FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
vschmitt_FTNT
Article Id 197404
Description
In FortiAnalyzer Log View, Event / System, the administrator can add "More Columns" to the view.

The column list includes User Name, Admin Name, Virtual Domain and VDOM Name.

An administrator who wants the user and VDOM attributes of an Event Log entry may pick Admin Name and VDOM Name by mistake; for an ordinary event log those columns stay empty.

The columns User Name and Virtual Domain are the ones that carry this information from the Event Log.

 
Consider this event log:

          itime=2020-04-10 11:27:02 vd=root dstepid=3 cfgtid=8782704 devid=FGT92 cfgpath=system.vdom logdesc=Object attribute configured msg=Edit system.vdom vdom1idseq=149669063503642629 type=event eventtime=1586510817 dtime=2020-04-10 11:26:57 devname=clusterha_FGT92D dsteuid=0 cfgattr=vcluster-id[0->1] itime_t=1586510822 user=admin date=2020-04-10 level=information epid=3 logid=0100044547 subtype=system ui=GUI(171.23.4.3) time=11:26:57 action=Edit euid=3

The vd attribute is mapped to the Virtual Domain column in the GUI.

The user attribute is mapped to the User Name column in the GUI.

Solution
VDOM Name field

As per the FortiGate Log Message Reference:
vd - "Virtual Domain" - The virtual domain where the traffic was logged (or where the action occurred).
vdname - "VDOM Name" - The name of the virtual domain to which the VDOM has been moved.

The "VDOM Name" field is used with Virtual Cluster only, and contain name of moved (or added) vdom, since vd will be "root" in this case.

[Screenshot: faz_column_vcluster.PNG - Log View with the Virtual Domain and VDOM Name columns on a virtual-cluster event]



Admin Name field

This field is used for user quarantine and records which administrator performed the action.
1. When a user is quarantined by source address from FortiView, check Log -> System Events in the FortiGate GUI or CLI; the following log is generated:

    1: date=2017-02-06 time=15:49:36 logid="0100043776" type="event" subtype="system" level="notice" vd="root" logdesc="NAC quarantine" srcip=192.168.4.47 action="ban-ip" banned_src="admin" admin="admin" duration=1800 msg="An administrative ban  was created"

2. When the quarantine is removed from Monitor -> User Quarantine, Log -> System Events in the GUI or CLI shows the following log:

    1: date=2017-02-06 time=15:55:26 logid="0100043776" type="event" subtype="system" level="notice" vd="root" logdesc="NAC quarantine" srcip=N/A action="clear-bans" banned_src="admin" admin="admin" msg="A ban was cleared"

The admin attribute is therefore what the Admin Name column shows in FortiAnalyzer: the administrator who requested (or cleared) the administrative ban. For ordinary configuration events that attribute is absent, which is why the column is empty there.
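To see the column-to-attribute mapping from both sections above in one place, here is an added Python example (written for this article, not Fortinet code) that parses FortiGate key=value log lines and renders the four columns the way Log View would. The parser, the COLUMNS/_SIBLING tables and suggest_column are this example's own construction based on the mapping the article describes; the virtual-cluster sample line is constructed (the article gives no raw example of one), the other three are modelled on the logs quoted above.

```python
import re
from typing import Dict, List, Optional

# FortiGate log records are space-separated key=value pairs. Values are either
# double-quoted (may contain spaces) or bare; in the raw form FortiAnalyzer
# shows, bare values can also contain spaces (itime=2020-04-10 11:27:02), so a
# bare value runs until the next " key=" token or the end of the line.
_KV = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(.*?))(?=\s+\w+=|\s*$)')
_CLI_PREFIX = re.compile(r"^\s*\d+:\s*")  # "1: " index printed by the FortiGate CLI


def parse_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate log line into an attribute dictionary."""
    line = _CLI_PREFIX.sub("", line.strip())
    record: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.groups()
        record[key] = quoted if quoted is not None else bare
    return record


# Column label in FortiAnalyzer Log View -> log attribute it reads
# (mapping as described in the article).
COLUMNS = {
    "User Name": "user",
    "Admin Name": "admin",
    "Virtual Domain": "vd",
    "VDOM Name": "vdname",
}

# Columns that are easily confused with each other (example's own table).
_SIBLING = {
    "Admin Name": "User Name",
    "User Name": "Admin Name",
    "VDOM Name": "Virtual Domain",
    "Virtual Domain": "VDOM Name",
}


def column_value(record: Dict[str, str], column: str) -> Optional[str]:
    """Value Log View would show in `column`, or None if the attribute is absent."""
    return record.get(COLUMNS[column])


def suggest_column(record: Dict[str, str], column: str) -> Optional[str]:
    """If `column` is empty for this record but its sibling column has data, return the sibling."""
    if column_value(record, column) is not None:
        return None
    sibling = _SIBLING.get(column)
    if sibling and column_value(record, sibling) is not None:
        return sibling
    return None


def render(lines: List[str], columns: List[str]) -> List[Dict[str, Optional[str]]]:
    """One row per log line, keyed by column label, as the Log View table would show it."""
    return [{c: column_value(parse_log(line), c) for c in columns} for line in lines]


# Constructed sample input (labelled per line).
SAMPLE_LOGS = [
    # Modelled on the config-edit event in the article, in FortiAnalyzer's unquoted raw form.
    "itime=2020-04-10 11:27:02 vd=root devid=FGT92 cfgpath=system.vdom "
    "logdesc=Object attribute configured msg=Edit system.vdom vdom1 type=event "
    "user=admin level=information logid=0100044547 subtype=system ui=GUI(171.23.4.3) action=Edit",
    # Constructed virtual-cluster event: vd stays root, vdname carries the moved VDOM.
    'date=2020-04-10 time=11:30:00 type=event subtype=system level=information vd=root '
    'vdname=vdom1 user=admin msg="constructed sample: VDOM moved between virtual clusters"',
    # NAC quarantine ban / clear events as quoted in the article (CLI "1:" prefix included).
    '1: date=2017-02-06 time=15:49:36 logid="0100043776" type="event" subtype="system" '
    'level="notice" vd="root" logdesc="NAC quarantine" srcip=192.168.4.47 action="ban-ip" '
    'banned_src="admin" admin="admin" duration=1800 msg="An administrative ban  was created"',
    '1: date=2017-02-06 time=15:55:26 logid="0100043776" type="event" subtype="system" '
    'level="notice" vd="root" logdesc="NAC quarantine" srcip=N/A action="clear-bans" '
    'banned_src="admin" admin="admin" msg="A ban was cleared"',
]

if __name__ == "__main__":
    labels = list(COLUMNS)
    for row in render(SAMPLE_LOGS, labels):
        print({k: (v if v is not None else "") for k, v in row.items()})
    # Which column should the administrator have picked instead?
    print(suggest_column(parse_log(SAMPLE_LOGS[0]), "Admin Name"))  # User Name
    print(suggest_column(parse_log(SAMPLE_LOGS[0]), "VDOM Name"))   # Virtual Domain
```

Running it shows the first row with User Name and Virtual Domain filled and Admin Name and VDOM Name empty, the virtual-cluster row with vdname in VDOM Name while Virtual Domain stays root, and the two quarantine rows with admin in Admin Name and nothing in User Name; suggest_column points at the sibling column whenever the chosen one is empty but the other is not.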

[Screenshot: faz_column_bannedip.PNG - Log View with the Admin Name column on the NAC quarantine events]
