upload

0100-fortigate_decoders.xml

@@ -0,0 +1,4426 @@
+<decoder name="fortinet-fortigate-firewall">
+  <prematch type="pcre2">^date=\d{4}-\d{2}-\d{2}\s+time=\d{2}:\d{2}:\d{2}\s+devname="[^"]*"\s+devid="[^"]*"\s+eventtime=\d+\s+tz="[^"]*"\s+logid="\d+"</prematch>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>devname="(\.*)"|devname=(\.*)\s|devname=(\.*)$</regex>
+  <order>devname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+accessctrl="(\.*)"|\s+accessctrl=(\.*)\s|\s+accessctrl=(\.*)$</regex>
+  <order>accessctrl</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+accessproxy="(\.*)"|\s+accessproxy=(\.*)\s|\s+accessproxy=(\.*)$</regex>
+  <order>accessproxy</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+acct_stat="(\.*)"|\s+acct_stat=(\.*)\s|\s+acct_stat=(\.*)$</regex>
+  <order>acct_stat</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+acktime="(\.*)"|\s+acktime=(\.*)\s|\s+acktime=(\.*)$</regex>
+  <order>acktime</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+act="(\.*)"|\s+act=(\.*)\s|\s+act=(\.*)$</regex>
+  <order>act</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+action="(\.*)"|\s+action=(\.*)\s|\s+action=(\.*)$</regex>
+  <order>action</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+activity="(\.*)"|\s+activity=(\.*)\s|\s+activity=(\.*)$</regex>
+  <order>activity</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+activitycategory="(\.*)"|\s+activitycategory=(\.*)\s|\s+activitycategory=(\.*)$</regex>
+  <order>activitycategory</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+addr="(\.*)"|\s+addr=(\.*)\s|\s+addr=(\.*)$</regex>
+  <order>addr</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+addr_type="(\.*)"|\s+addr_type=(\.*)\s|\s+addr_type=(\.*)$</regex>
+  <order>addr_type</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+addrgrp="(\.*)"|\s+addrgrp=(\.*)\s|\s+addrgrp=(\.*)$</regex>
+  <order>addrgrp</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+adgroup="(\.*)"|\s+adgroup=(\.*)\s|\s+adgroup=(\.*)$</regex>
+  <order>adgroup</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+admin="(\.*)"|\s+admin=(\.*)\s|\s+admin=(\.*)$</regex>
+  <order>admin</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+advpnsc="(\.*)"|\s+advpnsc=(\.*)\s|\s+advpnsc=(\.*)$</regex>
+  <order>advpnsc</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+age="(\.*)"|\s+age=(\.*)\s|\s+age=(\.*)$</regex>
+  <order>age</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+agent="(\.*)"|\s+agent=(\.*)\s|\s+agent=(\.*)$</regex>
+  <order>agent</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+alarmid="(\.*)"|\s+alarmid=(\.*)\s|\s+alarmid=(\.*)$</regex>
+  <order>alarmid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+alert="(\.*)"|\s+alert=(\.*)\s|\s+alert=(\.*)$</regex>
+  <order>alert</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+analyticscksum="(\.*)"|\s+analyticscksum=(\.*)\s|\s+analyticscksum=(\.*)$</regex>
+  <order>analyticscksum</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+analyticssubmit="(\.*)"|\s+analyticssubmit=(\.*)\s|\s+analyticssubmit=(\.*)$</regex>
+  <order>analyticssubmit</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+anomaly="(\.*)"|\s+anomaly=(\.*)\s|\s+anomaly=(\.*)$</regex>
+  <order>anomaly</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+antiphishdc="(\.*)"|\s+antiphishdc=(\.*)\s|\s+antiphishdc=(\.*)$</regex>
+  <order>antiphishdc</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+antiphishrule="(\.*)"|\s+antiphishrule=(\.*)\s|\s+antiphishrule=(\.*)$</regex>
+  <order>antiphishrule</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ap="(\.*)"|\s+ap=(\.*)\s|\s+ap=(\.*)$</regex>
+  <order>ap</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+apn="(\.*)"|\s+apn=(\.*)\s|\s+apn=(\.*)$</regex>
+  <order>apn</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+app="(\.*)"|\s+app=(\.*)\s|\s+app=(\.*)$</regex>
+  <order>app</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+appact="(\.*)"|\s+appact=(\.*)\s|\s+appact=(\.*)$</regex>
+  <order>appact</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+appcat="(\.*)"|\s+appcat=(\.*)\s|\s+appcat=(\.*)$</regex>
+  <order>appcat</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+apperror="(\.*)"|\s+apperror=(\.*)\s|\s+apperror=(\.*)$</regex>
+  <order>apperror</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+appid="(\.*)"|\s+appid=(\.*)\s|\s+appid=(\.*)$</regex>
+  <order>appid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+applist="(\.*)"|\s+applist=(\.*)\s|\s+applist=(\.*)$</regex>
+  <order>applist</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+apprisk="(\.*)"|\s+apprisk=(\.*)\s|\s+apprisk=(\.*)$</regex>
+  <order>apprisk</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+apscan="(\.*)"|\s+apscan=(\.*)\s|\s+apscan=(\.*)$</regex>
+  <order>apscan</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+apsn="(\.*)"|\s+apsn=(\.*)\s|\s+apsn=(\.*)$</regex>
+  <order>apsn</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+apstatus="(\.*)"|\s+apstatus=(\.*)\s|\s+apstatus=(\.*)$</regex>
+  <order>apstatus</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+aptype="(\.*)"|\s+aptype=(\.*)\s|\s+aptype=(\.*)$</regex>
+  <order>aptype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+assigned="(\.*)"|\s+assigned=(\.*)\s|\s+assigned=(\.*)$</regex>
+  <order>assigned</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+assignip="(\.*)"|\s+assignip=(\.*)\s|\s+assignip=(\.*)$</regex>
+  <order>assignip</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+attachment="(\.*)"|\s+attachment=(\.*)\s|\s+attachment=(\.*)$</regex>
+  <order>attachment</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+attack="(\.*)"|\s+attack=(\.*)\s|\s+attack=(\.*)$</regex>
+  <order>attack</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+attackcontext="(\.*)"|\s+attackcontext=(\.*)\s|\s+attackcontext=(\.*)$</regex>
+  <order>attackcontext</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+attackcontextid="(\.*)"|\s+attackcontextid=(\.*)\s|\s+attackcontextid=(\.*)$</regex>
+  <order>attackcontextid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+attackid="(\.*)"|\s+attackid=(\.*)\s|\s+attackid=(\.*)$</regex>
+  <order>attackid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+auditid="(\.*)"|\s+auditid=(\.*)\s|\s+auditid=(\.*)$</regex>
+  <order>auditid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+auditreporttype="(\.*)"|\s+auditreporttype=(\.*)\s|\s+auditreporttype=(\.*)$</regex>
+  <order>auditreporttype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+auditscore="(\.*)"|\s+auditscore=(\.*)\s|\s+auditscore=(\.*)$</regex>
+  <order>auditscore</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+audittime="(\.*)"|\s+audittime=(\.*)\s|\s+audittime=(\.*)$</regex>
+  <order>audittime</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+authalgo="(\.*)"|\s+authalgo=(\.*)\s|\s+authalgo=(\.*)$</regex>
+  <order>authalgo</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+authgrp="(\.*)"|\s+authgrp=(\.*)\s|\s+authgrp=(\.*)$</regex>
+  <order>authgrp</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+authid="(\.*)"|\s+authid=(\.*)\s|\s+authid=(\.*)$</regex>
+  <order>authid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+authproto="(\.*)"|\s+authproto=(\.*)\s|\s+authproto=(\.*)$</regex>
+  <order>authproto</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+authserver="(\.*)"|\s+authserver=(\.*)\s|\s+authserver=(\.*)$</regex>
+  <order>authserver</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+bandwidth="(\.*)"|\s+bandwidth=(\.*)\s|\s+bandwidth=(\.*)$</regex>
+  <order>bandwidth</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+banned_rule="(\.*)"|\s+banned_rule=(\.*)\s|\s+banned_rule=(\.*)$</regex>
+  <order>banned_rule</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+banned_src="(\.*)"|\s+banned_src=(\.*)\s|\s+banned_src=(\.*)$</regex>
+  <order>banned_src</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+banword="(\.*)"|\s+banword=(\.*)\s|\s+banword=(\.*)$</regex>
+  <order>banword</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+bibandwidth="(\.*)"|\s+bibandwidth=(\.*)\s|\s+bibandwidth=(\.*)$</regex>
+  <order>bibandwidth</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+bibandwidthavailable="(\.*)"|\s+bibandwidthavailable=(\.*)\s|\s+bibandwidthavailable=(\.*)$</regex>
+  <order>bibandwidthavailable</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+bibandwidthused="(\.*)"|\s+bibandwidthused=(\.*)\s|\s+bibandwidthused=(\.*)$</regex>
+  <order>bibandwidthused</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+botnetdomain="(\.*)"|\s+botnetdomain=(\.*)\s|\s+botnetdomain=(\.*)$</regex>
+  <order>botnetdomain</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+botnetip="(\.*)"|\s+botnetip=(\.*)\s|\s+botnetip=(\.*)$</regex>
+  <order>botnetip</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+bssid="(\.*)"|\s+bssid=(\.*)\s|\s+bssid=(\.*)$</regex>
+  <order>bssid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+call_id="(\.*)"|\s+call_id=(\.*)\s|\s+call_id=(\.*)$</regex>
+  <order>call_id</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+carrier_ep="(\.*)"|\s+carrier_ep=(\.*)\s|\s+carrier_ep=(\.*)$</regex>
+  <order>carrier_ep</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+casb="(\.*)"|\s+casb=(\.*)\s|\s+casb=(\.*)$</regex>
+  <order>casb</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cat="(\.*)"|\s+cat=(\.*)\s|\s+cat=(\.*)$</regex>
+  <order>cat</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+catdesc="(\.*)"|\s+catdesc=(\.*)\s|\s+catdesc=(\.*)$</regex>
+  <order>catdesc</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+category="(\.*)"|\s+category=(\.*)\s|\s+category=(\.*)$</regex>
+  <order>category</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cc="(\.*)"|\s+cc=(\.*)\s|\s+cc=(\.*)$</regex>
+  <order>cc</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ccertissuer="(\.*)"|\s+ccertissuer=(\.*)\s|\s+ccertissuer=(\.*)$</regex>
+  <order>ccertissuer</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cdrcontent="(\.*)"|\s+cdrcontent=(\.*)\s|\s+cdrcontent=(\.*)$</regex>
+  <order>cdrcontent</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+centralnatid="(\.*)"|\s+centralnatid=(\.*)\s|\s+centralnatid=(\.*)$</regex>
+  <order>centralnatid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cert="(\.*)"|\s+cert=(\.*)\s|\s+cert=(\.*)$</regex>
+  <order>cert</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+certdesc="(\.*)"|\s+certdesc=(\.*)\s|\s+certdesc=(\.*)$</regex>
+  <order>certdesc</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+certhash="(\.*)"|\s+certhash=(\.*)\s|\s+certhash=(\.*)$</regex>
+  <order>certhash</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cfgattr="(\.*)"|\s+cfgattr=(\.*)\s|\s+cfgattr=(\.*)$</regex>
+  <order>cfgattr</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cfgobj="(\.*)"|\s+cfgobj=(\.*)\s|\s+cfgobj=(\.*)$</regex>
+  <order>cfgobj</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cfgpath="(\.*)"|\s+cfgpath=(\.*)\s|\s+cfgpath=(\.*)$</regex>
+  <order>cfgpath</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cfgtid="(\.*)"|\s+cfgtid=(\.*)\s|\s+cfgtid=(\.*)$</regex>
+  <order>cfgtid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cfgtxpower="(\.*)"|\s+cfgtxpower=(\.*)\s|\s+cfgtxpower=(\.*)$</regex>
+  <order>cfgtxpower</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cfseid="(\.*)"|\s+cfseid=(\.*)\s|\s+cfseid=(\.*)$</regex>
+  <order>cfseid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cfseidaddr="(\.*)"|\s+cfseidaddr=(\.*)\s|\s+cfseidaddr=(\.*)$</regex>
+  <order>cfseidaddr</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cggsn="(\.*)"|\s+cggsn=(\.*)\s|\s+cggsn=(\.*)$</regex>
+  <order>cggsn</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cgsn="(\.*)"|\s+cgsn=(\.*)\s|\s+cgsn=(\.*)$</regex>
+  <order>cgsn</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+channel="(\.*)"|\s+channel=(\.*)\s|\s+channel=(\.*)$</regex>
+  <order>channel</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+channeltype="(\.*)"|\s+channeltype=(\.*)\s|\s+channeltype=(\.*)$</regex>
+  <order>channeltype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+chassisid="(\.*)"|\s+chassisid=(\.*)\s|\s+chassisid=(\.*)$</regex>
+  <order>chassisid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+checksum="(\.*)"|\s+checksum=(\.*)\s|\s+checksum=(\.*)$</regex>
+  <order>checksum</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+chgheaders="(\.*)"|\s+chgheaders=(\.*)\s|\s+chgheaders=(\.*)$</regex>
+  <order>chgheaders</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cipher="(\.*)"|\s+cipher=(\.*)\s|\s+cipher=(\.*)$</regex>
+  <order>cipher</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+clashtunnelidx="(\.*)"|\s+clashtunnelidx=(\.*)\s|\s+clashtunnelidx=(\.*)$</regex>
+  <order>clashtunnelidx</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cldobjid="(\.*)"|\s+cldobjid=(\.*)\s|\s+cldobjid=(\.*)$</regex>
+  <order>cldobjid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+client_addr="(\.*)"|\s+client_addr=(\.*)\s|\s+client_addr=(\.*)$</regex>
+  <order>client_addr</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+clientcert="(\.*)"|\s+clientcert=(\.*)\s|\s+clientcert=(\.*)$</regex>
+  <order>clientcert</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+clientdeviceems="(\.*)"|\s+clientdeviceems=(\.*)\s|\s+clientdeviceems=(\.*)$</regex>
+  <order>clientdeviceems</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+clientdeviceid="(\.*)"|\s+clientdeviceid=(\.*)\s|\s+clientdeviceid=(\.*)$</regex>
+  <order>clientdeviceid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+clientdevicemanageable="(\.*)"|\s+clientdevicemanageable=(\.*)\s|\s+clientdevicemanageable=(\.*)$</regex>
+  <order>clientdevicemanageable</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+clientdeviceowner="(\.*)"|\s+clientdeviceowner=(\.*)\s|\s+clientdeviceowner=(\.*)$</regex>
+  <order>clientdeviceowner</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+clientdevicetags="(\.*)"|\s+clientdevicetags=(\.*)\s|\s+clientdevicetags=(\.*)$</regex>
+  <order>clientdevicetags</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cloudaction="(\.*)"|\s+cloudaction=(\.*)\s|\s+cloudaction=(\.*)$</regex>
+  <order>cloudaction</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+clouddevice="(\.*)"|\s+clouddevice=(\.*)\s|\s+clouddevice=(\.*)$</regex>
+  <order>clouddevice</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+clouduser="(\.*)"|\s+clouduser=(\.*)\s|\s+clouduser=(\.*)$</regex>
+  <order>clouduser</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cmdbpathname="(\.*)"|\s+cmdbpathname=(\.*)\s|\s+cmdbpathname=(\.*)$</regex>
+  <order>cmdbpathname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cmdbtablename="(\.*)"|\s+cmdbtablename=(\.*)\s|\s+cmdbtablename=(\.*)$</regex>
+  <order>cmdbtablename</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cn="(\.*)"|\s+cn=(\.*)\s|\s+cn=(\.*)$</regex>
+  <order>cn</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+column="(\.*)"|\s+column=(\.*)\s|\s+column=(\.*)$</regex>
+  <order>column</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+command="(\.*)"|\s+command=(\.*)\s|\s+command=(\.*)$</regex>
+  <order>command</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+comment="(\.*)"|\s+comment=(\.*)\s|\s+comment=(\.*)$</regex>
+  <order>comment</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+community="(\.*)"|\s+community=(\.*)\s|\s+community=(\.*)$</regex>
+  <order>community</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+components="(\.*)"|\s+components=(\.*)\s|\s+components=(\.*)$</regex>
+  <order>components</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+configcountry="(\.*)"|\s+configcountry=(\.*)\s|\s+configcountry=(\.*)$</regex>
+  <order>configcountry</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+conflictcount="(\.*)"|\s+conflictcount=(\.*)\s|\s+conflictcount=(\.*)$</regex>
+  <order>conflictcount</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+connection_type="(\.*)"|\s+connection_type=(\.*)\s|\s+connection_type=(\.*)$</regex>
+  <order>connection_type</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+conserve="(\.*)"|\s+conserve=(\.*)\s|\s+conserve=(\.*)$</regex>
+  <order>conserve</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+constraint="(\.*)"|\s+constraint=(\.*)\s|\s+constraint=(\.*)$</regex>
+  <order>constraint</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+contentdisarmed="(\.*)"|\s+contentdisarmed=(\.*)\s|\s+contentdisarmed=(\.*)$</regex>
+  <order>contentdisarmed</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+contentencoding="(\.*)"|\s+contentencoding=(\.*)\s|\s+contentencoding=(\.*)$</regex>
+  <order>contentencoding</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+contenttype="(\.*)"|\s+contenttype=(\.*)\s|\s+contenttype=(\.*)$</regex>
+  <order>contenttype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cookies="(\.*)"|\s+cookies=(\.*)\s|\s+cookies=(\.*)$</regex>
+  <order>cookies</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+core="(\.*)"|\s+core=(\.*)\s|\s+core=(\.*)$</regex>
+  <order>core</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+count="(\.*)"|\s+count=(\.*)\s|\s+count=(\.*)$</regex>
+  <order>count</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+countapp="(\.*)"|\s+countapp=(\.*)\s|\s+countapp=(\.*)$</regex>
+  <order>countapp</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+countav="(\.*)"|\s+countav=(\.*)\s|\s+countav=(\.*)$</regex>
+  <order>countav</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+countcasb="(\.*)"|\s+countcasb=(\.*)\s|\s+countcasb=(\.*)$</regex>
+  <order>countcasb</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+countcifs="(\.*)"|\s+countcifs=(\.*)\s|\s+countcifs=(\.*)$</regex>
+  <order>countcifs</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+countdlp="(\.*)"|\s+countdlp=(\.*)\s|\s+countdlp=(\.*)$</regex>
+  <order>countdlp</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+countdns="(\.*)"|\s+countdns=(\.*)\s|\s+countdns=(\.*)$</regex>
+  <order>countdns</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+countemail="(\.*)"|\s+countemail=(\.*)\s|\s+countemail=(\.*)$</regex>
+  <order>countemail</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+countff="(\.*)"|\s+countff=(\.*)\s|\s+countff=(\.*)$</regex>
+  <order>countff</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+counticap="(\.*)"|\s+counticap=(\.*)\s|\s+counticap=(\.*)$</regex>
+  <order>counticap</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+countips="(\.*)"|\s+countips=(\.*)\s|\s+countips=(\.*)$</regex>
+  <order>countips</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+countsctpf="(\.*)"|\s+countsctpf=(\.*)\s|\s+countsctpf=(\.*)$</regex>
+  <order>countsctpf</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+countssh="(\.*)"|\s+countssh=(\.*)\s|\s+countssh=(\.*)$</regex>
+  <order>countssh</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+countssl="(\.*)"|\s+countssl=(\.*)\s|\s+countssl=(\.*)$</regex>
+  <order>countssl</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+countvpatch="(\.*)"|\s+countvpatch=(\.*)\s|\s+countvpatch=(\.*)$</regex>
+  <order>countvpatch</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+countwaf="(\.*)"|\s+countwaf=(\.*)\s|\s+countwaf=(\.*)$</regex>
+  <order>countwaf</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+countweb="(\.*)"|\s+countweb=(\.*)\s|\s+countweb=(\.*)$</regex>
+  <order>countweb</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+countztna="(\.*)"|\s+countztna=(\.*)\s|\s+countztna=(\.*)$</regex>
+  <order>countztna</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cpaddr="(\.*)"|\s+cpaddr=(\.*)\s|\s+cpaddr=(\.*)$</regex>
+  <order>cpaddr</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cpdladdr="(\.*)"|\s+cpdladdr=(\.*)\s|\s+cpdladdr=(\.*)$</regex>
+  <order>cpdladdr</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cpdlisraddr="(\.*)"|\s+cpdlisraddr=(\.*)\s|\s+cpdlisraddr=(\.*)$</regex>
+  <order>cpdlisraddr</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cpdlisrteid="(\.*)"|\s+cpdlisrteid=(\.*)\s|\s+cpdlisrteid=(\.*)$</regex>
+  <order>cpdlisrteid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cpdlteid="(\.*)"|\s+cpdlteid=(\.*)\s|\s+cpdlteid=(\.*)$</regex>
+  <order>cpdlteid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cpteid="(\.*)"|\s+cpteid=(\.*)\s|\s+cpteid=(\.*)$</regex>
+  <order>cpteid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cpu="(\.*)"|\s+cpu=(\.*)\s|\s+cpu=(\.*)$</regex>
+  <order>cpu</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cpuladdr="(\.*)"|\s+cpuladdr=(\.*)\s|\s+cpuladdr=(\.*)$</regex>
+  <order>cpuladdr</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cpulteid="(\.*)"|\s+cpulteid=(\.*)\s|\s+cpulteid=(\.*)$</regex>
+  <order>cpulteid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+craction="(\.*)"|\s+craction=(\.*)\s|\s+craction=(\.*)$</regex>
+  <order>craction</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+created="(\.*)"|\s+created=(\.*)\s|\s+created=(\.*)$</regex>
+  <order>created</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+criticalcount="(\.*)"|\s+criticalcount=(\.*)\s|\s+criticalcount=(\.*)$</regex>
+  <order>criticalcount</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+crl="(\.*)"|\s+crl=(\.*)\s|\s+crl=(\.*)$</regex>
+  <order>crl</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+crlevel="(\.*)"|\s+crlevel=(\.*)\s|\s+crlevel=(\.*)$</regex>
+  <order>crlevel</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+crscore="(\.*)"|\s+crscore=(\.*)\s|\s+crscore=(\.*)$</regex>
+  <order>crscore</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+csgsn="(\.*)"|\s+csgsn=(\.*)\s|\s+csgsn=(\.*)$</regex>
+  <order>csgsn</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+cveid="(\.*)"|\s+cveid=(\.*)\s|\s+cveid=(\.*)$</regex>
+  <order>cveid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+daddr="(\.*)"|\s+daddr=(\.*)\s|\s+daddr=(\.*)$</regex>
+  <order>daddr</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+daemon="(\.*)"|\s+daemon=(\.*)\s|\s+daemon=(\.*)$</regex>
+  <order>daemon</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+datarange="(\.*)"|\s+datarange=(\.*)\s|\s+datarange=(\.*)$</regex>
+  <order>datarange</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>date="(\.*)"|date=(\.*)\s|date=(\.*)$</regex>
+  <order>date</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ddnsserver="(\.*)"|\s+ddnsserver=(\.*)\s|\s+ddnsserver=(\.*)$</regex>
+  <order>ddnsserver</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+deny_cause="(\.*)"|\s+deny_cause=(\.*)\s|\s+deny_cause=(\.*)$</regex>
+  <order>deny_cause</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+desc="(\.*)"|\s+desc=(\.*)\s|\s+desc=(\.*)$</regex>
+  <order>desc</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+detectionmethod="(\.*)"|\s+detectionmethod=(\.*)\s|\s+detectionmethod=(\.*)$</regex>
+  <order>detectionmethod</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+devid="(\.*)"|\s+devid=(\.*)\s|\s+devid=(\.*)$</regex>
+  <order>devid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+devintfname="(\.*)"|\s+devintfname=(\.*)\s|\s+devintfname=(\.*)$</regex>
+  <order>devintfname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+devtype="(\.*)"|\s+devtype=(\.*)\s|\s+devtype=(\.*)$</regex>
+  <order>devtype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dhcp_msg="(\.*)"|\s+dhcp_msg=(\.*)\s|\s+dhcp_msg=(\.*)$</regex>
+  <order>dhcp_msg</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dintf="(\.*)"|\s+dintf=(\.*)\s|\s+dintf=(\.*)$</regex>
+  <order>dintf</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dir="(\.*)"|\s+dir=(\.*)\s|\s+dir=(\.*)$</regex>
+  <order>dir</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+direction="(\.*)"|\s+direction=(\.*)\s|\s+direction=(\.*)$</regex>
+  <order>direction</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+disk="(\.*)"|\s+disk=(\.*)\s|\s+disk=(\.*)$</regex>
+  <order>disk</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+disklograte="(\.*)"|\s+disklograte=(\.*)\s|\s+disklograte=(\.*)$</regex>
+  <order>disklograte</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dlp="(\.*)"|\s+dlp=(\.*)\s|\s+dlp=(\.*)$</regex>
+  <order>dlp</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dlpextra="(\.*)"|\s+dlpextra=(\.*)\s|\s+dlpextra=(\.*)$</regex>
+  <order>dlpextra</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dns="(\.*)"|\s+dns=(\.*)\s|\s+dns=(\.*)$</regex>
+  <order>dns</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+docsource="(\.*)"|\s+docsource=(\.*)\s|\s+docsource=(\.*)$</regex>
+  <order>docsource</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+domainctrlauthstate="(\.*)"|\s+domainctrlauthstate=(\.*)\s|\s+domainctrlauthstate=(\.*)$</regex>
+  <order>domainctrlauthstate</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+domainctrlauthtype="(\.*)"|\s+domainctrlauthtype=(\.*)\s|\s+domainctrlauthtype=(\.*)$</regex>
+  <order>domainctrlauthtype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+domainctrldomain="(\.*)"|\s+domainctrldomain=(\.*)\s|\s+domainctrldomain=(\.*)$</regex>
+  <order>domainctrldomain</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+domainctrlip="(\.*)"|\s+domainctrlip=(\.*)\s|\s+domainctrlip=(\.*)$</regex>
+  <order>domainctrlip</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+domainctrlname="(\.*)"|\s+domainctrlname=(\.*)\s|\s+domainctrlname=(\.*)$</regex>
+  <order>domainctrlname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+domainctrlprotocoltype="(\.*)"|\s+domainctrlprotocoltype=(\.*)\s|\s+domainctrlprotocoltype=(\.*)$</regex>
+  <order>domainctrlprotocoltype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+domainctrlusername="(\.*)"|\s+domainctrlusername=(\.*)\s|\s+domainctrlusername=(\.*)$</regex>
+  <order>domainctrlusername</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+domainfilteridx="(\.*)"|\s+domainfilteridx=(\.*)\s|\s+domainfilteridx=(\.*)$</regex>
+  <order>domainfilteridx</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+domainfilterlist="(\.*)"|\s+domainfilterlist=(\.*)\s|\s+domainfilterlist=(\.*)$</regex>
+  <order>domainfilterlist</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+downbandwidthmeasured="(\.*)"|\s+downbandwidthmeasured=(\.*)\s|\s+downbandwidthmeasured=(\.*)$</regex>
+  <order>downbandwidthmeasured</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ds="(\.*)"|\s+ds=(\.*)\s|\s+ds=(\.*)$</regex>
+  <order>ds</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dst_host="(\.*)"|\s+dst_host=(\.*)\s|\s+dst_host=(\.*)$</regex>
+  <order>dst_host</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dst_int="(\.*)"|\s+dst_int=(\.*)\s|\s+dst_int=(\.*)$</regex>
+  <order>dst_int</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dst_port="(\.*)"|\s+dst_port=(\.*)\s|\s+dst_port=(\.*)$</regex>
+  <order>dst_port</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstauthserver="(\.*)"|\s+dstauthserver=(\.*)\s|\s+dstauthserver=(\.*)$</regex>
+  <order>dstauthserver</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstcity="(\.*)"|\s+dstcity=(\.*)\s|\s+dstcity=(\.*)$</regex>
+  <order>dstcity</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstcountry="(\.*)"|\s+dstcountry=(\.*)\s|\s+dstcountry=(\.*)$</regex>
+  <order>dstcountry</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstdevtype="(\.*)"|\s+dstdevtype=(\.*)\s|\s+dstdevtype=(\.*)$</regex>
+  <order>dstdevtype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstfamily="(\.*)"|\s+dstfamily=(\.*)\s|\s+dstfamily=(\.*)$</regex>
+  <order>dstfamily</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dsthwvendor="(\.*)"|\s+dsthwvendor=(\.*)\s|\s+dsthwvendor=(\.*)$</regex>
+  <order>dsthwvendor</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dsthwversion="(\.*)"|\s+dsthwversion=(\.*)\s|\s+dsthwversion=(\.*)$</regex>
+  <order>dsthwversion</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstinetsvc="(\.*)"|\s+dstinetsvc=(\.*)\s|\s+dstinetsvc=(\.*)$</regex>
+  <order>dstinetsvc</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstintf="(\.*)"|\s+dstintf=(\.*)\s|\s+dstintf=(\.*)$</regex>
+  <order>dstintf</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstintfrole="(\.*)"|\s+dstintfrole=(\.*)\s|\s+dstintfrole=(\.*)$</regex>
+  <order>dstintfrole</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstip="(\.*)"|\s+dstip=(\.*)\s|\s+dstip=(\.*)$</regex>
+  <order>dstip</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstmac="(\.*)"|\s+dstmac=(\.*)\s|\s+dstmac=(\.*)$</regex>
+  <order>dstmac</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstname="(\.*)"|\s+dstname=(\.*)\s|\s+dstname=(\.*)$</regex>
+  <order>dstname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstosname="(\.*)"|\s+dstosname=(\.*)\s|\s+dstosname=(\.*)$</regex>
+  <order>dstosname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstport="(\.*)"|\s+dstport=(\.*)\s|\s+dstport=(\.*)$</regex>
+  <order>dstport</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstregion="(\.*)"|\s+dstregion=(\.*)\s|\s+dstregion=(\.*)$</regex>
+  <order>dstregion</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstreputation="(\.*)"|\s+dstreputation=(\.*)\s|\s+dstreputation=(\.*)$</regex>
+  <order>dstreputation</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstserver="(\.*)"|\s+dstserver=(\.*)\s|\s+dstserver=(\.*)$</regex>
+  <order>dstserver</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstssid="(\.*)"|\s+dstssid=(\.*)\s|\s+dstssid=(\.*)$</regex>
+  <order>dstssid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstswversion="(\.*)"|\s+dstswversion=(\.*)\s|\s+dstswversion=(\.*)$</regex>
+  <order>dstswversion</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstthreatfeed="(\.*)"|\s+dstthreatfeed=(\.*)\s|\s+dstthreatfeed=(\.*)$</regex>
+  <order>dstthreatfeed</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstunauthuser="(\.*)"|\s+dstunauthuser=(\.*)\s|\s+dstunauthuser=(\.*)$</regex>
+  <order>dstunauthuser</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstunauthusersource="(\.*)"|\s+dstunauthusersource=(\.*)\s|\s+dstunauthusersource=(\.*)$</regex>
+  <order>dstunauthusersource</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstuser="(\.*)"|\s+dstuser=(\.*)\s|\s+dstuser=(\.*)$</regex>
+  <order>dstuser</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dstuuid="(\.*)"|\s+dstuuid=(\.*)\s|\s+dstuuid=(\.*)$</regex>
+  <order>dstuuid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dtlexp="(\.*)"|\s+dtlexp=(\.*)\s|\s+dtlexp=(\.*)$</regex>
+  <order>dtlexp</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+dtype="(\.*)"|\s+dtype=(\.*)\s|\s+dtype=(\.*)$</regex>
+  <order>dtype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+duid="(\.*)"|\s+duid=(\.*)\s|\s+duid=(\.*)$</regex>
+  <order>duid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+duration="(\.*)"|\s+duration=(\.*)\s|\s+duration=(\.*)$</regex>
+  <order>duration</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+durationdelta="(\.*)"|\s+durationdelta=(\.*)\s|\s+durationdelta=(\.*)$</regex>
+  <order>durationdelta</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+eapolcnt="(\.*)"|\s+eapolcnt=(\.*)\s|\s+eapolcnt=(\.*)$</regex>
+  <order>eapolcnt</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+eapoltype="(\.*)"|\s+eapoltype=(\.*)\s|\s+eapoltype=(\.*)$</regex>
+  <order>eapoltype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+emailfilter="(\.*)"|\s+emailfilter=(\.*)\s|\s+emailfilter=(\.*)$</regex>
+  <order>emailfilter</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+emsconnection="(\.*)"|\s+emsconnection=(\.*)\s|\s+emsconnection=(\.*)$</regex>
+  <order>emsconnection</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+encrypt="(\.*)"|\s+encrypt=(\.*)\s|\s+encrypt=(\.*)$</regex>
+  <order>encrypt</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+encryption="(\.*)"|\s+encryption=(\.*)\s|\s+encryption=(\.*)$</regex>
+  <order>encryption</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+end="(\.*)"|\s+end=(\.*)\s|\s+end=(\.*)$</regex>
+  <order>end</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+endusraddress="(\.*)"|\s+endusraddress=(\.*)\s|\s+endusraddress=(\.*)$</regex>
+  <order>endusraddress</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+epoch="(\.*)"|\s+epoch=(\.*)\s|\s+epoch=(\.*)$</regex>
+  <order>epoch</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+error="(\.*)"|\s+error=(\.*)\s|\s+error=(\.*)$</regex>
+  <order>error</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+error_num="(\.*)"|\s+error_num=(\.*)\s|\s+error_num=(\.*)$</regex>
+  <order>error_num</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+errorcount="(\.*)"|\s+errorcount=(\.*)\s|\s+errorcount=(\.*)$</regex>
+  <order>errorcount</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+espauth="(\.*)"|\s+espauth=(\.*)\s|\s+espauth=(\.*)$</regex>
+  <order>espauth</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+esptransform="(\.*)"|\s+esptransform=(\.*)\s|\s+esptransform=(\.*)$</regex>
+  <order>esptransform</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+event="(\.*)"|\s+event=(\.*)\s|\s+event=(\.*)$</regex>
+  <order>event</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+event_id="(\.*)"|\s+event_id=(\.*)\s|\s+event_id=(\.*)$</regex>
+  <order>event_id</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+eventid="(\.*)"|\s+eventid=(\.*)\s|\s+eventid=(\.*)$</regex>
+  <order>eventid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+eventsubtype="(\.*)"|\s+eventsubtype=(\.*)\s|\s+eventsubtype=(\.*)$</regex>
+  <order>eventsubtype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+eventtime="(\.*)"|\s+eventtime=(\.*)\s|\s+eventtime=(\.*)$</regex>
+  <order>eventtime</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+eventtype="(\.*)"|\s+eventtype=(\.*)\s|\s+eventtype=(\.*)$</regex>
+  <order>eventtype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+exch="(\.*)"|\s+exch=(\.*)\s|\s+exch=(\.*)$</regex>
+  <order>exch</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+exchange="(\.*)"|\s+exchange=(\.*)\s|\s+exchange=(\.*)$</regex>
+  <order>exchange</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+expectedsignature="(\.*)"|\s+expectedsignature=(\.*)\s|\s+expectedsignature=(\.*)$</regex>
+  <order>expectedsignature</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+expiry="(\.*)"|\s+expiry=(\.*)\s|\s+expiry=(\.*)$</regex>
+  <order>expiry</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+extension="(\.*)"|\s+extension=(\.*)\s|\s+extension=(\.*)$</regex>
+  <order>extension</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+faiaction="(\.*)"|\s+faiaction=(\.*)\s|\s+faiaction=(\.*)$</regex>
+  <order>faiaction</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+faiconfidence="(\.*)"|\s+faiconfidence=(\.*)\s|\s+faiconfidence=(\.*)$</regex>
+  <order>faiconfidence</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+faifileid="(\.*)"|\s+faifileid=(\.*)\s|\s+faifileid=(\.*)$</regex>
+  <order>faifileid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+faifiletype="(\.*)"|\s+faifiletype=(\.*)\s|\s+faifiletype=(\.*)$</regex>
+  <order>faifiletype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+failuredev="(\.*)"|\s+failuredev=(\.*)\s|\s+failuredev=(\.*)$</regex>
+  <order>failuredev</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+faiseverity="(\.*)"|\s+faiseverity=(\.*)\s|\s+faiseverity=(\.*)$</regex>
+  <order>faiseverity</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+fams_pause="(\.*)"|\s+fams_pause=(\.*)\s|\s+fams_pause=(\.*)$</regex>
+  <order>fams_pause</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+fazlograte="(\.*)"|\s+fazlograte=(\.*)\s|\s+fazlograte=(\.*)$</regex>
+  <order>fazlograte</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+fctemsname="(\.*)"|\s+fctemsname=(\.*)\s|\s+fctemsname=(\.*)$</regex>
+  <order>fctemsname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+fctemssn="(\.*)"|\s+fctemssn=(\.*)\s|\s+fctemssn=(\.*)$</regex>
+  <order>fctemssn</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+fctuid="(\.*)"|\s+fctuid=(\.*)\s|\s+fctuid=(\.*)$</regex>
+  <order>fctuid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+field="(\.*)"|\s+field=(\.*)\s|\s+field=(\.*)$</regex>
+  <order>field</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+file="(\.*)"|\s+file=(\.*)\s|\s+file=(\.*)$</regex>
+  <order>file</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+filefilter="(\.*)"|\s+filefilter=(\.*)\s|\s+filefilter=(\.*)$</regex>
+  <order>filefilter</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+filehash="(\.*)"|\s+filehash=(\.*)\s|\s+filehash=(\.*)$</regex>
+  <order>filehash</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+filehashsrc="(\.*)"|\s+filehashsrc=(\.*)\s|\s+filehashsrc=(\.*)$</regex>
+  <order>filehashsrc</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+filename="(\.*)"|\s+filename=(\.*)\s|\s+filename=(\.*)$</regex>
+  <order>filename</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+filesize="(\.*)"|\s+filesize=(\.*)\s|\s+filesize=(\.*)$</regex>
+  <order>filesize</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+filetype="(\.*)"|\s+filetype=(\.*)\s|\s+filetype=(\.*)$</regex>
+  <order>filetype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+filtercat="(\.*)"|\s+filtercat=(\.*)\s|\s+filtercat=(\.*)$</regex>
+  <order>filtercat</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+filteridx="(\.*)"|\s+filteridx=(\.*)\s|\s+filteridx=(\.*)$</regex>
+  <order>filteridx</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+filtername="(\.*)"|\s+filtername=(\.*)\s|\s+filtername=(\.*)$</regex>
+  <order>filtername</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+filtertype="(\.*)"|\s+filtertype=(\.*)\s|\s+filtertype=(\.*)$</regex>
+  <order>filtertype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+fndraction="(\.*)"|\s+fndraction=(\.*)\s|\s+fndraction=(\.*)$</regex>
+  <order>fndraction</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+fndrconfidence="(\.*)"|\s+fndrconfidence=(\.*)\s|\s+fndrconfidence=(\.*)$</regex>
+  <order>fndrconfidence</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+fndrfileid="(\.*)"|\s+fndrfileid=(\.*)\s|\s+fndrfileid=(\.*)$</regex>
+  <order>fndrfileid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+fndrfiletype="(\.*)"|\s+fndrfiletype=(\.*)\s|\s+fndrfiletype=(\.*)$</regex>
+  <order>fndrfiletype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+fndrseverity="(\.*)"|\s+fndrseverity=(\.*)\s|\s+fndrseverity=(\.*)$</regex>
+  <order>fndrseverity</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+fndrverdict="(\.*)"|\s+fndrverdict=(\.*)\s|\s+fndrverdict=(\.*)$</regex>
+  <order>fndrverdict</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+forti="(\.*)"|\s+forti=(\.*)\s|\s+forti=(\.*)$</regex>
+  <order>forti</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+fortiguardresp="(\.*)"|\s+fortiguardresp=(\.*)\s|\s+fortiguardresp=(\.*)$</regex>
+  <order>fortiguardresp</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+forwardedfor="(\.*)"|\s+forwardedfor=(\.*)\s|\s+forwardedfor=(\.*)$</regex>
+  <order>forwardedfor</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+fqdn="(\.*)"|\s+fqdn=(\.*)\s|\s+fqdn=(\.*)$</regex>
+  <order>fqdn</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+frametype="(\.*)"|\s+frametype=(\.*)\s|\s+frametype=(\.*)$</regex>
+  <order>frametype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+freediskstorage="(\.*)"|\s+freediskstorage=(\.*)\s|\s+freediskstorage=(\.*)$</regex>
+  <order>freediskstorage</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+from="(\.*)"|\s+from=(\.*)\s|\s+from=(\.*)$</regex>
+  <order>from</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+from_vcluster="(\.*)"|\s+from_vcluster=(\.*)\s|\s+from_vcluster=(\.*)$</regex>
+  <order>from_vcluster</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+fsaaction="(\.*)"|\s+fsaaction=(\.*)\s|\s+fsaaction=(\.*)$</regex>
+  <order>fsaaction</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+fsafileid="(\.*)"|\s+fsafileid=(\.*)\s|\s+fsafileid=(\.*)$</regex>
+  <order>fsafileid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+fsafiletype="(\.*)"|\s+fsafiletype=(\.*)\s|\s+fsafiletype=(\.*)$</regex>
+  <order>fsafiletype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+fsaseverity="(\.*)"|\s+fsaseverity=(\.*)\s|\s+fsaseverity=(\.*)$</regex>
+  <order>fsaseverity</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+fsaverdict="(\.*)"|\s+fsaverdict=(\.*)\s|\s+fsaverdict=(\.*)$</regex>
+  <order>fsaverdict</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ftlkintf="(\.*)"|\s+ftlkintf=(\.*)\s|\s+ftlkintf=(\.*)$</regex>
+  <order>ftlkintf</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+fwdsrv="(\.*)"|\s+fwdsrv=(\.*)\s|\s+fwdsrv=(\.*)$</regex>
+  <order>fwdsrv</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+fwserver_name="(\.*)"|\s+fwserver_name=(\.*)\s|\s+fwserver_name=(\.*)$</regex>
+  <order>fwserver_name</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+gateway="(\.*)"|\s+gateway=(\.*)\s|\s+gateway=(\.*)$</regex>
+  <order>gateway</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+gatewayid="(\.*)"|\s+gatewayid=(\.*)\s|\s+gatewayid=(\.*)$</regex>
+  <order>gatewayid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+green="(\.*)"|\s+green=(\.*)\s|\s+green=(\.*)$</regex>
+  <order>green</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+group="(\.*)"|\s+group=(\.*)\s|\s+group=(\.*)$</regex>
+  <order>group</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+groupid="(\.*)"|\s+groupid=(\.*)\s|\s+groupid=(\.*)$</regex>
+  <order>groupid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+gtp="(\.*)"|\s+gtp=(\.*)\s|\s+gtp=(\.*)$</regex>
+  <order>gtp</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ha="(\.*)"|\s+ha=(\.*)\s|\s+ha=(\.*)$</regex>
+  <order>ha</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ha_group="(\.*)"|\s+ha_group=(\.*)\s|\s+ha_group=(\.*)$</regex>
+  <order>ha_group</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ha_role="(\.*)"|\s+ha_role=(\.*)\s|\s+ha_role=(\.*)$</regex>
+  <order>ha_role</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+handshake="(\.*)"|\s+handshake=(\.*)\s|\s+handshake=(\.*)$</regex>
+  <order>handshake</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+headerteid="(\.*)"|\s+headerteid=(\.*)\s|\s+headerteid=(\.*)$</regex>
+  <order>headerteid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+healthcheck="(\.*)"|\s+healthcheck=(\.*)\s|\s+healthcheck=(\.*)$</regex>
+  <order>healthcheck</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+highcount="(\.*)"|\s+highcount=(\.*)\s|\s+highcount=(\.*)$</regex>
+  <order>highcount</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+host="(\.*)"|\s+host=(\.*)\s|\s+host=(\.*)$</regex>
+  <order>host</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+hostkeystatus="(\.*)"|\s+hostkeystatus=(\.*)\s|\s+hostkeystatus=(\.*)$</regex>
+  <order>hostkeystatus</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+hostname="(\.*)"|\s+hostname=(\.*)\s|\s+hostname=(\.*)$</regex>
+  <order>hostname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+hseid="(\.*)"|\s+hseid=(\.*)\s|\s+hseid=(\.*)$</regex>
+  <order>hseid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+httpcode="(\.*)"|\s+httpcode=(\.*)\s|\s+httpcode=(\.*)$</regex>
+  <order>httpcode</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+httpmethod="(\.*)"|\s+httpmethod=(\.*)\s|\s+httpmethod=(\.*)$</regex>
+  <order>httpmethod</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+iaid="(\.*)"|\s+iaid=(\.*)\s|\s+iaid=(\.*)$</regex>
+  <order>iaid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+icap="(\.*)"|\s+icap=(\.*)\s|\s+icap=(\.*)$</regex>
+  <order>icap</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+icbaction="(\.*)"|\s+icbaction=(\.*)\s|\s+icbaction=(\.*)$</regex>
+  <order>icbaction</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+icbconfidence="(\.*)"|\s+icbconfidence=(\.*)\s|\s+icbconfidence=(\.*)$</regex>
+  <order>icbconfidence</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+icbfileid="(\.*)"|\s+icbfileid=(\.*)\s|\s+icbfileid=(\.*)$</regex>
+  <order>icbfileid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+icbfiletype="(\.*)"|\s+icbfiletype=(\.*)\s|\s+icbfiletype=(\.*)$</regex>
+  <order>icbfiletype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+icbseverity="(\.*)"|\s+icbseverity=(\.*)\s|\s+icbseverity=(\.*)$</regex>
+  <order>icbseverity</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+icbverdict="(\.*)"|\s+icbverdict=(\.*)\s|\s+icbverdict=(\.*)$</regex>
+  <order>icbverdict</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+icmpcode="(\.*)"|\s+icmpcode=(\.*)\s|\s+icmpcode=(\.*)$</regex>
+  <order>icmpcode</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+icmpid="(\.*)"|\s+icmpid=(\.*)\s|\s+icmpid=(\.*)$</regex>
+  <order>icmpid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+icmptype="(\.*)"|\s+icmptype=(\.*)\s|\s+icmptype=(\.*)$</regex>
+  <order>icmptype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+identifier="(\.*)"|\s+identifier=(\.*)\s|\s+identifier=(\.*)$</regex>
+  <order>identifier</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ietype="(\.*)"|\s+ietype=(\.*)\s|\s+ietype=(\.*)$</regex>
+  <order>ietype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+imei="(\.*)"|\s+imei=(\.*)\s|\s+imei=(\.*)$</regex>
