FortiSIEM Event Attribute Master List Troubleshooting

Event Attribute Master List

This section describes the master list of event attributes. Incoming events are parsed into these attributes, which are then used in AccelOps analytics (rules, reports and searches). Event attributes fall into the following broad categories:

Generic Attributes

Network Attributes

System Attributes

Application Attributes

Environmental Attributes

Generic Attributes

| Name | Id | Type | Description |
|---|---|---|---|
| Event Type | eventType | string | Event type set to PH_DEV_MON_SYS_CPU_UTIL |
| Event Name | eventName | string | |
| Event Severity | eventSeverity | uint16 | Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity) |
| Event Severity Category | eventSeverityCat | string | Set to Low. In general, takes the values Low, Medium and High. Event severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High |
| IPS Event Risk Rating | ipsEvRR | | |
| IPS Event Threat Rating | ipsEvTR | | |
| Event ID | eventId | | |
| Event Receive Time | phRecvTime | Date | Time at which AccelOps generated this event |
| Device Time | deviceTime | Date | |
| Event Action | eventAction | uint16 | |
| Reporting IP | reptDevIpAddr | Date | IP address of the device reporting this event. In this case set to the device reporting the utilization (same as the Host Name attribute) |
| Reporting Device Name | reptDevName | string | |
| Relaying IP | relayDevIpAddr | Date | IP address of the device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address, but in this case, since AccelOps talks to the device directly, Relaying IP is set to the AccelOps IP address. |
| Relaying Device Name | relayDevName | string | |
| Raw Event Log | rawEventMsg | string | Raw event containing all attributes in comma-separated “[Attribute] = value” format. |
| Poll Interval | pollIntv | uint32 | Polling interval in seconds |
| Customer ID | phCustId | | |
| Customer Name | customer | | |
| Agent ID | phAgentId | | |
| Event Rate (/sec) | eventsPerSec | | |
| Peak Event Rate (/sec) | peakEventsPerSec | | |
| Event Parse Status | eventParsedOK | | |
| Incident Source | incidentSrc | | |
| Incident Target | incidentTarget | | |
| Incident Reporting IP | incidentRptIp | | |
| Incident Trigger Attribute List | triggerAttrList | | |
| Incident Detail | incidentDetail | | |
| Incident ID | incidentId | | |
| Incident Status | incidentStatus | | |
| Incident First Occurrence Time | incidentFirstSeen | | |
| Incident Last Occurrence Time | incidentLastSeen | | |
| Incident Ticket ID | incidentTicketId | | |
| Incident Ticket Status | incidentTicketStatus | | |
| Incident Ticket User | incidentTicketUser | | |
| Incident Comments | incidentComments | | |
| Incident View Status | incidentViewStatus | | |
| Incident View Users | incidentViewUsers | | |
| Incident Cleared Time | incidentClearedTime | | |
| Incident Cleared User | incidentClearedUser | | |
| Incident Cleared Reason | incidentClearedReason | | |
| Incident Notification Recipients | incidentNotiRecipients | | |
Network Attributes

