Global Fields (4)
| Field | Type |
|---|---|
ngs.createdAt Timestamp when the event was created locally. | pdate |
ngs.id Unique identifier for the log entry. | string |
ngs.indexedAt Timestamp when the log was indexed into the SIEM. | pdate |
ngs.source Origin or source system of the log. | string |
Generic Fields (28)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema— things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.
| Field | Reference-Specific Fields | Type |
|---|---|---|
gen.firewall.action Firewall action taken (e.g., allow, block, drop). | fortinet.act fortinet.action fortinet.utmaction | strings |
gen.proxy.userAgent User agent string from the HTTP request. | fortinet.agent | string |
gen.protocol Network protocol used (e.g., TCP, UDP, ICMP). | fortinet.authproto fortinet.domainctrlprotocoltype fortinet.proto fortinet.protocol | strings |
gen.firewall.rule Firewall rule that triggered the event. | fortinet.banned_rule fortinet.policyname fortinet.rulename | strings |
gen.file.name File name associated with the event. | fortinet.cfgpath fortinet.file fortinet.filename fortinet.infectedfilename fortinet.matchfilename fortinet.path | strings |
gen.file.path Full file path associated with the event. | fortinet.cfgpath fortinet.file fortinet.filename fortinet.infectedfilename fortinet.matchfilename fortinet.path | strings |
gen.src.ip Source IP address. | fortinet.client_addr fortinet.ip fortinet.locip fortinet.saddr fortinet.srcip | text_general |
gen.dest.ip Destination IP address. | fortinet.daddr fortinet.dstip fortinet.remip fortinet.tunnelip | text_general |
gen.dest.interface Network interface used for the destination connection. | fortinet.dintf fortinet.dst_int fortinet.dstintf fortinet.outintf fortinet.replydstintf | strings |
gen.firewall.direction Traffic direction (e.g., inbound, outbound). | fortinet.dir fortinet.direction | strings |
gen.dest.port Destination port number. | fortinet.dst_port fortinet.dstport fortinet.remport fortinet.tranport | pint |
gen.dest.mac MAC address of the destination device. | fortinet.dstmac fortinet.masterdstmac | string |
gen.mail.sender Email address of the message sender. | fortinet.from fortinet.sender | strings |
gen.proxy.httpStatus HTTP response status code from the proxy. | fortinet.httpcode fortinet.statuscode | pint |
gen.proxy.method HTTP request method (e.g., GET, POST). | fortinet.httpmethod | string |
gen.severity Normalized severity field across log sources. | fortinet.icbseverity fortinet.infectedfilelevel fortinet.level fortinet.severity | strings |
gen.av.infectionName Name of the detected infection or malware. | fortinet.infection fortinet.virus | strings |
gen.src.port Source port number. | fortinet.locport fortinet.src_port fortinet.srcport fortinet.transport | pint |
gen.src.mac MAC address of the source device. | fortinet.mastersrcmac fortinet.source_mac fortinet.srcmac | string |
gen.firewall.bytesReceived Number of bytes received through the firewall session. | fortinet.rcvdbyte | plong |
gen.mail.receiver Email address of the message recipient. | fortinet.recipient fortinet.to | strings |
gen.proxy.referrer HTTP referrer header value. | fortinet.referralurl | string |
gen.src.interface Network interface used for the source connection. | fortinet.replysrcintf fortinet.src_int fortinet.srcintf | strings |
gen.firewall.bytesSent Number of bytes sent through the firewall session. | fortinet.sentbyte | plong |
gen.ssid SSID of the wireless network used. | fortinet.ssid | strings |
gen.mail.subject Subject line of the email. | fortinet.subject | strings |
gen.username Username associated with the event. | fortinet.user | text_general |
gen.av.infectionCategory Category of detected malware or infection. | fortinet.viruscat | strings |
Reference-Specific Fields (741)
| Field | Type |
|---|---|
fortinet.accessctrl Name of the access-control policy (ACL/role) evaluated for the connection. | string |
fortinet.accessproxy Name of the access-proxy virtual server that handled the request. | string |
fortinet.acct_stat RADIUS accounting status-type or interim-update marker. | string |
fortinet.acktime Round-trip time (ms) measured between SYN and ACK or ICMP echo-reply. | pdate |
fortinet.act Short action keyword set by the module (accept, deny, quarantine). | string |
fortinet.action Concrete action taken by FortiGate (accept, deny, block, reset). | string |
fortinet.activity Free-text summary describing the administrative or traffic activity logged. | text_general |
fortinet.activitycategory Categorisation label for the admin or user activity (configuration, maintenance, audit). | string |
fortinet.addr Generic address value (IP, IPv6, MAC) when format varies. | text_general |
fortinet.addr_type Type of address object (IP, MAC, FQDN, geo-ip) referenced in the rule. | string |
fortinet.addrgrp Address-group object involved in the policy evaluation. | string |
fortinet.adgroup Active Directory group name mapped to the user session. | string |
fortinet.admin Login name of the administrator account that performed the action. | string |
fortinet.advpnsc Number of ADVPN shortcut tunnels currently active. | plong |
fortinet.age Lifetime in seconds that the session or SA has existed at log time. | pint |
fortinet.agent User-Agent or client identifier string. | text_general |
fortinet.alarmid Numeric or GUID identifier of the generated alarm. | pint |
fortinet.analyticscksum Checksum of the analytics payload sent to FortiAnalyzer. | string |
fortinet.analyticssubmit Boolean indicating the log was submitted to FortiAnalyzer analytics. | string |
fortinet.antiphishdc Anti-phishing detection category returned by FortiGuard (e.g., credential-harvest). | string |
fortinet.antiphishrule Name or ID of the anti-phishing rule that triggered. | string |
fortinet.ap Access-point serial or name involved in the wireless event. | string |
fortinet.apn Access Point Name used in the mobile-data session. | string |
fortinet.app Application name detected by App-ID inspection. | text_general |
fortinet.app_type High-level application type (web, VoIP, mail, file-transfer) assigned by App-ID. | string |
fortinet.appact Resulting application-control action taken (allow, monitor, block, quarantine). | string |
fortinet.appcat Category of the detected application (social-media, file-sharing, VoIP). | string |
fortinet.apperror Error code or descriptive message emitted by the application-layer inspection engine (e.g., WAF, proxy) to indicate a problem with the transaction. | string |
fortinet.appid Numeric identifier assigned to the detected application signature. | string |
fortinet.applist Name of the Application Control profile that produced the log. | text_general |
fortinet.apprisk Risk level of the application (1 = benign, ... 5 = critical). | string |
fortinet.apps Comma-separated list of multiple apps detected in a single flow. | string |
fortinet.apscan Boolean / string indicating whether an AP scan was triggered (on, off). | string |
fortinet.apsn Serial number (SN) of the FortiAP involved in the event. | string |
fortinet.apstatus Operational status code of the FortiAP (0 = down, 1 = up). | pint |
fortinet.aptype Hardware model / role of the FortiAP (indoor, outdoor, mesh). | pint |
fortinet.assigned IP or resource value that was assigned to the client (e.g., DHCP). | string |
fortinet.assignip IP address assigned to the client (DHCP, VPN). | text_general |
fortinet.attachment Filename of the e-mail or HTTP attachment scanned. | string |
fortinet.attack High-level attack name or signature label matched by IPS. | string |
fortinet.attackcontext Correlation ID linking multiple events belonging to one attack chain. | string |
fortinet.attackcontextid Correlation ID that groups events belonging to the same attack chain. | string |
fortinet.attackid Numeric ID of the IPS/WAF signature or attack pattern. | pint |
fortinet.auditid Unique identifier of the generated audit report. | string |
fortinet.auditreporttype Type of security rating or compliance audit report (e.g., PCI, HIPAA). | string |
fortinet.auditscore Overall numeric score assigned by the security rating (0-100). | pfloat |
fortinet.audittime Timestamp (epoch ms) when the configuration audit ran. | plong |
fortinet.authalgo Authentication algorithm used in the crypto negotiation (e.g., SHA-1, SHA-256). | string |
fortinet.authgrp Authentication group name (e.g., RADIUS group, LDAP OU) applied to the user. | string |
fortinet.authid Authentication transaction or request identifier. | string |
fortinet.authproto Authentication protocol used (RADIUS, LDAP, EAP). | text_general |
fortinet.authserver Authentication server referenced in the event (RADIUS, LDAP, FS-SSO). | text_general |
fortinet.bandwidth Measured or configured bandwidth value for the interface or flow. | plongs |