+  <order>imei</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+imsi="(\.*)"|\s+imsi=(\.*)\s|\s+imsi=(\.*)$</regex>
+  <order>imsi</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+in_spi="(\.*)"|\s+in_spi=(\.*)\s|\s+in_spi=(\.*)$</regex>
+  <order>in_spi</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+inbandwidth="(\.*)"|\s+inbandwidth=(\.*)\s|\s+inbandwidth=(\.*)$</regex>
+  <order>inbandwidth</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+inbandwidthavailable="(\.*)"|\s+inbandwidthavailable=(\.*)\s|\s+inbandwidthavailable=(\.*)$</regex>
+  <order>inbandwidthavailable</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+inbandwidthused="(\.*)"|\s+inbandwidthused=(\.*)\s|\s+inbandwidthused=(\.*)$</regex>
+  <order>inbandwidthused</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+incidentserialno="(\.*)"|\s+incidentserialno=(\.*)\s|\s+incidentserialno=(\.*)$</regex>
+  <order>incidentserialno</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+infectedfilelevel="(\.*)"|\s+infectedfilelevel=(\.*)\s|\s+infectedfilelevel=(\.*)$</regex>
+  <order>infectedfilelevel</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+infectedfilename="(\.*)"|\s+infectedfilename=(\.*)\s|\s+infectedfilename=(\.*)$</regex>
+  <order>infectedfilename</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+infectedfilesize="(\.*)"|\s+infectedfilesize=(\.*)\s|\s+infectedfilesize=(\.*)$</regex>
+  <order>infectedfilesize</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+infectedfiletype="(\.*)"|\s+infectedfiletype=(\.*)\s|\s+infectedfiletype=(\.*)$</regex>
+  <order>infectedfiletype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+infection="(\.*)"|\s+infection=(\.*)\s|\s+infection=(\.*)$</regex>
+  <order>infection</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+informationsource="(\.*)"|\s+informationsource=(\.*)\s|\s+informationsource=(\.*)$</regex>
+  <order>informationsource</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+init="(\.*)"|\s+init=(\.*)\s|\s+init=(\.*)$</regex>
+  <order>init</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+initiator="(\.*)"|\s+initiator=(\.*)\s|\s+initiator=(\.*)$</regex>
+  <order>initiator</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+interface="(\.*)"|\s+interface=(\.*)\s|\s+interface=(\.*)$</regex>
+  <order>interface</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+intf="(\.*)"|\s+intf=(\.*)\s|\s+intf=(\.*)$</regex>
+  <order>intf</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+invalidmac="(\.*)"|\s+invalidmac=(\.*)\s|\s+invalidmac=(\.*)$</regex>
+  <order>invalidmac</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ip="(\.*)"|\s+ip=(\.*)\s|\s+ip=(\.*)$</regex>
+  <order>ip</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ipaddr="(\.*)"|\s+ipaddr=(\.*)\s|\s+ipaddr=(\.*)$</regex>
+  <order>ipaddr</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ips="(\.*)"|\s+ips=(\.*)\s|\s+ips=(\.*)$</regex>
+  <order>ips</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+iptype="(\.*)"|\s+iptype=(\.*)\s|\s+iptype=(\.*)$</regex>
+  <order>iptype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+issuer="(\.*)"|\s+issuer=(\.*)\s|\s+issuer=(\.*)$</regex>
+  <order>issuer</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+jitter="(\.*)"|\s+jitter=(\.*)\s|\s+jitter=(\.*)$</regex>
+  <order>jitter</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+keyalgo="(\.*)"|\s+keyalgo=(\.*)\s|\s+keyalgo=(\.*)$</regex>
+  <order>keyalgo</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+keysize="(\.*)"|\s+keysize=(\.*)\s|\s+keysize=(\.*)$</regex>
+  <order>keysize</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+keyword="(\.*)"|\s+keyword=(\.*)\s|\s+keyword=(\.*)$</regex>
+  <order>keyword</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+kind="(\.*)"|\s+kind=(\.*)\s|\s+kind=(\.*)$</regex>
+  <order>kind</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+kxcurve="(\.*)"|\s+kxcurve=(\.*)\s|\s+kxcurve=(\.*)$</regex>
+  <order>kxcurve</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+kxproto="(\.*)"|\s+kxproto=(\.*)\s|\s+kxproto=(\.*)$</regex>
+  <order>kxproto</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+lanin="(\.*)"|\s+lanin=(\.*)\s|\s+lanin=(\.*)$</regex>
+  <order>lanin</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+lanout="(\.*)"|\s+lanout=(\.*)\s|\s+lanout=(\.*)$</regex>
+  <order>lanout</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+latency="(\.*)"|\s+latency=(\.*)\s|\s+latency=(\.*)$</regex>
+  <order>latency</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+lease="(\.*)"|\s+lease=(\.*)\s|\s+lease=(\.*)$</regex>
+  <order>lease</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+level="(\.*)"|\s+level=(\.*)\s|\s+level=(\.*)$</regex>
+  <order>level</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+license_limit="(\.*)"|\s+license_limit=(\.*)\s|\s+license_limit=(\.*)$</regex>
+  <order>license_limit</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+limit="(\.*)"|\s+limit=(\.*)\s|\s+limit=(\.*)$</regex>
+  <order>limit</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+line="(\.*)"|\s+line=(\.*)\s|\s+line=(\.*)$</regex>
+  <order>line</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+linked="(\.*)"|\s+linked=(\.*)\s|\s+linked=(\.*)$</regex>
+  <order>linked</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+live="(\.*)"|\s+live=(\.*)\s|\s+live=(\.*)$</regex>
+  <order>live</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+local="(\.*)"|\s+local=(\.*)\s|\s+local=(\.*)$</regex>
+  <order>local</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+localdevcount="(\.*)"|\s+localdevcount=(\.*)\s|\s+localdevcount=(\.*)$</regex>
+  <order>localdevcount</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+locip="(\.*)"|\s+locip=(\.*)\s|\s+locip=(\.*)$</regex>
+  <order>locip</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+locport="(\.*)"|\s+locport=(\.*)\s|\s+locport=(\.*)$</regex>
+  <order>locport</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+log="(\.*)"|\s+log=(\.*)\s|\s+log=(\.*)$</regex>
+  <order>log</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+logdesc="(\.*)"|\s+logdesc=(\.*)\s|\s+logdesc=(\.*)$</regex>
+  <order>logdesc</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+logid="(\.*)"|\s+logid=(\.*)\s|\s+logid=(\.*)$</regex>
+  <order>logid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+login="(\.*)"|\s+login=(\.*)\s|\s+login=(\.*)$</regex>
+  <order>login</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+logsrc="(\.*)"|\s+logsrc=(\.*)\s|\s+logsrc=(\.*)$</regex>
+  <order>logsrc</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+lowcount="(\.*)"|\s+lowcount=(\.*)\s|\s+lowcount=(\.*)$</regex>
+  <order>lowcount</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+mac="(\.*)"|\s+mac=(\.*)\s|\s+mac=(\.*)$</regex>
+  <order>mac</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+malform_data="(\.*)"|\s+malform_data=(\.*)\s|\s+malform_data=(\.*)$</regex>
+  <order>malform_data</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+malform_desc="(\.*)"|\s+malform_desc=(\.*)\s|\s+malform_desc=(\.*)$</regex>
+  <order>malform_desc</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+manuf="(\.*)"|\s+manuf=(\.*)\s|\s+manuf=(\.*)$</regex>
+  <order>manuf</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+masterdstmac="(\.*)"|\s+masterdstmac=(\.*)\s|\s+masterdstmac=(\.*)$</regex>
+  <order>masterdstmac</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+mastersrcmac="(\.*)"|\s+mastersrcmac=(\.*)\s|\s+mastersrcmac=(\.*)$</regex>
+  <order>mastersrcmac</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+matchfilename="(\.*)"|\s+matchfilename=(\.*)\s|\s+matchfilename=(\.*)$</regex>
+  <order>matchfilename</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+matchfiletype="(\.*)"|\s+matchfiletype=(\.*)\s|\s+matchfiletype=(\.*)$</regex>
+  <order>matchfiletype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+max="(\.*)"|\s+max=(\.*)\s|\s+max=(\.*)$</regex>
+  <order>max</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+mediumcount="(\.*)"|\s+mediumcount=(\.*)\s|\s+mediumcount=(\.*)$</regex>
+  <order>mediumcount</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+mem="(\.*)"|\s+mem=(\.*)\s|\s+mem=(\.*)$</regex>
+  <order>mem</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+member="(\.*)"|\s+member=(\.*)\s|\s+member=(\.*)$</regex>
+  <order>member</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+meshmode="(\.*)"|\s+meshmode=(\.*)\s|\s+meshmode=(\.*)$</regex>
+  <order>meshmode</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+message_type="(\.*)"|\s+message_type=(\.*)\s|\s+message_type=(\.*)$</regex>
+  <order>message_type</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+method="(\.*)"|\s+method=(\.*)\s|\s+method=(\.*)$</regex>
+  <order>method</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+mgmtcnt="(\.*)"|\s+mgmtcnt=(\.*)\s|\s+mgmtcnt=(\.*)$</regex>
+  <order>mgmtcnt</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+mitm="(\.*)"|\s+mitm=(\.*)\s|\s+mitm=(\.*)$</regex>
+  <order>mitm</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+mode="(\.*)"|\s+mode=(\.*)\s|\s+mode=(\.*)$</regex>
+  <order>mode</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+model="(\.*)"|\s+model=(\.*)\s|\s+model=(\.*)$</regex>
+  <order>model</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+module="(\.*)"|\s+module=(\.*)\s|\s+module=(\.*)$</regex>
+  <order>module</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+monitor="(\.*)"|\s+monitor=(\.*)\s|\s+monitor=(\.*)$</regex>
+  <order>monitor</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+moscodec="(\.*)"|\s+moscodec=(\.*)\s|\s+moscodec=(\.*)$</regex>
+  <order>moscodec</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+mosvalue="(\.*)"|\s+mosvalue=(\.*)\s|\s+mosvalue=(\.*)$</regex>
+  <order>mosvalue</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+mpsk="(\.*)"|\s+mpsk=(\.*)\s|\s+mpsk=(\.*)$</regex>
+  <order>mpsk</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+msg="(\.*)"|\s+msg=(\.*)\s|\s+msg=(\.*)$</regex>
+  <order>msg</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+msgtypename="(\.*)"|\s+msgtypename=(\.*)\s|\s+msgtypename=(\.*)$</regex>
+  <order>msgtypename</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+msisdn="(\.*)"|\s+msisdn=(\.*)\s|\s+msisdn=(\.*)$</regex>
+  <order>msisdn</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+mtu="(\.*)"|\s+mtu=(\.*)\s|\s+mtu=(\.*)$</regex>
+  <order>mtu</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+nai="(\.*)"|\s+nai=(\.*)\s|\s+nai=(\.*)$</regex>
+  <order>nai</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+name="(\.*)"|\s+name=(\.*)\s|\s+name=(\.*)$</regex>
+  <order>name</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+nat="(\.*)"|\s+nat=(\.*)\s|\s+nat=(\.*)$</regex>
+  <order>nat</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+neighbor="(\.*)"|\s+neighbor=(\.*)\s|\s+neighbor=(\.*)$</regex>
+  <order>neighbor</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+netid="(\.*)"|\s+netid=(\.*)\s|\s+netid=(\.*)$</regex>
+  <order>netid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+networktransfertime="(\.*)"|\s+networktransfertime=(\.*)\s|\s+networktransfertime=(\.*)$</regex>
+  <order>networktransfertime</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+new_status="(\.*)"|\s+new_status=(\.*)\s|\s+new_status=(\.*)$</regex>
+  <order>new_status</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+new_value="(\.*)"|\s+new_value=(\.*)\s|\s+new_value=(\.*)$</regex>
+  <order>new_value</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+newchannel="(\.*)"|\s+newchannel=(\.*)\s|\s+newchannel=(\.*)$</regex>
+  <order>newchannel</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+newchassisid="(\.*)"|\s+newchassisid=(\.*)\s|\s+newchassisid=(\.*)$</regex>
+  <order>newchassisid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+newslot="(\.*)"|\s+newslot=(\.*)\s|\s+newslot=(\.*)$</regex>
+  <order>newslot</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+newvalue="(\.*)"|\s+newvalue=(\.*)\s|\s+newvalue=(\.*)$</regex>
+  <order>newvalue</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+nextstat="(\.*)"|\s+nextstat=(\.*)\s|\s+nextstat=(\.*)$</regex>
+  <order>nextstat</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+noise="(\.*)"|\s+noise=(\.*)\s|\s+noise=(\.*)$</regex>
+  <order>noise</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+notafter="(\.*)"|\s+notafter=(\.*)\s|\s+notafter=(\.*)$</regex>
+  <order>notafter</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+notbefore="(\.*)"|\s+notbefore=(\.*)\s|\s+notbefore=(\.*)$</regex>
+  <order>notbefore</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+nsapi="(\.*)"|\s+nsapi=(\.*)\s|\s+nsapi=(\.*)$</regex>
+  <order>nsapi</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+numpassmember="(\.*)"|\s+numpassmember=(\.*)\s|\s+numpassmember=(\.*)$</regex>
+  <order>numpassmember</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+old_status="(\.*)"|\s+old_status=(\.*)\s|\s+old_status=(\.*)$</regex>
+  <order>old_status</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+old_value="(\.*)"|\s+old_value=(\.*)\s|\s+old_value=(\.*)$</regex>
+  <order>old_value</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+oldchannel="(\.*)"|\s+oldchannel=(\.*)\s|\s+oldchannel=(\.*)$</regex>
+  <order>oldchannel</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+oldchassisid="(\.*)"|\s+oldchassisid=(\.*)\s|\s+oldchassisid=(\.*)$</regex>
+  <order>oldchassisid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+oldslot="(\.*)"|\s+oldslot=(\.*)\s|\s+oldslot=(\.*)$</regex>
+  <order>oldslot</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+oldsn="(\.*)"|\s+oldsn=(\.*)\s|\s+oldsn=(\.*)$</regex>
+  <order>oldsn</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+oldvalue="(\.*)"|\s+oldvalue=(\.*)\s|\s+oldvalue=(\.*)$</regex>
+  <order>oldvalue</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+oldwprof="(\.*)"|\s+oldwprof=(\.*)\s|\s+oldwprof=(\.*)$</regex>
+  <order>oldwprof</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+onwire="(\.*)"|\s+onwire=(\.*)\s|\s+onwire=(\.*)$</regex>
+  <order>onwire</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+opercountry="(\.*)"|\s+opercountry=(\.*)\s|\s+opercountry=(\.*)$</regex>
+  <order>opercountry</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+operdrmamode="(\.*)"|\s+operdrmamode=(\.*)\s|\s+operdrmamode=(\.*)$</regex>
+  <order>operdrmamode</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+opertxpower="(\.*)"|\s+opertxpower=(\.*)\s|\s+opertxpower=(\.*)$</regex>
+  <order>opertxpower</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+osname="(\.*)"|\s+osname=(\.*)\s|\s+osname=(\.*)$</regex>
+  <order>osname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+out_spi="(\.*)"|\s+out_spi=(\.*)\s|\s+out_spi=(\.*)$</regex>
+  <order>out_spi</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+outbandwidth="(\.*)"|\s+outbandwidth=(\.*)\s|\s+outbandwidth=(\.*)$</regex>
+  <order>outbandwidth</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+outbandwidthavailable="(\.*)"|\s+outbandwidthavailable=(\.*)\s|\s+outbandwidthavailable=(\.*)$</regex>
+  <order>outbandwidthavailable</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+outbandwidthused="(\.*)"|\s+outbandwidthused=(\.*)\s|\s+outbandwidthused=(\.*)$</regex>
+  <order>outbandwidthused</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+outintf="(\.*)"|\s+outintf=(\.*)\s|\s+outintf=(\.*)$</regex>
+  <order>outintf</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+packetloss="(\.*)"|\s+packetloss=(\.*)\s|\s+packetloss=(\.*)$</regex>
+  <order>packetloss</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+parameters="(\.*)"|\s+parameters=(\.*)\s|\s+parameters=(\.*)$</regex>
+  <order>parameters</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+passedcount="(\.*)"|\s+passedcount=(\.*)\s|\s+passedcount=(\.*)$</regex>
+  <order>passedcount</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+passwd="(\.*)"|\s+passwd=(\.*)\s|\s+passwd=(\.*)$</regex>
+  <order>passwd</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+path="(\.*)"|\s+path=(\.*)\s|\s+path=(\.*)$</regex>
+  <order>path</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+pathname="(\.*)"|\s+pathname=(\.*)\s|\s+pathname=(\.*)$</regex>
+  <order>pathname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+pdstport="(\.*)"|\s+pdstport=(\.*)\s|\s+pdstport=(\.*)$</regex>
+  <order>pdstport</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+peer="(\.*)"|\s+peer=(\.*)\s|\s+peer=(\.*)$</regex>
+  <order>peer</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+peer_notif="(\.*)"|\s+peer_notif=(\.*)\s|\s+peer_notif=(\.*)$</regex>
+  <order>peer_notif</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+phase="(\.*)"|\s+phase=(\.*)\s|\s+phase=(\.*)$</regex>
+  <order>phase</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+phone="(\.*)"|\s+phone=(\.*)\s|\s+phone=(\.*)$</regex>
+  <order>phone</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+pid="(\.*)"|\s+pid=(\.*)\s|\s+pid=(\.*)$</regex>
+  <order>pid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+policy_id="(\.*)"|\s+policy_id=(\.*)\s|\s+policy_id=(\.*)$</regex>
+  <order>policy_id</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+policyid="(\.*)"|\s+policyid=(\.*)\s|\s+policyid=(\.*)$</regex>
+  <order>policyid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+policymode="(\.*)"|\s+policymode=(\.*)\s|\s+policymode=(\.*)$</regex>
+  <order>policymode</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+policyname="(\.*)"|\s+policyname=(\.*)\s|\s+policyname=(\.*)$</regex>
+  <order>policyname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+policytype="(\.*)"|\s+policytype=(\.*)\s|\s+policytype=(\.*)$</regex>
+  <order>policytype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+poluuid="(\.*)"|\s+poluuid=(\.*)\s|\s+poluuid=(\.*)$</regex>
+  <order>poluuid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+poolname="(\.*)"|\s+poolname=(\.*)\s|\s+poolname=(\.*)$</regex>
+  <order>poolname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+port="(\.*)"|\s+port=(\.*)\s|\s+port=(\.*)$</regex>
+  <order>port</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+portbegin="(\.*)"|\s+portbegin=(\.*)\s|\s+portbegin=(\.*)$</regex>
+  <order>portbegin</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+portend="(\.*)"|\s+portend=(\.*)\s|\s+portend=(\.*)$</regex>
+  <order>portend</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+probeproto="(\.*)"|\s+probeproto=(\.*)\s|\s+probeproto=(\.*)$</regex>
+  <order>probeproto</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+process="(\.*)"|\s+process=(\.*)\s|\s+process=(\.*)$</regex>
+  <order>process</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+processtime="(\.*)"|\s+processtime=(\.*)\s|\s+processtime=(\.*)$</regex>
+  <order>processtime</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+product="(\.*)"|\s+product=(\.*)\s|\s+product=(\.*)$</regex>
+  <order>product</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+profile="(\.*)"|\s+profile=(\.*)\s|\s+profile=(\.*)$</regex>
+  <order>profile</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+profiletype="(\.*)"|\s+profiletype=(\.*)\s|\s+profiletype=(\.*)$</regex>
+  <order>profiletype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+proto="(\.*)"|\s+proto=(\.*)\s|\s+proto=(\.*)$</regex>
+  <order>proto</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+protocol="(\.*)"|\s+protocol=(\.*)\s|\s+protocol=(\.*)$</regex>
+  <order>protocol</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+proxyapptype="(\.*)"|\s+proxyapptype=(\.*)\s|\s+proxyapptype=(\.*)$</regex>
+  <order>proxyapptype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+psrcport="(\.*)"|\s+psrcport=(\.*)\s|\s+psrcport=(\.*)$</regex>
+  <order>psrcport</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+qclass="(\.*)"|\s+qclass=(\.*)\s|\s+qclass=(\.*)$</regex>
+  <order>qclass</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+qname="(\.*)"|\s+qname=(\.*)\s|\s+qname=(\.*)$</regex>
+  <order>qname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+qtype="(\.*)"|\s+qtype=(\.*)\s|\s+qtype=(\.*)$</regex>
+  <order>qtype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+qtypeval="(\.*)"|\s+qtypeval=(\.*)\s|\s+qtypeval=(\.*)$</regex>
+  <order>qtypeval</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+quarskip="(\.*)"|\s+quarskip=(\.*)\s|\s+quarskip=(\.*)$</regex>
+  <order>quarskip</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+quotaexceeded="(\.*)"|\s+quotaexceeded=(\.*)\s|\s+quotaexceeded=(\.*)$</regex>
+  <order>quotaexceeded</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+quotamax="(\.*)"|\s+quotamax=(\.*)\s|\s+quotamax=(\.*)$</regex>
+  <order>quotamax</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+quotatype="(\.*)"|\s+quotatype=(\.*)\s|\s+quotatype=(\.*)$</regex>
+  <order>quotatype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+quotaused="(\.*)"|\s+quotaused=(\.*)\s|\s+quotaused=(\.*)$</regex>
+  <order>quotaused</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+radioband="(\.*)"|\s+radioband=(\.*)\s|\s+radioband=(\.*)$</regex>
+  <order>radioband</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+radioid="(\.*)"|\s+radioid=(\.*)\s|\s+radioid=(\.*)$</regex>
+  <order>radioid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+radioidclosest="(\.*)"|\s+radioidclosest=(\.*)\s|\s+radioidclosest=(\.*)$</regex>
+  <order>radioidclosest</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+radioiddetected="(\.*)"|\s+radioiddetected=(\.*)\s|\s+radioiddetected=(\.*)$</regex>
+  <order>radioiddetected</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+rai="(\.*)"|\s+rai=(\.*)\s|\s+rai=(\.*)$</regex>
+  <order>rai</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+rat="(\.*)"|\s+rat=(\.*)\s|\s+rat=(\.*)$</regex>
+  <order>rat</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+rate="(\.*)"|\s+rate=(\.*)\s|\s+rate=(\.*)$</regex>
+  <order>rate</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ratemethod="(\.*)"|\s+ratemethod=(\.*)\s|\s+ratemethod=(\.*)$</regex>
+  <order>ratemethod</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+rawdata="(\.*)"|\s+rawdata=(\.*)\s|\s+rawdata=(\.*)$</regex>
+  <order>rawdata</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+rawdataid="(\.*)"|\s+rawdataid=(\.*)\s|\s+rawdataid=(\.*)$</regex>
+  <order>rawdataid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+rcode="(\.*)"|\s+rcode=(\.*)\s|\s+rcode=(\.*)$</regex>
+  <order>rcode</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+rcvdbyte="(\.*)"|\s+rcvdbyte=(\.*)\s|\s+rcvdbyte=(\.*)$</regex>
+  <order>rcvdbyte</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+rcvddelta="(\.*)"|\s+rcvddelta=(\.*)\s|\s+rcvddelta=(\.*)$</regex>
+  <order>rcvddelta</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+rcvdpkt="(\.*)"|\s+rcvdpkt=(\.*)\s|\s+rcvdpkt=(\.*)$</regex>
+  <order>rcvdpkt</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+rcvdpktdelta="(\.*)"|\s+rcvdpktdelta=(\.*)\s|\s+rcvdpktdelta=(\.*)$</regex>
+  <order>rcvdpktdelta</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+realserverid="(\.*)"|\s+realserverid=(\.*)\s|\s+realserverid=(\.*)$</regex>
+  <order>realserverid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+reason="(\.*)"|\s+reason=(\.*)\s|\s+reason=(\.*)$</regex>
+  <order>reason</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+received="(\.*)"|\s+received=(\.*)\s|\s+received=(\.*)$</regex>
+  <order>received</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+receivedsignature="(\.*)"|\s+receivedsignature=(\.*)\s|\s+receivedsignature=(\.*)$</regex>
+  <order>receivedsignature</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+recipient="(\.*)"|\s+recipient=(\.*)\s|\s+recipient=(\.*)$</regex>
+  <order>recipient</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+red="(\.*)"|\s+red=(\.*)\s|\s+red=(\.*)$</regex>
+  <order>red</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ref="(\.*)"|\s+ref=(\.*)\s|\s+ref=(\.*)$</regex>
+  <order>ref</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+referralurl="(\.*)"|\s+referralurl=(\.*)\s|\s+referralurl=(\.*)$</regex>
+  <order>referralurl</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+remip="(\.*)"|\s+remip=(\.*)\s|\s+remip=(\.*)$</regex>
+  <order>remip</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+remote="(\.*)"|\s+remote=(\.*)\s|\s+remote=(\.*)$</regex>
+  <order>remote</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+remotetunnelid="(\.*)"|\s+remotetunnelid=(\.*)\s|\s+remotetunnelid=(\.*)$</regex>
+  <order>remotetunnelid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+remotewtptime="(\.*)"|\s+remotewtptime=(\.*)\s|\s+remotewtptime=(\.*)$</regex>
+  <order>remotewtptime</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+remport="(\.*)"|\s+remport=(\.*)\s|\s+remport=(\.*)$</regex>
+  <order>remport</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+replydstintf="(\.*)"|\s+replydstintf=(\.*)\s|\s+replydstintf=(\.*)$</regex>
+  <order>replydstintf</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+replysrcintf="(\.*)"|\s+replysrcintf=(\.*)\s|\s+replysrcintf=(\.*)$</regex>
+  <order>replysrcintf</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+reporttype="(\.*)"|\s+reporttype=(\.*)\s|\s+reporttype=(\.*)$</regex>
+  <order>reporttype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+reqtype="(\.*)"|\s+reqtype=(\.*)\s|\s+reqtype=(\.*)$</regex>
+  <order>reqtype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+request_name="(\.*)"|\s+request_name=(\.*)\s|\s+request_name=(\.*)$</regex>
+  <order>request_name</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+result="(\.*)"|\s+result=(\.*)\s|\s+result=(\.*)$</regex>
+  <order>result</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+role="(\.*)"|\s+role=(\.*)\s|\s+role=(\.*)$</regex>
+  <order>role</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+rssi="(\.*)"|\s+rssi=(\.*)\s|\s+rssi=(\.*)$</regex>
+  <order>rssi</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+rsso_key="(\.*)"|\s+rsso_key=(\.*)\s|\s+rsso_key=(\.*)$</regex>
+  <order>rsso_key</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ruleid="(\.*)"|\s+ruleid=(\.*)\s|\s+ruleid=(\.*)$</regex>
+  <order>ruleid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+rulename="(\.*)"|\s+rulename=(\.*)\s|\s+rulename=(\.*)$</regex>
+  <order>rulename</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+saasapp="(\.*)"|\s+saasapp=(\.*)\s|\s+saasapp=(\.*)$</regex>
+  <order>saasapp</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+saasname="(\.*)"|\s+saasname=(\.*)\s|\s+saasname=(\.*)$</regex>
+  <order>saasname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+saddr="(\.*)"|\s+saddr=(\.*)\s|\s+saddr=(\.*)$</regex>
+  <order>saddr</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+san="(\.*)"|\s+san=(\.*)\s|\s+san=(\.*)$</regex>
+  <order>san</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+scantime="(\.*)"|\s+scantime=(\.*)\s|\s+scantime=(\.*)$</regex>
+  <order>scantime</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+scertcname="(\.*)"|\s+scertcname=(\.*)\s|\s+scertcname=(\.*)$</regex>
+  <order>scertcname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+scertissuer="(\.*)"|\s+scertissuer=(\.*)\s|\s+scertissuer=(\.*)$</regex>
+  <order>scertissuer</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+scope="(\.*)"|\s+scope=(\.*)\s|\s+scope=(\.*)$</regex>
+  <order>scope</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+security="(\.*)"|\s+security=(\.*)\s|\s+security=(\.*)$</regex>
+  <order>security</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+selection="(\.*)"|\s+selection=(\.*)\s|\s+selection=(\.*)$</regex>
+  <order>selection</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+sender="(\.*)"|\s+sender=(\.*)\s|\s+sender=(\.*)$</regex>
+  <order>sender</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+sensitivity="(\.*)"|\s+sensitivity=(\.*)\s|\s+sensitivity=(\.*)$</regex>
+  <order>sensitivity</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+sensor="(\.*)"|\s+sensor=(\.*)\s|\s+sensor=(\.*)$</regex>
+  <order>sensor</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+sentbyte="(\.*)"|\s+sentbyte=(\.*)\s|\s+sentbyte=(\.*)$</regex>
+  <order>sentbyte</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+sentdelta="(\.*)"|\s+sentdelta=(\.*)\s|\s+sentdelta=(\.*)$</regex>
+  <order>sentdelta</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+sentpkt="(\.*)"|\s+sentpkt=(\.*)\s|\s+sentpkt=(\.*)$</regex>
+  <order>sentpkt</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+sentpktdelta="(\.*)"|\s+sentpktdelta=(\.*)\s|\s+sentpktdelta=(\.*)$</regex>
+  <order>sentpktdelta</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+seq="(\.*)"|\s+seq=(\.*)\s|\s+seq=(\.*)$</regex>
+  <order>seq</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+seqnum="(\.*)"|\s+seqnum=(\.*)\s|\s+seqnum=(\.*)$</regex>
+  <order>seqnum</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+serial="(\.*)"|\s+serial=(\.*)\s|\s+serial=(\.*)$</regex>
+  <order>serial</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+serialno="(\.*)"|\s+serialno=(\.*)\s|\s+serialno=(\.*)$</regex>
+  <order>serialno</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+server="(\.*)"|\s+server=(\.*)\s|\s+server=(\.*)$</regex>
+  <order>server</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+serveraddr="(\.*)"|\s+serveraddr=(\.*)\s|\s+serveraddr=(\.*)$</regex>
+  <order>serveraddr</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+servername="(\.*)"|\s+servername=(\.*)\s|\s+servername=(\.*)$</regex>
+  <order>servername</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+serverresponsetime="(\.*)"|\s+serverresponsetime=(\.*)\s|\s+serverresponsetime=(\.*)$</regex>
+  <order>serverresponsetime</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+service="(\.*)"|\s+service=(\.*)\s|\s+service=(\.*)$</regex>
+  <order>service</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+serviceid="(\.*)"|\s+serviceid=(\.*)\s|\s+serviceid=(\.*)$</regex>
+  <order>serviceid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+session_id="(\.*)"|\s+session_id=(\.*)\s|\s+session_id=(\.*)$</regex>
+  <order>session_id</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+sessionid="(\.*)"|\s+sessionid=(\.*)\s|\s+sessionid=(\.*)$</regex>
+  <order>sessionid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+setuprate="(\.*)"|\s+setuprate=(\.*)\s|\s+setuprate=(\.*)$</regex>
+  <order>setuprate</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+severity="(\.*)"|\s+severity=(\.*)\s|\s+severity=(\.*)$</regex>
+  <order>severity</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+shaperdroprcvdbyte="(\.*)"|\s+shaperdroprcvdbyte=(\.*)\s|\s+shaperdroprcvdbyte=(\.*)$</regex>
+  <order>shaperdroprcvdbyte</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+shaperdropsentbyte="(\.*)"|\s+shaperdropsentbyte=(\.*)\s|\s+shaperdropsentbyte=(\.*)$</regex>
+  <order>shaperdropsentbyte</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+shaperperipdropbyte="(\.*)"|\s+shaperperipdropbyte=(\.*)\s|\s+shaperperipdropbyte=(\.*)$</regex>
+  <order>shaperperipdropbyte</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+shaperperipname="(\.*)"|\s+shaperperipname=(\.*)\s|\s+shaperperipname=(\.*)$</regex>
+  <order>shaperperipname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+shaperrcvdname="(\.*)"|\s+shaperrcvdname=(\.*)\s|\s+shaperrcvdname=(\.*)$</regex>
+  <order>shaperrcvdname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+shapersentname="(\.*)"|\s+shapersentname=(\.*)\s|\s+shapersentname=(\.*)$</regex>
+  <order>shapersentname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+shapingpolicyid="(\.*)"|\s+shapingpolicyid=(\.*)\s|\s+shapingpolicyid=(\.*)$</regex>
+  <order>shapingpolicyid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+shapingpolicyname="(\.*)"|\s+shapingpolicyname=(\.*)\s|\s+shapingpolicyname=(\.*)$</regex>
+  <order>shapingpolicyname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+sharename="(\.*)"|\s+sharename=(\.*)\s|\s+sharename=(\.*)$</regex>
+  <order>sharename</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+signal="(\.*)"|\s+signal=(\.*)\s|\s+signal=(\.*)$</regex>
+  <order>signal</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+size="(\.*)"|\s+size=(\.*)\s|\s+size=(\.*)$</regex>
+  <order>size</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ski="(\.*)"|\s+ski=(\.*)\s|\s+ski=(\.*)$</regex>
+  <order>ski</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+slamap="(\.*)"|\s+slamap=(\.*)\s|\s+slamap=(\.*)$</regex>
+  <order>slamap</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+slatargetid="(\.*)"|\s+slatargetid=(\.*)\s|\s+slatargetid=(\.*)$</regex>
+  <order>slatargetid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+slctdrmamode="(\.*)"|\s+slctdrmamode=(\.*)\s|\s+slctdrmamode=(\.*)$</regex>
+  <order>slctdrmamode</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+slot="(\.*)"|\s+slot=(\.*)\s|\s+slot=(\.*)$</regex>
+  <order>slot</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+sn="(\.*)"|\s+sn=(\.*)\s|\s+sn=(\.*)$</regex>
+  <order>sn</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+snclosest="(\.*)"|\s+snclosest=(\.*)\s|\s+snclosest=(\.*)$</regex>
+  <order>snclosest</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+sndetected="(\.*)"|\s+sndetected=(\.*)\s|\s+sndetected=(\.*)$</regex>
+  <order>sndetected</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+snetwork="(\.*)"|\s+snetwork=(\.*)\s|\s+snetwork=(\.*)$</regex>
+  <order>snetwork</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+sni="(\.*)"|\s+sni=(\.*)\s|\s+sni=(\.*)$</regex>
+  <order>sni</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+snmeshparent="(\.*)"|\s+snmeshparent=(\.*)\s|\s+snmeshparent=(\.*)$</regex>
+  <order>snmeshparent</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+snprev="(\.*)"|\s+snprev=(\.*)\s|\s+snprev=(\.*)$</regex>
+  <order>snprev</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+snr="(\.*)"|\s+snr=(\.*)\s|\s+snr=(\.*)$</regex>
+  <order>snr</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+source_mac="(\.*)"|\s+source_mac=(\.*)\s|\s+source_mac=(\.*)$</regex>
+  <order>source_mac</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+speedtestserver="(\.*)"|\s+speedtestserver=(\.*)\s|\s+speedtestserver=(\.*)$</regex>
+  <order>speedtestserver</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+spi="(\.*)"|\s+spi=(\.*)\s|\s+spi=(\.*)$</regex>
+  <order>spi</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+src_int="(\.*)"|\s+src_int=(\.*)\s|\s+src_int=(\.*)$</regex>
+  <order>src_int</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+src_port="(\.*)"|\s+src_port=(\.*)\s|\s+src_port=(\.*)$</regex>
+  <order>src_port</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srccity="(\.*)"|\s+srccity=(\.*)\s|\s+srccity=(\.*)$</regex>
+  <order>srccity</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srccountry="(\.*)"|\s+srccountry=(\.*)\s|\s+srccountry=(\.*)$</regex>
+  <order>srccountry</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srcdomain="(\.*)"|\s+srcdomain=(\.*)\s|\s+srcdomain=(\.*)$</regex>
+  <order>srcdomain</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srcfamily="(\.*)"|\s+srcfamily=(\.*)\s|\s+srcfamily=(\.*)$</regex>
+  <order>srcfamily</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srchwvendor="(\.*)"|\s+srchwvendor=(\.*)\s|\s+srchwvendor=(\.*)$</regex>
+  <order>srchwvendor</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srchwversion="(\.*)"|\s+srchwversion=(\.*)\s|\s+srchwversion=(\.*)$</regex>
+  <order>srchwversion</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srcinetsvc="(\.*)"|\s+srcinetsvc=(\.*)\s|\s+srcinetsvc=(\.*)$</regex>
+  <order>srcinetsvc</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srcintf="(\.*)"|\s+srcintf=(\.*)\s|\s+srcintf=(\.*)$</regex>
+  <order>srcintf</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srcintfrole="(\.*)"|\s+srcintfrole=(\.*)\s|\s+srcintfrole=(\.*)$</regex>
+  <order>srcintfrole</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srcip="(\.*)"|\s+srcip=(\.*)\s|\s+srcip=(\.*)$</regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srcmac="(\.*)"|\s+srcmac=(\.*)\s|\s+srcmac=(\.*)$</regex>
+  <order>srcmac</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srcmacvendor="(\.*)"|\s+srcmacvendor=(\.*)\s|\s+srcmacvendor=(\.*)$</regex>
+  <order>srcmacvendor</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srcname="(\.*)"|\s+srcname=(\.*)\s|\s+srcname=(\.*)$</regex>
+  <order>srcname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srcport="(\.*)"|\s+srcport=(\.*)\s|\s+srcport=(\.*)$</regex>
+  <order>srcport</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srcregion="(\.*)"|\s+srcregion=(\.*)\s|\s+srcregion=(\.*)$</regex>
+  <order>srcregion</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srcremote="(\.*)"|\s+srcremote=(\.*)\s|\s+srcremote=(\.*)$</regex>
+  <order>srcremote</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srcreputation="(\.*)"|\s+srcreputation=(\.*)\s|\s+srcreputation=(\.*)$</regex>
+  <order>srcreputation</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srcserver="(\.*)"|\s+srcserver=(\.*)\s|\s+srcserver=(\.*)$</regex>
+  <order>srcserver</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srcssid="(\.*)"|\s+srcssid=(\.*)\s|\s+srcssid=(\.*)$</regex>
+  <order>srcssid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srcswversion="(\.*)"|\s+srcswversion=(\.*)\s|\s+srcswversion=(\.*)$</regex>
+  <order>srcswversion</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srcthreatfeed="(\.*)"|\s+srcthreatfeed=(\.*)\s|\s+srcthreatfeed=(\.*)$</regex>
+  <order>srcthreatfeed</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+srcuuid="(\.*)"|\s+srcuuid=(\.*)\s|\s+srcuuid=(\.*)$</regex>
+  <order>srcuuid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+sscname="(\.*)"|\s+sscname=(\.*)\s|\s+sscname=(\.*)$</regex>
+  <order>sscname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ssh="(\.*)"|\s+ssh=(\.*)\s|\s+ssh=(\.*)$</regex>
+  <order>ssh</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ssid="(\.*)"|\s+ssid=(\.*)\s|\s+ssid=(\.*)$</regex>
+  <order>ssid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ssl="(\.*)"|\s+ssl=(\.*)\s|\s+ssl=(\.*)$</regex>
+  <order>ssl</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+sslaction="(\.*)"|\s+sslaction=(\.*)\s|\s+sslaction=(\.*)$</regex>
+  <order>sslaction</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ssllocal="(\.*)"|\s+ssllocal=(\.*)\s|\s+ssllocal=(\.*)$</regex>
+  <order>ssllocal</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+sslremote="(\.*)"|\s+sslremote=(\.*)\s|\s+sslremote=(\.*)$</regex>
+  <order>sslremote</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+stacount="(\.*)"|\s+stacount=(\.*)\s|\s+stacount=(\.*)$</regex>
+  <order>stacount</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+stage="(\.*)"|\s+stage=(\.*)\s|\s+stage=(\.*)$</regex>
+  <order>stage</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+stamac="(\.*)"|\s+stamac=(\.*)\s|\s+stamac=(\.*)$</regex>
+  <order>stamac</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+state="(\.*)"|\s+state=(\.*)\s|\s+state=(\.*)$</regex>
+  <order>state</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+status="(\.*)"|\s+status=(\.*)\s|\s+status=(\.*)$</regex>
+  <order>status</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+stitch="(\.*)"|\s+stitch=(\.*)\s|\s+stitch=(\.*)$</regex>
+  <order>stitch</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+stitchaction="(\.*)"|\s+stitchaction=(\.*)\s|\s+stitchaction=(\.*)$</regex>
+  <order>stitchaction</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+subject="(\.*)"|\s+subject=(\.*)\s|\s+subject=(\.*)$</regex>
+  <order>subject</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+submodule="(\.*)"|\s+submodule=(\.*)\s|\s+submodule=(\.*)$</regex>
+  <order>submodule</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+subservice="(\.*)"|\s+subservice=(\.*)\s|\s+subservice=(\.*)$</regex>
+  <order>subservice</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+subtype="(\.*)"|\s+subtype=(\.*)\s|\s+subtype=(\.*)$</regex>
+  <order>subtype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+successcount="(\.*)"|\s+successcount=(\.*)\s|\s+successcount=(\.*)$</regex>
+  <order>successcount</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+switchaclid="(\.*)"|\s+switchaclid=(\.*)\s|\s+switchaclid=(\.*)$</regex>
+  <order>switchaclid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+switchautoip="(\.*)"|\s+switchautoip=(\.*)\s|\s+switchautoip=(\.*)$</regex>
+  <order>switchautoip</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+switchid="(\.*)"|\s+switchid=(\.*)\s|\s+switchid=(\.*)$</regex>
+  <order>switchid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+switchinterface="(\.*)"|\s+switchinterface=(\.*)\s|\s+switchinterface=(\.*)$</regex>
+  <order>switchinterface</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+switchl="(\.*)"|\s+switchl=(\.*)\s|\s+switchl=(\.*)$</regex>
+  <order>switchl</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+switchmirrorsession="(\.*)"|\s+switchmirrorsession=(\.*)\s|\s+switchmirrorsession=(\.*)$</regex>
+  <order>switchmirrorsession</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+switchphysicalport="(\.*)"|\s+switchphysicalport=(\.*)\s|\s+switchphysicalport=(\.*)$</regex>
+  <order>switchphysicalport</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+switchproto="(\.*)"|\s+switchproto=(\.*)\s|\s+switchproto=(\.*)$</regex>
+  <order>switchproto</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+switchsysteminterface="(\.*)"|\s+switchsysteminterface=(\.*)\s|\s+switchsysteminterface=(\.*)$</regex>
+  <order>switchsysteminterface</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+switchtrunk="(\.*)"|\s+switchtrunk=(\.*)\s|\s+switchtrunk=(\.*)$</regex>
+  <order>switchtrunk</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+switchtrunkinterface="(\.*)"|\s+switchtrunkinterface=(\.*)\s|\s+switchtrunkinterface=(\.*)$</regex>
+  <order>switchtrunkinterface</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+sysuptime="(\.*)"|\s+sysuptime=(\.*)\s|\s+sysuptime=(\.*)$</regex>
+  <order>sysuptime</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+tamac="(\.*)"|\s+tamac=(\.*)\s|\s+tamac=(\.*)$</regex>
+  <order>tamac</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+threattype="(\.*)"|\s+threattype=(\.*)\s|\s+threattype=(\.*)$</regex>
+  <order>threattype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ticket="(\.*)"|\s+ticket=(\.*)\s|\s+ticket=(\.*)$</regex>
+  <order>ticket</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+time="(\.*)"|\s+time=(\.*)\s|\s+time=(\.*)$</regex>
+  <order>time</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+timeoutdelete="(\.*)"|\s+timeoutdelete=(\.*)\s|\s+timeoutdelete=(\.*)$</regex>
+  <order>timeoutdelete</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+timestamp="(\.*)"|\s+timestamp=(\.*)\s|\s+timestamp=(\.*)$</regex>
+  <order>timestamp</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+tlsver="(\.*)"|\s+tlsver=(\.*)\s|\s+tlsver=(\.*)$</regex>
+  <order>tlsver</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+to="(\.*)"|\s+to=(\.*)\s|\s+to=(\.*)$</regex>
+  <order>to</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+to_vcluster="(\.*)"|\s+to_vcluster=(\.*)\s|\s+to_vcluster=(\.*)$</regex>
+  <order>to_vcluster</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+total="(\.*)"|\s+total=(\.*)\s|\s+total=(\.*)$</regex>
+  <order>total</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+totalsession="(\.*)"|\s+totalsession=(\.*)\s|\s+totalsession=(\.*)$</regex>
+  <order>totalsession</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+traffic="(\.*)"|\s+traffic=(\.*)\s|\s+traffic=(\.*)$</regex>
+  <order>traffic</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+trandisp="(\.*)"|\s+trandisp=(\.*)\s|\s+trandisp=(\.*)$</regex>
+  <order>trandisp</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+tranip="(\.*)"|\s+tranip=(\.*)\s|\s+tranip=(\.*)$</regex>
+  <order>tranip</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+tranport="(\.*)"|\s+tranport=(\.*)\s|\s+tranport=(\.*)$</regex>
+  <order>tranport</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+transid="(\.*)"|\s+transid=(\.*)\s|\s+transid=(\.*)$</regex>
+  <order>transid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+transip="(\.*)"|\s+transip=(\.*)\s|\s+transip=(\.*)$</regex>
+  <order>transip</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+translationid="(\.*)"|\s+translationid=(\.*)\s|\s+translationid=(\.*)$</regex>
+  <order>translationid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+transport="(\.*)"|\s+transport=(\.*)\s|\s+transport=(\.*)$</regex>
+  <order>transport</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+trigger="(\.*)"|\s+trigger=(\.*)\s|\s+trigger=(\.*)$</regex>
+  <order>trigger</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+trueclntip="(\.*)"|\s+trueclntip=(\.*)\s|\s+trueclntip=(\.*)$</regex>
+  <order>trueclntip</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+tunnel="(\.*)"|\s+tunnel=(\.*)\s|\s+tunnel=(\.*)$</regex>
+  <order>tunnel</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+tunnelid="(\.*)"|\s+tunnelid=(\.*)\s|\s+tunnelid=(\.*)$</regex>