| Name | Id | Type | Description |
|---|---|---|---|
| Source IP | srcIpAddr | IP | Source IP address of the flow |
| Source Host Name | srcName | | |
| Host IP | hostIpAddr | IP | |
| Host Name | hostName | | |
| Dest IP | destIpAddr | IP | Destination IP address of the flow |
| Dest Name | destName | | |
| Source MAC | srcMACAddr | | |
| Dest MAC | destMACAddr | | |
| Host MAC | hostMACAddr | | |
| IP Protocol | ipProto | uint16 | IP protocol, e.g. TCP/UDP/GRE/ICMP |
| Source TCP/UDP Port | srcIpPort | uint16 | Source TCP/UDP port |
| Dest TCP/UDP Port | destIpPort | uint16 | Destination TCP/UDP port |
| ICMP Type | icmpType | uint16 | ICMP type |
| ICMP Code | icmpCode | uint16 | ICMP code |
| IP Type of Service | tos | uchar | IP Type of Service |
| Sent TCP Flags | srcDestTCPFlags | uchar | OR-ed TCP flags from source to destination |
| Received TCP Flags | destSrcTCPFlags | uchar | OR-ed TCP flags from destination to source |
| Source Intf SNMP Index | srcSnmpIntfIndex | uint16 | Source SNMP interface index |
| Dest Intf SNMP Index | destSnmpIntfIndex | uint16 | Destination SNMP interface index |
| Source Intf Name | srcIntfName | | |
| Dest Intf Name | destIntfName | | |
| Host Intf Name | intfName | | |
| Source Autonomous System Number | srcASNum | uint16 | Source autonomous system number |
| Dest Autonomous System Number | destASNum | uint16 | Destination autonomous system number |
| Source VLAN | srcVLAN | | |
| Dest VLAN | destVLAN | | |
| Host VLAN | hostVLAN | | |
| Sent Bytes | sentBytes | uint32 | Bytes sent in this flow |
| Sent Packets | sentPkts | uint32 | Packets sent in this flow |
| Sent Bytes Rate (/sec) | sentBytesPerSec | | |
| Received Bytes | recvBytes | uint32 | Bytes received in this flow |
| Received Packets | recvPkts | uint32 | Packets received in this flow |
| Received Bytes Rate (/sec) | recvBytesPerSec | | |
| Total Bytes | totBytes | | |
| Total Packets | totPkts | | |
| Total Byte Rate (/sec) | totBytesPerSec | | |
| Total Packet Rate (/sec) | totPktsPerSec | | |
| Duration | durationMsec | | |
| Intf Out Queue Length | outQlen | | |
| In Packet Error | inIntfPktErr | | |
| Out Packet Error | outIntfPktErr | | |
| In Packet Error Pct | inIntfPktErrPct | | |
| Out Packet Error Pct | outIntfPktErrPct | | |
| In Intf Util | inIntfUtil | double | |
| Out Intf Util | outIntfUtil | double | |
| In Packet Discard | inIntfPktDiscarded | | |
| Out Packet Discard | outIntfPktDiscarded | | |
| In Packet Discard Pct | inIntfPktDiscardedPct | | |
| Out Packet Discard Pct | outIntfPktDiscarded | | |
| Source Firewall Zone | srcFwZone | | |
| Dest Firewall Zone | destFwZone | | |
| Min Jitter | minJitterMs | | |
| Max Jitter | maxJitterMs | | |
| Avg Jitter | avgJitterMs | | |
| Min SD Jitter | minJitterSDMs | | |
| Max SD Jitter | maxJitterSDMs | | |
| Avg SD Jitter | avgJitterSDMs | | |
| Min DS Jitter | minJitterDSMs | | |
| Max DS Jitter | maxJitterDSMs | | |
| Avg DS Jitter | avgJitterDSMs | | |
| Packets Lost | pktLost | | |
| Packets SD Lost | pktLostSD | | |
| Packets DS Lost | pktLostDS | | |
| Packets Missing | pktMIA | | |
| Packets Late | pktLate | | |
| Packets Out-of-Seq | pktOutSeq | | |
| VoIP MOS Score | mosScore | | |
| VoIP ICPIF Score | icpifScore | | |
| VoIP Codec | codec | | |
| VoIP Phone Status | voIPPhoneStatus | | |
| Calling Party Number | callingPartyNumber | | |
| Original Called Party Number | originalCalledPartyNumber | | |
| Final Called Party Number | finalCalledPartyNumber | | |
| Call Connect Time | dateTimeConnect | | |
| Call Disconnect Time | dateTimeDisconnect | | |
| Call Duration | callDuration | | |
| CBQoS Policy Name | qosPolicy | | |
| CBQoS Class Name | qosClass | | |
| CBQoS Conform KBps | qosConformRate | | |
| CBQoS Exceeded KBps | qosExceedRate | | |
| CBQoS Violated KBps | qosViolateRate | | |
| CBQoS PrePolice KBps | qosPrePoliceRate | | |
| CBQoS PostPolice KBps | qosPostPoliceRate | | |
| CBQoS Drop KBps | qosDropRate | | |
| CBQoS Drop Pct | qosDropPct | | |
| CBQoS Curr Queue Length | qosCurrQueue | | |
| CBQoS Max Queue Length | qosMaxQueue | | |
| CBQoS Discarded Pkt | qosDiscardPkt | | |
| OSPF State | ospfState | | |
| BGP State | bgpState | | |
| OSPF Area Id | ospfAreaId | | |
| Source FiberChannel WWN Id | srcWWN | | |
| Dest FiberChannel WWN Id | destWWN | | |
| | wlanSsid | | |
| | wlanControllerIp | | |
| | wlanContrHostName | | |
| | wlanUserCount | | |
| | wlanSuppChannels | | |
| | wlanSendutil | | |
| | wlanRecvUtil | | |
| | wlanChannelUtil | | |
| | wlanPoorSNRUserCount | | |
| | ifLoadProfile | | |
| | ifIntefProfile | | |
| | ifCoverageProfile | | |
| | ifNoiseProfile | | |
| | wlanRssi | | |
| | wlanSnr | | |
| | wlanMobilityStatus | | |
| | wlanProtocol | | |
| | wlanAssocUpTime | | |
| | wlanMaxHostTxmitRate | | |
| | ifCoverageIndx | | |
| | ifNoseIndx | | |
| | ifIntefIndex | | |
System Attributes

