Global Fields (4)
| Field | Type |
|---|---|
ngs.createdAt Timestamp when the event was created locally. | pdate |
ngs.id Unique identifier for the log entry. | string |
ngs.indexedAt Timestamp when the log was indexed into the SIEM. | pdate |
ngs.source Origin or source system of the log. | string |
Generic Fields (21)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema— things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.
| Field | Reference-Specific Fields | Type |
|---|---|---|
gen.protocol Network protocol used (e.g., TCP, UDP, ICMP). | fortisiem.appTransportProto fortisiem.ipProto | strings |
gen.dest.interface Network interface used for the destination connection. | fortisiem.destIntfName | strings |
gen.dest.ip Destination IP address. | fortisiem.destIpAddr | text_general |
gen.dest.port Destination port number. | fortisiem.destIpPort | pint |
gen.dest.mac MAC address of the destination device. | fortisiem.destMACAddr | string |
gen.file.name File name associated with the event. | fortisiem.fileName fortisiem.filePath | strings |
gen.file.path Full file path associated with the event. | fortisiem.fileName fortisiem.filePath | strings |
gen.severity Normalized severity field across log sources. | fortisiem.header.severity | strings |
gen.src.ip Source IP address. | fortisiem.hostIpAddr fortisiem.srcIpAddr | text_general |
gen.src.mac MAC address of the source device. | fortisiem.hostMACAddr fortisiem.srcMACAddr | string |
gen.hostname Normalized hostname of the system generating the log. | fortisiem.hostName | text_general |
gen.proxy.method HTTP request method (e.g., GET, POST). | fortisiem.httpMethod | string |
gen.proxy.referrer HTTP referrer header value. | fortisiem.httpReferrer | string |
gen.proxy.userAgent User agent string from the HTTP request. | fortisiem.httpUserAgent | string |
gen.proxy.bytesReceived Bytes received through the proxy session. | fortisiem.recvBytes | pint |
gen.firewall.bytesReceived Number of bytes received through the firewall session. | fortisiem.recvBytes | plong |
gen.firewall.rule Firewall rule that triggered the event. | fortisiem.ruleName | strings |
gen.firewall.bytesSent Number of bytes sent through the firewall session. | fortisiem.sentBytes | plong |
gen.proxy.bytesSent Bytes sent through the proxy session. | fortisiem.sentBytes | pint |
gen.src.interface Network interface used for the source connection. | fortisiem.srcIntfName | strings |
gen.src.port Source port number. | fortisiem.srcIpPort | pint |
Reference-Specific Fields (72)
| Field | Type |
|---|---|
fortisiem.appCategory Application category identified for the traffic or event. | string |
fortisiem.appTransportProto Transport protocol used by the application (e.g., TCP, UDP). | string |
fortisiem.count Count of occurrences or packets associated with this event. | plong |
fortisiem.customer Customer or tenant name in multi-tenant deployments. | string |
fortisiem.destAction Action taken on the destination side (allow, block, etc.). | string |
fortisiem.destDomain Destination domain name involved in the event. | string |
fortisiem.destIntfName Name of the destination network interface. | string |
fortisiem.destIpAddr Destination IP address for the session or flow. | string |
fortisiem.destIpPort Destination port number. | pint |
fortisiem.destMACAddr Destination MAC address seen on the network. | string |
fortisiem.destName Logical name or label of the destination host or service. | string |
fortisiem.destServiceName Service name on the destination (HTTP, DNS, etc.). | string |
fortisiem.destUser Username authenticated at the destination. | string |
fortisiem.destUserId Unique identifier of the destination user. | plong |
fortisiem.destUserPriv Privilege level of the destination user. | string |
fortisiem.deviceIdentification Identifier of the device reporting the event. | string |
fortisiem.deviceTime9 Timestamp from the device, in milliseconds since epoch. | plong |
fortisiem.domain Domain or realm associated with the event or user. | string |
fortisiem.endTime9 Event end time, in milliseconds since epoch. | plong |