+  <order>tunnelid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+tunnelip="(\.*)"|\s+tunnelip=(\.*)\s|\s+tunnelip=(\.*)$</regex>
+  <order>tunnelip</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+tunneltype="(\.*)"|\s+tunneltype=(\.*)\s|\s+tunneltype=(\.*)$</regex>
+  <order>tunneltype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+type="(\.*)"|\s+type=(\.*)\s|\s+type=(\.*)$</regex>
+  <order>type</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+tz="(\.*)"|\s+tz=(\.*)\s|\s+tz=(\.*)$</regex>
+  <order>tz</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ufseid="(\.*)"|\s+ufseid=(\.*)\s|\s+ufseid=(\.*)$</regex>
+  <order>ufseid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ufseidaddr="(\.*)"|\s+ufseidaddr=(\.*)\s|\s+ufseidaddr=(\.*)$</regex>
+  <order>ufseidaddr</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+uggsn="(\.*)"|\s+uggsn=(\.*)\s|\s+uggsn=(\.*)$</regex>
+  <order>uggsn</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ugsn="(\.*)"|\s+ugsn=(\.*)\s|\s+ugsn=(\.*)$</regex>
+  <order>ugsn</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ui="(\.*)"|\s+ui=(\.*)\s|\s+ui=(\.*)$</regex>
+  <order>ui</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+uli="(\.*)"|\s+uli=(\.*)\s|\s+uli=(\.*)$</regex>
+  <order>uli</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ulimcc="(\.*)"|\s+ulimcc=(\.*)\s|\s+ulimcc=(\.*)$</regex>
+  <order>ulimcc</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+ulimnc="(\.*)"|\s+ulimnc=(\.*)\s|\s+ulimnc=(\.*)$</regex>
+  <order>ulimnc</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+unauthuser="(\.*)"|\s+unauthuser=(\.*)\s|\s+unauthuser=(\.*)$</regex>
+  <order>unauthuser</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+unauthusersource="(\.*)"|\s+unauthusersource=(\.*)\s|\s+unauthusersource=(\.*)$</regex>
+  <order>unauthusersource</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+unit="(\.*)"|\s+unit=(\.*)\s|\s+unit=(\.*)$</regex>
+  <order>unit</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+upbandwidthmeasured="(\.*)"|\s+upbandwidthmeasured=(\.*)\s|\s+upbandwidthmeasured=(\.*)$</regex>
+  <order>upbandwidthmeasured</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+upgradedevice="(\.*)"|\s+upgradedevice=(\.*)\s|\s+upgradedevice=(\.*)$</regex>
+  <order>upgradedevice</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+upteid="(\.*)"|\s+upteid=(\.*)\s|\s+upteid=(\.*)$</regex>
+  <order>upteid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+url="(\.*)"|\s+url=(\.*)\s|\s+url=(\.*)$</regex>
+  <order>url</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+urlfilteridx="(\.*)"|\s+urlfilteridx=(\.*)\s|\s+urlfilteridx=(\.*)$</regex>
+  <order>urlfilteridx</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+urlfilterlist="(\.*)"|\s+urlfilterlist=(\.*)\s|\s+urlfilterlist=(\.*)$</regex>
+  <order>urlfilterlist</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+urlsource="(\.*)"|\s+urlsource=(\.*)\s|\s+urlsource=(\.*)$</regex>
+  <order>urlsource</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+urltype="(\.*)"|\s+urltype=(\.*)\s|\s+urltype=(\.*)$</regex>
+  <order>urltype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+used="(\.*)"|\s+used=(\.*)\s|\s+used=(\.*)$</regex>
+  <order>used</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+used_for="(\.*)"|\s+used_for=(\.*)\s|\s+used_for=(\.*)$</regex>
+  <order>used_for</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+user="(\.*)"|\s+user=(\.*)\s|\s+user=(\.*)$</regex>
+  <order>user</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+user_data="(\.*)"|\s+user_data=(\.*)\s|\s+user_data=(\.*)$</regex>
+  <order>user_data</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+useractivity="(\.*)"|\s+useractivity=(\.*)\s|\s+useractivity=(\.*)$</regex>
+  <order>useractivity</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+useralt="(\.*)"|\s+useralt=(\.*)\s|\s+useralt=(\.*)$</regex>
+  <order>useralt</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+usgsn="(\.*)"|\s+usgsn=(\.*)\s|\s+usgsn=(\.*)$</regex>
+  <order>usgsn</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+utmaction="(\.*)"|\s+utmaction=(\.*)\s|\s+utmaction=(\.*)$</regex>
+  <order>utmaction</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vap="(\.*)"|\s+vap=(\.*)\s|\s+vap=(\.*)$</regex>
+  <order>vap</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vapmode="(\.*)"|\s+vapmode=(\.*)\s|\s+vapmode=(\.*)$</regex>
+  <order>vapmode</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vcluster="(\.*)"|\s+vcluster=(\.*)\s|\s+vcluster=(\.*)$</regex>
+  <order>vcluster</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vcluster_member="(\.*)"|\s+vcluster_member=(\.*)\s|\s+vcluster_member=(\.*)$</regex>
+  <order>vcluster_member</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vcluster_state="(\.*)"|\s+vcluster_state=(\.*)\s|\s+vcluster_state=(\.*)$</regex>
+  <order>vcluster_state</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vd="(\.*)"|\s+vd=(\.*)\s|\s+vd=(\.*)$</regex>
+  <order>vd</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vdname="(\.*)"|\s+vdname=(\.*)\s|\s+vdname=(\.*)$</regex>
+  <order>vdname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vendor="(\.*)"|\s+vendor=(\.*)\s|\s+vendor=(\.*)$</regex>
+  <order>vendor</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vendorurl="(\.*)"|\s+vendorurl=(\.*)\s|\s+vendorurl=(\.*)$</regex>
+  <order>vendorurl</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+version="(\.*)"|\s+version=(\.*)\s|\s+version=(\.*)$</regex>
+  <order>version</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+versionmax="(\.*)"|\s+versionmax=(\.*)\s|\s+versionmax=(\.*)$</regex>
+  <order>versionmax</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+versionmin="(\.*)"|\s+versionmin=(\.*)\s|\s+versionmin=(\.*)$</regex>
+  <order>versionmin</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+videocategoryid="(\.*)"|\s+videocategoryid=(\.*)\s|\s+videocategoryid=(\.*)$</regex>
+  <order>videocategoryid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+videocategoryname="(\.*)"|\s+videocategoryname=(\.*)\s|\s+videocategoryname=(\.*)$</regex>
+  <order>videocategoryname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+videochannelid="(\.*)"|\s+videochannelid=(\.*)\s|\s+videochannelid=(\.*)$</regex>
+  <order>videochannelid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+videodesc="(\.*)"|\s+videodesc=(\.*)\s|\s+videodesc=(\.*)$</regex>
+  <order>videodesc</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+videoid="(\.*)"|\s+videoid=(\.*)\s|\s+videoid=(\.*)$</regex>
+  <order>videoid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+videoinfosource="(\.*)"|\s+videoinfosource=(\.*)\s|\s+videoinfosource=(\.*)$</regex>
+  <order>videoinfosource</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+videotitle="(\.*)"|\s+videotitle=(\.*)\s|\s+videotitle=(\.*)$</regex>
+  <order>videotitle</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+violations="(\.*)"|\s+violations=(\.*)\s|\s+violations=(\.*)$</regex>
+  <order>violations</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vip="(\.*)"|\s+vip=(\.*)\s|\s+vip=(\.*)$</regex>
+  <order>vip</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+virtual="(\.*)"|\s+virtual=(\.*)\s|\s+virtual=(\.*)$</regex>
+  <order>virtual</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+virus="(\.*)"|\s+virus=(\.*)\s|\s+virus=(\.*)$</regex>
+  <order>virus</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+viruscat="(\.*)"|\s+viruscat=(\.*)\s|\s+viruscat=(\.*)$</regex>
+  <order>viruscat</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+virusid="(\.*)"|\s+virusid=(\.*)\s|\s+virusid=(\.*)$</regex>
+  <order>virusid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vlan="(\.*)"|\s+vlan=(\.*)\s|\s+vlan=(\.*)$</regex>
+  <order>vlan</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+voip="(\.*)"|\s+voip=(\.*)\s|\s+voip=(\.*)$</regex>
+  <order>voip</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+voip_proto="(\.*)"|\s+voip_proto=(\.*)\s|\s+voip_proto=(\.*)$</regex>
+  <order>voip_proto</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vpn="(\.*)"|\s+vpn=(\.*)\s|\s+vpn=(\.*)$</regex>
+  <order>vpn</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vpntunnel="(\.*)"|\s+vpntunnel=(\.*)\s|\s+vpntunnel=(\.*)$</regex>
+  <order>vpntunnel</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vpntype="(\.*)"|\s+vpntype=(\.*)\s|\s+vpntype=(\.*)$</regex>
+  <order>vpntype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vrf="(\.*)"|\s+vrf=(\.*)\s|\s+vrf=(\.*)$</regex>
+  <order>vrf</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vulncat="(\.*)"|\s+vulncat=(\.*)\s|\s+vulncat=(\.*)$</regex>
+  <order>vulncat</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vulncnt="(\.*)"|\s+vulncnt=(\.*)\s|\s+vulncnt=(\.*)$</regex>
+  <order>vulncnt</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vulnid="(\.*)"|\s+vulnid=(\.*)\s|\s+vulnid=(\.*)$</regex>
+  <order>vulnid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vulnname="(\.*)"|\s+vulnname=(\.*)\s|\s+vulnname=(\.*)$</regex>
+  <order>vulnname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vulnresult="(\.*)"|\s+vulnresult=(\.*)\s|\s+vulnresult=(\.*)$</regex>
+  <order>vulnresult</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vwlid="(\.*)"|\s+vwlid=(\.*)\s|\s+vwlid=(\.*)$</regex>
+  <order>vwlid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vwlname="(\.*)"|\s+vwlname=(\.*)\s|\s+vwlname=(\.*)$</regex>
+  <order>vwlname</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vwlquality="(\.*)"|\s+vwlquality=(\.*)\s|\s+vwlquality=(\.*)$</regex>
+  <order>vwlquality</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vwlservice="(\.*)"|\s+vwlservice=(\.*)\s|\s+vwlservice=(\.*)$</regex>
+  <order>vwlservice</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+vwpvlanid="(\.*)"|\s+vwpvlanid=(\.*)\s|\s+vwpvlanid=(\.*)$</regex>
+  <order>vwpvlanid</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+waf="(\.*)"|\s+waf=(\.*)\s|\s+waf=(\.*)$</regex>
+  <order>waf</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+wanin="(\.*)"|\s+wanin=(\.*)\s|\s+wanin=(\.*)$</regex>
+  <order>wanin</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+waninfo="(\.*)"|\s+waninfo=(\.*)\s|\s+waninfo=(\.*)$</regex>
+  <order>waninfo</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+wanoptapptype="(\.*)"|\s+wanoptapptype=(\.*)\s|\s+wanoptapptype=(\.*)$</regex>
+  <order>wanoptapptype</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+wanout="(\.*)"|\s+wanout=(\.*)\s|\s+wanout=(\.*)$</regex>
+  <order>wanout</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+weakwepiv="(\.*)"|\s+weakwepiv=(\.*)\s|\s+weakwepiv=(\.*)$</regex>
+  <order>weakwepiv</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+webfilter="(\.*)"|\s+webfilter=(\.*)\s|\s+webfilter=(\.*)$</regex>
+  <order>webfilter</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+webmailprovider="(\.*)"|\s+webmailprovider=(\.*)\s|\s+webmailprovider=(\.*)$</regex>
+  <order>webmailprovider</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+wscode="(\.*)"|\s+wscode=(\.*)\s|\s+wscode=(\.*)$</regex>
+  <order>wscode</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+xauthgroup="(\.*)"|\s+xauthgroup=(\.*)\s|\s+xauthgroup=(\.*)$</regex>
+  <order>xauthgroup</order>
+</decoder>
+
+<decoder name="fortinet-fortigate-fields-v7">
+  <parent>fortinet-fortigate-firewall</parent>
+  <regex>\s+xauthuser="(\.*)"|\s+xauthuser=(\.*)\s|\s+xauthuser=(\.*)$</regex>
+  <order>xauthuser</order>
+</decoder>
+

0391-fortigate_rules.xml

@@ -0,0 +1,11103 @@
+
+<!--
+-  Fortigate rules
+-  Author: Alexander Tibor Assenheimer - github: alextibor
+-  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
+-  Rules create based on the Fortigate Log Reference from version 7.2.7 and 7.4.3
+-->
+
+<group name="fortigate,">
+
+    <rule id="100010" level="4">
+        <decoded_as>fortinet-fortigate-firewall</decoded_as>
+        <description>Fortigate messages grouped</description>
+    </rule>
+
+    <rule id="100011" level="4">
+        <!-- LOGID_ATTCK_ANOMALY_TCP_UDP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">018432$</field>
+        <description>Attack detected by UCP/TCP anomaly</description>
+        <group>fortios.event.anomaly,fortios.category.anomaly,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100012" level="4">
+        <!-- LOGID_ATTCK_ANOMALY_ICMP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">018433$</field>
+        <description>Attack detected by ICMP anomaly</description>
+        <group>fortios.event.anomaly,fortios.category.anomaly,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100013" level="4">
+        <!-- LOGID_ATTCK_ANOMALY_OTHERS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">018434$</field>
+        <description>Attack detected by other anomaly</description>
+        <group>fortios.event.anomaly,fortios.category.anomaly,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100014" level="4">
+        <!-- LOGID_APP_CTRL_IM_BASIC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">028672$</field>
+        <description>Application control IM-basic</description>
+        <group>fortios.event.app-ctrl,fortios.category.signature,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100015" level="4">
+        <!-- LOGID_APP_CTRL_IM_BASIC_WITH_STATUS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">028673$</field>
+        <description>Application control IM</description>
+        <group>fortios.event.app-ctrl,fortios.category.signature,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100016" level="4">
+        <!-- LOGID_APP_CTRL_IM_BASIC_WITH_COUNT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">028674$</field>
+        <description>Application control IM (chat message count)</description>
+        <group>fortios.event.app-ctrl,fortios.category.signature,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100017" level="4">
+        <!-- LOGID_APP_CTRL_IM_FILE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">028675$</field>
+        <description>Application control IM (file)</description>
+        <group>fortios.event.app-ctrl,fortios.category.signature,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100018" level="4">
+        <!-- LOGID_APP_CTRL_IM_CHAT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">028676$</field>
+        <description>Application control IM (chat)</description>
+        <group>fortios.event.app-ctrl,fortios.category.signature,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100019" level="4">
+        <!-- LOGID_APP_CTRL_IM_CHAT_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">028677$</field>
+        <description>Application control IM (chat blocked)</description>
+        <group>fortios.event.app-ctrl,fortios.category.signature,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100020" level="4">
+        <!-- LOGID_APP_CTRL_IM_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">028678$</field>
+        <description>Application control IM (blocked)</description>
+        <group>fortios.event.app-ctrl,fortios.category.signature,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100021" level="4">
+        <!-- LOGID_APP_CTRL_IPS_PASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">028704$</field>
+        <description>Application control (IPS) (pass)</description>
+        <group>fortios.event.app-ctrl,fortios.category.signature,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100022" level="4">
+        <!-- LOGID_APP_CTRL_IPS_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">028705$</field>
+        <description>Application control (IPS) (block)</description>
+        <group>fortios.event.app-ctrl,fortios.category.signature,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100023" level="4">
+        <!-- LOGID_APP_CTRL_IPS_RESET -->
+        <if_sid>100010</if_sid>
+        <field name="logid">028706$</field>
+        <description>Application control (IPS) (reset)</description>
+        <group>fortios.event.app-ctrl,fortios.category.signature,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100024" level="4">
+        <!-- LOGID_APP_CTRL_SSH_PASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">028720$</field>
+        <description>Application control IM (SSH) (pass)</description>
+        <group>fortios.event.app-ctrl,fortios.category.signature,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100025" level="4">
+        <!-- LOGID_APP_CTRL_SSH_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">028721$</field>
+        <description>Application control IM (SSH) (block)</description>
+        <group>fortios.event.app-ctrl,fortios.category.signature,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100026" level="4">
+        <!-- LOGID_APP_CTRL_PORT_ENF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">028736$</field>
+        <description>Application control port enforcement</description>
+        <group>fortios.event.app-ctrl,fortios.category.port-violation,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100027" level="4">
+        <!-- LOGID_APP_CTRL_PROTO_ENF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">028737$</field>
+        <description>Application control protocol enforcement</description>
+        <group>fortios.event.app-ctrl,fortios.category.protocol-violation,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100028" level="4">
+        <!-- LOG_ID_DLP_WARN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">024576$</field>
+        <description>Data leak detected by specified DLP sensor rule</description>
+        <group>fortios.event.dlp,fortios.category.dlp,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100029" level="4">
+        <!-- LOG_ID_DLP_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">024577$</field>
+        <description>Data leak detected by specified DLP sensor rule</description>
+        <group>fortios.event.dlp,fortios.category.dlp,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100030" level="4">
+        <!-- LOG_ID_DLP_DOC_SOURCE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">024578$</field>
+        <description>DLP fingerprint document source notice</description>
+        <group>fortios.event.dlp,fortios.category.dlp-docsource,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100031" level="4">
+        <!-- LOG_ID_DLP_DOC_SOURCE_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">024579$</field>
+        <description>DLP fingerprint document source error</description>
+        <group>fortios.event.dlp,fortios.category.dlp-docsource,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100032" level="4">
+        <!-- LOG_ID_DNS_QUERY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">054000$</field>
+        <description>DNS query message</description>
+        <group>fortios.event.dns,fortios.category.dns-query,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100033" level="4">
+        <!-- LOG_ID_DNS_RESOLV_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">054200$</field>
+        <description>DNS resolution error message</description>
+        <group>fortios.event.dns,fortios.category.dns-response,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100034" level="4">
+        <!-- LOG_ID_DNS_URL_FILTER_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">054400$</field>
+        <description>Domain blocked because it is in the domain-filter list</description>
+        <group>fortios.event.dns,fortios.category.dns-response,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100035" level="4">
+        <!-- LOG_ID_DNS_URL_FILTER_ALLOW -->
+        <if_sid>100010</if_sid>
+        <field name="logid">054401$</field>
+        <description>Domain allowed because it is in the domain-filter list</description>
+        <group>fortios.event.dns,fortios.category.dns-response,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100036" level="4">
+        <!-- LOG_ID_DNS_BOTNET_IP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">054600$</field>
+        <description>Domain blocked by DNS botnet C&amp;C (IP)</description>
+        <group>fortios.event.dns,fortios.category.dns-response,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100037" level="4">
+        <!-- LOG_ID_DNS_BOTNET_DOMAIN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">054601$</field>
+        <description>Domain blocked by DNS botnet C&amp;C (Domain)</description>
+        <group>fortios.event.dns,fortios.category.dns-response,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100038" level="4">
+        <!-- LOG_ID_DNS_FTGD_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">054800$</field>
+        <description>FortiGuard rating error warning</description>
+        <group>fortios.event.dns,fortios.category.dns-response,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100039" level="4">
+        <!-- LOG_ID_DNS_FTGD_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">054801$</field>
+        <description>FortiGuard rating error occurred</description>
+        <group>fortios.event.dns,fortios.category.dns-response,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100040" level="4">
+        <!-- LOG_ID_DNS_FTGD_CAT_ALLOW -->
+        <if_sid>100010</if_sid>
+        <field name="logid">054802$</field>
+        <description>Domain is monitored</description>
+        <group>fortios.event.dns,fortios.category.dns-response,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100041" level="4">
+        <!-- LOG_ID_DNS_FTGD_CAT_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">054803$</field>
+        <description>Domain belongs to a denied category in policy</description>
+        <group>fortios.event.dns,fortios.category.dns-response,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100042" level="4">
+        <!-- LOG_ID_DNS_SAFE_SEARCH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">054804$</field>
+        <description>DNS Safe Search enforced</description>
+        <group>fortios.event.dns,fortios.category.dns-response,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100043" level="4">
+        <!-- LOG_ID_DNS_LOCAL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">054805$</field>
+        <description>DNS local query</description>
+        <group>fortios.event.dns,fortios.category.dns-response,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100044" level="4">
+        <!-- LOGID_ANTISPAM_EMAIL_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020480$</field>
+        <description>SPAM notification</description>
+        <group>fortios.event.emailfilter,fortios.category.spam,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100045" level="4">
+        <!-- LOGID_EMAIL_GENERAL_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020481$</field>
+        <description>Email message</description>
+        <group>fortios.event.emailfilter,fortios.category.email,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100046" level="4">
+        <!-- LOGID_ANTISPAM_EMAIL_BWORD_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020482$</field>
+        <description>Banned word notification</description>
+        <group>fortios.event.emailfilter,fortios.category.bannedword,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100047" level="4">
+        <!-- LOGID_ANTISPAM_FTGD_ERR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020509$</field>
+        <description>FortiGuard error message</description>
+        <group>fortios.event.emailfilter,fortios.category.ftgd_err,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100048" level="4">
+        <!-- LOGID_ANTISPAM_EMAIL_WEBMAIL_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020510$</field>
+        <description>Webmail message</description>
+        <group>fortios.event.emailfilter,fortios.category.webmail,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100049" level="4">
+        <!-- LOG_ID_DOMAIN_UNRESOLVABLE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020002$</field>
+        <description>Domain name of alert email sender unresolvable</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100050" level="4">
+        <!-- LOG_ID_MAIL_SENT_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020003$</field>
+        <description>Alert email send status failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100051" level="4">
+        <!-- LOG_ID_POLICY_TOO_BIG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020004$</field>
+        <description>Policy too big for installation</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100052" level="4">
+        <!-- LOG_ID_PPP_LINK_UP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020005$</field>
+        <description>Modem PPP link up</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100053" level="4">
+        <!-- LOG_ID_PPP_LINK_DOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020006$</field>
+        <description>Modem PPP link down</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100054" level="4">
+        <!-- LOG_ID_SOCKET_EXHAUSTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020007$</field>
+        <description>Socket is exhausted</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100055" level="4">
+        <!-- LOG_ID_POLICY6_TOO_BIG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020008$</field>
+        <description>IPv6 policy too big for installation</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100056" level="4">
+        <!-- LOG_ID_KERNEL_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020010$</field>
+        <description>Kernel error</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100057" level="4">
+        <!-- LOG_ID_MODEM_EXCEED_REDIAL_COUNT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020016$</field>
+        <description>Modem exceeded redial limit</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100058" level="4">
+        <!-- LOG_ID_MODEM_FAIL_TO_OPEN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020017$</field>
+        <description>Modem failed to open</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100059" level="4">
+        <!-- LOG_ID_MODEM_USB_DETECTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020020$</field>
+        <description>USB modem detected</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100060" level="4">
+        <!-- LOG_ID_MAIL_RESENT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020021$</field>
+        <description>Alert email resent</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100061" level="4">
+        <!-- LOG_ID_MODEM_USB_REMOVED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020022$</field>
+        <description>USB modem removed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100062" level="4">
+        <!-- LOG_ID_MODEM_USBLTE_DETECTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020023$</field>
+        <description>USB LTE modem detected</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100063" level="4">
+        <!-- LOG_ID_MODEM_USBLTE_REMOVED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020024$</field>
+        <description>USB LTE modem removed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100064" level="4">
+        <!-- LOG_ID_REPORTD_REPORT_SUCCESS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020025$</field>
+        <description>Report generated successfully</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100065" level="4">
+        <!-- LOG_ID_REPORTD_REPORT_FAILURE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020026$</field>
+        <description>Report generation failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100066" level="4">
+        <!-- LOG_ID_REPORT_RECREATE_DB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020028$</field>
+        <description>Report database recreated</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100067" level="4">
+        <!-- LOG_ID_RAD_OUT_OF_MEM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020031$</field>
+        <description>RADVD out of memory</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100068" level="4">
+        <!-- LOG_ID_RAD_NOT_FOUND -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020032$</field>
+        <description>RADVD interface not found</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100069" level="4">
+        <!-- LOG_ID_RAD_MOBILE_IPV6 -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020033$</field>
+        <description>RADVD mobile IPv6 extensions used</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100070" level="4">
+        <!-- LOG_ID_RAD_IPV6_OUT_OF_RANGE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020034$</field>
+        <description>RADVD mobile IPv6 MinRtrAdvInterval out of range</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100071" level="4">
+        <!-- LOG_ID_RAD_MIN_OUT_OF_RANGE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020035$</field>
+        <description>RADVD MinRtrAdvInterval out of range</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100072" level="4">
+        <!-- LOG_ID_RAD_MAX_OUT_OF_RANGE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020036$</field>
+        <description>RADVD mobile IPv6 MaxRtrAdvInterval out of range</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100073" level="4">
+        <!-- LOG_ID_RAD_MAX_ADV_OUT_OF_RANGE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020037$</field>
+        <description>RADVD MaxRtrAdvInterval out of range</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100074" level="4">
+        <!-- LOG_ID_RAD_MTU_TOO_SMALL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020039$</field>
+        <description>RADVD AdvLinkMTU too small</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100075" level="4">
+        <!-- LOG_ID_RAD_TIME_TOO_SMALL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020040$</field>
+        <description>RADVD AdvReachableTime too small</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100076" level="4">
+        <!-- LOG_ID_RAD_HOP_OUT_OF_RANGE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020041$</field>
+        <description>RADVD AdvCurHopLimit too big</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100077" level="4">
+        <!-- LOG_ID_RAD_DFT_HOP_OUT_OF_RANGE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020042$</field>
+        <description>RADVD AdvCurHopLimit out of range</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100078" level="4">
+        <!-- LOG_ID_RAD_AGENT_OUT_OF_RANGE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020043$</field>
+        <description>RADVD HomeAgentLifetime out of range</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100079" level="4">
+        <!-- LOG_ID_RAD_AGENT_FLAG_NOT_SET -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020044$</field>
+        <description>RADVD AdvHomeAgentFlag not set</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100080" level="4">
+        <!-- LOG_ID_RAD_PREFIX_TOO_LONG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020045$</field>
+        <description>RADVD invalid prefix length</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100081" level="4">
+        <!-- LOG_ID_RAD_PREF_TIME_TOO_SMALL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020046$</field>
+        <description>RADVD AdvValidLifetime less than AdvPreferredLifetime</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100082" level="4">
+        <!-- LOG_ID_RAD_INV_ICMPV6_TYPE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020061$</field>
+        <description>RADVD received unwanted ICMPv6 packet</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100083" level="4">
+        <!-- LOG_ID_RAD_INV_ICMPV6_RA_LEN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020062$</field>
+        <description>RADVD received ICMPv6 RA packet with invalid length</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100084" level="4">
+        <!-- LOG_ID_RAD_ICMPV6_NO_SRC_ADDR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020063$</field>
+        <description>RADVD received ICMPv6 RA packet with non-link local source address</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100085" level="4">
+        <!-- LOG_ID_RAD_INV_ICMPV6_RS_LEN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020064$</field>
+        <description>RADVD received ICMPv6 RS packet with invalid length</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100086" level="4">
+        <!-- LOG_ID_RAD_INV_ICMPV6_CODE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020065$</field>
+        <description>RADVD received ICMPv6 RS/RA packet with invalid code</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100087" level="4">
+        <!-- LOG_ID_RAD_INV_ICMPV6_HOP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020066$</field>
+        <description>RADVD received ICMPv6 RS/RA packet with invalid hop limit</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100088" level="4">
+        <!-- LOG_ID_RAD_MISMATCH_HOP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020067$</field>
+        <description>RADVD local AdvCurHopLimit disagrees with remote site</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100089" level="4">
+        <!-- LOG_ID_RAD_MISMATCH_MGR_FLAG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020068$</field>
+        <description>RADVD local AdvManagedFlag disagrees with remote site</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100090" level="4">
+        <!-- LOG_ID_RAD_MISMATCH_OTH_FLAG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020069$</field>
+        <description>RADVD local AdvOtherConfigFlag disagrees with remote site</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100091" level="4">
+        <!-- LOG_ID_RAD_MISMATCH_TIME -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020070$</field>
+        <description>RADVD local AdvReachableTime disagrees with remote site</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100092" level="4">
+        <!-- LOG_ID_RAD_MISMATCH_TIMER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020071$</field>
+        <description>RADVD local AdvRetransTimer disagrees with remote site</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100093" level="4">
+        <!-- LOG_ID_RAD_EXTRA_DATA -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020072$</field>
+        <description>RADVD extra data in RA packet found</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100094" level="4">
+        <!-- LOG_ID_RAD_NO_OPT_DATA -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020073$</field>
+        <description>RADVD RA packet option length zero</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100095" level="4">
+        <!-- LOG_ID_RAD_INV_OPT_LEN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020074$</field>
+        <description>RADVD RA packet option length greater than total length</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100096" level="4">
+        <!-- LOG_ID_RAD_MISMATCH_MTU -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020075$</field>
+        <description>RADVD local AdvLinkMTU disagrees with remote site</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100097" level="4">
+        <!-- LOG_ID_RAD_MISMATCH_PREF_TIME -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020077$</field>
+        <description>Interface AdvPreferredLifetime on our interface does not agree with a remote site</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100098" level="4">
+        <!-- LOG_ID_RAD_INV_OPT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020078$</field>
+        <description>RADVD found invalid option in RA packet from remote site</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100099" level="4">
+        <!-- LOG_ID_RAD_FAIL_TO_RCV -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020080$</field>
+        <description>RADVD receive message failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100100" level="4">
+        <!-- LOG_ID_RAD_INV_HOP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020081$</field>
+        <description>RADVD received invalid IPv6 hop limit</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100101" level="4">
+        <!-- LOG_ID_RAD_INV_PKTINFO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020082$</field>
+        <description>RADVD received invalid IPv6 packet info</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100102" level="4">
+        <!-- LOG_ID_RAD_FAIL_TO_CHECK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020083$</field>
+        <description>RADVD all-routers membership check failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100103" level="4">
+        <!-- LOG_ID_RAD_FAIL_TO_SEND -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020084$</field>
+        <description>RADVD send message failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100104" level="4">
+        <!-- LOG_ID_SESSION_CLASH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020085$</field>
+        <description>Session clashed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100105" level="4">
+        <!-- LOG_ID_INTF_LINK_STA_CHG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020090$</field>
+        <description>Interface link status changed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100106" level="4">
+        <!-- LOG_ID_INTF_STA_CHG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020099$</field>
+        <description>Interface status changed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100107" level="4">
+        <!-- LOG_ID_WEB_CAT_UPDATED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020100$</field>
+        <description>FortiGuard web filter category list updated</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100108" level="4">
+        <!-- LOG_ID_WEB_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020101$</field>
+        <description>FortiGuard web filter license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100109" level="4">
+        <!-- LOG_ID_SPAM_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020102$</field>
+        <description>FortiGuard antispam license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100110" level="4">
+        <!-- LOG_ID_AV_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020103$</field>
+        <description>FortiGuard antivirus license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100111" level="4">
+        <!-- LOG_ID_IPS_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020104$</field>
+        <description>FortiGuard IPS license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100112" level="4">
+        <!-- LOG_ID_LOG_UPLOAD_ERR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020107$</field>
+        <description>Log upload error</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100113" level="4">
+        <!-- LOG_ID_LOG_UPLOAD_DONE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020108$</field>
+        <description>Log upload completed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100114" level="4">
+        <!-- LOG_ID_WEB_LIC_EXPIRED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020109$</field>
+        <description>FortiGuard web filter license expired</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100115" level="4">
+        <!-- LOG_ID_IPSA_DOWNLOAD_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020113$</field>
+        <description>IPSA database download failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100116" level="4">
+        <!-- LOG_ID_IPSA_SELFTEST_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020114$</field>
+        <description>IPSA disabled: self test failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100117" level="4">
+        <!-- LOG_ID_IPSA_STATUSUPD_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020115$</field>
+        <description>IPSA driver update failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100118" level="4">
+        <!-- LOG_ID_SPAM_LIC_EXPIRED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020116$</field>
+        <description>FortiGuard antispam license expired</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100119" level="4">
+        <!-- LOG_ID_AV_LIC_EXPIRED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020117$</field>
+        <description>FortiGuard antivirus license expired</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100120" level="4">
+        <!-- LOG_ID_WEBF_STATUS_REACH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020118$</field>
+        <description>FortiGuard webfilter reachable</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100121" level="4">
+        <!-- LOG_ID_WEBF_STATUS_UNREACH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020119$</field>
+        <description>FortiGuard webfilter unreachable</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100122" level="4">
+        <!-- LOG_ID_FMGC_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020120$</field>
+        <description>FortiManager Cloud license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100123" level="4">
+        <!-- LOG_ID_FAZC_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020121$</field>
+        <description>FortiAnalyzer Cloud license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100124" level="4">
+        <!-- LOG_ID_SWNO_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020122$</field>
+        <description>SD-WAN Overlay Controller license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100125" level="4">
+        <!-- LOG_ID_SWNM_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020123$</field>
+        <description>SD-WAN Monitoring license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100126" level="4">
+        <!-- LOG_ID_VMLS_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020124$</field>
+        <description>VM-S license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100127" level="4">
+        <!-- LOG_ID_SFAS_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020125$</field>
+        <description>Security Rating license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100128" level="4">
+        <!-- LOG_ID_IPMC_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020126$</field>
+        <description>IPAM Controller license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100129" level="4">
+        <!-- LOG_ID_IOTH_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020127$</field>
+        <description>IoT device identification license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100130" level="4">
+        <!-- LOG_ID_FSAC_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020128$</field>
+        <description>FortiSandbox Cloud license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100131" level="4">
+        <!-- LOG_ID_AFAC_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020129$</field>
+        <description>FortiAnalyzer Cloud premium license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100132" level="4">
+        <!-- LOG_ID_EMSC_ACC_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020130$</field>
+        <description>FortiClient EMS Cloud license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100133" level="4">
+        <!-- LOG_ID_FMGC_ACC_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020131$</field>
+        <description>FortiManager Cloud Account Level license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100134" level="4">
+        <!-- LOG_ID_FSAP_ACC_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020132$</field>
+        <description>FortiSandbox Cloud Account Level license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100135" level="4">
+        <!-- LOG_ID_FIREWALL_POLICY_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020133$</field>
+        <description>Firewall policy expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100136" level="4">
+        <!-- LOG_ID_FIREWALL_POLICY_EXPIRED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020134$</field>
+        <description>Firewall policy expired</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100137" level="4">
+        <!-- LOG_ID_FAIS_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020135$</field>
+        <description>FortiGuard AI-Based Sandbox Service license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100138" level="4">
+        <!-- LOG_ID_FIPS_SELF_TEST -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020200$</field>
+        <description>FIPS CC self-test initiated</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100139" level="4">
+        <!-- LOG_ID_FIPS_SELF_ALL_TEST -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020201$</field>
+        <description>FIPS ALL CC self-tests initiated</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100140" level="4">
+        <!-- LOG_ID_DISK_FORMAT_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020202$</field>
+        <description>Disk partitioning or formatting Error</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100141" level="4">
+        <!-- LOG_ID_DAEMON_SHUTDOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020203$</field>
+        <description>Daemon shutdown</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100142" level="4">