| Name | Id | Type | Description |
|---|---|---|---|
| Computer | computer | | |
| Target Computer | targetComputer | | |
| Domain | domain | | |
| Target Domain | targetDomain | | |
| Source Domain | srcDomain | | |
| Destination Domain | destDomain | | |
| Operating System Type | osType | | |
| Operating System Version | osVersion | | |
| File Name | fileName | | |
| Object Type | osObjType | | |
| Object Name | osObjName | | |
| Target Object Type | targetOsObjType | | |
| Target Object Name | targetOsObjName | | |
| Object Handle | osObjHandleID | | |
| Object Access Type | osObjAccessType | | |
| Object Action | osObjAction | | |
| System Uptime | sysUpTime | | |
| System Uptime Pct | sysUpTimePct | double | |
| System Downtime | sysDownTime | | |
| CPU Name | cpuName | string | |
| CPU Utilization | cpuUtil | double | Overall CPU utilization (between 0-100). The number is an average over all CPUs in a multi-CPU system. |
| User CPU Utilization | userCpuUtil | double | User CPU utilization (between 0-100). The number is an average over all CPUs in a multi-CPU system. Available for Linux (via SNMP) only. |
| System CPU Utilization | sysCpuUtil | double | System CPU utilization (between 0-100). The number is an average over all CPUs in a multi-CPU system. Available for Linux (via SNMP) only. |
| Memory Name | memName | string | |
| Memory Utilization | memUtil | double | |
| Free Memory (KB) | freeMemKB | uint32 | |
| Buffer Memory (KB) | bufMemKB | uint32 | |
| Cache Memory (KB) | cacheMemKB | uint32 | |
| Swap Memory Utilization | swapMemUtil | double | |
| Free Swap Memory (KB) | freeSwapMemKB | uint32 | |
| Minimum Swap Memory (KB) | memMinimumSwap | uint32 | |
| Swap Memory Error Message | swapMemErrorString | string | |
| Swap Read (Pages/sec) | swapInRate | double | |
| Swap Write (Pages/sec) | swapOutRate | double | |
| Total Swap (Pages/sec) | swapRate | double | |
| Swap Read (KBps) | swapReadKBytesPerSec | | |
| Swap Write (KBps) | swapWriteKBytesPerSec | | |
| Total Read I/O Rate (KBps) | ioReadKBytesPerSec | | |
| Total Write I/O Rate (KBps) | ioWriteKBytesPerSec | | |
| Disk Name | diskName | | |
| Disk Utilization | diskUtil | | |
| Free Disk (MB) | freeDiskMB | | |
| Total Disk (MB) | totalDiskMB | | |
| Used Disk (MB) | usedDiskMB | | |
| Disk Queue Length | diskQLen | | |
| Current Daily Disk Growth | diskGrowthMBDaily | | |
| Current Weekly Disk Growth | diskGrowthMBWeekly | | |
| Current Monthly Disk Growth | diskGrowthMBMonthly | | |
| Average Daily Disk Growth | avgDiskGrowthMBDaily | | |
| Average Weekly Disk Growth | avgDiskGrowthMBWeekly | | |
| Average Monthly Disk Growth | avgDiskGrowthMBMonthly | | |
| Days To Disk Full | timeToDiskFull | | |
| RAID Group Id | raidGrpId | | |
| RAID Type | raidType | | |
Application Attributes

| Name | Id | Type | Description |
|---|---|---|---|
| Application Name | appName | string | Short descriptive name of the process, e.g. “Microsoft IIS” |
| Application Group Name | appGroupName | string | Name of the application group to which the process belongs, e.g. “Microsoft IIS” |
| Software Name | swProcName | string | Process/executable name, e.g. svchost.exe |
| Software Param | swParam | string | Process/executable parameters, e.g. “-k iissvc” |
| CPU Utilization | cpuUtil | double | Process CPU utilization (between 0-100). |
| Memory Utilization | memUtil | double | Process memory utilization (between 0-100). |
| Real Peak Memory (KB) | realMemPeakKBytes | uint32 | Peak real memory usage (KBytes). |
| Disk Read Rate (KBps) | diskReadKBytesPerSec | double | Process disk read rate (KBytes/sec). |
| Disk Write Rate (KBps) | diskWriteKBytesPerSec | double | Process disk write rate (KBytes/sec). |
Environmental Attributes

