Fortinet FortiGate
FortiGate next-gen firewall logs — traffic forwarding, UTM security modules (web filter, IPS, app control, DNS filter, antivirus), anomaly detection, and system operational events across the full FortiOS log taxonomy.
Quick Start
```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/network-fortigate/generator.yml \
  --id fortigate \
  --live-mode true
```
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| traffic-forward-close | Traffic Forward (session close) | ~46% | network |
| traffic-forward-deny | Traffic Forward (deny) | ~15% | network |
| utm-appctrl | Application Control | ~6% | network |
| traffic-local | Traffic Local (management) | ~5% | network |
| utm-webfilter | FortiGuard Web Filter | ~5% | network |
| utm-dns | DNS Filter/Logging | ~5% | network |
| event-system | System Admin Events | ~4% | authentication |
| utm-ips | IPS Signature Detection | ~4% | intrusion_detection |
| event-vpn | VPN Tunnel Events | ~3% | network |
| event-user | User Authentication | ~3% | authentication |
| utm-virus | Antivirus Detection | ~1% | malware |
| utm-anomaly | DoS/Anomaly Detection | ~1% | intrusion_detection |
Realism Features
- Weighted event distributions matching production FortiGate log volumes (traffic ~70%, UTM ~22%, events ~8%)
- FortiGate-specific fields — sessionid, vd, policyid, poluuid, trandisp, srccountry/dstcountry, crscore/crlevel
- Zone-aware routing with FortiGate interface naming (port1=WAN, port2=LAN, port3=DMZ)
- VPN tunnel correlation via shared state — tunnel-up events paired with tunnel-down events
- FortiGuard web categories with proper category IDs matching real FortiGuard classification
- GeoIP country names for external IPs weighted by real-world traffic patterns
Sample Output
```json
{
  "@timestamp": "2026-02-21T14:32:07+00:00",
  "event": {
    "action": "close",
    "category": ["network"],
    "code": "0000000013",
    "dataset": "fortinet_fortigate.log",
    "outcome": "success",
    "type": ["connection", "end", "allowed"]
  },
  "source": { "ip": "10.1.1.11", "port": 60446 },
  "destination": { "ip": "172.217.14.206", "port": 443 },
  "network": { "application": "HTTPS.BROWSER", "direction": "outbound", "transport": "tcp" },
  "observer": {
    "name": "fg-01",
    "product": "Fortigate",
    "serial_number": "FG200F2024000001",
    "vendor": "Fortinet"
  },
  "fortinet": {
    "firewall": { "subtype": "forward", "type": "traffic", "vd": "root" }
  }
}
```
Parameters
| Parameter | Default | Description |
|---|---|---|
| hostname | fg-01 | FortiGate device hostname |
| domain | example.com | Domain name |
| serial_number | FG200F2024000001 | FortiGate serial number |
| vdom | root | Virtual domain name |
| nat_ip | 198.51.100.1 | NAT/public IP |
| agent_id | e4f8c1a2-... | Filebeat agent UUID |
| agent_version | 8.17.0 | Filebeat version |
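A consumer-side check for the generated stream, added here as an example and not part of the content pack: it maps each event onto the IDs in the Event Types table using the `fortinet.firewall.type`/`subtype` and `event.action` fields from the Sample Output, tallies the distribution so it can be compared with the Frequency column, and lists sources that accumulate deny/IPS/AV/anomaly events. The field-to-ID mapping and the sample events are assumptions constructed from the shapes shown above.

```python
from collections import Counter

# Assumed mapping (derived from the Sample Output shape) of fortinet.firewall.type,
# fortinet.firewall.subtype and event.action onto this pack's event IDs.
def classify(ev):
    fw = ev.get("fortinet", {}).get("firewall", {})
    ltype, subtype = fw.get("type"), fw.get("subtype")
    action = ev.get("event", {}).get("action")
    if ltype == "traffic" and subtype == "local":
        return "traffic-local"
    if ltype == "traffic" and subtype == "forward":
        return "traffic-forward-deny" if action == "deny" else "traffic-forward-close"
    if ltype in ("utm", "event") and subtype:
        # FortiOS writes the subtype as "app-ctrl"; the table above lists "utm-appctrl"
        return f"{ltype}-{subtype.replace('-', '')}"
    return "unknown"

def distribution(events):
    """Share of each event ID, for comparison with the Frequency column."""
    counts = Counter(classify(e) for e in events)
    total = sum(counts.values()) or 1
    return {eid: n / total for eid, n in counts.items()}

# Event IDs a defender would normally want to aggregate per source
SECURITY_IDS = {"traffic-forward-deny", "utm-ips", "utm-virus", "utm-anomaly"}

def noisy_sources(events, min_hits=2):
    """Source IPs with at least min_hits deny/IPS/AV/anomaly events, sorted."""
    hits = Counter(e["source"]["ip"] for e in events if classify(e) in SECURITY_IDS)
    return sorted(ip for ip, n in hits.items() if n >= min_hits)

def _ev(action, ltype, subtype, src):
    """Constructed fixture mirroring the nesting of the Sample Output."""
    return {"event": {"action": action}, "source": {"ip": src},
            "fortinet": {"firewall": {"type": ltype, "subtype": subtype, "vd": "root"}}}

SAMPLE = [  # constructed sample events, not generator output
    _ev("close", "traffic", "forward", "10.1.1.11"),
    _ev("deny", "traffic", "forward", "10.1.1.42"),
    _ev("deny", "traffic", "forward", "10.1.1.42"),
    _ev("detected", "utm", "ips", "10.1.1.42"),
    _ev("close", "traffic", "local", "10.1.1.7"),
    _ev("blocked", "utm", "app-ctrl", "10.1.1.11"),
]

if __name__ == "__main__":
    print(distribution(SAMPLE))
    print(noisy_sources(SAMPLE))
```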
Related Generators
Cisco ASA Firewall
Cisco ASA adaptive security appliance syslog — TCP/UDP/ICMP connection lifecycle, ACL permit/deny decisions, NAT translations, VPN tunnel events, and failover status messages.
Check Point Security Gateway
Check Point Security Gateway SmartLog — 8 software blades including Firewall, IPS, Application Control, URL Filtering, Anti-Bot, Anti-Virus, Threat Emulation, and Identity Awareness.
Network Traffic (Continent-Level Geo)
Network traffic events enriched with continent-level geographic information. Models cross-continent and same-continent flows for both inbound and outbound directions, with realistic allow/deny outcomes based on geographic policy.