_

ip=[s] user="[s]" group="[s]"

[s][s][s] reason="[s]"

msg="[s]"

SSL user event log


USER_TUNNEL_DOWN

action="[s]"






rcvd=[n] msg="[s]"

SSL user event log


USER_SSL_LOGIN_FAIL

action="[s]"





msg="[s]"

SSL user event log


SESSION_WEB_TUNNEL_

STATS

action="[s]"




[s][s][s] next_stats=[n]


rcvd=[n] msg="[s]"

SSL user event log


SESSION_WEBAPP_DENY

action="[s]"




[s][s][s] app-type="[s]"

msg="[s]"

SSL user event log


SESSION_WEBAPP_PASS

action="[s]"





msg="[s]"

SSL user event log



SESSION_WEBAPP_

TIMEOUT

action="[s]"





msg="[s]"

SSL user event log


SESSION_WEBAPP_CLOSE

action="[s]"





msg="[s]"

SSL user event log


SESSION_SYS_BUSY

action="[s]"





msg="[s]"

SSL user event log


SESSION_CERT_OK

action="[s]"





msg="[s]"

SSL user event log


SESSION_NEW_CON

action="[s]"





msg="[s]"

SSL user event log


SESSION_ALERT

action="[s]"




[s][s][s] alert="[s]"

desc="[s]" msg="[s]"

SSL user event log


SESSION_EXIT_FAIL

action="[s]"





msg="[s]"

SSL user event log


SESSION_EXIT_ERR

action="[s]"





msg="[s]"

SSL user event log



SESSION_TUNNEL_UP

action="[s]"





msg="[s]"

SSL user event log


SESSION_TUNNEL_DOWN

action="[s]"






rcvd=[n] msg="[s]"

SSL user event log


SESSION_TUNNEL_STATS

action="[s]"




[s][s][s] next_stats=[n]


rcvd=[n] msg="[s]"

SSL user event log


SESSION_TUNNEL_

UNKNOWNTAG

action="[s]"





msg="[s]"

SSL user event log


SESSION_TUNNEL_ERROR

action="[s]"





msg="[s]"

SSL user event log


SESSION_ENTER_

CONSERVE_MODE

action="[s]"





msg="[s]"

SSL user event log


SESSION_LEAVE_

CONSERVE_MODE

action="[s]"





msg="[s]"

SSL user event log

40001 unknown vpn LOG_ID_PPTP_TUNNEL_UP action=[s] tunnel_id=[n]




[s][s][s][s]msg="[s] [s]"



40002 unknown vpn LOG_ID_PPTP_TUNNEL_

DOWN





[s][s][s][s]msg="[s] [s]"


40003 unknown vpn LOG_ID_PPTP_TUNNEL_

STAT





[s][s][s][s]msg="[s] [s]"


40014 warning vpn LOG_ID_PPTP_REACH_

MAX_CON

status=failure

action=connect

msg="PPTP: the maximum

number of connections has

been reached. No more

clients can connect."

The maximum number of PPTP

connections has been reached

40016 warning vpn LOG_ID_L2TPD_SVR_

DISCON

action=disconnect

status=success

reason="interface not

found" msg="L2TPD

closed all client

connections in vdom '[s]'

because failed to find

interface by device index"

L2TPD disconnection

40017 warning vpn LOG_ID_L2TPD_CLIENT_

CON_FAIL

action=connect

status=failure reason="no

ip available" msg="No IP

addresses left to assign in

virtual domain: [s]"

L2TP client connection

40019 information vpn LOG_ID_L2TPD_CLIENT_

DISCON

action=disconnect

status=success

msg="Client [n].[n].[n].[n]

control connection (id [n])

finished"

L2TP client disconnection

40021 debug vpn LOG_ID_PPTP_NOT_CONIG status=failure

action=connect

msg="PPTP: connection

request in unconfigured


pptp is not configured (in this

virtual domain)