+        <!-- LOG_ID_DAEMON_START -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020204$</field>
+        <description>Daemon started</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100143" level="4">
+        <!-- LOG_ID_DISK_FORMAT_REQ -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020205$</field>
+        <description>Format disk requested</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100144" level="4">
+        <!-- LOG_ID_DISK_SCAN_REQ -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020206$</field>
+        <description>Scan disk requested</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100145" level="4">
+        <!-- LOG_ID_RAD_MISMATCH_VALID_TIME -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020207$</field>
+        <description>RADVD local AdvValidLifetime disagrees with remote site</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100146" level="4">
+        <!-- LOG_ID_ZOMBIE_DAEMON_CLEANUP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020208$</field>
+        <description>Zombie daemon cleanup</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100147" level="4">
+        <!-- LOG_ID_DISK_UNAVAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020209$</field>
+        <description>Disk unavailable</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100148" level="4">
+        <!-- LOG_ID_DISK_TRIM_START -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020210$</field>
+        <description>SSD TRIM started</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100149" level="4">
+        <!-- LOG_ID_DISK_TRIM_END -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020211$</field>
+        <description>SSD TRIM finished</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100150" level="4">
+        <!-- LOG_ID_DISK_SCAN_NEEDED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020212$</field>
+        <description>Disk scan is needed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100151" level="4">
+        <!-- LOG_ID_DISK_LOG_CORRUPTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020213$</field>
+        <description>Log file on disk is corrupted</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100152" level="4">
+        <!-- LOG_ID_LOCAL_OUT_IOC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020214$</field>
+        <description>Locally generated traffic goes to IoC location</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100153" level="4">
+        <!-- LOGID_EVENT_SHAPER_OUTBOUND_MAXED_OUT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020220$</field>
+        <description>Outbound bandwidth rate exceeded</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100154" level="4">
+        <!-- LOGID_EVENT_SHAPER_INBOUND_MAXED_OUT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020221$</field>
+        <description>Inbound bandwidth rate exceeded</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100155" level="4">
+        <!-- LOG_ID_SYS_SECURITY_WRITE_VIOLATION -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020230$</field>
+        <description>Write Permission Violation</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100156" level="4">
+        <!-- LOG_ID_SYS_SECURITY_HARDLINK_VIOLATION -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020231$</field>
+        <description>Hard Link Creation Violation</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100157" level="4">
+        <!-- LOG_ID_SYS_SECURITY_LOAD_MODULE_VIOLATION -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020232$</field>
+        <description>Load Kernel/Kernel Module/Firmware Violation</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100158" level="4">
+        <!-- LOG_ID_SYS_SECURITY_FILE_HASH_MISSING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020233$</field>
+        <description>Integrity check of Run/loading Excutable File failed without Integrity measure</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100159" level="4">
+        <!-- LOG_ID_SYS_SECURITY_FILE_HASH_MISMATCH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020234$</field>
+        <description>Integrity check of Run/loading Excutable File failed with mismatched measure</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100160" level="4">
+        <!-- LOG_ID_SYS_SECURITY_MOUNT_VIOLATION -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020235$</field>
+        <description>Filesystem Mount Violation</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100161" level="4">
+        <!-- LOG_ID_BGP_NB_STAT_CHG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020300$</field>
+        <description>BGP neighbor status changed</description>
+        <group>fortios.event.event,fortios.category.router,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100162" level="4">
+        <!-- LOG_ID_VZ_LOG_INFO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020301$</field>
+        <description>Routing log information</description>
+        <group>fortios.event.event,fortios.category.router,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100163" level="4">
+        <!-- LOG_ID_OSPF_NB_STAT_CHG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020302$</field>
+        <description>OSPF neighbor status changed</description>
+        <group>fortios.event.event,fortios.category.router,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100164" level="4">
+        <!-- LOG_ID_OSPF6_NB_STAT_CHG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020303$</field>
+        <description>OSPF6 neighbor status changed</description>
+        <group>fortios.event.event,fortios.category.router,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100165" level="4">
+        <!-- LOG_ID_VZ_LOG_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020304$</field>
+        <description>Routing log warning</description>
+        <group>fortios.event.event,fortios.category.router,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100166" level="4">
+        <!-- LOG_ID_VZ_LOG_CRITICAL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020305$</field>
+        <description>Routing log critical event</description>
+        <group>fortios.event.event,fortios.category.router,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100167" level="4">
+        <!-- LOG_ID_VZ_LOG_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020306$</field>
+        <description>Routing log error</description>
+        <group>fortios.event.event,fortios.category.router,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100168" level="4">
+        <!-- LOG_ID_ROUTER_CLEAR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020401$</field>
+        <description>Router cleared</description>
+        <group>fortios.event.event,fortios.category.router,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100169" level="4">
+        <!-- LOG_ID_INV_PKT_LEN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022000$</field>
+        <description>Packet length mismatch</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100170" level="4">
+        <!-- LOG_ID_UNSUPPORTED_PROT_VER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022001$</field>
+        <description>Protocol version unsupported</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100171" level="4">
+        <!-- LOG_ID_INV_REQ_TYPE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022002$</field>
+        <description>Request type not supported</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100172" level="4">
+        <!-- LOG_ID_FAIL_SET_SIG_HANDLER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022003$</field>
+        <description>Signal handler setup failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100173" level="4">
+        <!-- LOG_ID_FAIL_CREATE_SOCKET -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022004$</field>
+        <description>Socket creation failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100174" level="4">
+        <!-- LOG_ID_FAIL_CREATE_SOCKET_RETRY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022005$</field>
+        <description>Socket creation retry failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100175" level="4">
+        <!-- LOG_ID_FAIL_REG_CMDB_EVENT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022006$</field>
+        <description>Registration for CMDB events failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100176" level="4">
+        <!-- LOG_ID_FAIL_FIND_AV_PROFILE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022009$</field>
+        <description>AntiVirus profile not found</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100177" level="4">
+        <!-- LOG_ID_SENDTO_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022010$</field>
+        <description>URL filter packet send failure</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100178" level="4">
+        <!-- LOG_ID_ENTER_MEM_CONSERVE_MODE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022011$</field>
+        <description>Memory conserve mode entered</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100179" level="4">
+        <!-- LOG_ID_LEAVE_MEM_CONSERVE_MODE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022012$</field>
+        <description>Memory conserve mode exited</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100180" level="4">
+        <!-- LOG_ID_IPPOOLPBA_BLOCK_EXHAUSTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022013$</field>
+        <description>IP pool PBA block exhausted</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100181" level="4">
+        <!-- LOG_ID_IPPOOLPBA_NATIP_EXHAUSTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022014$</field>
+        <description>IP pool PBA NAT IP exhausted</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100182" level="4">
+        <!-- LOG_ID_IPPOOLPBA_CREATE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022015$</field>
+        <description>IP pool PBA created</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100183" level="4">
+        <!-- LOG_ID_IPPOOLPBA_DEALLOCATE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022016$</field>
+        <description>Deallocate IP pool PBA</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100184" level="4">
+        <!-- LOG_ID_EXCEED_GLOB_RES_LIMIT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022017$</field>
+        <description>Global resource limit exceeded</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100185" level="4">
+        <!-- LOG_ID_EXCEED_VD_RES_LIMIT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022018$</field>
+        <description>VDOM resource limit exceeded</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100186" level="4">
+        <!-- LOG_ID_LOGRATE_OVER_LIMIT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022019$</field>
+        <description>Log rate limit exceeded</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100187" level="4">
+        <!-- LOG_ID_FAIL_CREATE_HA_SOCKET -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022020$</field>
+        <description>HA socket creation failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100188" level="4">
+        <!-- LOG_ID_FAIL_CREATE_HA_SOCKET_RETRY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022021$</field>
+        <description>UDP socket creation to relay URL request failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100189" level="4">
+        <!-- LOG_ID_SUCCESS_CSF_LOG_SYNC_CONFIG_CHANGED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022031$</field>
+        <description>Settings modified by Security Fabric service</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100190" level="4">
+        <!-- LOG_ID_CSF_LOOP_FOUND -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022032$</field>
+        <description>Looped configuration in Security Fabric service</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100191" level="4">
+        <!-- LOG_ID_CSF_UPSTREAM_SN_CHANGED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022035$</field>
+        <description>Serial number of upstream is changed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100192" level="4">
+        <!-- LOG_ID_CSF_FGT_CONNECTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022036$</field>
+        <description>Connection with Security Fabric member established and authorized.</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100193" level="4">
+        <!-- LOG_ID_CSF_FGT_DISCONNECTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022037$</field>
+        <description>Connection with authorized Security Fabric member terminated.</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100194" level="4">
+        <!-- LOG_ID_CSF_GLOBAL_SYNC_FAILED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022038$</field>
+        <description>Synchronization of global object failed.</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100195" level="4">
+        <!-- LOG_ID_CSF_GLOBAL_SYNC_REPORT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022039$</field>
+        <description>Synchronization of global object report.</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100196" level="4">
+        <!-- LOG_ID_CSF_DEVICE_JOIN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022040$</field>
+        <description>Device joined the Security Fabric.</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100197" level="4">
+        <!-- LOG_ID_CSF_DEVICE_LEAVE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022041$</field>
+        <description>Device left the Security Fabric.</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100198" level="4">
+        <!-- LOG_ID_CSF_DEVICE_UPDATE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022042$</field>
+        <description>Device in the Security Fabric was updated.</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100199" level="4">
+        <!-- LOG_ID_CSF_NEW_AUTH_REQ -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022043$</field>
+        <description>An authorization request was added.</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100200" level="4">
+        <!-- LOG_ID_CSF_UPDATE_AUTH_REQ -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022044$</field>
+        <description>An authorization request was updated.</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100201" level="4">
+        <!-- LOG_ID_CSF_REMOVE_AUTH_REQ -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022045$</field>
+        <description>An authorization request was removed.</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100202" level="4">
+        <!-- LOG_ID_CSF_ROLE_CHANGE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022046$</field>
+        <description>Device's authorization privilege changed.</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100203" level="4">
+        <!-- LOG_ID_CSF_FILE_MEM_USAGE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022047$</field>
+        <description>CSF daemon files memory usage warning.</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100204" level="4">
+        <!-- LOG_ID_CSF_ADVPN_SYNC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022048$</field>
+        <description>Fabric ADVPN configuration synchronized from root.</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100205" level="4">
+        <!-- LOG_ID_CSF_DAEMON_CLOSE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022049$</field>
+        <description>Daemon csfd has closed.</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.debug</group>
+    </rule>
+
+    <rule id="100206" level="4">
+        <!-- LOG_ID_IPAMD_ADDRESS_ALLOCATED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022050$</field>
+        <description>Address allocated by FortiIPAM and applied to an interface</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100207" level="4">
+        <!-- LOG_ID_IPAMD_ADDRESS_SET_FAILED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022051$</field>
+        <description>Address received from FortiIPAM could not be applied to the interface</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100208" level="4">
+        <!-- LOG_ID_IPAMD_ADDRESS_INVALIDATED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022052$</field>
+        <description>FortiIPAM indicated that the address was no longer allocated to the interface</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100209" level="4">
+        <!-- LOG_ID_IPAMD_VALIDATION_COMPLETE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022053$</field>
+        <description>Startup validation of IPAM addresses was completed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100210" level="4">
+        <!-- LOG_ID_IPAMSD_ADDRESS_ALLOCATED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022060$</field>
+        <description>Address allocated to IPAM interface</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100211" level="4">
+        <!-- LOG_ID_IPAMSD_ADDRESS_FREED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022061$</field>
+        <description>Address freed by IPAM interface</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100212" level="4">
+        <!-- LOG_ID_IPAMSD_FLAG_CONFLICT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022062$</field>
+        <description>Flag IPAM entry as conflict</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100213" level="4">
+        <!-- LOG_ID_IPAMSD_UNFLAG_CONFLICT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022063$</field>
+        <description>Unflag IPAM entry as conflict</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100214" level="4">
+        <!-- LOG_ID_PROVISION_LATEST_SUCCEEDED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022080$</field>
+        <description>Provisioning of latest firmware was completed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100215" level="4">
+        <!-- LOG_ID_PROVISION_LATEST_FAILED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022081$</field>
+        <description>Provisioning of latest firmware failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100216" level="4">
+        <!-- LOG_ID_DEVICE_UPGRADE_SUCCEEDED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022085$</field>
+        <description>A device upgrade was completed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100217" level="4">
+        <!-- LOG_ID_DEVICE_UPGRADE_FAILED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022086$</field>
+        <description>A device upgrade failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100218" level="4">
+        <!-- LOG_ID_FEDERATED_UPGRADE_CANCELLED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022090$</field>
+        <description>A federated upgrade was cancelled due to the CSF tree not being ready</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100219" level="4">
+        <!-- LOG_ID_FEDERATED_UPGRADE_SUCCEEDED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022091$</field>
+        <description>A federated upgrade was completed successfully</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100220" level="4">
+        <!-- LOG_ID_FEDERATED_UPGRADE_FAILED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022092$</field>
+        <description>A federated upgrade failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100221" level="4">
+        <!-- LOG_ID_FEDERATED_UPGRADE_STEP_COMPLETE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022093$</field>
+        <description>A step in a multi-step federated upgrade was completed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100222" level="4">
+        <!-- LOG_ID_FEDERATED_UPGRADE_ROOT_COMPLETED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022094$</field>
+        <description>A federated upgrade was completed by the root FortiGate</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100223" level="4">
+        <!-- LOG_ID_FEDERATED_UPGRADE_ROOT_NOT_COMPLETED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022095$</field>
+        <description>A federated upgrade could not be completed by the root FortiGate</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100224" level="4">
+        <!-- LOG_ID_QUAR_DROP_TRAN_JOB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022100$</field>
+        <description>Files dropped by quarantine daemon</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100225" level="4">
+        <!-- LOG_ID_QUAR_DROP_TLL_JOB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022101$</field>
+        <description>Files dropped due to poor network connection</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100226" level="4">
+        <!-- LOG_ID_LOG_DISK_FAILURE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022102$</field>
+        <description>Log disk failure imminent</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100227" level="4">
+        <!-- LOG_ID_QUAR_LIMIT_REACHED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022103$</field>
+        <description>Sandbox limit reached</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100228" level="4">
+        <!-- LOG_ID_POWER_RESTORE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022104$</field>
+        <description>Power supply restored</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100229" level="4">
+        <!-- LOG_ID_POWER_FAILURE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022105$</field>
+        <description>Power supply failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100230" level="4">
+        <!-- LOG_ID_POWER_OPTIONAL_NOT_DETECTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022106$</field>
+        <description>Optional power supply not detected</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100231" level="4">
+        <!-- LOG_ID_VOLT_ANOM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022107$</field>
+        <description>Voltage anomaly</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100232" level="4">
+        <!-- LOG_ID_FAN_ANOM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022108$</field>
+        <description>Fan anomaly</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100233" level="4">
+        <!-- LOG_ID_TEMP_TOO_HIGH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022109$</field>
+        <description>Temperature too high</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100234" level="4">
+        <!-- LOG_ID_SPARE_BLOCK_LOW -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022110$</field>
+        <description>Spare blocks availability low</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100235" level="4">
+        <!-- LOG_ID_PSU_ACTION_FPC_DOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022111$</field>
+        <description>FPC down due to PSU action</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100236" level="4">
+        <!-- LOG_ID_PSU_ACTION_FPC_UP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022112$</field>
+        <description>FPC up due to PSU action</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100237" level="4">
+        <!-- LOG_ID_FNBAM_FAILURE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022113$</field>
+        <description>Authentication error</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100238" level="4">
+        <!-- LOG_ID_POWER_FAILURE_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022114$</field>
+        <description>Power supply failed warning</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100239" level="4">
+        <!-- LOG_ID_POWER_RESTORE_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022115$</field>
+        <description>Power supply restored notification</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100240" level="4">
+        <!-- LOG_ID_POWER_REDUNDANCY_DEGRADE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022116$</field>
+        <description>Power Supply Redundancy Degrade</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100241" level="4">
+        <!-- LOG_ID_POWER_REDUNDANCY_FAILURE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022117$</field>
+        <description>Power Supply Redundancy Lost</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100242" level="4">
+        <!-- LOG_ID_VOLT_NOM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022150$</field>
+        <description>Voltage normal</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100243" level="4">
+        <!-- LOG_ID_FAN_NOM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022151$</field>
+        <description>Fan normal</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100244" level="4">
+        <!-- LOG_ID_TEMP_TOO_LOW -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022152$</field>
+        <description>Temperature too low</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100245" level="4">
+        <!-- LOG_ID_TEMP_NORM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022153$</field>
+        <description>Temperature normal</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100246" level="4">
+        <!-- LOG_ID_AUTO_UPT_CERT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022200$</field>
+        <description>Certificate will be auto-updated</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100247" level="4">
+        <!-- LOG_ID_AUTO_GEN_CERT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022201$</field>
+        <description>Certificate will be auto-regenerated</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100248" level="4">
+        <!-- LOG_ID_AUTO_GEN_CERT_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022203$</field>
+        <description>Certificate failed to auto-generate</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100249" level="4">
+        <!-- LOG_ID_AUTO_GEN_CERT_PENDING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022204$</field>
+        <description>Certificate pending to auto-generate</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100250" level="4">
+        <!-- LOG_ID_AUTO_GEN_CERT_SUCC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022205$</field>
+        <description>Certificate succeed to auto-generate</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100251" level="4">
+        <!-- LOG_ID_CRL_EXPIRED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022206$</field>
+        <description>CRL is expired</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100252" level="4">
+        <!-- LOG_ID_CERT_EXPIRE_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022207$</field>
+        <description>Certificate will expire soon</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100253" level="4">
+        <!-- LOG_ID_EXT_RESOURCE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022220$</field>
+        <description>Threat feed updated</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100254" level="4">
+        <!-- LOG_ID_EXT_RESOURCE_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022221$</field>
+        <description>Threat feed update failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100255" level="4">
+        <!-- LOG_ID_EXT_RESOURCE_LOAD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022222$</field>
+        <description>Threat feed loaded</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100256" level="4">
+        <!-- LOG_ID_EXT_RESOURCE_DEBUG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022223$</field>
+        <description>Threat feed debug</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.debug</group>
+    </rule>
+
+    <rule id="100257" level="4">
+        <!-- LOG_ID_IPS_FAIL_OPEN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022700$</field>
+        <description>IPS session scan paused</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100258" level="4">
+        <!-- LOG_ID_IPS_FAIL_OPEN_END -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022701$</field>
+        <description>IPS session scan resumed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100259" level="4">
+        <!-- LOG_ID_SCAN_SERV_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022800$</field>
+        <description>Scan services session failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100260" level="4">
+        <!-- LOG_ID_ENTER_FD_CONSERVE_MODE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022802$</field>
+        <description>File descriptor conserve mode entered</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100261" level="4">
+        <!-- LOG_ID_LEAVE_FD_CONSERVE_MODE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022803$</field>
+        <description>File descriptor conserve mode exited</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100262" level="4">
+        <!-- LOG_ID_LIC_STATUS_CHG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022804$</field>
+        <description>License status changed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100263" level="4">
+        <!-- LOG_ID_FAIL_TO_VALIDATE_LIC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022805$</field>
+        <description>License validation failure</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100264" level="4">
+        <!-- LOG_ID_DUP_LIC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022806$</field>
+        <description>Duplicate license detected</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100265" level="4">
+        <!-- LOG_ID_VDOM_LIC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022807$</field>
+        <description>VDOM license status changed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100266" level="4">
+        <!-- LOG_ID_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022808$</field>
+        <description>VM license expired</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100267" level="4">
+        <!-- LOG_ID_LIC_WILL_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022809$</field>
+        <description>VM license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100268" level="4">
+        <!-- LOG_ID_SCANUNIT_ERROR_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022810$</field>
+        <description>Scan error - traffic blocked</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100269" level="4">
+        <!-- LOG_ID_SCANUNIT_ERROR_PASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022811$</field>
+        <description>Scan error - traffic passed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100270" level="4">
+        <!-- LOG_ID_SCANUNIT_AVENG_RELOAD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022812$</field>
+        <description>Scanunit is reloading AV engine</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100271" level="4">
+        <!-- LOG_ID_SCANUNIT_AVDB_RELOAD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022813$</field>
+        <description>Scanunit reloaded AV Database</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100272" level="4">
+        <!-- LOG_ID_SCANUNIT_AVDB_RELOAD_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022814$</field>
+        <description>Scanunit AV Database reload error</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100273" level="4">
+        <!-- LOG_ID_SCANUNIT_AVDB_LOAD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022815$</field>
+        <description>Scanunit loaded AV Database</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100274" level="4">
+        <!-- LOG_ID_SCANUNIT_AVDB_LOAD_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022816$</field>
+        <description>Scanunit AV Database load error</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100275" level="4">
+        <!-- LOG_ID_USER_QUARANTINE_MAC_ADD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022850$</field>
+        <description>User quarantine MAC added</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100276" level="4">
+        <!-- LOG_ID_USER_QUARANTINE_MAC_DELETE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022851$</field>
+        <description>User quarantine MAC deleted</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100277" level="4">
+        <!-- LOG_ID_USER_QUARANTINE_MAC_BOUNCE_PORT_HIT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022852$</field>
+        <description>User quarantine MAC bounce port hit</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100278" level="4">
+        <!-- LOG_ID_USER_QUARANTINE_MAC_BOUNCE_PORT_MISS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022853$</field>
+        <description>User quarantine MAC bounce port miss</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100279" level="4">
+        <!-- LOG_ID_FLPOLD_NAC_ADD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022861$</field>
+        <description>NAC device addition</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100280" level="4">
+        <!-- LOG_ID_FLPOLD_NAC_DELETE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022862$</field>
+        <description>NAC device deletion</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100281" level="4">
+        <!-- LOG_ID_FLPOLD_NAC_MODIFY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022863$</field>
+        <description>NAC device modify</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100282" level="4">
+        <!-- LOG_ID_FLPOLD_DPP_ADD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022864$</field>
+        <description>DPP device addition</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100283" level="4">
+        <!-- LOG_ID_FLPOLD_DPP_DELETE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022865$</field>
+        <description>DPP device deletion</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100284" level="4">
+        <!-- LOG_ID_FLPOLD_DPP_MODIFY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022866$</field>
+        <description>DPP device modify</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100285" level="4">
+        <!-- LOG_ID_FLPOLD_DPP_INTF_TAGS_ADD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022867$</field>
+        <description>DPP interface tags add</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100286" level="4">
+        <!-- LOG_ID_FLPOLD_DPP_INTF_TAGS_DELETE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022868$</field>
+        <description>DPP interface tags delete</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100287" level="4">
+        <!-- LOG_ID_FLPOLD_NAC_DYNAMIC_ADDRESS_ADD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022869$</field>
+        <description>NAC device dynamic address addition</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100288" level="4">
+        <!-- LOG_ID_FLPOLD_NAC_DYNAMIC_ADDRESS_DELETE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022870$</field>
+        <description>NAC device dynamic address deletion</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100289" level="4">
+        <!-- LOG_ID_FLPOLD_NAC_MAC_CACHE_SYNC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022871$</field>
+        <description>NAC MAC cache sync</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100290" level="4">
+        <!-- LOG_ID_FLPOLD_NAC_MAX_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022872$</field>
+        <description>NAC device Max Limit Error</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100291" level="4">
+        <!-- LOG_ID_FLPOLD_DPP_MAX_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022873$</field>
+        <description>DPP device Max Limit Error</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100292" level="4">
+        <!-- LOG_ID_FORTILINKD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022890$</field>
+        <description>Switch-Controller Daemon Log (Notification)</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100293" level="4">
+        <!-- LOG_ID_FLCFGD_SYNC_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022891$</field>
+        <description>Switch-Controller Switch Sync Error</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100294" level="4">
+        <!-- LOG_ID_FLCFGD_SYNC_COMPLETE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022892$</field>
+        <description>Switch-Controller Switch Sync Complete</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100295" level="4">
+        <!-- LOG_ID_FLCFGD_SYNC_STATE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022893$</field>
+        <description>Switch-Controller Switch Sync State</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.debug</group>
+    </rule>
+
+    <rule id="100296" level="4">
+        <!-- LOG_ID_FLCFGD_UPGRADE_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022894$</field>
+        <description>Switch-Controller Switch Upgrade Error</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100297" level="4">
+        <!-- LOG_ID_FLCFGD_UPGRADE_STATUS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022895$</field>
+        <description>Switch-Controller Switch Upgrade Status</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100298" level="4">
+        <!-- LOG_ID_FORTILINKD_CRITICAL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022896$</field>
+        <description>Switch-Controller Daemon Log (Critical)</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100299" level="4">
+        <!-- LOG_ID_FORTILINKD_SPLIT_PORT_INFO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022897$</field>
+        <description>Switch-controller split-port related configuration change detected</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100300" level="4">
+        <!-- LOG_ID_CAPUTP_SESSION -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022900$</field>
+        <description>CAPUTP session status</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100301" level="4">
+        <!-- LOG_ID_FAZ_CON -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022901$</field>
+        <description>FortiAnalyzer connection up</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100302" level="4">
+        <!-- LOG_ID_FAZ_DISCON -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022902$</field>
+        <description>FortiAnalyzer connection down</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100303" level="4">
+        <!-- LOG_ID_FAZ_CON_ERR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022903$</field>
+        <description>FortiAnalyzer connection failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100304" level="4">
+        <!-- LOG_ID_CAPUTP_SESSION_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022904$</field>
+        <description>CAPUTP session status notification</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100305" level="4">
+        <!-- LOG_ID_FDS_SRV_ERRCON -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022912$</field>
+        <description>FortiGate Cloud server connection failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100306" level="4">
+        <!-- LOG_ID_FDS_SRV_DISCON -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022913$</field>
+        <description>FortiGate Cloud server disconnected</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100307" level="4">
+        <!-- LOG_ID_FDS_SRV_CON -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022915$</field>
+        <description>FortiGate Cloud server connected</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100308" level="4">
+        <!-- LOG_ID_FDS_STATUS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022916$</field>
+        <description>FortiGuard Message Service status</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100309" level="4">
+        <!-- LOG_ID_FDS_SMS_QUOTA -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022917$</field>
+        <description>SMS quota reached</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100310" level="4">
+        <!-- LOG_ID_FDS_CTRL_STATUS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022918$</field>
+        <description>FortiGuard Message Service controller status</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100311" level="4">
+        <!-- LOG_ID_SVR_LOG_STATUS_CHANGED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022919$</field>
+        <description>Server logging status changed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100312" level="4">
+        <!-- LOG_ID_EVENT_ROUTE_INFO_CHANGED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022921$</field>
+        <description>Routing information changed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100313" level="4">
+        <!-- LOG_ID_EVENT_LINK_MONITOR_STATUS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022922$</field>
+        <description>Link monitor status</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100314" level="4">
+        <!-- LOG_ID_EVENT_VWL_LQTY_STATUS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022923$</field>
+        <description>SDWAN status</description>
+        <group>fortios.event.event,fortios.category.sdwan,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100315" level="4">
+        <!-- LOG_ID_EVENT_VWL_VOLUME_STATUS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022924$</field>
+        <description>SDWAN volume status</description>
+        <group>fortios.event.event,fortios.category.sdwan,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100316" level="4">
+        <!-- LOG_ID_EVENT_VWL_SLA_INFO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022925$</field>
+        <description>SDWAN SLA information</description>
+        <group>fortios.event.event,fortios.category.sdwan,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100317" level="4">
+        <!-- LOG_ID_EVENT_VWL_NEIGHBOR_STATUS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022926$</field>
+        <description>SDWAN Neighbor status</description>
+        <group>fortios.event.event,fortios.category.sdwan,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100318" level="4">
+        <!-- LOG_ID_EVENT_VWL_NEIGHBOR_STANDALONE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022927$</field>
+        <description>SDWAN Neighbor standalone</description>
+        <group>fortios.event.event,fortios.category.sdwan,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100319" level="4">
+        <!-- LOG_ID_EVENT_VWL_NEIGHBOR_PRIMARY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022928$</field>
+        <description>SDWAN Neighbor primary</description>
+        <group>fortios.event.event,fortios.category.sdwan,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100320" level="4">
+        <!-- LOG_ID_EVENT_VWL_NEIGHBOR_SECONDARY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022929$</field>
+        <description>SDWAN Neighbor secondary</description>
+        <group>fortios.event.event,fortios.category.sdwan,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100321" level="4">
+        <!-- LOG_ID_EVENT_VWL_LQTY_STATUS_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022930$</field>
+        <description>SDWAN status warning</description>
+        <group>fortios.event.event,fortios.category.sdwan,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100322" level="4">
+        <!-- LOG_ID_EVENT_VWL_SLA_INFO_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022931$</field>
+        <description>SDWAN SLA information warning</description>
+        <group>fortios.event.event,fortios.category.sdwan,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100323" level="4">
+        <!-- LOG_ID_EVENT_LINK_MONITOR_STATUS_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022932$</field>
+        <description>Link monitor status warning</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100324" level="4">
+        <!-- LOG_ID_EVENT_VWL_SLA_INFO_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022933$</field>
+        <description>SDWAN SLA notification</description>
+        <group>fortios.event.event,fortios.category.sdwan,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100325" level="4">
+        <!-- LOG_ID_EVENT_VWL_LQTY_STATUS_INFO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022934$</field>
+        <description>SDWAN status information</description>
+        <group>fortios.event.event,fortios.category.sdwan,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100326" level="4">
+        <!-- LOG_ID_EVENT_VWL_LQTY_STATUS_DEBUG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022935$</field>
+        <description>SDWAN status debug</description>
+        <group>fortios.event.event,fortios.category.sdwan,fortios.severity.debug</group>
+    </rule>
+
+    <rule id="100327" level="4">
+        <!-- LOG_ID_EVENT_VWL_INET_SVC_PQTY_STATUS_INFO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022936$</field>
+        <description>Virtual WAN Link internet service passive quality information</description>
+        <group>fortios.event.event,fortios.category.sdwan,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100328" level="4">
+        <!-- LOG_ID_FDS_JOIN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022949$</field>
+        <description>FortiGate Cloud auto-join attempted</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100329" level="4">
+        <!-- LOG_ID_FDS_LOGIN_SUCC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022950$</field>
+        <description>FortiGate Cloud activation successful</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100330" level="4">