fortisiem.errReason Error reason or message if the event indicates a fault. | text_general |
fortisiem.event Raw event message as received by FortiSIEM. | text_general |
fortisiem.extEventId External event identifier, if correlated from another system. | plong |
fortisiem.fileAccess Type of file access (read, write, delete, etc.). | string |
fortisiem.fileId Unique identifier of the file accessed. | string |
fortisiem.fileModificationTime9 File modification time, in milliseconds since epoch. | plong |
fortisiem.fileName Name of the file involved in the event. | string |
fortisiem.filePath Full path of the file involved in the event. | string |
fortisiem.fileSize Size of the file in bytes. | plong |
fortisiem.fileType Type or extension of the file (exe, txt, docx, etc.). | string |
fortisiem.hashCode Hash value of the file or payload (MD5, SHA1, etc.). | string |
fortisiem.header.eventClassID CEF event class ID field. | string |
fortisiem.header.message CEF message field with the event summary. | text_general |
fortisiem.header.product CEF product field indicating the log source product. | string |
fortisiem.header.productVersion CEF product version field. | string |
fortisiem.header.severity CEF severity field indicating event criticality. | pint |
fortisiem.header.vendor CEF same-vendor field indicating the log source vendor. | string |
fortisiem.hostIpAddr IP address of the host generating the event. | string |
fortisiem.hostMACAddr MAC address of the host generating the event. | string |
fortisiem.hostName Hostname of the device generating the event. | string |
fortisiem.httpCookie HTTP cookie string sent by the client. | string |
fortisiem.httpMethod HTTP method used (GET, POST, PUT, DELETE). | string |
fortisiem.httpReferrer Value of the HTTP Referer header. | string |
fortisiem.httpUserAgent User-Agent header string from the HTTP request. | string |
fortisiem.inIncidentEventIdList List of incident-related event IDs this record belongs to. | string |
fortisiem.incidentDetail Detailed description if the event is linked to an incident. | text_general |
fortisiem.incidentId Identifier of the incident in FortiSIEM. | string |
fortisiem.infoURL URL to additional information or documentation for the event. | string |
fortisiem.ipProto IP protocol number (e.g., 6 for TCP, 17 for UDP). | string |
fortisiem.msg Free-form message field with event-specific details. | text_general |
fortisiem.phCustId Placeholder customer ID for future use. | string |
fortisiem.postNATHostIpAddr Host IP address after NAT translation. | string |
fortisiem.postNATSrcIpAddr Source IP address after NAT translation. | string |
fortisiem.postNATSrcIpPort Source port after NAT translation. | string |
fortisiem.procId Process identifier on the host. | string |
fortisiem.procName Name of the process generating the event. | string |
fortisiem.rawEvent Unparsed raw event string. | text_general |
fortisiem.recvBytes Number of bytes received by the host. | plong |
fortisiem.ruleName Name of the FortiSIEM rule that matched this event. | string |
fortisiem.sentBytes Number of bytes sent by the host. | plong |
fortisiem.serviceName Name of the service or application involved. | string |
fortisiem.srcDomain Source domain or realm of the user or device. | string |
fortisiem.srcIntfName Name of the source network interface. | string |
fortisiem.srcIpAddr Source IP address that initiated the event. | string |
fortisiem.srcIpPort Source port that initiated the connection or event. | plong |
fortisiem.srcMACAddr MAC address of the source device. | string |
fortisiem.srcName Logical name of the source host or user. | string |
fortisiem.srcUser Username of the source that initiated the event. | string |
fortisiem.srcUserPriv Privilege level of the source user. | string |
fortisiem.startTime9 Event start time, in milliseconds since epoch. | plong |
fortisiem.supervisorName Name of the supervising controller or manager. | string |
fortisiem.targetProcId Process ID on the target host. | string |
fortisiem.targetProcName Name of the process on the target host. | string |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.