40022 warning vpn LOG_ID_PPTP_NO_IP_AVAIL status=failure

action=connect

msg="PPTP: No IP

addresses left to assign in


No ip available

40024 warning vpn LOG_ID_PPTP_OUT_MEM status=failure action=start

msg="failed to expand pptp

config list due to not

enough memory"

Not enough memory


40034 notice vpn LOG_ID_PPTP_START action=start

status=success

msg="PPTPD started

successfully"

PPTPD start

40035 error vpn LOG_ID_PPTP_START_FAIL action=start status=failure

reason="failed to create

socket" msg="PPTPD

failed to start because

failed to create socket"

PPTPD start

40036 notice vpn LOG_ID_PPTP_EXIT action=exit status=success

msg="PPTPD exited

successfully"

PPTPD exit

40037 information vpn LOG_ID_PPTPD_SVR_

DISCON

action=disconnect

status=success

reason="PPTP setting is

changed" msg="PPTPD

closed all client

connections in vdom '[s]'

because PPTP setting was

changed"

PPTPD disconnect

40038 information vpn LOG_ID_PPTPD_CLIENT_

CON

action=connect

status=success


control connection started"

PPTPD client connection

40039 information vpn LOG_ID_PPTPD_CLIENT_

DISCON

action=disconnect

status=success


control connection

finished"

PPTPD client disconnection

40101 unknown vpn LOG_ID_L2TP_TUNNEL_UP action=[s] tunnel_id=[n]




[s][s][s][s]msg="[s] [s]"


40102 unknown vpn LOG_ID_L2TP_TUNNEL_

DOWN





[s][s][s][s]msg="[s] [s]"


40103 unknown vpn LOG_ID_L2TP_TUNNEL_

STAT





[s][s][s][s]msg="[s] [s]"


40114 notice vpn LOG_ID_L2TPD_START action=start

status=success

msg="L2TPD started

successfully"

L2TPD starting


40115 notice vpn LOG_ID_L2TPD_EXIT action=exit status=success

msg="L2TPD exited

successfully"

L2TPD exiting

40118 information vpn LOG_ID_L2TPD_CLIENT_

CON

action=connect

status=success

msg="Client [s] control

connection started (id [n]),

assigned ip [n].[n].[n].[n]"

L2TP client connection

40704 notice system LOG_ID_EVENT_SYS_PERF action="perf-stats" cpu=[n]

mem=[n] totalsession=[n]

msg="Performance

statistics"

system performace log

40960 notice wad LOGID_EVENT_WAD_

WEBPROXY_FWD_SRV_

ERROR

fwserver_name="[s]" addr_

type=[s] ip=[s] fqdn="[s]"

port=[n] msg="[s]"

Web proxy forward server error

41000 notice system LOG_ID_UPD_FGT_SUCC [s] msg="Fortigate [s]

[s][s][s] [s][s][s] [s][s][s]

[s][s][s] [s][s][s] [s][s][s]

[s][s][s] [s][s][s] from [s]"

Administrator has updated

fortigate successfully

41001 critical system LOG_ID_UPD_FGT_FAIL [s] msg="Fortigate [s]

failed"

Administrator has failed to

update fortigate

41002 notice system LOG_ID_UPD_SRC_VIS status=update src-vis=yes

msg="FortiGate updated

src-vis ([s])"


src-vis plugin successfully

41003 critical system LOG_ID_INVALID_UPD_LIC action=update

status=failure msg="HA

member [s] does not have

valid license"

Invalid update license

41005 notice system LOG_ID_UPD_VCM status=update vcm=yes

msg="FortiGate updated

VCM ([s])"


VCM plugin successfully

41984 information vpn LOG_ID_EVENT_SSL_VPN_

CERT_LOAD

action="[s]" user="[s]"

ui="[s]" name="[s]"

msg="[s]" cert-type=[s]

Certificate log


CERT_REMOVAL

action="[s]" user="[s]"

ui="[s]" name="[s]"

msg="[s]" cert-type=[s]

Certificate log


CERT_UPDATE

action="[s]" cert-type=[s]

status="[s]" name="[s]"

method="[s]" msg="[s]"