+        <!-- LOG_ID_FDS_LOGOUT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022951$</field>
+        <description>FortiGate Cloud logout</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100331" level="4">
+        <!-- LOG_ID_FDS_LOGIN_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022952$</field>
+        <description>FortiGate Cloud activation failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100332" level="4">
+        <!-- LOG_ID_INET_SVC_OBSOLETE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022954$</field>
+        <description>Internet Service obsolete</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100333" level="4">
+        <!-- LOG_ID_INET_SVC_NAME_FAILURE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022955$</field>
+        <description>Internet Service name update failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100334" level="4">
+        <!-- LOG_ID_INET_SVC_NAME_UPDATE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022956$</field>
+        <description>Internet Service name update</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100335" level="4">
+        <!-- LOG_ID_IPSEC_TUNNEL_UP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">023101$</field>
+        <description>IPsec VPN tunnel up</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100336" level="4">
+        <!-- LOG_ID_IPSEC_TUNNEL_DOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">023102$</field>
+        <description>IPsec VPN tunnel down</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100337" level="4">
+        <!-- LOG_ID_IPSEC_TUNNEL_STAT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">023103$</field>
+        <description>IPsec VPN tunnel statistics</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100338" level="4">
+        <!-- LOG_ID_DHCP_ACK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">026001$</field>
+        <description>DHCP Ack log</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100339" level="4">
+        <!-- LOG_ID_DHCP_RELEASE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">026002$</field>
+        <description>DHCP Release log</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100340" level="4">
+        <!-- LOG_ID_DHCP_STAT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">026003$</field>
+        <description>DHCP statistics</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100341" level="4">
+        <!-- LOG_ID_DHCP_CLIENT_LEASE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">026004$</field>
+        <description>DHCP client lease granted</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100342" level="4">
+        <!-- LOG_ID_DHCP_LEASE_USAGE_HIGH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">026005$</field>
+        <description>DHCP lease usage high</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100343" level="4">
+        <!-- LOG_ID_DHCP_LEASE_USAGE_FULL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">026006$</field>
+        <description>DHCP lease usage full</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100344" level="4">
+        <!-- LOG_ID_DHCP_BLOCKED_MAC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">026007$</field>
+        <description>DHCP client blocked log</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100345" level="4">
+        <!-- LOG_ID_DHCP_DDNS_ADD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">026008$</field>
+        <description>DHCP DDNS add query</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100346" level="4">
+        <!-- LOG_ID_DHCP_DDNS_DELETE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">026009$</field>
+        <description>DHCP DDNS delete query</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100347" level="4">
+        <!-- LOG_ID_DHCP_DDNS_COMPLETED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">026010$</field>
+        <description>DHCP DDNS query completed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100348" level="4">
+        <!-- LOG_ID_DHCPV6_REPLY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">026011$</field>
+        <description>DHCPv6 Ack log</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100349" level="4">
+        <!-- LOG_ID_DHCPV6_RELEASE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">026012$</field>
+        <description>DHCPv6 Release log</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100350" level="4">
+        <!-- LOG_ID_VRRP_STATE_CHG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">027001$</field>
+        <description>VRRP state changed</description>
+        <group>fortios.event.event,fortios.category.router,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100351" level="4">
+        <!-- LOG_ID_PPPD_MSG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">029001$</field>
+        <description>PPP status</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100352" level="4">
+        <!-- LOG_ID_PPPD_AUTH_SUC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">029002$</field>
+        <description>PPP authentication successful</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100353" level="4">
+        <!-- LOG_ID_PPPD_AUTH_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">029003$</field>
+        <description>PPP authentication failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100354" level="4">
+        <!-- LOG_ID_PPPD_MSG_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">029004$</field>
+        <description>PPP status error message</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100355" level="4">
+        <!-- LOG_ID_PPPD_MSG_DEBUG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">029005$</field>
+        <description>PPP status debug message</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.debug</group>
+    </rule>
+
+    <rule id="100356" level="4">
+        <!-- LOG_ID_PPPOE_STATUS_REPORT_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">029010$</field>
+        <description>PPPoE status report</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100357" level="4">
+        <!-- LOG_ID_PPPD_FAIL_TO_EXEC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">029011$</field>
+        <description>PPP execution failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100358" level="4">
+        <!-- LOG_ID_PPPD_START -->
+        <if_sid>100010</if_sid>
+        <field name="logid">029013$</field>
+        <description>PPP daemon started</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100359" level="4">
+        <!-- LOG_ID_PPPD_EXIT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">029014$</field>
+        <description>PPP daemon exited</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100360" level="4">
+        <!-- LOG_ID_PPP_RCV_BAD_PEER_IP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">029015$</field>
+        <description>PPP received invalid peer IP</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100361" level="4">
+        <!-- LOG_ID_PPP_RCV_BAD_LOCAL_IP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">029016$</field>
+        <description>PPP received invalid local IP</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100362" level="4">
+        <!-- LOG_ID_EVENT_AUTH_SNMP_QUERY_FAILED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">029021$</field>
+        <description>SNMP query failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100363" level="4">
+        <!-- LOG_ID_DDNS_UPDATE_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">029022$</field>
+        <description>DDNS update failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100364" level="4">
+        <!-- LOG_ID_ADMIN_LOGIN_SUCC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032001$</field>
+        <description>Admin login successful</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100365" level="4">
+        <!-- LOG_ID_ADMIN_LOGIN_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032002$</field>
+        <description>Admin login failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100366" level="4">
+        <!-- LOG_ID_ADMIN_LOGOUT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032003$</field>
+        <description>Admin logout successful</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100367" level="4">
+        <!-- LOG_ID_ADMIN_OVERIDE_VDOM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032005$</field>
+        <description>Admin overrode VDOM</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100368" level="4">
+        <!-- LOG_ID_ADMIN_ENTER_VDOM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032006$</field>
+        <description>Super admin entered VDOM</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100369" level="4">
+        <!-- LOG_ID_ADMIN_LEFT_VDOM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032007$</field>
+        <description>Super admin left VDOM</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100370" level="4">
+        <!-- LOG_ID_VIEW_DISK_LOG_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032008$</field>
+        <description>Disk log access failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100371" level="4">
+        <!-- LOG_ID_SYSTEM_START -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032009$</field>
+        <description>FortiGate started</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100372" level="4">
+        <!-- LOG_ID_DISK_LOG_FULL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032010$</field>
+        <description>Disk full</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100373" level="4">
+        <!-- LOG_ID_LOG_ROLL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032011$</field>
+        <description>Disk log rolled</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100374" level="4">
+        <!-- LOG_ID_CS_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032014$</field>
+        <description>Support license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100375" level="4">
+        <!-- LOG_ID_DISK_LOG_USAGE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032015$</field>
+        <description>Log disk full</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100376" level="4">
+        <!-- LOG_ID_FDS_DAILY_QUOTA_FULL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032017$</field>
+        <description>FortiGate Cloud daily quota full</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100377" level="4">
+        <!-- LOG_ID_FIPS_ENTER_ERR_MOD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032018$</field>
+        <description>FIPS CC entered error mode</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.emergency</group>
+    </rule>
+
+    <rule id="100378" level="4">
+        <!-- LOG_ID_CC_ENTER_ERR_MOD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032019$</field>
+        <description>CC entered error mode</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.emergency</group>
+    </rule>
+
+    <rule id="100379" level="4">
+        <!-- LOG_ID_SSH_CORRPUT_MAC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032020$</field>
+        <description>Message Authentication Code corrupted</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100380" level="4">
+        <!-- LOG_ID_ADMIN_LOGIN_DISABLE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032021$</field>
+        <description>Admin login disabled</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100381" level="4">
+        <!-- LOG_ID_VDOM_ENABLED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032022$</field>
+        <description>VDOM enabled</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100382" level="4">
+        <!-- LOG_ID_MEM_LOG_FIRST_FULL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032023$</field>
+        <description>Memory log full over first warning level</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100383" level="4">
+        <!-- LOG_ID_ADMIN_PASSWD_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032024$</field>
+        <description>Admin password expired</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100384" level="4">
+        <!-- LOG_ID_SSH_REKEY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032025$</field>
+        <description>SSH server re-key</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100385" level="4">
+        <!-- LOG_ID_SSH_BAD_PACKET_LENGTH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032026$</field>
+        <description>SSH server received bad length packet</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100386" level="4">
+        <!-- LOG_ID_VIEW_DISK_LOG_SUCC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032027$</field>
+        <description>Disk logs viewed successfully</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100387" level="4">
+        <!-- LOG_ID_LOG_DEL_DIR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032028$</field>
+        <description>Disk log directory deleted</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100388" level="4">
+        <!-- LOG_ID_LOG_DEL_FILE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032029$</field>
+        <description>Disk log file deleted</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100389" level="4">
+        <!-- LOG_ID_SEND_FDS_STAT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032030$</field>
+        <description>FDS statistics sent</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100390" level="4">
+        <!-- LOG_ID_VIEW_MEM_LOG_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032031$</field>
+        <description>Memory log access failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100391" level="4">
+        <!-- LOG_ID_DISK_DLP_ARCH_FULL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032032$</field>
+        <description>DLP archive full</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.emergency</group>
+    </rule>
+
+    <rule id="100392" level="4">
+        <!-- LOG_ID_DISK_QUAR_FULL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032033$</field>
+        <description>Quarantine full</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.emergency</group>
+    </rule>
+
+    <rule id="100393" level="4">
+        <!-- LOG_ID_DISK_REPORT_FULL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032034$</field>
+        <description>Report db data full</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.emergency</group>
+    </rule>
+
+    <rule id="100394" level="4">
+        <!-- LOG_ID_VDOM_DISABLED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032035$</field>
+        <description>VDOM disabled</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100395" level="4">
+        <!-- LOG_ID_DISK_IPS_ARCH_FULL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032036$</field>
+        <description>IPS archive full</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.emergency</group>
+    </rule>
+
+    <rule id="100396" level="4">
+        <!-- LOG_ID_DISK_LOG_FIRST_FULL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032037$</field>
+        <description>Disk log full over first warning</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100397" level="4">
+        <!-- LOG_ID_LOG_ROLL_FORTICRON -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032038$</field>
+        <description>Log rotation requested by FortiCron</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100398" level="4">
+        <!-- LOG_ID_VIEW_MEM_LOG_SUCC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032039$</field>
+        <description>Memory logs viewed successfully</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100399" level="4">
+        <!-- LOG_ID_REPORT_DELETED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032040$</field>
+        <description>Report deleted</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100400" level="4">
+        <!-- LOG_ID_REPORT_DELETED_GUI -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032041$</field>
+        <description>Report deleted from GUI</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100401" level="4">
+        <!-- LOG_ID_MEM_LOG_SECOND_FULL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032042$</field>
+        <description>Memory log full over second warning level</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100402" level="4">
+        <!-- LOG_ID_MEM_LOG_FINAL_FULL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032043$</field>
+        <description>Memory log full over final warning level</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100403" level="4">
+        <!-- LOG_ID_LOG_DELETE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032044$</field>
+        <description>Log deleted by user</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100404" level="4">
+        <!-- LOG_ID_MGR_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032045$</field>
+        <description>FortiGuard management service license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100405" level="4">
+        <!-- LOG_ID_SCHEDULE_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032048$</field>
+        <description>One time schedule expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100406" level="4">
+        <!-- LOG_ID_FC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032049$</field>
+        <description>FortiGate Cloud license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100407" level="4">
+        <!-- LOG_ID_POL_PKT_CAPTURE_FULL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032050$</field>
+        <description>Policy packet capture full</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100408" level="4">
+        <!-- LOG_ID_LOG_UPLOAD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032051$</field>
+        <description>Disk logs upload started</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100409" level="4">
+        <!-- LOG_ID_UPLOAD_RUN_SCRIPT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032052$</field>
+        <description>Upload and run a script</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100410" level="4">
+        <!-- LOG_ID_VIEW_FAZ_LOG_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032057$</field>
+        <description>FortiAnalyzer log access failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100411" level="4">
+        <!-- LOG_ID_VIEW_FAZ_LOG_SUCC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032058$</field>
+        <description>FortiAnalyzer logs viewed successfully</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100412" level="4">
+        <!-- LOG_ID_GUI_CHG_SUB_MODULE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032095$</field>
+        <description>Admin performed an action from GUI</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100413" level="4">
+        <!-- LOG_ID_GUI_DOWNLOAD_LOG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032096$</field>
+        <description>Log file downloaded from GUI</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100414" level="4">
+        <!-- LOG_ID_DELETE_CAPTURE_PKT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032097$</field>
+        <description>Policy packet capture file deleted</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100415" level="4">
+        <!-- LOG_ID_CHG_CONFIG_INFO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032099$</field>
+        <description>Configuration changed information</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100416" level="4">
+        <!-- LOG_ID_FORTI_TOKEN_SYNC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032100$</field>
+        <description>FortiToken synchronized</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100417" level="4">
+        <!-- LOG_ID_CHG_CONFIG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032102$</field>
+        <description>Configuration changed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100418" level="4">
+        <!-- LOG_ID_NEW_FIRMWARE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032103$</field>
+        <description>New firmware available on FortiGuard</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100419" level="4">
+        <!-- LOG_ID_CHG_CONFIG_GUI -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032104$</field>
+        <description>Configuration changed via GUI</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100420" level="4">
+        <!-- LOG_ID_NTP_SVR_STAUS_CHG_REACHABLE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032105$</field>
+        <description>NTP server status changes to reachable</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100421" level="4">
+        <!-- LOG_ID_NTP_SVR_STAUS_CHG_RESOLVABLE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032106$</field>
+        <description>NTP server status changes to resolvable</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100422" level="4">
+        <!-- LOG_ID_NTP_SVR_STAUS_CHG_UNRESOLVABLE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032107$</field>
+        <description>NTP server status changes to unresolvable</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100423" level="4">
+        <!-- LOG_ID_NTP_SVR_STAUS_CHG_UNREACHABLE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032108$</field>
+        <description>NTP server status changes to unreachable</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100424" level="4">
+        <!-- LOG_ID_UPD_SIGN_AV_DB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032109$</field>
+        <description>Updating virus database</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100425" level="4">
+        <!-- LOG_ID_UPD_SIGN_IPS_DB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032110$</field>
+        <description>IPS database updated</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100426" level="4">
+        <!-- LOG_ID_UPD_SIGN_AVIPS_DB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032111$</field>
+        <description>AV, IPS, GeoIP, SRC-VIS, FortiFlow, URL White-list, Certificate databases updated</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100427" level="4">
+        <!-- LOG_ID_UPD_SIGN_SRCVIS_DB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032113$</field>
+        <description>SRC-VIS object updated</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100428" level="4">
+        <!-- LOG_ID_UPD_SIGN_GEOIP_DB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032114$</field>
+        <description>GeoIP object updated</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100429" level="4">
+        <!-- LOG_ID_UPD_SIGN_AVPKG_FAILURE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032116$</field>
+        <description>AV package update by SCP failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100430" level="4">
+        <!-- LOG_ID_UPD_SIGN_AVPKG_SUCCESS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032117$</field>
+        <description>AV package update by SCP successful</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100431" level="4">
+        <!-- LOG_ID_UPD_ADMIN_AV_DB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032118$</field>
+        <description>AV updated by admin</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100432" level="4">
+        <!-- LOG_ID_UPD_SCANUNIT_AV_DB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032119$</field>
+        <description>AV database updated by scanunit</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100433" level="4">
+        <!-- LOG_ID_ADD_GUEST -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032129$</field>
+        <description>Guest user added</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100434" level="4">
+        <!-- LOG_ID_CHG_USER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032130$</field>
+        <description>User changed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100435" level="4">
+        <!-- LOG_ID_DEL_GUEST -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032131$</field>
+        <description>Guest user deleted</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100436" level="4">
+        <!-- LOG_ID_ADD_USER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032132$</field>
+        <description>Local user added</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100437" level="4">
+        <!-- LOG_ID_REBOOT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032138$</field>
+        <description>Device rebooted</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100438" level="4">
+        <!-- LOG_ID_WAKE_ON_LAN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032139$</field>
+        <description>Wake on LAN device</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100439" level="4">
+        <!-- LOG_ID_TIME_USER_SETTING_CHG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032140$</field>
+        <description>Global time setting changed by user</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100440" level="4">
+        <!-- LOG_ID_TIME_NTP_SETTING_CHG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032141$</field>
+        <description>Global time setting changed by NTP</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100441" level="4">
+        <!-- LOG_ID_BACKUP_CONF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032142$</field>
+        <description>System configuration backed up</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100442" level="4">
+        <!-- LOG_ID_BACKUP_CONF_BY_SCP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032143$</field>
+        <description>System configuration backed up by SCP</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100443" level="4">
+        <!-- LOG_ID_BACKUP_CONF_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032144$</field>
+        <description>System configuration backed up error</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100444" level="4">
+        <!-- LOG_ID_BACKUP_CONF_ALERT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032145$</field>
+        <description>System configuration backed up alert</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100445" level="4">
+        <!-- LOG_ID_TIME_PTP_SETTING_CHG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032146$</field>
+        <description>Global time setting changed by PTP</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100446" level="4">
+        <!-- LOG_ID_GET_CRL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032148$</field>
+        <description>CRL update requested</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100447" level="4">
+        <!-- LOG_ID_COMMAND_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032149$</field>
+        <description>Command failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100448" level="4">
+        <!-- LOG_ID_ADD_IP6_LOCAL_POL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032151$</field>
+        <description>IPv6 firewall local in policy added</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100449" level="4">
+        <!-- LOG_ID_CHG_IP6_LOCAL_POL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032152$</field>
+        <description>IPv6 firewall local in policy setting changed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100450" level="4">
+        <!-- LOG_ID_DEL_IP6_LOCAL_POL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032153$</field>
+        <description>IPv6 firewall local in policy deleted</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100451" level="4">
+        <!-- LOG_ID_ACT_FTOKEN_REQ -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032155$</field>
+        <description>FortiToken activation requested</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100452" level="4">
+        <!-- LOG_ID_ACT_FTOKEN_SUCC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032156$</field>
+        <description>FortiToken activation successful</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100453" level="4">
+        <!-- LOG_ID_SYNC_FTOKEN_SUCC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032157$</field>
+        <description>FortiToken re-synchronized</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100454" level="4">
+        <!-- LOG_ID_SYNC_FTOKEN_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032158$</field>
+        <description>FortiToken re-synchronization failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100455" level="4">
+        <!-- LOG_ID_ACT_FTOKEN_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032159$</field>
+        <description>FortiToken activation failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100456" level="4">
+        <!-- LOG_ID_FTM_PUSH_SUCC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032160$</field>
+        <description>FortiToken mobile push message succeeded</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100457" level="4">
+        <!-- LOG_ID_FTM_PUSH_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032161$</field>
+        <description>FortiToken mobile push message failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100458" level="4">
+        <!-- LOG_ID_REACH_VDOM_LIMIT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032168$</field>
+        <description>VDOM limit reached</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100459" level="4">
+        <!-- LOG_ID_ALARM_DLP_DB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032169$</field>
+        <description>DLP database space alarm</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100460" level="4">
+        <!-- LOG_ID_ALARM_MSG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032170$</field>
+        <description>Alarm created</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100461" level="4">
+        <!-- LOG_ID_ALARM_ACK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032171$</field>
+        <description>Alarm acknowledged</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100462" level="4">
+        <!-- LOG_ID_ADD_IP4_LOCAL_POL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032172$</field>
+        <description>IPv4 firewall local in policy added</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100463" level="4">
+        <!-- LOG_ID_CHG_IP4_LOCAL_POL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032173$</field>
+        <description>IPv4 firewall local in policy's setting changed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100464" level="4">
+        <!-- LOG_ID_DEL_IP4_LOCAL_POL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032174$</field>
+        <description>IPv4 firewall local in policy deleted</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100465" level="4">
+        <!-- LOG_ID_GEOIP_DB_INIT_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032180$</field>
+        <description>IP Geography DB initialization failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100466" level="4">
+        <!-- LOG_ID_UPT_INVALID_IMG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032190$</field>
+        <description>Invalid image loaded</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100467" level="4">
+        <!-- LOG_ID_UPT_INVALID_IMG_CC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032191$</field>
+        <description>Image with invalid CC signature loaded</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100468" level="4">
+        <!-- LOG_ID_UPT_INVALID_IMG_RSA -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032192$</field>
+        <description>Image with invalid RSA signature loaded</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100469" level="4">
+        <!-- LOG_ID_UPT_IMG_RSA -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032193$</field>
+        <description>Image with valid RSA signature loaded</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100470" level="4">
+        <!-- LOG_ID_UPT_IMG_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032194$</field>
+        <description>System upgrade failed due to file operation failure</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100471" level="4">
+        <!-- LOG_ID_SHUTDOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032200$</field>
+        <description>Device shutdown</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100472" level="4">
+        <!-- LOG_ID_LOAD_IMG_SUCC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032201$</field>
+        <description>Image loaded successfully</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100473" level="4">
+        <!-- LOG_ID_RESTORE_IMG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032202$</field>
+        <description>Image restored</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100474" level="4">
+        <!-- LOG_ID_RESTORE_CONF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032203$</field>
+        <description>Configuration restored</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100475" level="4">
+        <!-- LOG_ID_RESTORE_FGD_SVR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032204$</field>
+        <description>FortiGuard service restored</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100476" level="4">
+        <!-- LOG_ID_RESTORE_VDOM_LIC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032205$</field>
+        <description>VM license restored</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100477" level="4">
+        <!-- LOG_ID_RESTORE_SCRIPT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032206$</field>
+        <description>Script restored from management station</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100478" level="4">
+        <!-- LOG_ID_RETRIEVE_CONF_LIST -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032207$</field>
+        <description>Configuration list retrieval failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100479" level="4">
+        <!-- LOG_ID_IMP_PKCS12_CERT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032208$</field>
+        <description>PKCS12 certificate imported</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100480" level="4">
+        <!-- LOG_ID_RESTORE_USR_DEF_IPS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032209$</field>
+        <description>IPS custom signatures restored</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100481" level="4">
+        <!-- LOG_ID_BACKUP_IMG_SUCC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032210$</field>
+        <description>Firmware image backed up successfully</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100482" level="4">
+        <!-- LOG_ID_UPLOAD_REVISION -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032211$</field>
+        <description>Revision uploaded to flash disk</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100483" level="4">
+        <!-- LOG_ID_DEL_REVISION -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032212$</field>
+        <description>Revision deleted</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100484" level="4">
+        <!-- LOG_ID_RESTORE_TEMPLATE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032213$</field>
+        <description>Template restored</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100485" level="4">
+        <!-- LOG_ID_RESTORE_FILE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032214$</field>
+        <description>File restore failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100486" level="4">
+        <!-- LOG_ID_UPT_IMG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032215$</field>
+        <description>Image updated</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100487" level="4">
+        <!-- LOG_ID_UPD_IPS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032217$</field>
+        <description>IPS package - Admin update successful</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100488" level="4">
+        <!-- LOG_ID_UPD_DLP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032218$</field>
+        <description>DLP fingerprint database update via SCP failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100489" level="4">
+        <!-- LOG_ID_BACKUP_OUTPUT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032219$</field>
+        <description>Error output backup via SCP successful</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100490" level="4">
+        <!-- LOG_ID_BACKUP_COMMAND -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032220$</field>
+        <description>Batch mode command output backup via SCP successful</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100491" level="4">
+        <!-- LOG_ID_UPD_VDOM_LIC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032221$</field>
+        <description>VM license installed via SCP</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100492" level="4">
+        <!-- LOG_ID_GLB_SETTING_CHG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032222$</field>
+        <description>Global setting changed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100493" level="4">
+        <!-- LOG_ID_BACKUP_USER_DEF_IPS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032223$</field>
+        <description>IPS custom signatures backup success</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100494" level="4">
+        <!-- LOG_ID_BACKUP_DISK_LOG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032224$</field>
+        <description>Disk logs backed up</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100495" level="4">
+        <!-- LOG_ID_DEL_ALL_REVISION -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032225$</field>
+        <description>Revision database reset due to data corruption</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100496" level="4">
+        <!-- LOG_ID_LOAD_IMG_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032226$</field>
+        <description>Image failed to load</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100497" level="4">
+        <!-- LOG_ID_UPD_DLP_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032227$</field>
+        <description>DLP fingerprint database failed to update by SCP</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100498" level="4">
+        <!-- LOG_ID_LOAD_IMG_FAIL_WRONG_IMG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032228$</field>
+        <description>Firmware image loaded incorrect</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100499" level="4">
+        <!-- LOG_ID_LOAD_IMG_FAIL_NO_RSA -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032229$</field>
+        <description>Firmware image without valid RSA signature loaded</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100500" level="4">
+        <!-- LOG_ID_LOAD_IMG_FAIL_INVALID_RSA -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032230$</field>
+        <description>Firmware image with invalid RSA signature loaded</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100501" level="4">
+        <!-- LOG_ID_RESTORE_FGD_SVR_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032231$</field>
+        <description>FortiGuard service failed to restore</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100502" level="4">
+        <!-- LOG_ID_RESTORE_VDOM_LIC_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032232$</field>
+        <description>VM license failed to restore</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100503" level="4">
+        <!-- LOG_ID_BACKUP_IMG_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032233$</field>
+        <description>Firmware image backup failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100504" level="4">
+        <!-- LOG_ID_RESTORE_IMG_INVALID_CC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032234$</field>
+        <description>Image with invalid CC signature restored</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100505" level="4">
+        <!-- LOG_ID_RESTORE_IMG_FORTIGUARD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032235$</field>
+        <description>Image restored from FortiGuard Management</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100506" level="4">
+        <!-- LOG_ID_BACKUP_MEM_LOG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032236$</field>
+        <description>Memory logs backed up</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100507" level="4">
+        <!-- LOG_ID_BACKUP_MEM_LOG_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032237$</field>
+        <description>Memory logs failed to back up</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100508" level="4">
+        <!-- LOG_ID_BACKUP_DISK_LOG_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032238$</field>
+        <description>Disk logs failed to back up</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100509" level="4">
+        <!-- LOG_ID_BACKUP_DISK_LOG_USB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032239$</field>
+        <description>Disk logs backed up to USB</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100510" level="4">
+        <!-- LOG_ID_SYS_USB_MODE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032240$</field>
+        <description>System operating in USB mode</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100511" level="4">
+        <!-- LOG_ID_BACKUP_DISK_LOG_USB_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032241$</field>
+        <description>Disk logs failed to back up to USB</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100512" level="4">
+        <!-- LOG_ID_UPD_VDOM_LIC_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032242$</field>
+        <description>VM license failed to install via SCP</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100513" level="4">
+        <!-- LOG_ID_UPD_IPS_SCP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032243$</field>
+        <description>IPS package updated via SCP</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100514" level="4">
+        <!-- LOG_ID_UPD_IPS_SCP_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032244$</field>
+        <description>IPS package failed to update via SCP</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100515" level="4">
+        <!-- LOG_ID_BACKUP_USER_DEF_IPS_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032245$</field>
+        <description>IPS custom signatures backup failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100516" level="4">
+        <!-- LOG_ID_RESTORE_USR_DEF_IPS_CRITICAL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032246$</field>
+        <description>IPS custom signatures restored critical</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100517" level="4">
+        <!-- LOG_ID_SSH_NEGOTIATION_FAILURE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032247$</field>
+        <description>SSH protocol cannot be negotiated</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100518" level="4">
+        <!-- LOG_ID_FACTORY_RESET -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032252$</field>
+        <description>Factory settings reset</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100519" level="4">
+        <!-- LOG_ID_FORMAT_RAID -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032253$</field>
+        <description>RAID disk formatted</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100520" level="4">
+        <!-- LOG_ID_ENABLE_RAID -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032254$</field>
+        <description>RAID enabled</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100521" level="4">
+        <!-- LOG_ID_DISABLE_RAID -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032255$</field>
+        <description>RAID disabled</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100522" level="4">
+        <!-- LOG_ID_RESTORE_IMG_FORTIGUARD_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032260$</field>
+        <description>Image restored from FortiGuard Management notification</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100523" level="4">
+        <!-- LOG_ID_RESTORE_SCRIPT_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032261$</field>
+        <description>Script restored by user</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100524" level="4">
+        <!-- LOG_ID_RESTORE_IMG_CONFIRM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032262$</field>
+        <description>Image restore confirmed by user</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100525" level="4">
+        <!-- LOG_ID_BLE_FIRMWARE_CHECK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032263$</field>
+        <description>Bluetooth firmware check</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100526" level="4">
+        <!-- LOG_ID_BLE_FIRMWARE_UPDATE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032264$</field>
+        <description>Bluetooth firmware update</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100527" level="4">
+        <!-- LOG_ID_BLE_FIRMWARE_UPDATE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032265$</field>
+        <description>Bluetooth firmware update</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100528" level="4">
+        <!-- LOG_ID_SSH_HOST_KEY_REGEN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032270$</field>
+        <description>SSH host keys regenerated.</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100529" level="4">
