Parsers and Generated Fields | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Search Archives Contacting Support

Parsers and Generated Fields

Tag Fields Created by Parser fortinet-fortimail

#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type

Fields Identified by Parser fortinet-fortimail

Source Field	CPS Field	Description	Mapping
Vendor.log.date, Vendor.log.time	@timestamp	Event timestamp	Parsed from Vendor.log.date and Vendor.log.time using format function
Vendor.log.domain	destination.domain	Destination domain name	Copied from Vendor.log.domain (lowercased)
Vendor.log.dst_ip	destination.ip	Destination IP address	Copied from Vendor.log.dst_ip
None	ecs.version	ECS schema version	Static value: 8.17.0
Vendor.log.direction	email.direction	Email flow direction	Copied from Vendor.log.direction
Vendor.log.from	email.from.address[]	Sender email address	Extracted from Vendor.log.from using regex patterns
Vendor.log.message_id	email.message_id	Email message identifier	Copied from Vendor.log.message_id
Vendor.log.subject	email.subject	Email subject line	Copied from Vendor.log.subject
Vendor.log.to	email.to.address	Recipient email addresses	Parsed from Vendor.log.to using splitString function
Vendor.log.mailer	email.x_mailer	Email client information	Copied from Vendor.log.mailer
Vendor.log.action	event.action	Action performed	Copied from Vendor.log.action when not "none" or "unknown"
Vendor.log.type, Vendor.log.subtype	event.category[]	Event categorization	Array populated based on log type and subtype conditions
event.module, Vendor.log.type	event.dataset	Dataset identifier	Formatted using event.module and Vendor.log.type
Vendor.log.log_id	event.id	Event identifier	Copied from Vendor.log.log_id
None	event.kind	Event kind classification	Static value: event
None	event.module	Module name	Static value: fortimail
Vendor.log.status, Vendor.log.msg	event.outcome	Event outcome	Determined based on status and message content
Vendor.log.classifier	event.reason	Event classification reason	Copied from Vendor.log.classifier
Vendor.log.log_part	event.sequence	Event sequence number	Copied from Vendor.log.log_part
log.level	event.severity	Event severity score	Mapped from log.level using severity mapping
Vendor.log.type, Vendor.log.msg	event.type[]	Event type classification	Array populated based on log type and message patterns
Vendor.log.pri	log.level	Log priority level	Copied from Vendor.log.pri
log.syslog.priority, log.syslog.severity.code	log.syslog.facility.code	Syslog facility code	Calculated from log.syslog.priority and severity
@rawstring	log.syslog.priority	Syslog priority value	Extracted from syslog header using regex
log.level	log.syslog.severity.code	Syslog severity code	Mapped from log.level using severity codes
Vendor.log.ui	network.protocol	Network protocol	Extracted from Vendor.log.ui using regex pattern
Vendor.log.polid	rule.id	Policy rule identifier	Copied from Vendor.log.polid
Vendor.log.domain	server.domain	Server domain name	Copied from Vendor.log.domain (lowercased)
Vendor.log.client_name	source.address	Source hostname	Copied from Vendor.log.client_name (lowercased)
Vendor.log.client_cc	source.geo.country_iso_code	Source country code	Copied from Vendor.log.client_cc
Vendor.log.client_ip, Vendor.log.src, Vendor.log.ui	source.ip	Source IP address	Copied from Vendor.log.client_ip or Vendor.log.src when valid IP
Vendor.log.virus	threat.indicator.name	Threat indicator name	Copied from Vendor.log.virus
url.original	url.domain	URL domain component	Parsed from url.original
Vendor.log.url	url.original	Original URL	Copied from Vendor.log.url
Vendor.log.user	user.name	Username	Copied from Vendor.log.user when available

Enter search term