Certificate log


SETTING_UPDATE

action="info" user="[s]"

ui="[s]" msg="User

changed SSL setting"

SSL Setting Updated


CERT_ERR




Certificate log



CERT_UPDATE_FAILED




Certificate log

43008 notice user LOG_ID_EVENT_AUTH_

SUCCESS

src=[s] dst=[s] policyid=3

user="user"

group="usergroup"

ui="HTTP([s])"


status=success

reason="reason"

msg="User user succeeded

in authentication"

Authentication log


FAILED


user="user"

group="usergroup"

ui="HTTP([s])"


status=failure

reason="reason"

msg="User user failed in

authentication"

Authentication log

43010 warning user LOG_ID_EVENT_AUTH_

LOCKOUT


user="user"

group="usergroup"

ui="HTTP([s])"


status=locked_out

reason="reason"

msg="User from [s] was

locked out"

Authentication log


TIME_OUT

src=[s] dst=[s] policyid=[n]


ui="[s]" action=[s]

status=[s]

reason="Authentication

timed out" msg="[s]"

Authentication log


FSAE_AUTH_SUCCESS

src=[s] dst=[s] proto=[n]

policyid=[n] user="[s]"

adgroup="[s]" ui="[s]"

action=[s] status=[s]

reason="[s]" msg="[s]"

FSSO Authentication log


FSAE_AUTH_FAIL

src=[s] dst=[s] proto=[n]

policyid=[n] user="[s]"

adgroup="[s]" ui="[s]"



FSSO Authentication log


FSAE_LOGON

src=[s] user="[s]"

server="[s]" action=[s]

msg="[s]"

FSSO log on/off


FSAE_LOGOFF

src=[s] user="[s]"

server="[s]" action=[s]

msg="[s]"

FSSO log on/off



NTLM_AUTH_SUCCESS


user="[s]" adgroup="[s]"

group="[s]" ui="[s]"



NTLM authentication log


NTLM_AUTH_FAIL


user="[s]" adgroup="[s]"

group="[s]" ui="[s]"



NTLM authentication log


FGOVRD_FAIL

src=[s] dst=[s] initiator=[s]

status=[s] reason="[s]"

msg="[s]"

Fortiguard override failed log


FGOVRD_TBL_FULL

src=[s] dst=[s] initiator=N/A

status=failure

reason="reason"

msg="FortiGuard Web

Filtering override table is

full"

Fortiguard override log


FGOVRD_SUCCESS



scope=[s] scope_data="[s]"

rule_type=[s] rule_

data="[s]" offsite=[s]

expiry="[s]" oldwprof="[s]"

newwprof="[s]" msg="[s]"

Fortiguard override succeeded

log


ENDPOINT_CHECK

dst=[s] ui="HTTP(0.0.0.0)"

msg="forticlient msg"

Endpoint log


ENDPOINT_LICENSE

dst=[s] ui="HTTP(0.0.0.0)"


Endpoint log


ENDPOINT_DET_RECORD

dst=[s] ui="N/A(0.0.0.0)"


Endpoint log


ENDPOINT_DET_SESSION

dst=[s] ui="HTTP(0.0.0.0)"


Endpoint log


PROXY_SUCCESS



ui="[s]" action=[s]


msg="[s]"

Wad-auth HTTP log


PROXY_FAILED



ui="[s]" action=[s]


msg="[s]"

Wad-auth FTP log


PROXY_TIME_OUT



ui="[s]" action=[s]

status=[s] reason="user

timed out" msg="[s]"

Wad-auth time out log



PROXY_AUTHORIZATION_

FAILED



ui="[s]" action=[s]


msg="[s]"

Wad-auth HTTP log


WARNING_SUCCESS



scope=[s] scope_data="[s]"

rule_type=[s] rule_

data="[s]" offsite=[s]

expiry="[s]" oldwprof="[s]"

newwprof="[s]" msg="[s]"

Fortiguard override succeeded

log


WARNING_TBL_FULL



msg="[s]"