+        <!-- LOG_ID_UPLOAD_RPT_IMG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032300$</field>
+        <description>Report image file uploaded</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100530" level="4">
+        <!-- LOG_ID_ADD_VDOM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032301$</field>
+        <description>VDOM added</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100531" level="4">
+        <!-- LOG_ID_DEL_VDOM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032302$</field>
+        <description>VDOM deleted</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100532" level="4">
+        <!-- LOG_ID_SYS_RESTART -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032545$</field>
+        <description>Scheduled daily reboot started</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100533" level="4">
+        <!-- LOG_ID_APPLICATION_CRASH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032546$</field>
+        <description>Application crashed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100534" level="4">
+        <!-- LOG_ID_AUTOSCRIPT_START -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032547$</field>
+        <description>Autoscript start</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100535" level="4">
+        <!-- LOG_ID_AUTOSCRIPT_STOP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032548$</field>
+        <description>Autoscript stop</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100536" level="4">
+        <!-- LOG_ID_AUTOSCRIPT_STOP_AUTO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032549$</field>
+        <description>Autoscript stop automatically</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100537" level="4">
+        <!-- LOG_ID_AUTOSCRIPT_DELETE_RSLT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032550$</field>
+        <description>Autoscript delete result</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100538" level="4">
+        <!-- LOG_ID_AUTOSCRIPT_BACKUP_RSLT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032551$</field>
+        <description>Autoscript backup result</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100539" level="4">
+        <!-- LOG_ID_AUTOSCRIPT_CHECK_STATUS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032552$</field>
+        <description>Autoscript check status</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100540" level="4">
+        <!-- LOG_ID_AUTOSCRIPT_STOP_REACH_LIMIT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032553$</field>
+        <description>Autoscript stop due to limit reached</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100541" level="4">
+        <!-- LOG_ID_UPD_ADMIN_DB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032554$</field>
+        <description>Database updated by admin</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100542" level="4">
+        <!-- LOG_ID_ADMIN_LOGOUT_DISCONNECT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032561$</field>
+        <description>Admin disconnected</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100543" level="4">
+        <!-- LOG_ID_STORE_CONF_FAIL_SPACE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032562$</field>
+        <description>Store config failed - not enough flash space</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100544" level="4">
+        <!-- LOG_ID_RESTORE_CONF_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032564$</field>
+        <description>Configuration failed to restore</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100545" level="4">
+        <!-- LOG_ID_RESTORE_CONF_BY_MGMT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032565$</field>
+        <description>Configuration restored from management station</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100546" level="4">
+        <!-- LOG_ID_RESTORE_CONF_BY_SCP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032566$</field>
+        <description>Configuration restored by SCP</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100547" level="4">
+        <!-- LOG_ID_DEL_REVISION_DB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032568$</field>
+        <description>Revision Database deletion</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100548" level="4">
+        <!-- LOG_ID_FSW_SWITCH_LOG_EVENT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032569$</field>
+        <description>Switch-Controller</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100549" level="4">
+        <!-- LOG_ID_RESTORE_CONF_FAIL_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032571$</field>
+        <description>Configuration failed to restore warning</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100550" level="4">
+        <!-- LOG_ID_FGT_SWITCH_LOG_DISCOVER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032601$</field>
+        <description>Switch-Controller discovered</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100551" level="4">
+        <!-- LOG_ID_FGT_SWITCH_LOG_AUTH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032602$</field>
+        <description>Switch-Controller authorized</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100552" level="4">
+        <!-- LOG_ID_FGT_SWITCH_LOG_DEAUTH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032603$</field>
+        <description>Switch-Controller deauthorized</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100553" level="4">
+        <!-- LOG_ID_FGT_SWITCH_LOG_DELETE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032604$</field>
+        <description>Switch-Controller deleted</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100554" level="4">
+        <!-- LOG_ID_FGT_SWITCH_LOG_TUNNEL_UP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032605$</field>
+        <description>Switch-Controller Tunnel Up</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100555" level="4">
+        <!-- LOG_ID_FGT_SWITCH_LOG_TUNNEL_DOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032606$</field>
+        <description>Switch-Controller Tunnel Down</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100556" level="4">
+        <!-- LOG_ID_FGT_SWITCH_PUSH_IMAGE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032607$</field>
+        <description>Image push to FortiSwitch</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100557" level="4">
+        <!-- LOG_ID_FGT_SWITCH_STAGE_IMAGE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032608$</field>
+        <description>Image stage to FortiSwitch</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100558" level="4">
+        <!-- LOG_ID_FGT_SWITCH_DISABLE_DISCOVERY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032609$</field>
+        <description>Disable FortiSwitch Discovery</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100559" level="4">
+        <!-- LOG_ID_FGT_SWITCH_LOG_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032610$</field>
+        <description>Switch-Controller warning</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100560" level="4">
+        <!-- LOG_ID_FGT_SWITCH_EXPORT_POOL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032611$</field>
+        <description>Export port to pool</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100561" level="4">
+        <!-- LOG_ID_FGT_SWITCH_EXPORT_VDOM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032612$</field>
+        <description>Export port to vdom</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100562" level="4">
+        <!-- LOG_ID_FGT_SWITCH_REQUEST_PORT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032613$</field>
+        <description>Request port from pool</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100563" level="4">
+        <!-- LOG_ID_FGT_SWITCH_RETURN_PORT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032614$</field>
+        <description>Return port to pool</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100564" level="4">
+        <!-- LOG_ID_FGT_SWITCH_MAC_ADD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032615$</field>
+        <description>FortiSwitch MAC add</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100565" level="4">
+        <!-- LOG_ID_FGT_SWITCH_MAC_DEL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032616$</field>
+        <description>FortiSwitch MAC delete</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100566" level="4">
+        <!-- LOG_ID_FGT_SWITCH_MAC_MOVE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032617$</field>
+        <description>FortiSwitch MAC move</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100567" level="4">
+        <!-- LOG_ID_FGT_SWITCH_GROUP_SWC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032693$</field>
+        <description>FortiSwitch switch controller</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100568" level="4">
+        <!-- LOG_ID_FGT_SWITCH_GROUP_POE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032694$</field>
+        <description>FortiSwitch PoE</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100569" level="4">
+        <!-- LOG_ID_FGT_SWITCH_GROUP_LINK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032695$</field>
+        <description>FortiSwitch link</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100570" level="4">
+        <!-- LOG_ID_FGT_SWITCH_GROUP_STP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032696$</field>
+        <description>FortiSwitch spanning Tree</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100571" level="4">
+        <!-- LOG_ID_FGT_SWITCH_GROUP_SWITCH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032697$</field>
+        <description>FortiSwitch switch</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100572" level="4">
+        <!-- LOG_ID_FGT_SWITCH_GROUP_ROUTER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032698$</field>
+        <description>FortiSwitch router</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100573" level="4">
+        <!-- LOG_ID_FGT_SWITCH_GROUP_SYSTEM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032699$</field>
+        <description>FortiSwitch system</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100574" level="4">
+        <!-- LOG_ID_NP6_IPSEC_ENGINE_BUSY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">034415$</field>
+        <description>NP6 IPsec engine is busy</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100575" level="4">
+        <!-- LOG_ID_NP6_IPSEC_ENGINE_POSSIBLY_LOCKUP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">034416$</field>
+        <description>NP6 IPsec engine is possibly locked up</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100576" level="4">
+        <!-- LOG_ID_NP6_IPSEC_ENGINE_LOCKUP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">034417$</field>
+        <description>NP6 IPsec engine is locked up</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100577" level="4">
+        <!-- LOG_ID_NP6_HPE_PACKET_DROP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">034418$</field>
+        <description>NPU HPE is dropping packets</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100578" level="4">
+        <!-- LOG_ID_NP6_HPE_PACKET_FLOOD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">034419$</field>
+        <description>NP6 HPE under a packets flood</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100579" level="4">
+        <!-- LOG_ID_NP7_HPE_PACKET_DROP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">034428$</field>
+        <description>NPU HPE is dropping packets</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100580" level="4">
+        <!-- LOG_ID_NP7_HPE_PACKET_FLOOD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">034430$</field>
+        <description>NPU HPE under packet flood</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100581" level="4">
+        <!-- LOG_ID_HA_SYNC_VIRDB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">035001$</field>
+        <description>HA secondary synchronized Virus database</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100582" level="4">
+        <!-- LOG_ID_HA_SYNC_ETDB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">035002$</field>
+        <description>HA secondary synchronized Extended database</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100583" level="4">
+        <!-- LOG_ID_HA_SYNC_EXDB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">035003$</field>
+        <description>HA secondary synchronized Extreme database</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100584" level="4">
+        <!-- LOG_ID_HA_SYNC_FLDB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">035004$</field>
+        <description>HA secondary synchronized FLDB</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100585" level="4">
+        <!-- LOG_ID_HA_SYNC_IPS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">035005$</field>
+        <description>HA secondary synchronized IDS package</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100586" level="4">
+        <!-- LOG_ID_HA_SYNC_AV -->
+        <if_sid>100010</if_sid>
+        <field name="logid">035007$</field>
+        <description>HA secondary synchronized AntiVirus package</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100587" level="4">
+        <!-- LOG_ID_HA_SYNC_CID -->
+        <if_sid>100010</if_sid>
+        <field name="logid">035009$</field>
+        <description>HA secondary synchronized CID package</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100588" level="4">
+        <!-- LOG_ID_HA_SYNC_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">035011$</field>
+        <description>HA secondary synchronization failed</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100589" level="4">
+        <!-- LOG_ID_CONF_SYNC_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">035012$</field>
+        <description>Secondary sync failed</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100590" level="4">
+        <!-- LOG_ID_HA_FAILOVER_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">035013$</field>
+        <description>HA failover failed</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100591" level="4">
+        <!-- LOG_ID_HA_RESET_UPTIME -->
+        <if_sid>100010</if_sid>
+        <field name="logid">035014$</field>
+        <description>HA reset uptime</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100592" level="4">
+        <!-- LOG_ID_HA_CLEAR_HISTORY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">035015$</field>
+        <description>HA clear history</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100593" level="4">
+        <!-- LOG_ID_HA_FAILOVER_SUCCESS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">035016$</field>
+        <description>HA failover success</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100594" level="4">
+        <!-- LOG_ID_EVENT_SYSTEM_CFG_REVERT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">036881$</field>
+        <description>Configuration reverted due to timeout</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100595" level="4">
+        <!-- LOG_ID_EVENT_SYSTEM_CFG_MANUALLY_SAVED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">036882$</field>
+        <description>Configuration manually saved</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100596" level="4">
+        <!-- LOG_ID_EVENT_SYSTEM_CLEAR_ACTIVE_SESSION -->
+        <if_sid>100010</if_sid>
+        <field name="logid">036883$</field>
+        <description>Clear active sessions</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100597" level="4">
+        <!-- MESGID_NEG_GENERIC_P1_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037120$</field>
+        <description>Negotiate IPsec phase 1</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100598" level="4">
+        <!-- MESGID_NEG_GENERIC_P1_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037121$</field>
+        <description>Negotiate IPsec phase 1</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100599" level="4">
+        <!-- MESGID_NEG_GENERIC_P2_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037122$</field>
+        <description>Negotiate IPsec phase 2</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100600" level="4">
+        <!-- MESGID_NEG_GENERIC_P2_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037123$</field>
+        <description>Negotiate IPsec phase 2</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100601" level="4">
+        <!-- MESGID_NEG_I_P1_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037124$</field>
+        <description>IPsec phase 1 error</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100602" level="4">
+        <!-- MESGID_NEG_I_P2_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037125$</field>
+        <description>IPsec phase 2 error</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100603" level="4">
+        <!-- MESGID_NEG_NO_STATE_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037126$</field>
+        <description>IPsec no state error</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100604" level="4">
+        <!-- MESGID_NEG_PROGRESS_P1_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037127$</field>
+        <description>Progress IPsec phase 1</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100605" level="4">
+        <!-- MESGID_NEG_PROGRESS_P1_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037128$</field>
+        <description>Progress IPsec phase 1</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100606" level="4">
+        <!-- MESGID_NEG_PROGRESS_P2_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037129$</field>
+        <description>Progress IPsec phase 2</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100607" level="4">
+        <!-- MESGID_NEG_PROGRESS_P2_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037130$</field>
+        <description>Progress IPsec phase 2</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100608" level="4">
+        <!-- MESGID_ESP_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037131$</field>
+        <description>IPsec ESP</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100609" level="4">
+        <!-- MESGID_ESP_CRITICAL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037132$</field>
+        <description>IPsec ESP</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100610" level="4">
+        <!-- MESGID_INSTALL_SA -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037133$</field>
+        <description>IPsec SA installed</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100611" level="4">
+        <!-- MESGID_DELETE_P1_SA -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037134$</field>
+        <description>IPsec phase 1 SA deleted</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100612" level="4">
+        <!-- MESGID_DELETE_P2_SA -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037135$</field>
+        <description>IPsec phase 2 SA deleted</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100613" level="4">
+        <!-- MESGID_DPD_FAILURE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037136$</field>
+        <description>IPsec DPD failed</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100614" level="4">
+        <!-- MESGID_CONN_FAILURE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037137$</field>
+        <description>IPsec connection failed</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100615" level="4">
+        <!-- MESGID_CONN_UPDOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037138$</field>
+        <description>IPsec connection status changed</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100616" level="4">
+        <!-- MESGID_P2_UPDOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037139$</field>
+        <description>IPsec phase 2 status changed</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100617" level="4">
+        <!-- MESGID_CONN_STATS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037141$</field>
+        <description>IPsec tunnel statistics</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100618" level="4">
+        <!-- MESGID_VC_DELETE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037889$</field>
+        <description>Virtual cluster deleted</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100619" level="4">
+        <!-- MESGID_VC_MOVE_VDOM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037890$</field>
+        <description>Virtual cluster VDOM moved</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100620" level="4">
+        <!-- MESGID_VC_ADD_VDOM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037891$</field>
+        <description>Virtual cluster VDOM added</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100621" level="4">
+        <!-- MESGID_VC_MOVE_MEMB_STATE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037892$</field>
+        <description>Virtual cluster member state moved</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100622" level="4">
+        <!-- MESGID_VC_DETECT_MEMB_DEAD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037893$</field>
+        <description>Virtual cluster member dead</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100623" level="4">
+        <!-- MESGID_VC_DETECT_MEMB_JOIN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037894$</field>
+        <description>Virtual cluster member joined</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100624" level="4">
+        <!-- MESGID_VC_ADD_HADEV -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037895$</field>
+        <description>Virtual cluster added HA device interface</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100625" level="4">
+        <!-- MESGID_VC_DEL_HADEV -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037896$</field>
+        <description>Virtual cluster deleted HA device interface</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100626" level="4">
+        <!-- MESGID_HADEV_READY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037897$</field>
+        <description>HA device interface ready</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100627" level="4">
+        <!-- MESGID_HADEV_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037898$</field>
+        <description>HA device interface failed</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100628" level="4">
+        <!-- MESGID_HADEV_PEERINFO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037899$</field>
+        <description>HA device interface peer information</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100629" level="4">
+        <!-- MESGID_HBDEV_DELETE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037900$</field>
+        <description>Heartbeat device interface deleted</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100630" level="4">
+        <!-- MESGID_HBDEV_DOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037901$</field>
+        <description>Heartbeat device interface down</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100631" level="4">
+        <!-- MESGID_HBDEV_UP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037902$</field>
+        <description>Heartbeat device interface up</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100632" level="4">
+        <!-- MESGID_SYNC_STATUS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037903$</field>
+        <description>Synchronization status with primary</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100633" level="4">
+        <!-- MESGID_HA_ACTIVITY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037904$</field>
+        <description>Device set as HA primary</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100634" level="4">
+        <!-- MESGID_VLAN_HB_UP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037907$</field>
+        <description>VLAN heartbeat started</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100635" level="4">
+        <!-- MESGID_VLAN_HB_DOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037908$</field>
+        <description>VLAN heartbeat lost</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100636" level="4">
+        <!-- MESGID_VLAN_HB_DOWN_SUM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037909$</field>
+        <description>VLAN heartbeat lost summary</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100637" level="4">
+        <!-- MESGID_HB_PACKET_LOST -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037910$</field>
+        <description>Heartbeat packet lost</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100638" level="4">
+        <!-- MESGID_HA_ACTIVITY_INFO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037911$</field>
+        <description>Device set as HA master information</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100639" level="4">
+        <!-- MESGID_FGSP_MEMBER_JOIN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037912$</field>
+        <description>FGSP member joined</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100640" level="4">
+        <!-- MESGID_FGSP_MEMBER_LEAVE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">037913$</field>
+        <description>FGSP member left</description>
+        <group>fortios.event.event,fortios.category.ha,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100641" level="4">
+        <!-- LOG_ID_FIPS_ENCRY_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038010$</field>
+        <description>FIPS CC encryption failed</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100642" level="4">
+        <!-- LOG_ID_FIPS_DECRY_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038011$</field>
+        <description>FIPS CC decryption failed</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100643" level="4">
+        <!-- LOG_ID_ENTROPY_TOKEN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038012$</field>
+        <description>Seeding from entropy source</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100644" level="4">
+        <!-- LOG_ID_FSSO_LOGON -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038031$</field>
+        <description>FSSO logon successful</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100645" level="4">
+        <!-- LOG_ID_FSSO_LOGOFF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038032$</field>
+        <description>FSSO logout successful</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100646" level="4">
+        <!-- LOG_ID_FSSO_SVR_STATUS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038033$</field>
+        <description>FSSO Active Directory server authentication status</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100647" level="4">
+        <!-- LOGID_EVENT_NOTIF_INSUFFICIENT_RESOURCE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038403$</field>
+        <description>Insufficient system resource notification</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100648" level="4">
+        <!-- LOGID_EVENT_NOTIF_HOSTNAME_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038404$</field>
+        <description>FortiGuard hostname unresolvable</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100649" level="4">
+        <!-- LOGID_NOTIF_CODE_SENDTO_SMS_PHONE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038405$</field>
+        <description>Guest user account login information sent to phone</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100650" level="4">
+        <!-- LOGID_NOTIF_CODE_SENDTO_SMS_TO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038406$</field>
+        <description>Guest user account login information sent as SMS</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100651" level="4">
+        <!-- LOGID_NOTIF_CODE_SENDTO_EMAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038407$</field>
+        <description>Guest user account login information sent to email</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100652" level="4">
+        <!-- LOGID_EVENT_OFTP_SSL_CONNECTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038408$</field>
+        <description>SSL connection established</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100653" level="4">
+        <!-- LOGID_EVENT_OFTP_SSL_DISCONNECTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038409$</field>
+        <description>SSL connection closed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100654" level="4">
+        <!-- LOGID_EVENT_OFTP_SSL_FAILED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038410$</field>
+        <description>SSL connection failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100655" level="4">
+        <!-- LOGID_EVENT_TWO_F_AUTH_CODE_SENDTO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038411$</field>
+        <description>Two-factor authentication code sent</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100656" level="4">
+        <!-- LOGID_EVENT_TOKEN_CODE_SENDTO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038412$</field>
+        <description>Token activation code sent</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100657" level="4">
+        <!-- LOGID_EVENT_RAD_RPT_PROTO_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038656$</field>
+        <description>RADIUS protocol error summary</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100658" level="4">
+        <!-- LOGID_EVENT_RAD_RPT_PROF_NOT_FOUND -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038657$</field>
+        <description>RADIUS profile not found summary</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100659" level="4">
+        <!-- LOGID_EVENT_RAD_RPT_CTX_NOT_FOUND -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038658$</field>
+        <description>RADIUS profile CTX not found summary</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100660" level="4">
+        <!-- LOGID_EVENT_RAD_RPT_ACCT_STOP_MISSED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038659$</field>
+        <description>RADIUS accounting stop message missing summary</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100661" level="4">
+        <!-- LOGID_EVENT_RAD_RPT_ACCT_EVENT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038660$</field>
+        <description>RADIUS accounting event summary</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100662" level="4">
+        <!-- LOGID_EVENT_RAD_RPT_OTHER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038661$</field>
+        <description>RADIUS endpoint block event or other event summary</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100663" level="4">
+        <!-- LOGID_EVENT_RAD_STAT_PROTO_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038662$</field>
+        <description>RADIUS accounting protocol error</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100664" level="4">
+        <!-- LOGID_EVENT_RAD_STAT_PROF_NOT_FOUND -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038663$</field>
+        <description>RADIUS accounting profile not found</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100665" level="4">
+        <!-- LOGID_EVENT_RAD_STAT_ACCT_STOP_MISSED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038665$</field>
+        <description>RADIUS accounting stop message missing</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100666" level="4">
+        <!-- LOGID_EVENT_RAD_STAT_ACCT_EVENT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038666$</field>
+        <description>RADIUS accounting event</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100667" level="4">
+        <!-- LOGID_EVENT_RAD_STAT_OTHER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038667$</field>
+        <description>RADIUS other accounting event</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100668" level="4">
+        <!-- LOGID_EVENT_RAD_STAT_EP_BLK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">038668$</field>
+        <description>RADIUS endpoint block event</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100669" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_USER_TUNNEL_UP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039424$</field>
+        <description>SSL VPN tunnel up</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100670" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_USER_TUNNEL_DOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039425$</field>
+        <description>SSL VPN tunnel down</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100671" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_USER_SSL_LOGIN_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039426$</field>
+        <description>SSL VPN login fail</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100672" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_SESSION_WEB_TUNNEL_STATS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039936$</field>
+        <description>SSL VPN statistics</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100673" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_SESSION_WEBAPP_DENY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039937$</field>
+        <description>SSL VPN deny</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100674" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_SESSION_WEBAPP_PASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039938$</field>
+        <description>SSL VPN pass</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100675" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_SESSION_WEBAPP_TIMEOUT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039939$</field>
+        <description>SSL VPN timeout</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100676" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_SESSION_WEBAPP_CLOSE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039940$</field>
+        <description>SSL VPN close</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100677" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_SESSION_SYS_BUSY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039941$</field>
+        <description>SSL VPN system busy</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100678" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_SESSION_CERT_OK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039942$</field>
+        <description>SSL VPN certificate OK</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100679" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_SESSION_NEW_CON -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039943$</field>
+        <description>SSL VPN new connection</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100680" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_SESSION_ALERT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039944$</field>
+        <description>SSL VPN alert</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100681" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_SESSION_EXIT_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039945$</field>
+        <description>SSL VPN exit fail</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100682" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_SESSION_EXIT_ERR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039946$</field>
+        <description>SSL VPN exit error</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100683" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_UP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039947$</field>
+        <description>SSL VPN tunnel up</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100684" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_DOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039948$</field>
+        <description>SSL VPN tunnel down</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100685" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_STATS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039949$</field>
+        <description>SSL VPN statistics</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100686" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_UNKNOWNTAG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039950$</field>
+        <description>SSL VPN unknown tag</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100687" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039951$</field>
+        <description>SSL VPN tunnel error</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100688" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_SESSION_ENTER_CONSERVE_MODE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039952$</field>
+        <description>SSL VPN enter conserve mode</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100689" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_SESSION_LEAVE_CONSERVE_MODE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">039953$</field>
+        <description>SSL VPN leave conserve mode</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100690" level="4">
+        <!-- LOG_ID_PPTP_TUNNEL_UP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040001$</field>
+        <description>PPTP tunnel up</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100691" level="4">
+        <!-- LOG_ID_PPTP_TUNNEL_DOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040002$</field>
+        <description>PPTP tunnel down</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100692" level="4">
+        <!-- LOG_ID_PPTP_TUNNEL_STAT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040003$</field>
+        <description>PPTP tunnel status</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100693" level="4">
+        <!-- LOG_ID_PPTP_REACH_MAX_CON -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040014$</field>
+        <description>PPTP client connection limit reached</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100694" level="4">
+        <!-- LOG_ID_L2TPD_CLIENT_CON_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040017$</field>
+        <description>L2TP client connection failed</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100695" level="4">
+        <!-- LOG_ID_L2TPD_CLIENT_DISCON -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040019$</field>
+        <description>L2TP client disconnected</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100696" level="4">
+        <!-- LOG_ID_PPTP_NOT_CONIG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040021$</field>
+        <description>PPTP not configured in VDOM</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.debug</group>
+    </rule>
+
+    <rule id="100697" level="4">
+        <!-- LOG_ID_PPTP_NO_IP_AVAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040022$</field>
+        <description>PPTP IP addresses unavailable</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100698" level="4">
+        <!-- LOG_ID_PPTP_OUT_MEM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040024$</field>
+        <description>PPTP config list insufficient memory</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100699" level="4">
+        <!-- LOG_ID_PPTP_START -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040034$</field>
+        <description>PPTP daemon started</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100700" level="4">
+        <!-- LOG_ID_PPTP_START_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040035$</field>
+        <description>PPTP daemon failed to start</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100701" level="4">
+        <!-- LOG_ID_PPTP_EXIT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040036$</field>
+        <description>PPTP daemon exited</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100702" level="4">
+        <!-- LOG_ID_PPTPD_SVR_DISCON -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040037$</field>
+        <description>PPTP daemon disconnected</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100703" level="4">
+        <!-- LOG_ID_PPTPD_CLIENT_CON -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040038$</field>
+        <description>PPTP client connected</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100704" level="4">
+        <!-- LOG_ID_PPTPD_CLIENT_DISCON -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040039$</field>
+        <description>PPTP client disconnected</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100705" level="4">
+        <!-- LOG_ID_L2TP_TUNNEL_UP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040101$</field>
+        <description>L2TP tunnel up</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100706" level="4">
+        <!-- LOG_ID_L2TP_TUNNEL_DOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040102$</field>
+        <description>L2TP tunnel down</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100707" level="4">
+        <!-- LOG_ID_L2TP_TUNNEL_STAT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040103$</field>
+        <description>L2TP tunnel status</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100708" level="4">
+        <!-- LOG_ID_L2TPD_START -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040114$</field>
+        <description>L2TP daemon started</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100709" level="4">
+        <!-- LOG_ID_L2TPD_EXIT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040115$</field>
+        <description>L2TP daemon exited</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100710" level="4">
+        <!-- LOG_ID_L2TPD_CLIENT_CON -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040118$</field>
+        <description>L2TP client connected</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100711" level="4">
+        <!-- LOG_ID_EVENT_SYS_PERF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040704$</field>
+        <description>System performance statistics</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100712" level="4">
+        <!-- LOG_ID_EVENT_SYS_CPU_USAGE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040705$</field>
+        <description>CPU usage statistics</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100713" level="4">
+        <!-- LOG_ID_EVENT_SYS_BROKEN_SYMBOLIC_LINK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040706$</field>
+        <description>Delete broken symbolic link</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100714" level="4">
+        <!-- LOG_ID_EVENT_SYS_CPU_USAGE_SINGLE_CORE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040707$</field>
+        <description>CPU single core usage statistics</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100715" level="4">
+        <!-- LOGID_EVENT_WAD_WEBPROXY_FWD_SRV_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040960$</field>
+        <description>Web proxy forward server error</description>
+        <group>fortios.event.event,fortios.category.wad,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100716" level="4">
+        <!-- LOG_ID_UPD_FGT_SUCC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041000$</field>
+        <description>FortiGate update succeeded</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100717" level="4">
+        <!-- LOG_ID_UPD_FGT_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041001$</field>
+        <description>FortiGate update failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100718" level="4">
+        <!-- LOG_ID_UPD_SRC_VIS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041002$</field>
+        <description>Source visibility signature package updated</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100719" level="4">
+        <!-- LOG_ID_UPD_FSA_VIRDB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041006$</field>
+        <description>FortiSandbox AV database updated</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100720" level="4">
+        <!-- LOG_ID_UPD_MANUAL_LICENSE_SUCC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041007$</field>
+        <description>FortiGate Manual License update</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100721" level="4">
+        <!-- LOG_ID_UPD_MANUAL_LICENSE_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041008$</field>
+        <description>FortiGate Manual License is invalid</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100722" level="4">
+        <!-- LOG_ID_UPD_DB_SIGN_INVALID -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041009$</field>
+        <description>FortiGate database signature invalid</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100723" level="4">
+        <!-- LOG_ID_UPD_DB_UNSIGNED_INSTALLED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041011$</field>
+        <description>FortiGate database without signature installed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100724" level="4">
+        <!-- LOG_ID_EVENT_VPN_CERT_LOAD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041984$</field>
+        <description>Certificate loaded</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100725" level="4">
+        <!-- LOG_ID_EVENT_VPN_CERT_REMOVAL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041985$</field>
+        <description>Certificate removed</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100726" level="4">