fortinet.banned_rule Identifier of the rule that marked the item as banned/blocked. | string |
fortinet.banned_src Source IP or MAC that has been placed on a temporary ban list. | string |
fortinet.banword Keyword that caused the DLP or WAF ban action. | string |
fortinet.bibandwidthavailable Current bidirectional bandwidth still available on the link (bps). | string |
fortinet.bibandwidthused Bandwidth used by the bi-directional tunnel or flow. | string |
fortinet.bid Bugtraq or vulnerability ID associated with an IPS signature. | string |
fortinet.botnetdomain Domain name flagged by FortiGuard as part of a botnet C2. | string |
fortinet.botnetip IP address flagged as part of botnet command-and-control. | string |
fortinet.bssid Basic Service Set Identifier of the access point involved. | string |
fortinet.c_bytes Total control-plane bytes transferred for this context. | plong |
fortinet.c_ggsn Control-plane GGSN identifier in mobile-network logs. | string |
fortinet.c_ggsn_teid Control-plane GGSN TEID recorded in GTP-C signalling messages. | pint |
fortinet.c_gsn Control-plane GGSN/PGW identifier in mobile-network context. | string |
fortinet.c_pkts Count of control-plane packets processed. | plong |
fortinet.c_sgsn Control-plane SGSN identifier in 3GPP logs. | string |
fortinet.c_sgsn_teid Control-plane SGSN TEID identifier in 3GPP mobile logs. | pint |
fortinet.call_id SIP or H.323 Call-ID associated with the VoIP session. | text_general |
fortinet.carrier_ep Carrier end-point identifier in LTE/5G logs. | string |
fortinet.cat Short category or threat code provided by the engine. | plong |
fortinet.catdesc Human-readable description for the UTM or threat category that matched. | text_general |
fortinet.category Primary category string (e.g., security, network, application). | text_general |
fortinet.cc Country code string (ISO-3166) provided in the certificate or geolocation. | string |
fortinet.ccertissuer Issuer Common-Name of the client certificate. | string |
fortinet.cdrcontent Content reconstructed by CDR (Content Disarm & Reconstruct). | string |
fortinet.centralnatid Central NAT rule ID that performed the address translation. | pint |
fortinet.cert Certificate common-name or fingerprint involved in the SSL inspection. | string |
fortinet.cert_type Type of certificate or PKI object (local-cert, ca, ocsp-staple). | string |
fortinet.certdesc Human-readable description embedded in the certificate object. | string |
fortinet.certhash Hash (SHA-1 / SHA-256) of the X.509 certificate inspected. | string |
fortinet.cfgattr Attribute or field within the object that changed. | string |
fortinet.cfgobj Specific configuration object (table/entry) that was modified. | string |
fortinet.cfgpath Configuration path or CLI hierarchy affected (e.g., "system interface port1"). | string |
fortinet.cfgtid Transaction or task ID of the configuration change. | string |
fortinet.cfgtxpower Configured transmit power value (dBm) for the radio interface. | pint |
fortinet.cfseid Content-Filter Security-Event identifier. | string |
fortinet.cfseidaddr IPv4 address involved in the Content-Filter Security-Event (CFSE) record. | string |
fortinet.cggsn6 Control-plane GGSN IPv6 address captured in mobile-core events. | string |
fortinet.cgsn6 IPv6 address of the core GGSN/PGW used in mobile-gateway recordings. | string |
fortinet.channel Wi-Fi channel number used by the AP radio that logged the event. | pint |
fortinet.channeltype Type of Wi-Fi channel (20 MHz, 40 MHz, 80 MHz, DFS). | string |
fortinet.chassisid Chassis identifier on FortiGate-7000/FortiChassis platforms. | pint |
fortinet.checksum Checksum value (CRC-32 / Adler-32) computed on the payload. | string |
fortinet.chgheaders List of HTTP header names that were added, removed or modified by the proxy/WAF. | string |
fortinet.cipher Symmetric cipher suite or algorithm in use for the session. | string |
fortinet.clashtunnelidx Index of the SSL/VPN tunnel that clashed with an existing entry. | pint |
fortinet.cldobjid Identifier of the cloud object (asset, rule, tag) referenced by CASB/Cloud logging. | string |
fortinet.client_addr IP address of the web or proxy client extracted from headers. | string |
fortinet.clientcert Subject DN or fingerprint of the client certificate used. | string |
fortinet.clientdeviceems EMS inventory status string showing whether the endpoint is managed, unmanaged or unknown. | string |
fortinet.clientdeviceid Endpoint device ID from EMS inventory correlated with the event. | string |
fortinet.clientdevicemanageable Indicates whether the endpoint is fully manageable by EMS/Fabric (yes/no). | string |
fortinet.clientdeviceowner Owner or user assigned to the client device (EMS mapping). | string |
fortinet.clientdevicetags List of endpoint tags assigned by EMS/FortiClient to the device. | string |
fortinet.cloudaction Action taken by FortiGate Cloud or CASB service (allow, block, quarantine). | string |
fortinet.clouddevice.Product Product model name supplied by the cloud device inventory. | text_general |
fortinet.clouddevice.Vendor Vendor field reported by an attached cloud device record. | text_general |
fortinet.clouddevice.Version Firmware or software version string from the cloud device. | string |
fortinet.clouduser Username received from a cloud-based identity provider or CASB. | text_general |
fortinet.cn Common-Name extracted from certificate or LDAP entry. | string |
fortinet.column Column index in a table or database referenced by the alert. | pint |
fortinet.command CLI command or REST API operation executed by the admin. | string |
fortinet.comment Administrator comment or annotation saved with the object. | text_general |
fortinet.community SNMP or routing community/VRF name referenced by the event. | string |
fortinet.configcountry Country code configured for Geo-IP or location filter. | string |
fortinet.connection_type Type of network or VPN connection (SSL-VPN, IPsec, L2TP, SSL-offload). | string |
fortinet.conserve Conserve-Mode indicator (enter, exit) when memory limit thresholds are reached. | string |
fortinet.constraint Policy or profile constraint string that limited the action (e.g., size > 10 MB). | string |
fortinet.contentdisarmed Boolean flag stating that the file was processed by CDR and disarmed. | string |
fortinet.contentencoding Content-Encoding header value observed in HTTP traffic. | string |
fortinet.contenttype MIME Content-Type header value detected in HTTP or SMTP traffic. | string |
fortinet.cookies HTTP Cookie header string extracted for web-filter or DLP inspection. | string |
fortinet.core CPU core number referenced by the performance or crash log. | pint |
fortinet.count Generic counter value (packets, events or objects) referred to by the log line. | plong |
fortinet.countapp Number of application sessions matching the same rule during aggregation. | plong |
fortinet.countav Number of antivirus detections aggregated in this log line. | pint |
fortinet.countcasb Number of CASB events aggregated in this record. | pint |
fortinet.countcifs Number of CIFS/SMB file accesses aggregated in the log. | pint |
fortinet.countdlp Number of Data-Leak-Prevention events aggregated. | pint |
fortinet.countdns Number of DNS requests aggregated in this record. | pint |
fortinet.countemail Number of e-mails processed or aggregated in this log record. | pint |
fortinet.countff Number of FortiSandbox file-filter events aggregated. | pint |
fortinet.counticap Number of ICAP transactions aggregated in the reporting interval. | pint |
fortinet.countips Number of IPS signature hits aggregated in the record. | pint |
fortinet.countsctpf Number of SCTP filter events aggregated in this log entry. | pint |
fortinet.countssh Number of SSH sessions aggregated in this record. | pint |
fortinet.countssl Number of SSL sessions processed within the period. | plong |
fortinet.countvpatch Number of virtual-patch IPS signatures triggered. | pint |
fortinet.countwaf Number of WAF events aggregated in the log entry. | pint |
fortinet.countweb Number of web filter events aggregated in this record. | plong |
fortinet.cpaddr Control-Plane IPv4 address associated with the mobile-data session. | string |
fortinet.cpaddr6 Control-plane IPv6 address associated with the session. | string |
fortinet.cpdladdr Control-plane data-list IP address associated with the session. | string |
fortinet.cpdladdr6 Control-Plane IPv6 address in the CP-DL record. | string |
fortinet.cpdlisraddr Control-plane downlink IP address included in CP-DL data-lists (LTE/5G). | string |
fortinet.cpdlisraddr6 Control-Plane Data-List IPv6 address recorded (LTE/5G analytics). | string |
fortinet.cpdlisrteid Control-plane TEID used in LTE/5G CP data list. | pint |
fortinet.cpdlteid Control-Plane Tunnel-Endpoint-ID used in the CP-DL (LTE/5G) context. | pint |