Fortiguard override failed log

43264 information system LOGID_MMS_STATS proto=[s] infected=[n]

suspicious=[n] scanned=[n]

intercepted=[n] blocked=[n]

checksum=[n] duration=[n]

MMS Statistics log

43520 notice wireless LOG_ID_EVENT_WIRELESS_

SYS

action="[s]" msg="[s]" wireless system activity log


WTP

sn="[s]" ap="[s]"

approfile="[s]" ip=[s]

meshmode="[s]"

snmeshparent="[s]"

action="[s]" reason="[s]"

msg="[s]"

physical AP activity log


STA

sn="[s]" ap="[s]" vap="[s]"

ssid="[s]" user="[s]"

group="[s]" mac=[s] ip=[s]

channel=[n] radioband="[s]"

security="[s]" action="[s]"


wireless client activity log


WTPR

sn="[s]" ap="[s]" ip="[s]"

radioid=[n]

configcountry="[s]"

opercountry="[s]"

cfgtxpower=[n]

opertxpower=[n]

action="[s]" msg="[s]"

physical AP radio activity log


ROGUE_CFG

action="[s]" ssid="[s]"

bssid=[s] apstatus=[n]

msg="[s]"

wireless rogue AP status config

log


CLB

sn="[s]" ap="[s]" vap="[s]"

ssid="[s]" mac="[s]"

radioband="[s]"

stacount=[n] action="[s]"


wireless client load balancing

log



WIDS_WL_BRIDGE

action="[s]"

Threattype="[s]" live=[n]

age=[n] channel=[n] rssi=[n]

Frametype="[s]" DS="[s]"

bssid="[s]" seq=[n]

Encrypt=[n] TAMAC="[s]"

manuf="[s]"

sndetected="[s]"

radioiddetected=[n]

msg="[s]"

wireless wids detected log


WIDS_NL_PBRESP

action="[s]"




bssid="[s]" seq=[n]


manuf="[s]"

sndetected="[s]"

radioiddetected=[n]

msg="[s]"



WIDS_MAC_OUI

action="[s]"




bssid="[s]" seq=[n]

Encrypt=[n] TAMAC=[s]

manuf="[s]"

sndetected="[s]"

radioiddetected=[n]

msg="[s]" Invalidmac=[s]

wireless wids

invalid-OUI-detect log


WIDS_LONG_DUR

action="[s]"




bssid="[s]" seq=[n]


manuf="[s]"

sndetected="[s]"

radioiddetected=[n]

msg="[s]" Dur=[n]

wireless wids long-dur-detect

log


WIDS_WEP_IV

action="[s]"




bssid="[s]" seq=[n]


manuf="[s]"

sndetected="[s]"

radioiddetected=[n]

msg="[s]" Weakwepiv=[s]

wireless wids

weak-wepiv-detect log



WIDS_EAPOL_FLOOD

action="[s]"


TAMAC=[s] manuf="[s]"

sndetected="[s]"

radioiddetected=[n]

msg="[s]" eapoltype=[s]

eapolcnt=[n]

wireless wids

eapol-packet-flood log


WIDS_MGMT_FLOOD

action="[s]"




bssid="[s]" TAMAC=[s]

manuf="[s]"

sndetected="[s]"

radioiddetected=[n]

msg="[s]" mgmtcnt=[n]

wireless wids

mgmt-flood-detect log


WIDS_SPOOF_DEAUTH

action="[s]"




bssid="[s]" seq=[n]


manuf="[s]"

sndetected="[s]"

radioiddetected=[n]

msg="[s]"



WIDS_ASLEAP

action="[s]"




bssid="[s]" seq=[n]


manuf="[s]"

sndetected="[s]"

radioiddetected=[n]

msg="[s]"



STA_LOCATE

sn="[s]" ap="[s]" radioid=[n]

radioband="[s]"

stamac="[s]" signal=[n]

noise=[n] action="[s]"

msg="[s]"

wireless station presence

detection log

43776 notice system LOGID_EVENT_NAC_

QUARANTINE

src=[s] dst=[s] src_int=[s]

proto=[n] service="[s]"

action=[s] user="[s]"

group="[s]" policyid=[n]

banned_src=[s] banned_

rule="[s]" sensor="[s][n]"

