How to enable ‘httpmethod’ and ‘referrer url’ parameters in HTTP transaction logs for FortiAnalyzer or syslog or FortiSIEM

This article describes how to enable the ‘httpmethod’ and ‘referrer url’ parameters in the HTTP transaction logs sent to FortiAnalyzer, syslog, or FortiSIEM.

Scope

FortiProxy.

Solution

The default HTTP transaction logs in FortiProxy do not include the ‘http method’ and ‘referrer URL’ parameters.

To include the ‘http method’ and ‘referralurl’ parameters in FortiProxy logs, configure the firewall policy to set log-http-transaction to all and enable extended-log:

config firewall policy
    edit <policy id>
        set logtraffic all
        set logtraffic-start enable
        set log-http-transaction all
        set extended-log enable
    next
end

After enabling the settings, the ‘http method’ and ‘referralurl’ parameters appear in the logs.

FortiProxy:

date=2024-08-12 time=13:12:47 eventtime=1723457567180725453 tz="+0300" logid="0010000099" type="traffic" subtype="http-transaction" level="notice" vd="root" srcip=10.212.3.1 dstip=147.182.197.70 clientip=10.212.3.1 scheme="http" srcport=64088 dstport=80 hostname="www.nekocloud.com" url="http://www.nekocloud.com/vendor/jquery-easing/jquery.easing.min.js" prefetch=0 policyid=23 sessionid=1231606552 transid=67108915 reqlength=360 resplength=1160 rcvdbyte=1160 sentbyte=360 resptype="normal" referralurl="http://www.nekocloud.com/" httpmethod="GET" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0" statuscode="200" rawdata="Time=336ms|Header-Host=www.nekocloud.com|Response-Content-Type=text/javascript" reqtime=1723457566 resptime=1723457567 respfinishtime=1723457567 duration=335 appcat="unscanned"

FortiAnalyzer:

logver=0704040603 idseq=229240816239902721 itime=1723453889 devid="FPX2KET318000006" devname="MRJ-FortiProxy-SEC-02" vd="root" date=2024-08-12 time=13:12:47 eventtime=1723457567180725453 tz="+0300" logid="0010000099" type="traffic" subtype="http-transaction" level="notice" srcip=10.212.3.1 dstip=147.182.197.70 clientip=10.212.3.1 scheme="http" srcport=64088 dstport=80 hostname="www.nekocloud.com" url="http://www.nekocloud.com/vendor/jquery-easing/jquery.easing.min.js" prefetch=0 policyid=23 sessionid=1231606552 transid=67108915 reqlength=360 resplength=1160 rcvdbyte=1160 sentbyte=360 resptype="normal" referralurl="http://www.nekocloud.com/" httpmethod="GET" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0" statuscode="200" rawdata="Time=336ms|Header-Host=www.nekocloud.com|Response-Content-Type=text/javascript" reqtime=1723457566 resptime=1723457567 respfinishtime=1723457567 duration=335 appcat="unscanned"
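
To confirm on the receiving side that the new fields actually arrive, the records can be parsed and counted per policy. The following is an added example, not part of the original article or Fortinet code: a small Python parser for the key=value format shown above that reports, for each policyid, how many http-transaction records carry httpmethod and referralurl. The function names are hypothetical, the first sample line is trimmed from the FortiProxy record above, and the other two are constructed.

```python
import re
from collections import defaultdict

# key=value pairs; a value is either "quoted" (may contain spaces and '=') or a bare token
PAIR_RE = re.compile(r'(?<!\S)([\w-]+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')
EXTENDED_FIELDS = ("httpmethod", "referralurl")

def parse_kv(line):
    """Parse one key=value log line into a dict of strings."""
    return {key: (quoted if quoted else bare)
            for key, quoted, bare in PAIR_RE.findall(line)}

def coverage_by_policy(lines):
    """Per policyid: total http-transaction records and how many carry each field."""
    stats = defaultdict(lambda: {"total": 0, **{f: 0 for f in EXTENDED_FIELDS}})
    for line in lines:
        rec = parse_kv(line)
        if rec.get("subtype") != "http-transaction":
            continue  # other traffic subtypes are out of scope for this check
        entry = stats[rec.get("policyid", "unknown")]
        entry["total"] += 1
        for field in EXTENDED_FIELDS:
            if field in rec:
                entry[field] += 1
    return dict(stats)

def policies_missing_method(lines):
    """Policy ids whose http-transaction records never include httpmethod."""
    cov = coverage_by_policy(lines)
    return sorted(p for p, s in cov.items() if s["httpmethod"] == 0)

SAMPLE = [
    # trimmed from the FortiProxy record shown in the article
    'date=2024-08-12 time=13:12:47 type="traffic" subtype="http-transaction" policyid=23 '
    'url="http://www.nekocloud.com/vendor/jquery-easing/jquery.easing.min.js" '
    'referralurl="http://www.nekocloud.com/" httpmethod="GET" statuscode="200" '
    'rawdata="Time=336ms|Header-Host=www.nekocloud.com|Response-Content-Type=text/javascript"',
    # constructed: same shape without the two fields, hypothetical policy 7
    'date=2024-08-12 time=13:12:48 type="traffic" subtype="http-transaction" policyid=7 '
    'url="http://www.nekocloud.com/" statuscode="200"',
    # constructed: not an http-transaction record, so it is ignored
    'date=2024-08-12 time=13:12:49 type="traffic" subtype="forward" policyid=7',
]

if __name__ == "__main__":
    for policy, counts in sorted(coverage_by_policy(SAMPLE).items()):
        print(policy, counts)
    print("policies without httpmethod:", policies_missing_method(SAMPLE))
```

A policy listed by policies_missing_method is a candidate for checking the log-http-transaction and extended-log settings shown above.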