fortinet.cpteid Control-Plane Tunnel-Endpoint-ID associated with the log record. | pint |
fortinet.cpu CPU utilisation percentage recorded at log time. | plong |
fortinet.cpuladdr IPv4 address of the control-plane user (CPU-laddr) inside the FortiGate kernel. | string |
fortinet.cpuladdr6 IPv6 address of the control-plane user space (CPU-laddr6). | string |
fortinet.cpulteid Control-Plane User-TEID value recorded in GTP control logs. | pint |
fortinet.craction Content-filtering action taken (block, exempt, monitor). | plong |
fortinet.criticalcount Number of critical findings within an audit or scan. | plong |
fortinet.crl Identifier or URL of the Certificate Revocation List consulted during validation. | string |
fortinet.crlevel Content rating level assigned by FortiGuard (high, medium, low). | string |
fortinet.crscore Numeric content risk score (0-100) calculated for the request. | plong |
fortinet.csgsn6 Control-plane SGSN IPv6 address logged in mobile-core events. | string |
fortinet.cveid CVE identifier of the vulnerability detected. | string |
fortinet.daddr Destination address field used when the context is neither IPv4 nor IPv6 specific (MAC, URI, etc.). | string |
fortinet.daemon Name of the internal FortiOS daemon that generated the message. | string |
fortinet.datarange Content-length range or byte-range header value seen in HTTP. | string |
fortinet.ddnsserver Name or address of the dynamic-DNS provider used. | string |
fortinet.deny_cause Short reason string returned for an access denial. | string |
fortinet.desc Free-form description string supplied by the subsystem. | text_general |
fortinet.detectionmethod Technique that produced the detection (signature, heuristic, ML). | string |
fortinet.devid Device ID of the FortiGate (usually serial number). | string |
fortinet.devintfname Interface name as known on the FortiGate (e.g., "port2", "ssl.root"). | string |
fortinet.devname Configured hostname of the FortiGate that produced the log. | string |
fortinet.devtype Device type detected for an endpoint (server, phone, printer). | string |
fortinet.dhcp_msg DHCP message-type involved (DISCOVER, OFFER, ACK, NAK). | text_general |
fortinet.dintf Name of the dataplane interface referenced in the SD-WAN decision. | string |
fortinet.dir Simple direction label (rx, tx, in, out) used by the module. | string |
fortinet.direction Direction of the configuration change (set, unset, add, delete). | string |
fortinet.disk Disk number or partition associated with the event. | string |
fortinet.disklograte Current log-writing throughput to local disk (bytes / s). | plong |
fortinet.dlpextra Additional DLP metadata (keywords, offsets) captured for the match. | string |
fortinet.docsource Origin of the document (scanner, upload, cloud) in DLP logging. | string |
fortinet.domainctrlauthstate Authentication state reported by the domain controller (success, fail, locked). | pint |
fortinet.domainctrlauthtype Authentication type used by the domain controller (Kerberos, NTLM). | pint |
fortinet.domainctrldomain Active-Directory domain name involved in the authentication. | string |
fortinet.domainctrlip IP address of the domain controller contacted for authentication. | string |
fortinet.domainctrlname Hostname of the domain controller contacted. | string |
fortinet.domainctrlprotocoltype Protocol used to talk to the domain controller (LDAP, LDAPS, SMB). | pint |
fortinet.domainctrlusername Username sent to the domain controller for authentication. | string |
fortinet.domainfilteridx Index of the domain-filter profile that matched. | pint |
fortinet.domainfilterlist Name of the domain-filter list that matched this DNS request. | string |
fortinet.downbandwidthmeasured Measured downstream bandwidth (e.g., Speed Test) in kbps/mbps. | string |
fortinet.ds Differentiated-Services (DSCP) codepoint value observed. | string |
fortinet.dst_host Hostname or FQDN of the destination server. | text_general |
fortinet.dst_int Numeric index or short name of the destination interface. | text_general |
fortinet.dst_port Alternate destination port field (integer). | pint |
fortinet.dstauthserver Name or IP of the authentication server used on the destination side. | string |
fortinet.dstcity City derived from geolocation of the destination IP. | string |
fortinet.dstcountry Country code or name of the destination IP. | string |
fortinet.dstdevtype Destination host device type if fingerprinting is available. | string |
fortinet.dstepid Endpoint ID assigned by EMS/FortiClient for the destination. | string |
fortinet.dsteuid Endpoint unique ID (EUID) for the destination object. | string |
fortinet.dstfamily OS or firmware family detected on the destination (Windows, iOS). | string |
fortinet.dsthwvendor Hardware vendor string for the destination device. | string |
fortinet.dsthwversion Hardware version/model of the destination device. | string |
fortinet.dstinetsvc FortiGuard Internet Service DB entry matched for the destination. | string |
fortinet.dstintf Outgoing interface that forwarded the traffic. | string |
fortinet.dstintfrole Role assigned to the destination interface (lan, wan, dmz, undefined). | string |
fortinet.dstip Destination IP address involved in the session. | text_general |
fortinet.dstmac MAC address of the destination host if known. | text_general |
fortinet.dstname FQDN or alias name resolved for the destination IP. | string |
fortinet.dstosname Operating-system name detected on the destination host. | text_general |
fortinet.dstowner Owner or user of the destination endpoint from EMS/AD mapping. | text_general |
fortinet.dstport Layer-4 destination port number. | pint |
fortinet.dstregion Geographical region derived from the destination IP. | string |
fortinet.dstreputation FortiGuard reputation score for the destination IP/domain. | plong |
fortinet.dstserver Server type detected at the destination (Apache, IIS, Nginx). | string |
fortinet.dstssid Destination SSID to which a wireless frame was addressed. | string |
fortinet.dstswversion Software version detected on the destination host. | string |
fortinet.dstthreatfeed Name of the external threat-feed that flagged the destination. | string |
fortinet.dstunauthuser Unauthenticated username observed at the destination side. | string |
fortinet.dstunauthusersource Source (e.g., WAD, proxy) that reported the unauthenticated user. | string |
fortinet.dstuser Username on the destination system referenced by the action. | text_general |
fortinet.dstuuid Endpoint UUID of the destination device. | string |
fortinet.dtlexp Expiry date/time of the data-leak protection quota or license. | string |
fortinet.dtype Device-type code supplied by NAC or CTAP profiling. | string |
fortinet.duid DHCPv6 DUID value presented by the requesting host. | string |
fortinet.duration Session duration or log aggregation time in milliseconds. | plong |
fortinet.durationdelta Incremental session duration added since previous delta sample (ms). | pint |
fortinet.dvid Device ID of the destination endpoint in EMS inventory. | string |
fortinet.eapolcnt Number of EAPOL frames exchanged during Wi-Fi authentication. | pint |
fortinet.eapoltype EAPOL (802.1X) message type (start, logon, key, logoff). | string |
fortinet.emsconnection Connection status string reported by FortiClient EMS. | string |
fortinet.emstag Endpoint tag value assigned by FortiClient EMS to the device for policy matching. | string |
fortinet.emstag2 FortiClient EMS second-stage tag value applied to the endpoint. | string |
fortinet.encrypt Boolean indicating that the item is encrypted (true/false). | boolean |
fortinet.encryption Encryption suite or cipher in use (AES-256-GCM, TKIP, WEP-104). | string |
fortinet.end_usr_address User-plane IP address assigned to the mobile subscriber. | string |
fortinet.endusraddress6 IPv6 address assigned to the mobile subscriber (user-plane). | string |
fortinet.epid Endpoint profile ID associated with the session. | string |
fortinet.epoch Epoch timestamp in seconds for high-precision timing. | plong |
fortinet.error Human-readable error string returned by subsystem or API. | text_general |
fortinet.error_num Numeric error or errno value produced by the subsystem. | text_general |
fortinet.espauth Authentication algorithm used for ESP (e.g., SHA-256). | string |
fortinet.esptransform IPsec ESP transform suite negotiated for the tunnel. | string |
fortinet.euid Endpoint unique identifier for the source device (global). | string |
fortinet.event_id Numeric event identifier used internally. | plong |
fortinet.eventid Numeric event identifier specific to the Fortinet log schema. | pint |
fortinet.eventsubtype Fine-grained event subtype string emitted by the module. | text_general |
fortinet.eventtime Original event timestamp parsed from the log data (ISO-8601). | pdate |
fortinet.eventtype High-level FortiOS event class (system, user, ha, router, etc.). | string |