NAC quarantine event log

43800 critical system LOG_ID_EVENT_ELBC_

BLADE_JOIN

[s]="blade-join" [s]="[n]"

[s]="[n]" [s]="[s]" [s]="blade

in slot [n] of chassis [n] is

ready to process traffic"

blade joins cluster



BLADE_LEAVE

[s]="blade-leave" [s]="[n]"

[s]="[n]" [s]="[s]" [s]="blade

in slot [n] of chassis [n] is no

longer ready to process

traffic"

blade leaves cluster


MASTER_BLADE_FOUND

[s]="master-found" [s]="[n]"

[s]="[n]" [s]="[s]" [s]="blade

in slot [n] of chassis [n]

became master. there was

no previous master."

master blade found


MASTER_BLADE_LOST

[s]="master-lost" [s]="[n]"

[s]="[n]" [s]="[s]" [s]="blade


longer master. there is no

new master."

master blade lost


MASTER_BLADE_CHANGE

[s]="master-changed"

[s]="[n]" [s]="[n]" [s]="[n]"

[s]="[n]" [s]="[s]" [s]="blade


longer master. blade in slot

[n] of chassis [n] is the new

master"

master blade changed


ACTIVE_CHANNEL_FOUND

[s]="channel-activate"

[s]="[n]" [s]="[n]" [s]="[s]"

[s]="[n]" [s]="Channel [n]

(FortiSwitch in slot [n]) of

chassis [n] became active.

there was no previous

active channel"

ELBC channel becomes active


ACTIVE_CHANNEL_LOST

[s]="channel-deactivate"

[s]="[n]" [s]="[n]" [s]="[s]"

[s]="[n]" [s]="Channel [n]


chassis [n] became

inactive. there is currently

no active channel."

ELBC channel becomes

inactive


ACTIVE_CHANNEL_CHANGE

[s]="channel-failover"

[s]="[n]" [s]="[n]" [s]="[s]"

[s]="[n]" [s]="[n]"

[s]="Channel [n]


chassis [n] failed over to

channel [n] (FortiSwitch in

slot [n])."

ELBC channel failover


CHASSIS_ACTIVE

[s]="chassis-activated"

[s]="[n]" [s]="[s]"

[s]="chassis [n] became

active and will process

traffic"

chassis becomes active



CHASSIS_INACTIVE

[s]="chassis-deactivated"

[s]="[n]" [s]="[s]"

[s]="chassis [n] became

passive and will not

process traffic"

chassis becomes inactive

44288 information router LOG_ID_DNS_RESPONSE policyid=22 src=[s] dst=[s]

src_int="eth0" dst_

int="switch0" user="user"

group="group" dns_

name="fotinet dns" dns_

ip="1.1.1.1"

test dns event log

44544 information system LOGID_EVENT_CONFIG_

PATH

user="[s]" ui="[s]"

action=[s] cfgtid=[n]

cfgpath="[s]" msg="[s]"

config path log

44545 information system LOGID_EVENT_CONFIG_OBJ user="[s]" ui="[s]"


cfgpath="[s]" cfgobj="[s]"

msg="[s]"

config obj log


ATTR

user="[s]" ui="[s]"


cfgpath="[s]" cfgattr=[s]

msg="[s]"

config attr log


OBJATTR

user="[s]" ui="[s]"


cfgpath="[s]" cfgobj="[s]"

cfgattr=[s] msg="[s]"

config obj attr log

44801 notice system 44801 limit=[n]

msg=”[Inbound/Outbound]

bandwidth rate exceeded

the shaper limit.”

