DescriptionThis article describes time-related fields in FortiAnalyzer.SolutionThe FortiAnalyzer (FAZ) has four time-related log fields: date, time, dtime and itime.
itime is generated by FAZ when it receives a log (with SQL enabled) i.e. FAZ local time.
dtime is calculated by FAZ in UTC using 'data' and 'time' fields received from the FortiGate.
SQL: Only dtime and itime are inserted into sql tables.
GUI: GUI 'Date/time' column is calculated based on itime
Raw Logs: FAZ Raw logs include all four fields.
FAZ logs:
itime=2014-12-29
15:35:09 vd=root rcvdbyte=4831 srccountry=Reserved app=HTTP
transip=172.17.97.181 logver=52 date=2014-12-29 dstip=91.209.8.22
duration=23 sentbyte=578 transport=50925 group=SSO_Guest_Users
service=HTTP proto=6 user=guest devid=FGVM010000016443
poluuid=d2f8f562-8fa2-51e4-e6a8-32600e0bd677 dstport=80 type=traffic
devname=FGTVM52 dtime=2014-12-29 15:35:07 trandisp=snat sessionid=91254
itime_t=1419896109 policyid=5 srcintf=port2 srcip=192.168.1.205
offset_idx=139690533087533 sentpkt=6 level=notice appcat=Not.Scanned
srcport=50925 logid=13 subtype=forward rcvdpkt=7 dstcountry=Bulgaria
time=15:35:07 action=close dstintf=port1
In SQL reporting, these fields have a built-in function to convert the long integer into human readable time format:
- from_itime(itime)
- from_dtime(dtime)