fortinet.exch IKE exchange mode or phase value (main, aggressive). | string |
fortinet.exchange IKE exchange mode / TLS cipher negotiation string recorded for the VPN or SSL session. | string |
fortinet.expiry Expiration date/time of a certificate, lease or token. | pdate |
fortinet.extension File-name extension or MIME subtype identified in the object. | string |
fortinet.extinvalid Boolean flag indicating the external certificate or URL was invalid. | pint |
fortinet.exttotal Total amount of external resource (quota, objects) referenced by the event. | pint |
fortinet.failuredev Name or serial of the device reporting a failure state. | string |
fortinet.fams_pause Indicates FortiAnalyzer message submission was paused (true/false). | pint |
fortinet.fazlograte Current log-forwarding rate to FortiAnalyzer in logs / second. | plong |
fortinet.fctemsname Hostname of the FortiClient EMS instance involved. | string |
fortinet.fctemssn Serial number of the FortiClient EMS server that issued the verdict. | string |
fortinet.fctuid FortiClient unique user ID tied to the endpoint. | string |
fortinet.field Field name referenced in a validation error or policy rule. | string |
fortinet.file File path or object name processed by AV, DLP or WAF. | string |
fortinet.filefilter Name of the file-filter profile that generated the log. | string |
fortinet.filehash Hash of the processed file after any transformation (target hash). | string |
fortinet.filehashsrc Hash of the original file before processing (source hash). | string |
fortinet.filename Name of the file that was accessed, transferred or scanned. | text_general |
fortinet.filesize Size of the transferred or scanned file in bytes. | plong |
fortinet.filetype Detected file type or MIME subtype extracted by the content scanner. | string |
fortinet.filtercat Filter category label assigned by UTM module. | string |
fortinet.filtertype Subtype of content or security filter (header, body, script). | string |
fortinet.fortiguardresp Raw FortiGuard service response string captured for debugging. | string |
fortinet.forwardedfor X-Forwarded-For header value preserved by the proxy. | string |
fortinet.fqdn Fully-qualified domain name associated with the IP / object in the event. | string |
fortinet.frametype IEEE 802.11 frame-type value observed in wireless traffic (management, control, data). | string |
fortinet.freediskstorage Free disk space on the FortiGate at the time of logging (bytes). | plong |
fortinet.from Sender address or source name (context-dependent). | text_general |
fortinet.from6 IPv6 source address logged when separate from IPv4 field. | string |
fortinet.from_vcluster ID of the virtual cluster member that generated the message. | pint |
fortinet.fsaverdict Verdict returned by FortiSandbox analysis (malicious, clean, suspicious). | string |
fortinet.ftlkintf FortiLink interface name that connects the FortiSwitch stack. | string |
fortinet.fwdsrv Forwarding server name or IP used for log or email forwarding. | string |
fortinet.fwserver_name Hostname of the FortiWeb or upstream server used for forwarding. | string |
fortinet.gateway Default gateway IP or interface name referenced by the event. | string |
fortinet.gatewayid Identifier of the upstream Internet gateway used by SD-WAN. | pint |
fortinet.green Boolean / string flag signalling secure "green" rating (e.g., SSL inspection passthrough). | string |
fortinet.group Name of the user, address or device group involved. | text_general |
fortinet.groupid Numeric group identifier used internally by FortiOS. | pint |
fortinet.ha_group High-availability group ID to which the device belongs. | string |
fortinet.ha_prio Device priority value within the HA cluster (higher wins). | plong |
fortinet.ha_role High-availability role of the device at the time (primary, secondary, slave, master). | string |
fortinet.handshake Textual summary of TLS/IKE handshake details. | string |
fortinet.hash Hash (MD5, SHA-256, etc.) calculated for the file or packet payload. | string |
fortinet.headerteid Tunnel-Endpoint-ID found in the packet header (GTP-U). | pint |
fortinet.healthcheck Result of a periodic health check (pass, warn, fail). | string |
fortinet.highcount Number of high-severity findings within the audit. | plong |
fortinet.host Host header value or hostname extracted from the request. | string |
fortinet.hostkeystatus Status of the SSH host key validation (ok, mismatch, unknown). | string |
fortinet.hostname Hostname extracted from the session (SNI, HTTP Host, etc.). | text_general |
fortinet.hseid Hash Security Event identifier used by file-security analytics. | string |
fortinet.httpcode HTTP status code returned by a web request inspected by the firewall. | pint |
fortinet.httpmethod HTTP request method (GET, POST, PUT, DELETE, ...). | string |
fortinet.iaid Identity Association ID used in DHCPv6 address assignment. | pint |
fortinet.icbaction ICAP/ICB processing action (allow, replace, remove). | string |
fortinet.icbconfidence Confidence score returned by ICAP/ICB scanner for the verdict. | string |
fortinet.icbfileid Identifier for the file processed by ICAP/ICB service. | string |
fortinet.icbfiletype File type string returned by ICAP/ICB content scanner. | string |
fortinet.icbseverity ICAP/ICB engine severity rating for the scanned content. | string |
fortinet.icbverdict Scan verdict string returned by the ICAP/ICB service. | string |
fortinet.icmpcode ICMP code value associated with the echo / error message. | string |
fortinet.icmpid Identifier field extracted from the ICMP echo request / reply. | string |
fortinet.icmptype ICMP type value (0 = echo-reply, 8 = echo-request, etc.). | string |
fortinet.id Generic identifier local to the log type (policy ID, rule ID, etc.). | string |
fortinet.identifier Additional string identifier (transaction ID, custom tag). | string |
fortinet.ietype ICMP echo-type or IKE exchange-type value. | pint |
fortinet.imei_sv International Mobile Equipment Identity & Software Version of the handset. | string |
fortinet.imsi International Mobile Subscriber Identity associated with the session. | string |
fortinet.in_spi Inbound Security Parameter Index associated with the IPsec SA. | string |
fortinet.inbandwidthavailable Available inbound bandwidth on the interface or SD-WAN link. | string |
fortinet.inbandwidthused Current inbound bandwidth consumed on the interface / SD-WAN link. | string |
fortinet.incidentserialno Incident serial number assigned by FortiAnalyzer/FortiSIEM. | plong |
fortinet.infectedfilelevel Risk level (low, medium, high) assigned to the infected file by the AV engine. | pint |
fortinet.infectedfilename Name of the file that the antivirus engine flagged as infected. | string |
fortinet.infectedfilesize Size in bytes of the file that was flagged as infected by the AV engine. | plong |
fortinet.infectedfiletype File type (MIME / extension) of the object flagged as infected. | string |
fortinet.infection Verdict string describing the infection type detected by AV/IPS. | string |
fortinet.informationsource Source module or feed that provided threat intelligence. | string |
fortinet.init Boolean flag indicating that the module is in its initialisation phase. | string |
fortinet.initiator Flag or ID indicating that this peer initiated the VPN or session handshake. | string |
fortinet.interface Generic interface name referenced by the log. | string |
fortinet.intf Short alias of the network interface. | string |
fortinet.invalidmac MAC address that failed validation (e.g., malformed or broadcast). | string |
fortinet.ip Generic IP address field when context-specific name is unavailable. | text_general |
fortinet.ipaddr Generic IP address field when neither src nor dst is implied by context. | string |
fortinet.iptype IP address family type: IPv4, IPv6 or dual-stack. | string |
fortinet.issuer Issuer Distinguished Name of the X.509 certificate. | string |
fortinet.itype Information-type or ICMP message class recorded by the subsystem. | string |
fortinet.jitter Packet delay variation (ms) measured during SLA monitoring. | string |
fortinet.keyalgo Public-key algorithm (RSA, ECDSA, Ed25519) identified in the certificate. | string |
fortinet.keysize Key-length in bits of the public-key used in the TLS / SSH session or certificate (e.g., 2048, 4096). | pint |
fortinet.keyword Keyword matched during DLP or CASB scanning. | string |
fortinet.kind Generic kind or class label supplied by the parser. | string |
fortinet.kxcurve Elliptic-curve name used during ECDHE/ECDSA key exchange (e.g., secp256r1). | string |
fortinet.kxproto Key-exchange protocol selected (IKEv1, IKEv2, TLS1.3-ECDHE, etc.). | string |
fortinet.lanin Incoming traffic volume on LAN interface in bytes. | plong |
fortinet.lanout Outgoing traffic volume on LAN interface in bytes. | plong |