[Inbound/Outbound]

bandwidth rate exceeded

45000 debug router LOG_ID_VSD_SSL_RCV_HS serial=[s] policy=[n]

identidx=[n] vip="[s]"

src=[s] src-port=[n] dst=[s]

dst-port=[n] action=receive

handshake=[s] msg=[s]

SSL handshake received

45001 error router LOG_ID_VSD_SSL_RCV_

WRG_HS

serial=[s] policy=[n]




expected=[s] received=[s]

msg="Incorrect SSL

handshake message"

SSL received incorrect

handshake message

45002 debug router LOG_ID_VSD_SSL_SENT_HS serial=[s] policy_id=[n]



dst-port=[n] action=send

handshake=[s] msg=[s]

SSL handshake sent


45003 error router LOG_ID_VSD_SSL_WRG_

HS_LEN





len=[n] msg="Incorrect SSL

handshake length"

SSL handshake has invalid

length

45004 debug router LOG_ID_VSD_SSL_RCV_CCS serial=[s] policy=[n]




msg=ChangeCipherSpec

SSL ChangeCipherSpec

received

45005 error router LOG_ID_VSD_SSL_RSA_DH_

FAIL




dst-port=[n] action=close

msg="RSA verification of

Diffie-Hellman parameters

failed"

RSA verification of

Diffie-Hellman parameters

failed

45006 debug router LOG_ID_VSD_SSL_SENT_

CCS





msg=ChangeCipherSpec

SSL ChangeCipherSpec sent

45007 error router LOG_ID_VSD_SSL_BAD_

HASH




dst-port=[n] local=[s]

remote=[s] action=close

msg="Hash in SSL Finished

does not match calculated

hash"

Hash in SSL Finished does not

match calculated hash

45009 error router LOG_ID_VSD_SSL_DECRY_

FAIL





reason=[n] msg="SSL

decryption failure"

SSL decryption failure

45010 debug router LOG_ID_VSD_SSL_

SESSION_CLOSED





msg="SSL session closed"

SSL session closed

45011 error router LOG_ID_VSD_SSL_LESS_

MINOR





min-minor=[n]

recv-minor=[n] msg="SSL

minor below mininum

configured value"

SSL minor version less than

configured minimum value


45012 warning router LOG_ID_VSD_SSL_REACH_

MAX_CON





msg="SSL maximum

connections reached"

SSL maximum connection limit

reached

45013 error router LOG_ID_VSD_SSL_NOT_

SUPPORT_CS





msg="None of the offered

CipherSuites are

supported"

None of the offered SSL

CipherSuites are supported

45016 debug router LOG_ID_VSD_SSL_HS_FIN serial=[s] policy=[n]



dst-port=[n]

action=complete

msg="SSL Handshake

complete"

SSL handshake complete

45017 error router LOG_ID_VSD_SSL_HS_TOO_

LONG





handshake=[s] len=[n]

max=[n] msg="SSL

Handshake too long"

SSL handshake too long

45018 debug router LOG_ID_VSD_SSL_MORE_

MINOR




dst-port=[n] action=recv

max-minor=[n]

recv-minor=[n] msg="SSL

capping minor version at

maximum configured value"

SSL minor version larger than

configured maximum value

45019 error router LOG_ID_VSD_SSL_SENT_

ALERT_ERR





level=[n] desc=[n]

msg="SSL Alert sent"

SSL Alert sent

45020 debug router LOG_ID_VSD_SSL_

SESSION_EXPIRE

vip="[s]" addr=[s] port=[n]

created="[s]" id=[s]

action=expire msg="SSL

session state expired"

SSL session state expiry

45021 debug router LOG_ID_VSD_SSL_SENT_

ALERT





level=[n] desc=[n]

msg="SSL Alert sent"

SSL Alert sent


45022 debug router LOG_ID_VSD_SSL_RCV_CH serial=[s] policy=[n]




handshake=ClientHello

msg=ClientHello ssl2=[n]

major=[n] minor=[n]

session_

id="[s]"[s][s][s][s][s][s]

SSL ClientHello received

45023 debug router LOG_ID_VSD_SSL_RCV_SH serial=[s] policy=[n]




handshake=ServerHello

msg=ServerHello major=[n]

minor=[n] cipher=[s]

session_id="[s]"[s][s][s]

