This article explains how FortiAnalyzer handles the renaming of the Status field to Action in FortiOS logs starting with FortiOS 5.2. It also summarizes the possible values of the status and action fields.
As outlined in the FortiOS Log Reference documents for v5.0 and v5.2, the field was renamed in v5.2: FortiGate v4.3 and v5.0 use status, while FortiGate v5.2 and later use action.
FortiAnalyzer v5.2.x must handle both FortiGate v5.0 and v5.2 logs. When FortiAnalyzer collects logs it does not distinguish between log versions; instead it builds a single set of all log fields and values.
In FortiAnalyzer v5.2.x and later, only action is recorded: if a log carries a status value, that value is stored in the action field.
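The normalization described above, as an added example that is not FortiAnalyzer's own code: a small parser for FortiOS key=value log lines (quoted and unquoted values) and a step that folds the v5.0 status field into action so that v5.0 and v5.2 records can be counted together. The sample log lines are constructed for this example and their status/action values are illustrative only; the rule that action wins when a line happens to carry both fields is an assumption, since the article does not state how that case is handled.

```python
import re
from typing import Dict, List

# Matches key=value tokens in a FortiOS log line. The value is either a
# double-quoted string (which may contain spaces and escaped quotes) or an
# unquoted run of non-whitespace characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines in FortiOS 5.0 and 5.2 style (field values are
# illustrative, not a list of the real status/action values).
SAMPLE_V50_LINE = (
    'date=2014-03-05 time=10:15:30 type=traffic subtype=forward level=notice '
    'vd=root srcip=10.1.1.20 dstip=203.0.113.5 proto=6 service=HTTP '
    'status=deny msg="Traffic denied by policy"'
)
SAMPLE_V52_LINE = (
    'date=2015-06-12 time=14:02:11 type=traffic subtype=forward level=notice '
    'vd=root srcip=10.1.1.21 dstip=203.0.113.9 proto=6 service=HTTPS '
    'action=accept'
)
# An event-style line that carries neither field: it must not gain one.
SAMPLE_NO_FIELD_LINE = (
    'date=2015-06-12 time=14:03:00 type=event subtype=system level=information '
    'vd=root msg="Configuration saved"'
)
SAMPLE_LOGS = [SAMPLE_V50_LINE, SAMPLE_V52_LINE, SAMPLE_NO_FIELD_LINE]


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict, unquoting values."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def normalize_action(fields: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the record that only carries action, never status.

    A v5.0 record (status only) gets its status value moved into action.
    A v5.2 record (action only) is returned unchanged.
    If both are present, action is kept and status dropped (assumption).
    A record with neither field is left without an action key.
    """
    out = dict(fields)
    status = out.pop("status", None)
    if "action" not in out and status is not None:
        out["action"] = status
    return out


def normalize_lines(lines: List[str]) -> List[Dict[str, str]]:
    """Parse and normalize a batch of mixed v5.0/v5.2 log lines."""
    return [normalize_action(parse_fortios_log(line)) for line in lines]


def count_actions(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count records per action value; records without one fall under '<none>'."""
    counts: Dict[str, int] = {}
    for rec in records:
        key = rec.get("action", "<none>")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in normalize_lines(SAMPLE_LOGS):
        print(rec.get("type"), rec.get("action", "<none>"))
    print(count_actions(normalize_lines(SAMPLE_LOGS)))
```

Because status is always popped before action is assigned, a report keyed on action sees one consistent field regardless of which FortiOS version produced the line, which is the effect the FortiAnalyzer behaviour above has on its stored logs.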
For FortiGate v5.0, the status field in the traffic log could have five possible values:
For FortiGate v5.2, action could have six possible values:
The FortiGate Log Message Reference v5.0 and FortiOS Log Reference Guide v5.2 are both available in the Fortinet Document Library.
Copyright 2024 Fortinet, Inc. All Rights Reserved.