+        <!-- LOG_ID_EVENT_VPN_CERT_REGEN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041986$</field>
+        <description>Certificate regenerated</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100727" level="4">
+        <!-- LOG_ID_EVENT_VPN_CERT_UPDATE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041987$</field>
+        <description>Certificate updated</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100728" level="4">
+        <!-- LOG_ID_EVENT_SSL_VPN_SETTING_UPDATE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041988$</field>
+        <description>SSL setting changed</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100729" level="4">
+        <!-- LOG_ID_EVENT_VPN_CERT_ERR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041989$</field>
+        <description>Certificate error</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100730" level="4">
+        <!-- LOG_ID_EVENT_VPN_CERT_UPDATE_FAILED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041990$</field>
+        <description>Certificate update failed</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100731" level="4">
+        <!-- LOG_ID_EVENT_VPN_CERT_EXPORT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041991$</field>
+        <description>Certificate exported</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100732" level="4">
+        <!-- LOG_ID_EVENT_VPN_CERT_CRL_EXPIRED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041992$</field>
+        <description>CRL certificate file is expired</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100733" level="4">
+        <!-- LOG_ID_NETX_VMX_ATTACH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">042201$</field>
+        <description>VMX instance successfully attached</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100734" level="4">
+        <!-- LOG_ID_NETX_VMX_DETACH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">042202$</field>
+        <description>VMX instance successfully detached</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100735" level="4">
+        <!-- LOG_ID_NETX_VMX_DENIED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">042203$</field>
+        <description>VMX instance successfully denied</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100736" level="4">
+        <!-- LOG_ID_EVENT_AUTH_SUCCESS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043008$</field>
+        <description>Authentication success</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100737" level="4">
+        <!-- LOG_ID_EVENT_AUTH_FAILED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043009$</field>
+        <description>Authentication failed</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100738" level="4">
+        <!-- LOG_ID_EVENT_AUTH_LOCKOUT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043010$</field>
+        <description>Authentication lockout</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100739" level="4">
+        <!-- LOG_ID_EVENT_AUTH_TIME_OUT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043011$</field>
+        <description>Authentication timed out</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100740" level="4">
+        <!-- LOG_ID_EVENT_AUTH_FSAE_LOGON -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043014$</field>
+        <description>FSSO logon authentication status</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100741" level="4">
+        <!-- LOG_ID_EVENT_AUTH_FSAE_LOGOFF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043015$</field>
+        <description>FSSO log off authentication status</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100742" level="4">
+        <!-- LOG_ID_EVENT_AUTH_NTLM_AUTH_SUCCESS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043016$</field>
+        <description>NTLM authentication successful</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100743" level="4">
+        <!-- LOG_ID_EVENT_AUTH_NTLM_AUTH_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043017$</field>
+        <description>NTLM authentication failed</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100744" level="4">
+        <!-- LOG_ID_EVENT_AUTH_FGOVRD_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043018$</field>
+        <description>FortiGuard override failed</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100745" level="4">
+        <!-- LOG_ID_EVENT_AUTH_FGOVRD_SUCCESS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043020$</field>
+        <description>FortiGuard override successful</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100746" level="4">
+        <!-- LOG_ID_EVENT_AUTH_PROXY_SUCCESS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043025$</field>
+        <description>Explicit proxy authentication successful</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100747" level="4">
+        <!-- LOG_ID_EVENT_AUTH_PROXY_FAILED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043026$</field>
+        <description>Explicit proxy authentication failed</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100748" level="4">
+        <!-- LOG_ID_EVENT_AUTH_PROXY_TIME_OUT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043027$</field>
+        <description>Explicit proxy authentication timed out</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100749" level="4">
+        <!-- LOG_ID_EVENT_AUTH_PROXY_GROUP_INFO_FAILED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043028$</field>
+        <description>Explicit proxy user group query failed</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100750" level="4">
+        <!-- LOG_ID_EVENT_AUTH_WARNING_SUCCESS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043029$</field>
+        <description>FortiGuard authentication override successful</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100751" level="4">
+        <!-- LOG_ID_EVENT_AUTH_WARNING_TBL_FULL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043030$</field>
+        <description>FortiGuard authentication override failed</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100752" level="4">
+        <!-- LOG_ID_EVENT_AUTH_PROXY_USER_LIMIT_REACHED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043032$</field>
+        <description>Explicit proxy authentication user limit reached</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100753" level="4">
+        <!-- LOG_ID_EVENT_AUTH_PROXY_MULTIPLE_LOGIN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043033$</field>
+        <description>Explicit proxy authentication user concurrent check failed</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100754" level="4">
+        <!-- LOG_ID_EVENT_AUTH_PROXY_NO_RESP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043034$</field>
+        <description>Explicit proxy authentication no response</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100755" level="4">
+        <!-- LOG_ID_EVENT_AUTH_IPV4_FLUSH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043037$</field>
+        <description>Authentication IPv4 logon flush</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100756" level="4">
+        <!-- LOG_ID_EVENT_AUTH_IPV6_FLUSH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043038$</field>
+        <description>Authentication IPv6 logon flush</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100757" level="4">
+        <!-- LOG_ID_EVENT_AUTH_LOGON -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043039$</field>
+        <description>Authentication logon</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100758" level="4">
+        <!-- LOG_ID_EVENT_AUTH_LOGOUT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043040$</field>
+        <description>Authentication logout</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100759" level="4">
+        <!-- LOG_ID_EVENT_AUTH_DISCLAIMER_ACCEPT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043041$</field>
+        <description>Disclaimer accepted</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100760" level="4">
+        <!-- LOG_ID_EVENT_AUTH_DISCLAIMER_DECLINE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043042$</field>
+        <description>Disclaimer declined</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100761" level="4">
+        <!-- LOG_ID_EVENT_AUTH_EMAIL_COLLECTING_SUCCESS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043043$</field>
+        <description>Email collecting succeeded</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100762" level="4">
+        <!-- LOG_ID_EVENT_AUTH_EMAIL_COLLECTING_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043044$</field>
+        <description>Email collecting failed</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100763" level="4">
+        <!-- LOG_ID_EVENT_AUTH_8021X_SUCCESS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043045$</field>
+        <description>802.1x authentication succeeded</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100764" level="4">
+        <!-- LOG_ID_EVENT_AUTH_8021X_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043046$</field>
+        <description>802.1x authentication failed</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100765" level="4">
+        <!-- LOG_ID_EVENT_AUTH_FSAE_CONNECT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043050$</field>
+        <description>FSSO server connected</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100766" level="4">
+        <!-- LOG_ID_EVENT_AUTH_FSAE_DISCONNECT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043051$</field>
+        <description>FSSO server disconnected</description>
+        <group>fortios.event.event,fortios.category.user,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100767" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_SYS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043520$</field>
+        <description>Wireless system activity</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100768" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_ROGUE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043521$</field>
+        <description>Rogue AP activity</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100769" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043522$</field>
+        <description>Physical AP activity</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100770" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043524$</field>
+        <description>Wireless client activity</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100771" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_ONWIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043525$</field>
+        <description>Rogue AP on wire</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100772" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043526$</field>
+        <description>Physical AP radio activity</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100773" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_ROGUE_CFG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043527$</field>
+        <description>Rogue AP status configured</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100774" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043528$</field>
+        <description>Physical AP radio error activity</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100775" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_CLB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043529$</field>
+        <description>Wireless client load balancing</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100776" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WIDS_WL_BRIDGE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043530$</field>
+        <description>Wireless bridge intrusion detected</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100777" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WIDS_BR_DEAUTH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043531$</field>
+        <description>Wireless broadcasting deauthentication detected</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100778" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WIDS_NL_PBRESP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043532$</field>
+        <description>Wireless null SSID probe response detected</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100779" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WIDS_MAC_OUI -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043533$</field>
+        <description>Wireless invalid MAC OUI detected</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100780" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WIDS_LONG_DUR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043534$</field>
+        <description>Wireless long duration attack detected</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100781" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WIDS_WEP_IV -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043535$</field>
+        <description>Wireless Weak WEP IV detected</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100782" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WIDS_EAPOL_FLOOD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043542$</field>
+        <description>Wireless EAPOL packet flooding detected</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100783" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WIDS_MGMT_FLOOD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043544$</field>
+        <description>Wireless management flooding detected</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100784" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WIDS_SPOOF_DEAUTH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043546$</field>
+        <description>Wireless spoofed deauthentication detected</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100785" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WIDS_ASLEAP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043548$</field>
+        <description>Wireless Asleap attack detected</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100786" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_LOCATE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043550$</field>
+        <description>Wireless station presence detection</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100787" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTP_JOIN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043551$</field>
+        <description>Physical AP join</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100788" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTP_LEAVE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043552$</field>
+        <description>Physical AP leave</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100789" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTP_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043553$</field>
+        <description>Physical AP fail</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100790" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTP_UPDATE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043554$</field>
+        <description>Physical AP update</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100791" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTP_RESET -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043555$</field>
+        <description>Physical AP reset</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100792" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTP_KICK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043556$</field>
+        <description>Physical AP kick</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100793" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTP_ADD_FAILURE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043557$</field>
+        <description>Physical AP add failure</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100794" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTP_CFG_ERR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043558$</field>
+        <description>Physical AP config error</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100795" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTP_SN_MISMATCH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043559$</field>
+        <description>Physical AP SN mismatch</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100796" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_SYS_AC_RESTARTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043560$</field>
+        <description>Wireless system restarted</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100797" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_SYS_AC_HOSTAPD_UP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043561$</field>
+        <description>Wireless system hostapd up</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100798" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_SYS_AC_HOSTAPD_DOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043562$</field>
+        <description>Wireless system hostapd down</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100799" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_ROGUE_DETECT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043563$</field>
+        <description>Rogue AP detected</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100800" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_ROGUE_OFFAIR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043564$</field>
+        <description>Rogue AP off air</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100801" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_ROGUE_ONAIR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043565$</field>
+        <description>Rogue AP on air</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100802" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_ROGUE_OFFWIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043566$</field>
+        <description>Rogue AP off wire</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100803" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_FAKEAP_DETECT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043567$</field>
+        <description>Fake AP detected</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100804" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_FAKEAP_ONAIR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043568$</field>
+        <description>Fake AP on air</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100805" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_ROGUE_SUPPRESSED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043569$</field>
+        <description>Rogue AP suppressed</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100806" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_ROGUE_UNSUPPRESSED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043570$</field>
+        <description>Rogue AP unsuppressed</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100807" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_ROGUE_DETECT_CHG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043571$</field>
+        <description>Rogue AP change detected</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100808" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_ASSO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043572$</field>
+        <description>Wireless client associated</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100809" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_AUTH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043573$</field>
+        <description>Wireless client authenticated</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100810" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043574$</field>
+        <description>Wireless client disassociated</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100811" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DAUT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043575$</field>
+        <description>Wireless client deauthenticated</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100812" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_IDLE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043576$</field>
+        <description>Wireless client idle</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100813" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DENY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043577$</field>
+        <description>Wireless client denied</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100814" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_KICK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043578$</field>
+        <description>Wireless client kicked</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100815" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_IP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043579$</field>
+        <description>Wireless client IP assigned</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100816" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_LEAVE_WTP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043580$</field>
+        <description>Wireless client left WTP</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100817" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_WTP_DISCONN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043581$</field>
+        <description>Wireless client WTP disconnected</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100818" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_ROGUE_CFG_UNCLASSIFIED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043582$</field>
+        <description>Rogue AP status configured as unclassified</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100819" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_ROGUE_CFG_ACCEPTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043583$</field>
+        <description>Rogue AP status configured as accepted</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100820" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_ROGUE_CFG_ROGUE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043584$</field>
+        <description>Rogue AP status configured as rogue</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100821" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_ROGUE_CFG_SUPPRESSED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043585$</field>
+        <description>Rogue AP status configured as suppressed</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100822" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_DARRP_CHAN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043586$</field>
+        <description>Physical AP radio DARRP channel change</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100823" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_DARRP_START -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043587$</field>
+        <description>Physical AP radio DARRP start</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100824" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_OPER_CHAN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043588$</field>
+        <description>Physical AP radio operation channel change</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100825" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_RADAR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043589$</field>
+        <description>Physical AP radio radar detected</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100826" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_NOL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043590$</field>
+        <description>Physical AP radio channel removed from NOL</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100827" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_COUNTRY_CFG_SUCCESS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043591$</field>
+        <description>Physical AP radio country config success</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100828" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_OPER_COUNTRY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043592$</field>
+        <description>Physical AP radio operation country</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100829" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_CFG_TXPOWER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043593$</field>
+        <description>Physical AP radio config TX power</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100830" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_OPER_TXPOWER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043594$</field>
+        <description>Physical AP radio operation TX power</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100831" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_CLB_DENY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043595$</field>
+        <description>Wireless client load balancing denied</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100832" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_CLB_RETRY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043596$</field>
+        <description>Wireless client load balancing retry</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100833" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTP_ADD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043597$</field>
+        <description>Physical AP add</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100834" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTP_ADD_XSS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043598$</field>
+        <description>Physical AP add XSS</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100835" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTP_DEL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043599$</field>
+        <description>Physical AP delete</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100836" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_DARRP_STOP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043600$</field>
+        <description>Physical AP radio DARRP stop</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100837" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_CAP_SIGNON -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043601$</field>
+        <description>Wireless station sign on</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100838" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_CAP_SIGNON_SUCCESS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043602$</field>
+        <description>Wireless station sign on success</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100839" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_CAP_SIGNON_FAILURE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043603$</field>
+        <description>Wireless station sign on failed</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100840" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_CAP_EMAIL_REQUEST -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043604$</field>
+        <description>Captive-portal VAP e-mail collect request sent</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100841" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_CAP_EMAIL_SUCCESS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043605$</field>
+        <description>Captive-portal VAP e-mail collect success</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100842" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_CAP_EMAIL_FAILURE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043606$</field>
+        <description>Captive-portal VAP e-mail collect failed</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100843" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_CAP_DISCLAIMER_CHECK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043607$</field>
+        <description>Captive-portal VAP disclaimer agreed</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100844" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_CAP_DISCLAIMER_DECLINE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043608$</field>
+        <description>Captive-portal VAP disclaimer declined</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100845" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_DARRP_OPTIMIZATION_START -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043609$</field>
+        <description>DARRP optimization start</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100846" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_DARRP_OPTIMIZATION_STOP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043610$</field>
+        <description>DARRP optimization stop</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100847" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_SYS_AC_UP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043611$</field>
+        <description>Wireless controller start</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100848" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_SYS_AC_CFG_LOADED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043612$</field>
+        <description>Wireless controller configuration loaded</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100849" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTP_ERR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043613$</field>
+        <description>Physical AP error</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100850" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_DHCP_STAVATION -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043614$</field>
+        <description>DHCP Starvation detected</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100851" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_SYS_AC_IPSEC_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043615$</field>
+        <description>Wireless controller IPsec setup failed</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100852" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_NOL_ADD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043616$</field>
+        <description>Physical AP radio NOL added</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100853" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTP_IMAGE_RC_SUCCESS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043618$</field>
+        <description>Physical AP image receive success</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100854" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_OFFENDINGAP_DETECT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043619$</field>
+        <description>Offending AP detected</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100855" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_OFFENDINGAP_ONAIR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043620$</field>
+        <description>Offending AP on air</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100856" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTP_DATA_CHAN_CHG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043621$</field>
+        <description>Wireless wtp data channel changed</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100857" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTP_VLAN_PROBE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043622$</field>
+        <description>WTP is probing vlan</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100858" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTP_VLAN_MISSING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043623$</field>
+        <description>VLAN not detected</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100859" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTP_VLAN_DETECTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043624$</field>
+        <description>VLAN detected</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100860" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_CAP_CMCC_SUCCESS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043625$</field>
+        <description>Wireless station CMCC sign on success</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100861" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_CAP_CMCC_FAILURE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043626$</field>
+        <description>Wireless station CMCC sign on failed</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100862" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_CAP_CMCC_TIMEOUT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043627$</field>
+        <description>Wireless station CMCC sign on timeout</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100863" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_CAP_CMCC_MAC_AUTH_SUCCESS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043628$</field>
+        <description>Wireless station CMCC MAC auth success</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100864" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_RADIUS_AUTH_FAILURE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043629$</field>
+        <description>Wireless client RADIUS authentication failure</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100865" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_RADIUS_AUTH_SUCCESS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043630$</field>
+        <description>Wireless client RADIUS authentication success</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100866" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_RADIUS_AUTH_NO_RESP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043631$</field>
+        <description>Wireless client RADIUS authentication server not responding</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100867" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_RADIUS_MAC_AUTH_FAILURE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043632$</field>
+        <description>Wireless client RADIUS MAC authentication failure</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100868" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_RADIUS_MAC_AUTH_SUCCESS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043633$</field>
+        <description>Wireless client RADIUS MAC authentication success</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100869" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_RADIUS_MAC_AUTH_NO_RESP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043634$</field>
+        <description>Wireless client RADIUS MAC authentication server not responding</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100870" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_OKC_NO_MATCH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043635$</field>
+        <description>Wireless client authenticates through OKC failed with no match</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100871" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_OKC_LOCAL_MATCH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043636$</field>
+        <description>Wireless client authenticates through local OKC success</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100872" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_OKC_INTER_AC_MATCH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043637$</field>
+        <description>Wireless client authenticates through inter AC OKC success</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100873" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_OKC_INTER_AP_MATCH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043638$</field>
+        <description>Wireless client authenticates through inter AP OKC success</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100874" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_FT_INVALID_ACTION_REQ -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043639$</field>
+        <description>Wireless client sent invalid FT action request</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100875" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_FT_INVALID_AUTH_REQ -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043640$</field>
+        <description>Wireless client sent invalid FT auth request</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100876" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_FT_INVALID_REASSOC_REQ -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043641$</field>
+        <description>Wireless client sent invalid FT reassociation request</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100877" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_FT_ACTION_REQ -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043642$</field>
+        <description>Wireless client sent FT action reqeust</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100878" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_FT_ACTION_RESP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043643$</field>
+        <description>FT action response was sent to wireless client</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100879" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_FT_AUTH_REQ -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043644$</field>
+        <description>Wireless client sent FT auth request</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100880" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_FT_AUTH_RESP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043645$</field>
+        <description>FT auth response was sent to wireless client</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100881" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_FT_REASSOC_REQ -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043646$</field>
+        <description>Wireless client sent FT reassociation request</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100882" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_FT_REASSOC_RESP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043647$</field>
+        <description>FT reassociation response was sent to wireless client</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100883" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_WPA_MSG_INVALID_SECOND_MSG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043648$</field>
+        <description>Wireless client 4 way handshake failed with invalid 2/4 message</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100884" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_WPA_MSG_INVALID_FOURTH_MSG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043649$</field>
+        <description>Wireless client 4 way handshake failed with invalid 4/4 message</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100885" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_WPA_MSG_FIRST_MSG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043650$</field>
+        <description>AP sent 1/4 message of 4 way handshake to wireless client</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100886" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_WPA_MSG_SECOND_MSG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043651$</field>
+        <description>Wireless client sent 2/4 message of 4 way handshake</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100887" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_WPA_MSG_THIRD_MSG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043652$</field>
+        <description>AP sent 3/4 message of 4 way handshake to wireless client</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100888" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_WPA_MSG_FOURTH_MSG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043653$</field>
+        <description>Wireless client sent 4/4 message of 4 way handshake</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100889" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_WPA_MSG_FIRST_GROUP_MSG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043654$</field>
+        <description>AP sent 1/2 message of group key handshake to wireless client</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100890" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_WPA_MSG_SECOND_GROUP_MSG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043655$</field>
+        <description>Wireless client sent 2/2 message of group key handshake</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100891" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_WPA_MSG_MAX_STA_CNT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043656$</field>
+        <description>Max sta count limit for the PSK was reached</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100892" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_ASSOC_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043657$</field>
+        <description>Wireless station association failed</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100893" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP_NO_RESP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043658$</field>
+        <description>Wireless station DHCP process failed with no server response</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100894" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP_DIFF_OFFER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043659$</field>
+        <description>Another DHCP server sent DHCP offer to wireless station</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100895" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP_NO_ACK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043660$</field>
+        <description>No DHCP ACK from server</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100896" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP_NAK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043661$</field>
+        <description>DHCP server sent DHCP NAK</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100897" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP_DUP_IP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043662$</field>
+        <description>IP offered has been used by another wireless station</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100898" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP_DISCOVER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043663$</field>
+        <description>Wireless station sent DHCP DISCOVER</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100899" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP_OFFER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043664$</field>
+        <description>DHCP server sent DHCP OFFER</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100900" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP_DECLINE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043665$</field>
+        <description>Wireless station sent DHCP DECLINE</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100901" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP_REQUEST -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043666$</field>
+        <description>Wireless station sent DHCP REQUEST</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100902" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP_ACK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043667$</field>
+        <description>DHCP server sent DHCP ACK</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100903" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP_RELEASE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043668$</field>
+        <description>Wireless station sent DHCP RELEASE</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100904" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP_INFORM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043669$</field>
+        <description>Wireless station sent DHCP INFORM</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100905" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP_SELF_ASSIGNED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043670$</field>
+        <description>Wireless station is using self-assigned IP</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100906" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DNS_NO_RESP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043671$</field>
+        <description>Wireless station DNS process failed with no server response</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100907" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DNS_SERVER_FAILURE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043672$</field>
+        <description>Wireless station DNS process failed due to server failure</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100908" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DNS_NO_DOMAIN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043673$</field>
+        <description>Wireless station DNS process failed due to non-existing domain</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100909" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_WPA_KRACK_FT_REASSOC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043674$</field>