SSL ServerHello received

45024 debug router LOG_ID_VSD_SSL_SENT_SH serial=[s] policy=[n]




handshake=ServerHello

msg=ServerHello major=[n]

minor=[n] cipher=[s]

session_id="[s]"[s][s][s]

SSL ServerHello sent

45025 error |

debug

router LOG_ID_VSD_SSL_RCV_

ALERT





level=[n] desc=[n]

msg="SSL Alert received"

SSL Alert received

45027 error router LOG_ID_VSD_SSL_INVALID_

CONT_TYPE





type=[n] msg="Invalid SSL

ContentType"

Invalid SSL ContentType

45029 error router LOG_ID_VSD_SSL_BAD_

CCS_LEN





msg="Bad length in SSL

ChangeCipherSpec"

SSL ChangeCipherSpec has

bad length

45031 error router LOG_ID_VSD_SSL_BAD_DH serial=[s] policy=[n]



dst-port=[n]min=[n] max=[n]

received=[n] action=close

msg="[s]"

SSL Diffie-Hellman has bad

value


45032 error router LOG_ID_VSD_SSL_PUB_

KEY_TOO_BIG




dst-port=[n]len=[n] max=[n]

action=close msg="[s]"

Certificate's public key is too

big for SSL offloading

45033 error router LOG_ID_VSD_SSL_NOT_

SUPPORT_CM





msg="None of the offered

CompressionMethods are

supported"

None of the offered SSL

CompressionMethods are

supported

45056 notice system LOG_ID_FCC_EXCEED action=[s] status=[s]

license_limit=[n]

reason="[s]" repeat=[n]

msg="FortiClient license

maximum has been

reached."

forticlient license exceed msg

45057 information system LOG_ID_FCC_ADD action=[s] status=[s]

license_limit=[s] license_

used=[n] used_for_type=[n]

connection_type=[s]

count=[n] user="[s]" ip=[s]

name="[s]" forticlient_

id="[s]" msg="Add a

FortiClient Connection."

add forticlient connection msg

45058 information system LOG_ID_FCC_CLOSE close forticlient connection

msg

45059 notice system LOG_ID_FCC_UPGRADE_

SUCC


ui="[s]" user="[s]" license_

limit=[s] msg="FortiClient

license has been

upgraded."

upgrade forticlient license msg

45060 error system LOG_ID_FCC_UPGRADE_

FAIL


ui="[s]" user="[s]"

reason="[s]" msg="Failed

to upgrade FortiClient

license."

upgrade forticlient license

failed msg

45100 warning system LOG_ID_EC_REG_FAIL user="[s]" hostname="[s]"

ip=[n].[n].[n].[n] forticlient_

id=[s] interface=[s]

msg="FortiClient

registration failed due to

blocked UID."

FortiClient registration fail msg

45101 notice system LOG_ID_EC_REG_SUCCEED user="[s]" hostname="[s]"



msg="FortiClient

registration succeeded."

FortiClient registration succeed

msg


45102 notice system LOG_ID_EC_REG_RENEWED user="[s]" hostname="[s]"



msg="FortiClient

registration renewed."

FortiClient registration renew

msg

45103 notice system LOG_ID_EC_REG_BLOCK forticlient_id=[s]

msg="FortiClient is blocked

for registration."

FortiClient registration block

msg

45104 notice system LOG_ID_EC_REG_UNBLOCK forticlient_id=[s]

msg="FortiClient is

unblocked for registration."

FortiClient registration unblock

msg

45105 notice system LOG_ID_EC_REG_DEREG forticlient_id=[s]

msg="FortiClient is

de-registered."

FortiClient registration

de-register msg

45106 notice system LOG_ID_EC_REG_LIC_

UPGRADED

msg="FortiClient

registration license

upgraded."

FortiClient registration license

upgrade msg

45107 notice system LOG_ID_EC_CONF_

DISTRIBUTED

user="[s]" hostname="[s]"



msg="FortiClient

configuration distributed."

FortiClient configuration

distribute msg

45108 notice system LOG_ID_EC_FTCL_UNREG user="[s]" hostname="[s]"



msg="FortiClient

unregistered."