fortinet.latency One-way or round-trip latency (ms) measured for the flow. | string |
fortinet.lease Lifetime of the DHCP/IP assignment or license lease in seconds. | pint |
fortinet.level Syslog severity or FortiOS log level (notice, warning, error). | string |
fortinet.license_limit Licensed maximum value (users, tunnels, endpoints) relevant to the event. | string |
fortinet.limit Configured upper limit for the resource (bandwidth, sessions, files). | pint |
fortinet.line Configuration line or rule index referenced in the log. | string |
fortinet.linked_nsapi GPRS/3GPP NSAPI index linked to the mobile-data session. | pint |
fortinet.live Live/active flag or counter showing that the session is still valid. | pint |
fortinet.local Boolean string indicating the object originates from the local device. | string |
fortinet.localdevcount Number of locally discovered devices on the LAN/VLAN. | pint |
fortinet.locip Local IP address after source-NAT or interface binding. | text_general |
fortinet.locport Local-side TCP/UDP port value after NAT or interface translation. | pint |
fortinet.log Raw log fragment captured for troubleshooting. | string |
fortinet.logdesc Narrative text explaining the log-entry type as generated by FortiOS. | text_general |
fortinet.logflag Bitmask or flag set denoting where the log is stored (disk, forward, syslog). | string |
fortinet.logid FortiOS internal log ID representing the event type. | string |
fortinet.login Username entered during the authentication attempt that triggered the log. | string |
fortinet.logsrc Identifier of the log source (device or module). | string |
fortinet.logver Version of the log format (e.g., "2.0" for new style). | string |
fortinet.lowcount Number of low-severity findings within an audit or scan. | plong |
fortinet.mac Generic MAC address field used when src/dst context is unclear. | string |
fortinet.malform_data Count of malformed data units observed. | pint |
fortinet.malform_desc Description of malformed or suspicious traffic detected. | string |
fortinet.manuf Manufacturer string derived from MAC OUI or device fingerprint. | string |
fortinet.masterdstmac Destination MAC address as seen by the master unit in an HA pair. | text_general |
fortinet.mastersrcmac Source MAC address as observed by the HA master unit. | text_general |
fortinet.matchfilename Filename that matched a DLP or file-filter rule. | string |
fortinet.matchfiletype Detected file type that matched the filter or rule. | string |
fortinet.mediumcount Number of medium-severity findings within an audit or scan. | plong |
fortinet.mem Memory utilisation percentage recorded at log time. | plong |
fortinet.member Name/ID of the object that is a member of a group or cluster affected by the event. | string |
fortinet.meshmode Operating mode of a FortiMesh unit (mesh-leaf, mesh-root). | string |
fortinet.messageId Unique e-mail or syslog message identifier captured in the log. | string |
fortinet.message_type Subtype or category of the system message (info, alert, error). | string |
fortinet.method HTTP request method such as GET, POST, PUT, DELETE. | string |
fortinet.mgmtcnt Count of management packets processed (SNMP, SSH) during interval. | pint |
fortinet.mitm Flag indicating a potential Man-in-the-Middle anomaly was detected. | string |
fortinet.mode Operating mode of the FortiGate unit when the event occurred (NAT, transparent, flow, proxy). | string |
fortinet.model Hardware model string of the FortiGate or attached device. | string |
fortinet.module Internal FortiOS module that produced the log line (e.g., wad, dpd, ips). | string |
fortinet.monitor_name Name of the monitored object in FortiMonitor or SDN integration. | string |
fortinet.monitor_type Type of monitor (ping, tcp, http, jitter) defined in SD-WAN SLA. | string |
fortinet.moscodec Codec name used when the MOS score was calculated (G.711, Opus). | string |
fortinet.mosvalue Mean Opinion Score value calculated for VoIP or video quality. | string |
fortinet.mpsk Multi-pre-shared-key identifier applied in WPA2/WPA3-Enterprise WLAN deployments. | string |
fortinet.msg Free-form message text included in the FortiGate log entry. | string |
fortinet.msg_type Numeric or textual message-type identifier. | pint |
fortinet.msgtypename Verbose message-type name resolved from numeric msg_type. | string |
fortinet.msisdn Mobile-Station-ISDN number (phone number) of the subscriber. | string |
fortinet.mtu Maximum-Transmission-Unit size configured or detected for the interface. | pint |
fortinet.nai Network Access Identifier (EAP/802.1X) string provided by the client. | string |
fortinet.name Object or profile name involved (e.g., address-book entry, policy name). | string |
fortinet.nat Translation summary string (snat, dnat, central-nat, none). | string |
fortinet.neighbor Neighbor identifier in routing or wireless-mesh contexts. | string |
fortinet.netid Network identifier string (SSID, MPLS label, VRF) referenced by the event. | string |
fortinet.networktransfertime End-to-end network transfer time metric recorded by SpeedTest. | string |
fortinet.new_status New status value after the configuration or state change. | string |
fortinet.new_value Value after a configuration change or detected difference. | string |
fortinet.newchannel Wi-Fi channel configured after the channel-switch event. | pint |
fortinet.newchassisid Chassis ID reported for the replacement or newly added module. | pint |
fortinet.newslot Chassis or blade slot number after a hardware migration. | pint |
fortinet.newvalue Value after the configuration change (post-state) for audit purposes. | string |
fortinet.nextstat Following state or status code reported by the module. | plong |
fortinet.noise Background noise level in dBm measured by the wireless radio. | pint |
fortinet.notafter Expiration date of a certificate or license (ISO-8601). | pdate |
fortinet.notbefore Not-Before timestamp from the X.509 certificate validity period. | pdate |
fortinet.nsapi Network Service Access Point Identifier from GTP sessions. | pint |
fortinet.numpassmember Number of cluster members operating in 'pass' state. | pint |
fortinet.old_status Previous status value before the change or transition. | string |
fortinet.old_value Value before the change, for audit comparison. | string |
fortinet.oldchannel Wi-Fi channel number before the AP performed the channel switch. | pint |
fortinet.oldchassisid Previous chassis ID before hardware replacement. | pint |
fortinet.oldslot Chassis or blade slot number prior to a hardware replacement or migration. | pint |
fortinet.oldsn Previous serial number before the replacement event. | string |
fortinet.oldvalue Previous value of the configuration attribute before change. | string |
fortinet.oldwprof Name of the previous wireless profile before the change. | string |
fortinet.onwire Boolean flag showing whether the wireless client is presently on-wire (Ethernet). | string |
fortinet.operation Operation keyword describing the admin action (create, update, delete). | string |
fortinet.opercountry ISO-3166 country code configured as operating location of the FortiGate (e.g., for RF compliance). | string |
fortinet.operdrmamode Current DRAM operating mode (e.g., performance, low-power) for hardware analytics. | string |
fortinet.opertxpower Operating transmit power of the radio in dBm. | pint |
fortinet.osname Operating-system name detected on the source host or endpoint. | text_general |
fortinet.out_spi Outbound Security Parameter Index for IPsec SA. | string |
fortinet.outbandwidthavailable Remaining outbound bandwidth on the interface or SD-WAN link at log time. | string |
fortinet.outbandwidthused Current outbound bandwidth consumed on the interface / SD-WAN link. | string |
fortinet.outintf Outgoing (egress) interface that forwarded the traffic. | string |
fortinet.packetloss Percentage of packet loss measured during SLA or speed test. | string |
fortinet.parameters Query string or command parameters recorded with the action. | string |
fortinet.passedcount Number of checks that passed successfully in the audit. | plong |
fortinet.passwd Obfuscated password string included in the configuration change. | string |
fortinet.path Filesystem or URL path involved in the event. | string |
fortinet.pathname Filesystem or URL path referenced in the event. | string |
fortinet.pdstport Original destination port before any NAT translation. | pint |
fortinet.peer Peer hostname or identifier in VPN or HA context. | string |
fortinet.peer_notif Notification message text received from the VPN peer. | text_general |
fortinet.phase2_name Name of the IPsec Phase-2 selector that owns the SA. | text_general |
fortinet.phone Phone number or IMSI associated with the user or session. | string |
fortinet.pid Process ID reported by the FortiOS subsystem that raised the log. | pint |