| Name | Id | Type | Description |
|---|---|---|---|
| Hardware Status | hwStatusCode | string | |
| Hardware Battery Status | hwBatteryStatus | | |
| Hardware Disk Status | hwDiskStatus | | |
| Hardware Power Supply Status | hwPowerSupplyStatus | | |
| Hardware Temp Sensor Status | hwTempSensorStatus | | |
| Hardware Fan Status | hwFanStatus | | |
| Hardware Amp Status | hwAmpStatus | | |
| Hardware Voltage Status | hwVoltageStatus | | |
| Hardware Memory Status | hwMemoryStatus | | |
| Hardware Log Status | hwLogStatus | | |
| Hardware Processor Status | hwProcStatus | | |
| Hardware Power Chord Status | hwPowerChordStatus | | |
| Hardware Storage Controller Status | hwStorageControllerStatus | | |
| Hardware Storage Channel Status | hwStorageChannelStatus | | |
| Hardware Storage Enclosure Status | hwStorageEnclosureStatus | | |
| Hardware Power Supply Status | hwStoragePowerSupplyStatus | | |
| Hardware Storage Fan Status | hwStorageFanStatus | | |
| Hardware Storage Temp Status | hwStorageTempStatus | | |
| Hardware EMM Status | hwStorageEMMStatus | | |
| Hardware Log Disk Status | logDiskStatus | | |
| Failed Power Supply Count | hwFailedPowerSupplyCount | | |
| Storage LLC Status | hwLLCStatus | | |
| Storage Link Status | hwLinkStatus | | |
| Storage Port Status | hwPortStatus | | |
| Hardware Misc Component Status | hwMiscCompStatus | | |
| Hot Spare Disk Count | hwHotSpareDiskCount | | |
| UPS Battery Status | upsBatteryStatus | | |
| UPS Remaining Battery Charge (Pct) | upsRemainBatteryChargePct | | |
| UPS Replace Battery Indicator | upsReplaceBatteryIndicator | | |
| UPS Time On Battery (sec) | upsTimeOnBattery | | |
| UPS Output Status | upsBasicOutputStatus | | |
| UPS Output Load | upsAdvOutputLoad | | |
| UPS Output Voltage (V) | upsAdvOutputVoltage | | |
| UPS Output Frequency (Hz) | upsAdvOutputFreq | | |
| UPS Battery Current (Amp) | upsBatteryCurrent | | |
| UPS Battery Temperature (C) | upsBatteryTempC | | |
| UPS Battery Voltage | upsBatteryVoltage | | |
| UPS Estimated Time Remaining (sec) | upsEstSecRemain | | |
| Temperature (C) | envTempDegC | | |
| High Temperature Threshold (C) | envTempHighThreshDegC | | |
| Low Temperature Threshold (C) | envTempLowThreshDegC | | |
| Temperature Offset High (C) | envTempOffHighDegC | | |
| Temperature Offset Low (C) | envTempOffLowDegC | | |
| Temperature (F) | envTempDegF | | |
| High Temperature Threshold (F) | envTempHighThreshDegF | | |
| Low Temperature Threshold (F) | envTempLowThreshDegF | | |
| Temperature Offset High (F) | envTempOffHighDegF | | |
| Temperature Offset Low (F) | envTempOffLowDegF | | |
| Relative Humidity | envHumidityRel | | |
| High Relative Humidity Threshold | envHumidityRelHighThresh | | |
| Low Relative Humidity Threshold | envHumidityRelLowThresh | | |
| Humidity Offset High | envHumidityOffHigh | | |
| Humidity Offset Low | envHumidityOffLow | | |
| Liebert HVAC System State | lgpSystemState | | |
| Liebert HVAC Cooling State | lgpCoolingState | | |
| Liebert HVAC Heating State | lgpHeatingState | | |
| Liebert HVAC Humidifying State | lgpHumidState | | |
| Liebert HVAC Dehumidifying State | lgpDehumidState | | |
| Liebert HVAC Economy Cycle State | lgpEconCycle | | |
| Liebert HVAC Fan State | lgpFanState | | |
| Liebert HVAC Cooling Capacity | envCoolCap | | |
| Liebert HVAC Heating Capacity | envHeatCap | | |
| | outputVoltageXNVolts | | |

This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “FortiSIEM Event Attribute Master List Troubleshooting”

  1. Andre

    Hi, I'm training on a FortiSIEM all-in-one Supervisor VM and can't find any troubleshooting steps on phtools or what to do when the PH QueryMaster is down and I am getting a critical health warning on localhost?