FortiClient unregister msg

45109 notice system LOG_ID_EC_FTCL_LOGOFF user="[s]" hostname="[s]"



msg="FortiClient logged

off."

FortiClient logoff msg

45110 notice system LOG_ID_EC_FTCL_ENABLE_

NOTSYNC

user="[s]" hostname="[s]"



msg="FortiClient SYNC_

WITH_FGT disabled."

FortiClient disable SYNC_

WITH_FGT msg

46000 notice system LOG_ID_VIP_REAL_SVR_ENA vip="[s]"

server=[n].[n].[n].[n] port=[n]

status=[s] action=enable

msg="ldb server enabled"

VIP realserver has been

enabled.

46001 alert system LOG_ID_VIP_REAL_SVR_

DISA

vip="[s]"


status=[s] action=disable

msg="ldb server disabled"

VIP realserver has been

disabled.

46002 notice system LOG_ID_VIP_REAL_SVR_UP vip="[s]"


status=[s] action=up

msg="ldb server up"

VIP realserver has become up.



DOWN

vip="[s]"


status=[s] action=down

msg="ldb server down"

VIP realserver has been down.

46004 notice system LOG_ID_VIP_REAL_SVR_

ENT_HOLDDOWN

vip="[s]"


status=[s] action=holddown

msg="ldb server entered

holddown period"

interval=[n](sec)

VIP realserver has started

holddown period.


FAIL_HOLDDOWN

vip="[s]"


status=[s] action=holddown

msg="ldb server health

checking failed during

holddown period"

VIP realserver has failed

holddown.

46006 debug system LOG_ID_VIP_REAL_SVR_FAIL vip="[s]"


status=[s]

monitor-name=[s]

monitor-type=[s]

action=check msg="ldb

server health checking

failed"

Health monitor has detected

VIP realserver health problem.

46084 error system LOG_EVENT_REPUTATION_

VDOM_PURGE_ERROR

action=reputation_purge


msg="Failed to complete

reputation db maintenance

for vdom [s]"

reputation tracking data

maintenance

46085 information system LOG_EVENT_REPUTATION_

VDOM_PURGE_SUCCESS

action=reputation_purge

status=success

msg="Completed

reputation db maintenance"

reputation tracking data

maintenance


ERASE_DATA_ERROR

action=reputation_clear


msg="Failed to erase

reputation db for vdom [s]"

reputation report


ERASE_DATA_SUCCESS

action=reputation_clear

status=success

msg="Erased reputation db

for vdom [s]"

reputation report

47201 emergency system LOG_ID_AMC_ENTER_

BYPASS

msg="The AMC card in slot

[s] has entered bypass

mode due to [s]."

AMC card entered bypass

mode

47202 emergency system LOG_ID_AMC_EXIT_BYPASS msg="The AMC card in slot

[s] has exited bypass mode

due to [s]."

AMC card exited bypass mode

47203 emergency system LOG_ID_ENTER_BYPASS msg="The bypass ports

pair have entered bypass

mode."

Bypass ports pair entered

bypass mode


47204 emergency system LOG_ID_EXIT_BYPASS msg="The bypass ports

pair have exited bypass

mode."

Bypass ports pair exited

bypass mode

48000 debug wad LOG_ID_WAD_SSL_RCV_HS session_id=[s] policyid=[n]

src=[n].[n].[n].[n] srcport=[n]


action=receive

handshake="[s]"

SSL handshake received

48001 error wad LOG_ID_WAD_SSL_RCV_

WRG_HS

session_id=[s] policyid=[n]

src=[n].[n].[n].[n] srcport=[n]


action=receive

msg="Incorrect SSL

handshake length. len:[n]"

SSL handshake has invalid

length


FortiOS Log Message Reference v5.0 - Fortinet Docs … · FortiGate Log Message Reference v5.0...

Documents

Transcript of FortiOS Log Message Reference v5.0 - Fortinet Docs … · FortiGate Log Message Reference v5.0...