fortinet.policy_id Second variant of the security policy numeric ID. | plong |
fortinet.policyid Numeric identifier of the security policy that matched the session. | string |
fortinet.policymode Policy processing mode (flow, proxy, tap) selected for session. | string |
fortinet.policyname Admin-defined name of the firewall or proxy policy. | string |
fortinet.policytype Policy class such as "firewall", "shaping", "proxy" or "do policy". | string |
fortinet.poluuid Universally unique identifier (UUID) of the policy object. | string |
fortinet.poolname Name of the DHCP / IPsec address pool used for assignment. | string |
fortinet.port Generic port field when a more specific src/dst label is absent. | pint |
fortinet.portbegin Lower boundary of the destination port-range specified in a policy. | pint |
fortinet.portend Upper boundary of the port-range used in policy or service object. | pint |
fortinet.probeproto Probe protocol used for health monitoring (ICMP, TCP). | string |
fortinet.process Process name or ID on the FortiGate that triggered the message. | string |
fortinet.processtime Processing time in milliseconds spent inside the FortiGate datapath. | pint |
fortinet.product Product identifier referenced (malware family, license, SKU). | string |
fortinet.profile Name of the applied security profile (AV, IPS, WebFilter). | string |
fortinet.profiletype Type of security profile (antivirus, IPS, DLP, application control). | string |
fortinet.proto IP protocol number of the flow (e.g., 6 = TCP, 17 = UDP). | string |
fortinet.protocol Named application protocol when more specific than the layer-4 proto field. | string |
fortinet.proxyapptype Application type handled by the proxy (HTTP, SOCKS). | string |
fortinet.psrcport Original source port before NAT translation. | pint |
fortinet.qclass DNS query class (IN, CH, HS) extracted from the packet. | string |
fortinet.qname Fully-qualified domain name queried in the DNS request. | string |
fortinet.qtype Human-readable DNS query-type (A, AAAA, MX, TXT) parsed from the request. | string |
fortinet.qtypeval Numeric DNS query-type value (1 =A, 28 = AAAA, etc.). | pint |
fortinet.quarskip Flag indicating that quarantine was skipped for the file/session. | string |
fortinet.quotaexceeded Boolean flag that the user/object has exceeded its assigned quota. | string |
fortinet.quotamax Maximum quota value configured for the user or object. | plong |
fortinet.quotatype Type of quota being enforced (user, group, per-IP, file-quota). | string |
fortinet.quotaused Amount of quota already consumed by the user/object (bytes, seconds, hits). | plong |
fortinet.radioband Wireless frequency band used (2.4 GHz, 5 GHz, 6 GHz). | string |
fortinet.radioid Radio interface index on the FortiAP that handled the frame. | pint |
fortinet.radioidclosest ID of the radio that had the strongest signal to the client. | pint |
fortinet.radioiddetected ID of the radio interface that detected the wireless client. | pint |
fortinet.rai Routing-Area-Identity value in mobile-core signalling logs. | string |
fortinet.rat_type Radio-access-technology type (LTE, NR, GSM) recorded in mobile logs. | string |
fortinet.rate Measured throughput or packet-rate value (context-dependent units). | pint |
fortinet.ratemethod Traffic-shaping rate method in effect (static, guaranteed, max-burst). | string |
fortinet.rawdata Raw payload or binary data captured for forensics. | text_general |
fortinet.rawdataid Identifier linking to raw packet or PCAP data stored for forensics. | string |
fortinet.rcode DNS response code returned by the resolver (0=NOERROR, 3=NXDOMAIN). | pint |
fortinet.rcvdbyte Total bytes received from the client during the session. | plong |
fortinet.rcvddelta Bytes received since the previous delta sample in aggregated logs. | plong |
fortinet.rcvdpkt Total packets received from the client during the session. | plong |
fortinet.rcvdpktdelta Incremental number of packets received since the last sample. | pint |
fortinet.realserverid Identifier of the real server instance selected by SLB/Proxy. | pint |
fortinet.reason Human-readable reason phrase explaining the action. | text_general |
fortinet.recipient Recipient address / username in mail, proxy or DLP context. | string |
fortinet.red Colour classification of the file (e.g., red = malicious). | string |
fortinet.ref Reference number or URL associated with the ticket or workflow. | string |
fortinet.referralurl Full HTTP referrer / redirect URL captured in the request. | text_general |
fortinet.remip Remote peer IP address involved in the control message. | text_general |
fortinet.remote Boolean or string flag indicating that the object or user is remote (dial-up, SD-WAN, VPN). | string |
fortinet.remotetunnelid Numeric tunnel ID assigned by the remote VPN peer. | pint |
fortinet.remotewtptime Timestamp returned by a remote FortiWiFi Thin AP during time synchronisation. | pdate |
fortinet.remport Remote port value in VoIP or ICMP helper logs. | pint |
fortinet.replydstintf Outgoing interface used for the reply traffic (reverse session). | string |
fortinet.replysrcintf Incoming interface used for the reply path of asymmetric session. | string |
fortinet.reporttype Kind of report generated (summary, detail, compliance, forensic). | string |
fortinet.reqlength Length of the HTTP request (bytes) including headers and body. | plong |
fortinet.reqtime Request processing time in milliseconds. | plong |
fortinet.reqtype Request type or method specific to the subsystem (e.g., DHCPDISCOVER, ANQP). | string |
fortinet.request_name API or CLI request name executed by the administrator. | string |
fortinet.requesttype Specific request type keyword of the subsystem (e.g., REPORT, RETRIEVE). | string |
fortinet.respfinishtime Timestamp when the response transmission finished. | plong |
fortinet.resplength Length of the response payload in bytes. | plong |
fortinet.resptime Measured server response time in milliseconds. | plong |
fortinet.resptype Response type returned by the server (e.g., json, html, xml). | string |
fortinet.result Outcome string of the operation (success, fail, error). | string |
fortinet.role Device, user or admin role associated with the event (e.g., readonly, master). | string |
fortinet.rssi Received-Signal-Strength-Indicator in dBm measured for the client or AP. | pint |
fortinet.rsso_key Key string used by RSSO for mapping user sessions to policies. | string |
fortinet.ruleid Numeric rule identifier (policy, WAF, IPS) that matched the traffic. | pint |
fortinet.rulename Human-readable name of the policy or rule that generated the entry. | string |
fortinet.saasapp Name of the SaaS application detected in CASB analysis. | string |
fortinet.saasinfo Additional SaaS application identifiers or metadata (if available). | string |
fortinet.saasname Name of the SaaS application detected by CASB analysis. | string |
fortinet.saddr Source address (generic) when neither IPv4 nor IPv6 context applies. | string |
fortinet.san Subject-Alternative-Name value from the inspected certificate. | string |
fortinet.scantime Time taken to complete the scan, in milliseconds. | plong |
fortinet.scertcname Common-Name value from the server certificate in the TLS session. | text_general |
fortinet.scertissuer Issuer DN or CN from the server certificate. | text_general |
fortinet.scheme URL scheme observed (http, https, ftp, ssh). | string |
fortinet.scope Scope or domain to which the configuration or rule applies. | string |
fortinet.security Security level or mode string reported by the subsystem. | string |
fortinet.selection Selected option or menu node referenced by an admin action. | string |
fortinet.sender Sender address or identity in e-mail, syslog or messaging context. | string |
fortinet.sensitivity Sensitivity / confidentiality label assigned by DLP (public, confidential). | string |
fortinet.sentbyte Total bytes sent to the client during the session. | plong |
fortinet.sentdelta Bytes sent since the previous delta sample in aggregated logs. | plong |
fortinet.sentpkt Total packets sent to the client during the session. | plong |
fortinet.sentpktdelta Incremental packets sent since previous delta sample. | pint |
fortinet.seq Sequence number of the log message within the session or transaction. | string |
fortinet.seqnum Sequence number used by the subsystem to order fragmented logs. | pint |
fortinet.serial Short form of the device serial number (alternate to serialno). | pint |
fortinet.serialno Serial number of the FortiGate or FortiAP that generated the log. | string |
fortinet.server Backend or upstream server name referenced by the connection or probe. | text_general |
fortinet.serveraddr IP address of the server contacted. | string |
fortinet.servername Server-Name-Indication (SNI) host detected in TLS handshake. | string |
fortinet.serverresponsetime Time (ms) the backend server needed to start sending a response. | string |
fortinet.service Service object or application protocol recognized (e.g., HTTPS, DNS). | string |
fortinet.serviceid Numeric FortiOS service object ID that matched the connection. | pint |
fortinet.session_id Alternate session identifier used by VPN/SSL modules. | plong |
fortinet.sessionid Internal FortiOS session identifier (hexadecimal). | string |
fortinet.setuprate Rate at which sessions or tunnels were set up (per minute). | plong |
fortinet.severity Qualitative severity level (low, medium, high, critical) set by the module. | string |
fortinet.shaperdroprcvdbyte Bytes dropped by the traffic shaper on receive direction. | pint |
fortinet.shaperdropsentbyte Bytes dropped by the traffic shaper in transmit direction. | pint |
fortinet.shaperperipdropbyte Number of bytes dropped by the per-IP traffic shaper. | pint |
fortinet.shaperperipname Name of a per-IP traffic shaper that limited throughput. | string |
fortinet.shaperrcvdname Name of the traffic-shaper profile that limited received traffic. | string |
fortinet.shapersentname Name of the traffic shaper applied to egress packets. | string |
fortinet.shapingpolicyid Numeric ID of the traffic shaping / QoS policy. | pint |
fortinet.shapingpolicyname Name of the traffic-shaping or QoS policy applied. | string |
fortinet.sharename SMB/CIFS share name accessed in the file-sharing session. | string |
fortinet.signal Signal strength in dBm measured by the AP for the station. | pint |
fortinet.size Payload or object size in bytes recorded by the subsystem. | string |
fortinet.ski Subject-Key-Identifier extracted from the certificate. | string |
fortinet.slamap Name of the SD-WAN SLA map that evaluated the link. | string |
fortinet.slatargetid Identifier of the SD-WAN SLA target used to measure link quality. | pint |
fortinet.slctdrmamode Selected DRAM mode configured (balanced, powersave) for slot. | string |
fortinet.slot Hardware slot or fabric interface slot referenced (for chassis models). | pint |
fortinet.sn Serial number of the FortiGate device or log source. | string |
fortinet.snclosest Serial number of the FortiAP reporting the strongest signal for the client. | string |
fortinet.sndetected Serial number of the AP that detected the rogue/wireless client. | string |
fortinet.snetwork Source network object name matched in the policy. | string |
fortinet.sni Server Name Indication host observed in the TLS handshake. | text_general |
fortinet.snmeshparent Serial number of the mesh-root AP that this leaf attached to. | string |
fortinet.snprev Serial number of the unit before a hardware replacement or RMA. | string |
fortinet.snr Signal-to-noise ratio in dB reported by the wireless radio for the client. | pint |
fortinet.source_mac Layer-2 source MAC address recorded in the packet header. | string |
fortinet.speedtestserver Hostname or ID of the server selected for bandwidth measurement. | string |
fortinet.spi Security Parameter Index value for an IPsec SA referenced in the log. | string |
fortinet.src_int Internal interface index or name on the device. | string |
fortinet.src_port Alternate source port field (integer). | pint |
fortinet.srccity City derived from the source IP geolocation. | string |
fortinet.srccountry ISO country associated with the source IP address. | string |
fortinet.srcdomain Fully-qualified domain name resolved for the source IP address. | string |
fortinet.srcfamily Operating-system family detected on the source device (Windows, iOS). | string |
fortinet.srchwvendor Hardware vendor string of the source endpoint. | string |
fortinet.srchwversion Hardware model or version of the source endpoint. | string |
fortinet.srcinetsvc FortiGuard Internet-Service-DB entry matched for the source. | string |
fortinet.srcintf Incoming interface name that received the traffic. | string |
fortinet.srcintfrole Role of the source interface (lan, wan, dmz, undefined). | string |
fortinet.srcip IP address from which the connection originated. | text_general |
fortinet.srcmac Layer-2 source MAC address. | text_general |
fortinet.srcmacvendor OUI/vendor derived from the source MAC address. | string |
fortinet.srcname FQDN, alias or hostname associated with the source IP. | text_general |
fortinet.srcport Layer-4 source port number. | pint |
fortinet.srcregion Geographical region derived from the source IP address. | string |
fortinet.srcremote Boolean / string indicating the source is a remote node (dial-up, SD-WAN). | string |
fortinet.srcreputation Reputation score assigned to the source IP or domain. | pint |
fortinet.srcserver Server type detected on the source side (Apache, IIS). | text_general |
fortinet.srcssid SSID from which a wireless frame originated (roaming detection). | string |
fortinet.srcswversion Software version detected on the source endpoint. | string |
fortinet.srcthreatfeed Name of the external threat feed that flagged the source. | string |
fortinet.srcuuid Endpoint UUID of the source device from EMS/Fabric. | string |
fortinet.sscname Session scope or sensor context name associated with analytics. | string |
fortinet.ssid Service-Set Identifier of the wireless network concerned. | string |
fortinet.sslaction SSL inspection action (bypass, inspect, deep-scan). | string |
fortinet.stacount Number of wireless stations currently associated with the AP. | pint |
fortinet.stage Lifecycle stage at which the log was generated (e.g., "pre-login", "data", "post-scan"). | pint |
fortinet.stamac Station MAC address seen in wireless association. | string |
fortinet.state General state flag related to the module (up, down, enabled, disabled). | string |
fortinet.status Status flag of the event (OK, error, warning). | string |
fortinet.statuscode Numeric status or error code returned by subsystem. | string |
fortinet.stitch Automation Stitch policy associated with the event. | text_general |
fortinet.stitchaction Action node of the Stitch that executed (email, quarantine, webhook). | text_general |
fortinet.subCategory Secondary category label used for analytics and dashboards. | text_general |
fortinet.subject Subject line of the e-mail or description field in the ticket. | text_general |
fortinet.submodule Internal FortiOS sub-module that generated the log (e.g., wad, ips, pim). | string |
fortinet.subservice Sub-service string used by SD-WAN or service-recognition (e.g., skype-file-transfer). | string |
fortinet.subtype FortiOS log subtype such as "traffic", "event", "virus". | string |
fortinet.switchaclid Identifier of the FortiSwitch ACL that matched. | pint |
fortinet.switchautoip Auto-assigned management IP of a FortiSwitch discovered by FortiLink. | string |
fortinet.switchid Serial number or ID of the managed FortiSwitch. | string |
fortinet.switchinterface Interface name on the FortiSwitch referenced in the event. | string |
fortinet.switchl2capacity Layer-2 switching capacity (Gbps) reported for the FortiSwitch stack. | pint |
fortinet.switchl2count Number of Layer-2 switch entries or MACs currently learned. | pint |
fortinet.switchmirrorsession Name / ID of the FortiSwitch mirror session involved. | string |
fortinet.switchphysicalport Physical port name on the FortiSwitch that logged the event. | string |
fortinet.switchproto Switch management protocol in use (LLDP, CDP, STP). | string |
fortinet.switchsysteminterface System interface name on FortiSwitch where the event occurred. | string |
fortinet.switchtrunk Name of the FortiSwitch trunk interface referenced. | string |
fortinet.switchtrunkinterface Name of the switch-trunk interface referenced. | string |
fortinet.sync_status Status of HA/FGSP configuration or session synchronization (success, dirty, fail). | string |
fortinet.sync_type Type of data being synchronized (config, kernel, session, object). | string |
fortinet.sysuptime System up-time in seconds when the log was generated. | plong |
fortinet.tamac Transmitter MAC address in wireless logs. | string |
fortinet.threattype Threat class assigned by the security engine (malware, exploit, spam). | string |
fortinet.ticket Support or trouble-ticket number inserted by the admin or fabric. | string |
fortinet.timeoutdelete Timeout value after which an idle object or session will be deleted (seconds). | pint |
fortinet.tlsver Version of TLS detected in the handshake (e.g., TLS 1.3). | string |
fortinet.to Recipient address, user or object name (context-dependent). | text_general |
fortinet.to6 Destination IPv6 address field when separate from IPv4 context. | string |
fortinet.to_vcluster ID of the destination virtual-cluster member receiving the sync. | pint |
fortinet.total Aggregate count or size referenced by the record (context-dependent). | plong |
fortinet.totalsession Total number of sessions represented by this summary log. | plong |
fortinet.trace_id Unique trace identifier for diagnostics or call traces. | string |
fortinet.trandisp NAT translation disposition (snat, dnat, no-trans). | string |
fortinet.tranip Translated IP address produced by NAT or SD-WAN rule. | text_general |
fortinet.tranport Translated port number after NAT was applied. | pint |
fortinet.transid Transaction identifier used in DHCP, PPP or authentication exchange. | pint |
fortinet.transip Translated IP address after NAT was applied. | text_general |
fortinet.translationid Unique ID of the NAT or SD-WAN translation rule applied to this session. | pint |
fortinet.transport Transport identifier for GTP/LTE or similar logs. | plong |
fortinet.trigger Name of the automation stitch or log trigger that fired. | text_general |
fortinet.trueclntip Original client IP before proxy / X-Forwarded-For rewriting. | string |
fortinet.tunnel_idx Internal index number of the VPN tunnel in the FortiGate table. | pint |
fortinet.tunnelid Numeric or textual identifier of the VPN tunnel being logged. | plong |
fortinet.tunnelip Virtual IP assigned to the tunnel or peer interface. | text_general |
fortinet.tunneltype Class of tunnel (site-to-site, SSL-VPN, GRE, VXLAN). | string |
fortinet.type High-level FortiOS log type (traffic, system, anomaly). | string |
fortinet.u_bytes Total user-plane bytes transferred for the session. | plong |
fortinet.u_ggsn User-plane GGSN identifier noted in GTP-U session logs. | string |
fortinet.u_ggsn_teid U-plane TEID assigned by the GGSN (3G/4G GTP-U). | pint |
fortinet.u_gsn Control-plane GGSN/PGW identifier (user-plane side) recorded in mobile-core events. | string |
fortinet.u_pkts Total user-plane packets counted for the connection. | plong |
fortinet.u_sgsn User-plane SGSN identifier referenced in mobile-network context. | string |
fortinet.u_sgsn_teid User-plane SGSN TEID value carried in GTP-U packets. | pint |
fortinet.ufseid Unique File Security Event identifier generated by the UTM engine. | string |
fortinet.ufseidaddr IP address referenced in the File-Security Event (UFSE). | string |
fortinet.uggsn6 User-plane GGSN/PGW IPv6 address captured in 3GPP GTP-U logs. | string |
fortinet.ugsn6 IPv6 address of the user-plane GGSN/PGW in mobile-network logs. | string |
fortinet.ui GUI module, page or wizard invoked by the administrator. | text_general |
fortinet.uli User Location Information (ULI) element captured in mobile-core logs. | string |
fortinet.ulimcc Mobile-country-code of the user-location cell (3G/4G). | pint |
fortinet.ulimnc User-location mobile-network country code (MNC) in LTE/5G logs. | pint |
fortinet.unauthuser Username observed but not authenticated on the firewall. | text_general |
fortinet.unauthusersource Subsystem that reported the unauthenticated user (e.g., WAD). | text_general |
fortinet.upbandwidthmeasured Measured upstream bandwidth during a speed or SLA test. | string |
fortinet.upgradedevice Serial number or hostname of the device that has just been upgraded. | string |
fortinet.upteid User-plane TEID value extracted from GTP-U packets. | pint |
fortinet.url Requested URL or domain extracted from HTTP/SNI. | text_general |
fortinet.urlfilteridx Numeric index of the URL-filter rule in the Web-Filter profile that matched the request. | pint |
fortinet.urlfilterlist Name of the URL-filter list that triggered the web-filter action. | string |
fortinet.urlsource Source from which the URL was extracted (referer, embed, manual). | string |
fortinet.urltype URL classification type (direct, redirect, iframe, ads). | string |
fortinet.used Quantity of resource or license currently consumed. | plong |
fortinet.used_for_type Subsystem or feature that currently consumes the referenced license/resource. | string |
fortinet.user Authenticated user name mapped to the session. | text_general |
fortinet.user_data Free-form user-defined data blob or tag preserved in the log for correlation. | string |
fortinet.useractivity Short text describing the action a user performed (login, upload, print). | string |
fortinet.useralt Alternate user string (e.g., UPN, secondary alias) captured for correlation. | text_general |
fortinet.usgsn6 User-plane SGSN IPv6 address in 3GPP GTP-U logs. | string |
fortinet.utmaction UTM module action taken (monitor, block, quarantine). | string |
fortinet.utmref Reference ID of the UTM profile, rule or signature. | string |
fortinet.uuid Universally unique identifier of the FortiGate object or policy. | string |
fortinet.vap Virtual Access-Point identifier on a FortiAP. | string |
fortinet.vapmode Wireless VAP operating mode (tunnel, bridge, mesh-leaf). | string |
fortinet.vcluster Identifier or name of the virtual cluster inside an FGCP HA group. | string |
fortinet.vcluster_member Member index of the FortiGate inside the virtual cluster that logged the event. | string |
fortinet.vcluster_state Current state of the virtual clustering subsystem (e.g., active, standby, split-brain). | string |
fortinet.vd Virtual domain (VDOM) name or numeric ID. | string |
fortinet.vdname Full name of the virtual domain (VDOM) instead of numeric vd. | string |
fortinet.vendor Hardware or software vendor string associated with the log entry. | string |
fortinet.vendorurl Vendor website URL recorded by vulnerability or asset scan. | string |
fortinet.version Protocol or data version string reported by the device. | string |
fortinet.versionmax Maximum protocol or software version supported by the peer. | string |
fortinet.versionmin Minimum supported protocol or software version detected. | string |
fortinet.videocategoryid Numeric ID of the FortiGuard video category detected. | pint |
fortinet.videocategoryname Textual name of the video category assigned by FortiGuard. | string |
fortinet.videochannelid Channel identifier extracted from the video service. | string |
fortinet.videodesc Description or title of video content detected by FortiGuard. | string |
fortinet.videoid Identifier of the video content accessed (e.g., YouTube ID). | string |
fortinet.videoinfosource Source from which video metadata was obtained (YouTube, Vimeo). | string |
fortinet.videotitle Title of the video content accessed. | string |
fortinet.violations Comma-separated list of policy or compliance violations. | string |
fortinet.vip Name of the Virtual-IP (DNAT) object that matched the connection. | string |
fortinet.virus Name of the malware signature that matched (if available). | string |
fortinet.viruscat Malware category assigned by AV engine (e.g., Trojan, Worm). | string |
fortinet.virusid Numeric malware signature ID that matched in the antivirus engine. | string |
fortinet.vlan VLAN ID associated with the frame or session. | pint |
fortinet.voip_proto VoIP protocol detected (SIP, H.323, MGCP). | string |
fortinet.vpntunnel Name of the VPN tunnel involved in the event. | text_general |
fortinet.vpntype Type of VPN (IPsec, SSL, L2TP, PPTP). | string |
fortinet.vrf VRF or routing-instance number associated with the flow. | pint |
fortinet.vulncat Vulnerability category (e.g., buffer-overflow, XSS). | string |
fortinet.vulncnt Total number of vulnerabilities detected during the scan run. | pint |
fortinet.vulnid Numeric internal vulnerability ID assigned by the scanner. | pint |
fortinet.vulnname Name of the vulnerability detected by scanner or IPS. | string |
fortinet.vulnresult Outcome string of the vulnerability scan on the object. | string |
fortinet.vwlid Identifier of the FortiGuard Video/Web-Log (VWL) policy entry. | pint |
fortinet.vwlname FortiGuard Video/Web-Log policy name that classified the traffic. | string |
fortinet.vwlquality FortiGuard Video/Web-Log (VWL) quality rating assigned to the media stream. | string |
fortinet.vwlservice FortiGuard Video/Web-Log Service category name. | string |
fortinet.vwpvlanid Virtual Wire Pair VLAN ID associated with the traffic. | pint |
fortinet.wanin Bytes received on WAN interface during the session. | plong |
fortinet.waninfo Serialized WAN-link or SD-WAN member diagnostics blob. | strings |
fortinet.wanoptapptype Application type handled by WAN-opt (HTTP, CIFS, MAPI). | string |
fortinet.wanout Bytes sent on WAN interface during the session. | plong |
fortinet.weakwepiv Count of weak WEP IV packets detected on the WLAN channel. | string |
fortinet.webmailprovider Recognised web-mail provider associated with the session. | string |
fortinet.wscode Web Service return code or FortiGuard reply code associated with the request. | plong |
fortinet.xauthgroup Group or realm name that the client supplied via XAuth during IPsec authentication. | string |
fortinet.xauthuser User name supplied via XAuth during IPsec authentication. | text_general |
fortinet.xid Transaction ID used in DHCP or PPP negotiations. | pint |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.