+        <description>Wireless station WPA key reinstallation attack on FT reassociation</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100910" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_AUTH_REQ -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043675$</field>
+        <description>Authentication request from wireless station</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100911" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_AUTH_RESP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043676$</field>
+        <description>Authentication response to wireless station</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100912" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_ASSOC_REQ -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043677$</field>
+        <description>Association request from wireless station</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100913" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_REASSOC_REQ -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043678$</field>
+        <description>Reassociation request from wireless station</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100914" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_ASSOC_RESP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043679$</field>
+        <description>Association response to wireless station</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100915" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_REASSOC_RESP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043680$</field>
+        <description>Reassociation response to wireless station</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100916" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_PROBE_REQ -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043681$</field>
+        <description>Probe request from wireless station</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100917" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_PROBE_RESP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043682$</field>
+        <description>Probe response to wireless station</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100918" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_BLE_DEV_LOCATE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043683$</field>
+        <description>Wireless ble dev detection</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100919" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_ADDRGRP_DUPLICATE_MAC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043684$</field>
+        <description>Wireless addrgrp duplicate mac</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100920" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_ADDRGRP_ADDR_APPLY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043685$</field>
+        <description>Wireless addrgrp address apply</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100921" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_WPA_MSG_INVALID_SCHEDULE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043686$</field>
+        <description>PSK is out of any valid schedules</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100922" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_WL_BRIDGE_TRAFFIC_STATS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043687$</field>
+        <description>Traffic stats for station with bridge wlan</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100923" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_APCFG_RECEIVE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043688$</field>
+        <description>FortiAP receives the apcfg</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100924" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_APCFG_VALIDATING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043689$</field>
+        <description>FortiAP is validating the apcfg</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100925" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_APCFG_APPLY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043690$</field>
+        <description>FortiAP applies the apcfg</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100926" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_APCFG_REJECT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043691$</field>
+        <description>FortiAP rejects the apcfg</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100927" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_ANTENNA_DEFECT_DETECT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043692$</field>
+        <description>Defect antenna detection</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100928" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_WNM_ACTION_BSTM_REQ -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043693$</field>
+        <description>AP sent WNM action BSTM request</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100929" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_WNM_ACTION_BSTM_RESP_ACCEPT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043694$</field>
+        <description>Wireless client sent WNM action BSTM response accept</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100930" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_WNM_ACTION_BSTM_RESP_REJECT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043695$</field>
+        <description>Wireless client sent WNM action BSTM response reject</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100931" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_DRMA_START -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043696$</field>
+        <description>Physical AP radio DRMA start</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100932" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_DRMA_STOP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043697$</field>
+        <description>Physical AP radio DRMA stop</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100933" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_DRMA_MODE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043698$</field>
+        <description>Physical AP radio DRMA mode</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100934" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP6_SOLICIT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043699$</field>
+        <description>Wireless station sent DHCP6 SOLICIT</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100935" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP6_ADVERTISE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043700$</field>
+        <description>DHCP6 server sent DHCP6 ADVERTISE</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100936" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP6_REQUEST -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043701$</field>
+        <description>Wireless station sent DHCP6 REQUEST</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100937" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP6_CONFIRM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043702$</field>
+        <description>Wireless station sent DHCP6 CONFIRM</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100938" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP6_RENEW -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043703$</field>
+        <description>Wireless station sent DHCP6 RENEW</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100939" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP6_REPLY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043704$</field>
+        <description>DHCP6 server sent DHCP6 REPLY</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100940" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP6_RELEASE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043705$</field>
+        <description>Wireless station sent DHCP6 RELEASE</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100941" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP6_RECONFIGURE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043706$</field>
+        <description>DHCP6 server sent DHCP6 RECONFIGURE</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100942" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_SSID_UP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043707$</field>
+        <description>Physical AP radio ssid up</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100943" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_SSID_DOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043708$</field>
+        <description>Physical AP radio ssid down</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100944" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_DHCP_ENFORCEMENT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043709$</field>
+        <description>Wireless client denied by DHCP enforcement for using static IP address</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100945" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_SAM_IPERF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043710$</field>
+        <description>SAM iperf test result</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100946" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_SAM_PING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043711$</field>
+        <description>SAM ping test result</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100947" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_SAM_AUTH_FAILED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043712$</field>
+        <description>AP as station failed in SAM authentication</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100948" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_SAM_CWP_AUTH_FAILED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043713$</field>
+        <description>AP as station failed in SAM CWP authentication</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100949" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTP_PARTIAL_PASSWD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043714$</field>
+        <description>AP received partial login password</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100950" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_WTPR_BSS_COLOR_COLLISION -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043715$</field>
+        <description>AP radio BSS color collision detected.</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100951" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_ADDRGRP_MAX_FW_ADDR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043716$</field>
+        <description>Wireless addrgrp reached firewal address maximum number</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100952" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_L3R_REHOME -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043717$</field>
+        <description>Wireless client layer3 roaming rehome</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100953" level="4">
+        <!-- LOG_ID_EVENT_WIRELESS_STA_PROBE_LOW_RSSI -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043719$</field>
+        <description>Probe request from wireless station failed due to low rssi</description>
+        <group>fortios.event.event,fortios.category.wireless,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100954" level="4">
+        <!-- LOG_ID_EVENT_NAC_QUARANTINE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043776$</field>
+        <description>NAC quarantine</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100955" level="4">
+        <!-- LOG_ID_EVENT_NAC_ANOMALY_QUARANTINE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043777$</field>
+        <description>NAC anomaly quarantine</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100956" level="4">
+        <!-- LOG_ID_EVENT_ELBC_BLADE_JOIN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043800$</field>
+        <description>Blade ready to process traffic</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100957" level="4">
+        <!-- LOG_ID_EVENT_ELBC_BLADE_LEAVE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043801$</field>
+        <description>Blade not ready to process traffic</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100958" level="4">
+        <!-- LOG_ID_EVENT_ELBC_MASTER_BLADE_FOUND -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043802$</field>
+        <description>Primary blade found</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100959" level="4">
+        <!-- LOG_ID_EVENT_ELBC_MASTER_BLADE_LOST -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043803$</field>
+        <description>Primary blade lost</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100960" level="4">
+        <!-- LOG_ID_EVENT_ELBC_MASTER_BLADE_CHANGE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043804$</field>
+        <description>Primary blade changed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100961" level="4">
+        <!-- LOG_ID_EVENT_ELBC_ACTIVE_CHANNEL_FOUND -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043805$</field>
+        <description>ELBC channel active</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100962" level="4">
+        <!-- LOG_ID_EVENT_ELBC_ACTIVE_CHANNEL_LOST -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043806$</field>
+        <description>ELBC channel inactive</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100963" level="4">
+        <!-- LOG_ID_EVENT_ELBC_ACTIVE_CHANNEL_CHANGE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043807$</field>
+        <description>ELBC channel failover</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100964" level="4">
+        <!-- LOG_ID_EVENT_ELBC_CHASSIS_ACTIVE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043808$</field>
+        <description>ELBC chassis active</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100965" level="4">
+        <!-- LOG_ID_EVENT_ELBC_CHASSIS_INACTIVE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">043809$</field>
+        <description>ELBC chassis inactive</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100966" level="4">
+        <!-- LOGID_EVENT_CONFIG_PATH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">044544$</field>
+        <description>Path configured</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100967" level="4">
+        <!-- LOGID_EVENT_CONFIG_OBJ -->
+        <if_sid>100010</if_sid>
+        <field name="logid">044545$</field>
+        <description>Object configured</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100968" level="4">
+        <!-- LOGID_EVENT_CONFIG_ATTR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">044546$</field>
+        <description>Attribute configured</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100969" level="4">
+        <!-- LOGID_EVENT_CONFIG_OBJATTR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">044547$</field>
+        <description>Object attribute configured</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100970" level="4">
+        <!-- LOGID_EVENT_CONFIG_EXEC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">044548$</field>
+        <description>Action performed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100971" level="4">
+        <!-- LOGID_EVENT_CMDB_DEADLOCK_DETECTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">044555$</field>
+        <description>CMDB lock deadlock is detected.</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="100972" level="4">
+        <!-- LOG_ID_FCC_ADD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">045057$</field>
+        <description>FortiClient connection added</description>
+        <group>fortios.event.event,fortios.category.endpoint,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100973" level="4">
+        <!-- LOG_ID_FCC_CLOSE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">045058$</field>
+        <description>FortiClient connection closed</description>
+        <group>fortios.event.event,fortios.category.endpoint,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100974" level="4">
+        <!-- LOG_ID_FCC_CLOSE_BY_TYPE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">045061$</field>
+        <description>FortiClient connection closed by type</description>
+        <group>fortios.event.event,fortios.category.endpoint,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100975" level="4">
+        <!-- LOG_ID_FCC_VULN_SCAN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">045071$</field>
+        <description>FortiClient Vulnerability Scan</description>
+        <group>fortios.event.event,fortios.category.endpoint,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100976" level="4">
+        <!-- LOG_ID_EC_REG_QUARANTINE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">045114$</field>
+        <description>FortiClient endpoint quarantined</description>
+        <group>fortios.event.event,fortios.category.endpoint,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100977" level="4">
+        <!-- LOG_ID_EC_REG_UNQUARANTINE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">045115$</field>
+        <description>FortiClient endpoint quarantine removed</description>
+        <group>fortios.event.event,fortios.category.endpoint,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100978" level="4">
+        <!-- LOG_ID_EC_EMS_WS_NOTIFICATION -->
+        <if_sid>100010</if_sid>
+        <field name="logid">045121$</field>
+        <description>EMS WebSocket notification</description>
+        <group>fortios.event.event,fortios.category.endpoint,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100979" level="4">
+        <!-- LOG_ID_EC_EMS_REST_API_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">045122$</field>
+        <description>EMS REST API error</description>
+        <group>fortios.event.event,fortios.category.endpoint,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100980" level="4">
+        <!-- LOG_ID_EC_EMS_WS_CONN_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">045123$</field>
+        <description>EMS WebSocket connection error</description>
+        <group>fortios.event.event,fortios.category.endpoint,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100981" level="4">
+        <!-- LOG_ID_EC_VPND_CONNECT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">045124$</field>
+        <description>FortiClient VPN connected</description>
+        <group>fortios.event.event,fortios.category.endpoint,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100982" level="4">
+        <!-- LOG_ID_EC_VPND_DISCONNECT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">045125$</field>
+        <description>FortiClient VPN disconnected</description>
+        <group>fortios.event.event,fortios.category.endpoint,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100983" level="4">
+        <!-- LOG_ID_EC_CLOUD_ENTITLEMENT_LOST -->
+        <if_sid>100010</if_sid>
+        <field name="logid">045126$</field>
+        <description>EMS Cloud entitlement lost and connection dropped</description>
+        <group>fortios.event.event,fortios.category.endpoint,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100984" level="4">
+        <!-- LOG_ID_EC_EMS_REST_API_NEW_SUCCESS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">045128$</field>
+        <description>EMS REST API recovered from an error</description>
+        <group>fortios.event.event,fortios.category.endpoint,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100985" level="4">
+        <!-- LOG_ID_EC_EMS_EMS_VERIFY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">045129$</field>
+        <description>FCEMS entry has been verified</description>
+        <group>fortios.event.event,fortios.category.endpoint,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100986" level="4">
+        <!-- LOG_ID_EC_EMS_EMS_VERIFY_FAILED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">045130$</field>
+        <description>FCEMS entry has failed to be verified</description>
+        <group>fortios.event.event,fortios.category.endpoint,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="100987" level="4">
+        <!-- LOG_ID_EC_EMS_EMS_UNVERIFY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">045131$</field>
+        <description>FCEMS entry has been unverified</description>
+        <group>fortios.event.event,fortios.category.endpoint,fortios.severity.information</group>
+    </rule>
+
+    <rule id="100988" level="4">
+        <!-- LOG_ID_VIP_REAL_SVR_ENA -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046000$</field>
+        <description>VIP real server enabled</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100989" level="4">
+        <!-- LOG_ID_VIP_REAL_SVR_DISA -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046001$</field>
+        <description>VIP real server disabled</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100990" level="4">
+        <!-- LOG_ID_VIP_REAL_SVR_UP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046002$</field>
+        <description>VIP real server up</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100991" level="4">
+        <!-- LOG_ID_VIP_REAL_SVR_DOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046003$</field>
+        <description>VIP real server down</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100992" level="4">
+        <!-- LOG_ID_VIP_REAL_SVR_ENT_HOLDDOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046004$</field>
+        <description>VIP real server entered hold-down</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100993" level="4">
+        <!-- LOG_ID_VIP_REAL_SVR_FAIL_HOLDDOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046005$</field>
+        <description>VIP real server health check failed during hold-down</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="100994" level="4">
+        <!-- LOG_ID_VIP_REAL_SVR_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046006$</field>
+        <description>VIP real server health check failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.debug</group>
+    </rule>
+
+    <rule id="100995" level="4">
+        <!-- LOG_ID_EVENT_EXT_SYS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046400$</field>
+        <description>FortiExtender system activity</description>
+        <group>fortios.event.event,fortios.category.fortiextender,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100996" level="4">
+        <!-- LOG_ID_EVENT_EXT_LOCAL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046401$</field>
+        <description>FortiExtender controller activity</description>
+        <group>fortios.event.event,fortios.category.fortiextender,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="100997" level="4">
+        <!-- LOG_ID_EVENT_EXT_LOCAL_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046402$</field>
+        <description>FortiExtender controller activity error</description>
+        <group>fortios.event.event,fortios.category.fortiextender,fortios.severity.error</group>
+    </rule>
+
+    <rule id="100998" level="4">
+        <!-- LOG_ID_EVENT_EXT_REMOTE_EMERG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046403$</field>
+        <description>Remote FortiExtender emergency activity</description>
+        <group>fortios.event.event,fortios.category.fortiextender,fortios.severity.emergency</group>
+    </rule>
+
+    <rule id="100999" level="4">
+        <!-- LOG_ID_EVENT_EXT_REMOTE_ALERT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046404$</field>
+        <description>Remote FortiExtender alert activity</description>
+        <group>fortios.event.event,fortios.category.fortiextender,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="101000" level="4">
+        <!-- LOG_ID_EVENT_EXT_REMOTE_CRITICAL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046405$</field>
+        <description>Remote FortiExtender critical activity</description>
+        <group>fortios.event.event,fortios.category.fortiextender,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="101001" level="4">
+        <!-- LOG_ID_EVENT_EXT_REMOTE_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046406$</field>
+        <description>Remote FortiExtender error activity</description>
+        <group>fortios.event.event,fortios.category.fortiextender,fortios.severity.error</group>
+    </rule>
+
+    <rule id="101002" level="4">
+        <!-- LOG_ID_EVENT_EXT_REMOTE_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046407$</field>
+        <description>Remote FortiExtender warning activity</description>
+        <group>fortios.event.event,fortios.category.fortiextender,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101003" level="4">
+        <!-- LOG_ID_EVENT_EXT_REMOTE_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046408$</field>
+        <description>Remote FortiExtender notify activity</description>
+        <group>fortios.event.event,fortios.category.fortiextender,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101004" level="4">
+        <!-- LOG_ID_EVENT_EXT_REMOTE_INFO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046409$</field>
+        <description>Remote FortiExtender info activity</description>
+        <group>fortios.event.event,fortios.category.fortiextender,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101005" level="4">
+        <!-- LOG_ID_EVENT_EXT_REMOTE_DEBUG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046410$</field>
+        <description>Remote FortiExtender debug activity</description>
+        <group>fortios.event.event,fortios.category.fortiextender,fortios.severity.debug</group>
+    </rule>
+
+    <rule id="101006" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_DETECTION -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046501$</field>
+        <description>LTE modem detection</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101007" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_GPSD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046502$</field>
+        <description>LTE modem GPS daemon started or stopped</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101008" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_GPS_LOC_ACQUISITION -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046503$</field>
+        <description>LTE modem GPS location acquisition</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101009" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_BILLD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046504$</field>
+        <description>LTE modem billing daemon started or stopped</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101010" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_BILLING_PURGED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046505$</field>
+        <description>LTE billing data purged</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101011" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_BILLING_DAILY_LOG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046506$</field>
+        <description>LTE billing daily usage information</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101012" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_FW_UPGRADE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046507$</field>
+        <description>LTE modem firmware upgrade event</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101013" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_QDL_DETECTION -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046508$</field>
+        <description>LTE modem QDL device detection event</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101014" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_REBOOT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046509$</field>
+        <description>LTE modem reboot event</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101015" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_OP_MODE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046510$</field>
+        <description>LTE modem operation mode</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101016" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_POWER_ON_OFF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046511$</field>
+        <description>LTE modem powered on or powered off</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101017" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_SIM_STATE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046512$</field>
+        <description>LTE modem sim card state event</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101018" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_LINK_CONNECTION -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046513$</field>
+        <description>LTE modem data link connection event</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101019" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_MANUAL_HANDOVER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046514$</field>
+        <description>LTE modem manual handover event</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101020" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_IP_ADDR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046515$</field>
+        <description>LTE modem ip address event</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101021" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_BEARER_TECH_CHANGE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046516$</field>
+        <description>LTE modem bearer event</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101022" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_WRONG_PIN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046517$</field>
+        <description>LTE unlock SIM PIM failed.</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101023" level="4">
+        <!-- LOG_ID_EVENT_AUTOMATION_TRIGGERED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046600$</field>
+        <description>Automation stitch triggered</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101024" level="4">
+        <!-- LOG_ID_POE_STATUS_REPORT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046900$</field>
+        <description>PoE device status reported</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="101025" level="4">
+        <!-- LOG_ID_MALWARE_LIST_TRUNCATED_ENTER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">047000$</field>
+        <description>External blocklist list is truncated</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101026" level="4">
+        <!-- LOG_ID_MALWARE_LIST_TRUNCATED_EXIT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">047001$</field>
+        <description>External blocklist list is no longer truncated</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101027" level="4">
+        <!-- LOG_ID_FILE_HASH_EMS_LIST_TRUNCATED_ENTER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">047002$</field>
+        <description>EMS file-hash list is truncated</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101028" level="4">
+        <!-- LOG_ID_FILE_HASH_EMS_LIST_TRUNCATED_EXIT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">047003$</field>
+        <description>EMS file-hash list is no longer truncated</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101029" level="4">
+        <!-- LOG_ID_FILE_HASH_EMS_LIST_LOAD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">047004$</field>
+        <description>EMS file-hash list loaded</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101030" level="4">
+        <!-- LOG_ID_ENTER_BYPASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">047203$</field>
+        <description>Bypass ports pair entered bypass mode</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101031" level="4">
+        <!-- LOG_ID_EXIT_BYPASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">047204$</field>
+        <description>Bypass ports pair exited bypass mode</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101032" level="4">
+        <!-- LOG_ID_EVENT_REST_API_OK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">047301$</field>
+        <description>REST API request success</description>
+        <group>fortios.event.event,fortios.category.rest-api,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101033" level="4">
+        <!-- LOG_ID_EVENT_REST_API_ERR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">047302$</field>
+        <description>REST API request failed</description>
+        <group>fortios.event.event,fortios.category.rest-api,fortios.severity.error</group>
+    </rule>
+
+    <rule id="101034" level="4">
+        <!-- LOG_ID_WAD_WANOPT_TUNNEL_CREATE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">048040$</field>
+        <description>WANOPT Tunnel successfully created</description>
+        <group>fortios.event.event,fortios.category.wad,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101035" level="4">
+        <!-- LOG_ID_WAD_WANOPT_TUNNEL_CLOSED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">048041$</field>
+        <description>WANOPT Tunnel closed</description>
+        <group>fortios.event.event,fortios.category.wad,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101036" level="4">
+        <!-- LOG_ID_WAD_AUTH_FAIL_PSK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">048101$</field>
+        <description>WAN Optimization peer PSK authentication failed</description>
+        <group>fortios.event.event,fortios.category.wad,fortios.severity.error</group>
+    </rule>
+
+    <rule id="101037" level="4">
+        <!-- LOG_ID_WAD_AUTH_FAIL_OTH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">048102$</field>
+        <description>WAN Optimization peer authentication failed</description>
+        <group>fortios.event.event,fortios.category.wad,fortios.severity.error</group>
+    </rule>
+
+    <rule id="101038" level="4">
+        <!-- LOG_ID_UNEXP_APP_TYPE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">048301$</field>
+        <description>Unexpected application type for WAN Optimization</description>
+        <group>fortios.event.event,fortios.category.wad,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="101039" level="4">
+        <!-- LOG_ID_VNP_DPDK_PRIMARY_RESTART -->
+        <if_sid>100010</if_sid>
+        <field name="logid">049002$</field>
+        <description>VNP Primary restarted</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101040" level="4">
+        <!-- LOGID_EVENT_HYPERV_SRIOV_SHOW_UP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">049004$</field>
+        <description>Hyper-V SR-IOV VF secondary is hot plugged</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101041" level="4">
+        <!-- LOGID_EVENT_HYPERV_SRIOV_DISAPPEAR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">049005$</field>
+        <description>Hyper-V SR-IOV VF secondary is hot unplugged</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101042" level="4">
+        <!-- LOG_ID_NB_TBL_CHG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">051000$</field>
+        <description>Neighbor table changed</description>
+        <group>fortios.event.event,fortios.category.router,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101043" level="4">
+        <!-- LOG_ID_EVENT_SECURITY_AUDIT_FABRIC_SUMMARY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">052000$</field>
+        <description>Security Rating summary</description>
+        <group>fortios.event.event,fortios.category.security-rating,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101044" level="4">
+        <!-- LOG_ID_EVENT_SECURITY_AUDIT_FABRIC_CHANGE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">052001$</field>
+        <description>Security Rating result change</description>
+        <group>fortios.event.event,fortios.category.security-rating,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101045" level="4">
+        <!-- LOG_ID_SDNC_CONNECTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053000$</field>
+        <description>Connected to SDN server</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101046" level="4">
+        <!-- LOG_ID_SDNC_DISCONNECTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053001$</field>
+        <description>Disconnected from SDN server</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101047" level="4">
+        <!-- LOG_ID_SDNC_SUBSCRIBE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053002$</field>
+        <description>Dynamic SDN address channel opened</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101048" level="4">
+        <!-- LOG_ID_SDNC_UNSUBSCRIBE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053003$</field>
+        <description>Dynamic SDN address channel closed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101049" level="4">
+        <!-- LOG_ID_VPN_OCVPN_REGISTERED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053100$</field>
+        <description>Overlay Controller VPN registered</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101050" level="4">
+        <!-- LOG_ID_VPN_OCVPN_UNREGISTERED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053101$</field>
+        <description>Overlay Controller VPN unregistered</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101051" level="4">
+        <!-- LOG_ID_VPN_OCVPN_COMM_ESTABLISHED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053102$</field>
+        <description>Overlay Controller VPN server communication established</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101052" level="4">
+        <!-- LOG_ID_VPN_OCVPN_COMM_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053103$</field>
+        <description>Overlay Controller VPN server communication error</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.error</group>
+    </rule>
+
+    <rule id="101053" level="4">
+        <!-- LOG_ID_VPN_OCVPN_DNS_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053104$</field>
+        <description>Overlay Controller VPN DNS error</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101054" level="4">
+        <!-- LOG_ID_VPN_OCVPN_ROUTE_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053105$</field>
+        <description>Overlay Controller VPN routing error</description>
+        <group>fortios.event.event,fortios.category.vpn,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101055" level="4">
+        <!-- LOG_ID_CONNECTOR_OBJECT_ADD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053200$</field>
+        <description>Dynamic address added</description>
+        <group>fortios.event.event,fortios.category.connector,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101056" level="4">
+        <!-- LOG_ID_CONNECTOR_OBJECT_REMOVE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053201$</field>
+        <description>Dynamic address removed</description>
+        <group>fortios.event.event,fortios.category.connector,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101057" level="4">
+        <!-- LOG_ID_CONNECTOR_API_FAILED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053202$</field>
+        <description>SDN Connector API failed</description>
+        <group>fortios.event.event,fortios.category.connector,fortios.severity.error</group>
+    </rule>
+
+    <rule id="101058" level="4">
+        <!-- LOG_ID_CONNECTOR_OBJECT_UPDATE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053203$</field>
+        <description>Dynamic address updated.</description>
+        <group>fortios.event.event,fortios.category.connector,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101059" level="4">
+        <!-- LOG_ID_CONNECTOR_OBJECT_CANT_ADD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053204$</field>
+        <description>Dynamic address can't be added</description>
+        <group>fortios.event.event,fortios.category.connector,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101060" level="4">
+        <!-- LOG_ID_CONNECTOR_OBJECT_CANT_REMOVE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053205$</field>
+        <description>Dynamic address can't be removed</description>
+        <group>fortios.event.event,fortios.category.connector,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101061" level="4">
+        <!-- LOG_ID_VNE_PRO_UPDATE_COMPLETED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053300$</field>
+        <description>VNE provision server update completed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101062" level="4">
+        <!-- LOG_ID_VNE_PRO_UPDATE_FAILED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053301$</field>
+        <description>VNE provision server update failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101063" level="4">
+        <!-- LOG_ID_NPU_PER_MAPPING_ALLOCATION -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053311$</field>
+        <description>Resource per mapping allocation</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101064" level="4">
+        <!-- LOG_ID_NPD_INFO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053312$</field>
+        <description>NPD INFO</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101065" level="4">
+        <!-- LOG_ID_NPD_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053313$</field>
+        <description>NPD WARNING MSG</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101066" level="4">
+        <!-- LOG_ID_NPD_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053314$</field>
+        <description>NPD ERROR MSG</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="101067" level="4">
+        <!-- LOG_ID_LPM_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053315$</field>
+        <description>LPM ERROR MSG</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.error</group>
+    </rule>
+
+    <rule id="101068" level="4">
+        <!-- LOG_ID_LPM_INFO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053316$</field>
+        <description>LPM INFO MSG</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101069" level="4">
+        <!-- LOG_ID_FMG_TUNNEL_UP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053400$</field>
+        <description>Central Management connectivity is active</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101070" level="4">
+        <!-- LOG_ID_FMG_TUNNEL_DOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053401$</field>
+        <description>Central Management connectivity is inactive</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101071" level="4">
+        <!-- LOG_ID_DP_RX_DROP_DETECTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053405$</field>
+        <description>DP channel RX drop detected.</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101072" level="4">
+        <!-- LOG_ID_2GB_CSF_UPGRADE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053406$</field>
+        <description>Security Fabric settings changed during upgrade</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101073" level="4">
+        <!-- LOG_ID_CIFS_CONN_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">063002$</field>
+        <description>Unable to connect to the CIFS Domain Controller</description>
+        <group>fortios.event.event,fortios.category.cifs-auth-fail,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101074" level="4">
+        <!-- LOG_ID_CIFS_AUTH_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">063003$</field>
+        <description>Unable to authenticate with the CIFS Domain Controller</description>
+        <group>fortios.event.event,fortios.category.cifs-auth-fail,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101075" level="4">
+        <!-- LOG_ID_CIFS_AUTH_INTERNAL_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">063004$</field>
+        <description>An error occurred in processing CIFS authentication</description>
+        <group>fortios.event.event,fortios.category.cifs-auth-fail,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101076" level="4">
+        <!-- LOG_ID_CIFS_AUTH_KRB_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">063005$</field>
+        <description>An error occurred in processing CIFS authentication.</description>
+        <group>fortios.event.event,fortios.category.cifs-auth-fail,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101077" level="4">
+        <!-- LOG_ID_FILE_FILTER_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">064000$</field>
+        <description>File was blocked by file filter</description>
+        <group>fortios.event.file-filter,fortios.category.file-filter,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101078" level="4">
+        <!-- LOG_ID_FILE_FILTER_LOG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">064001$</field>
+        <description>File was detected by file filter</description>
+        <group>fortios.event.file-filter,fortios.category.file-filter,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101079" level="4">
+        <!-- LOG_ID_FSW_FLOW -->
+        <if_sid>100010</if_sid>
+        <field name="logid">056001$</field>
+        <description>LOG_ID_FSW_FLOW</description>
+        <group>fortios.event.forti-switch,fortios.category.fsw-flow,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101080" level="4">
+        <!-- LOGID_GTP_FORWARD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041216$</field>
+        <description>GTP forward</description>
+        <group>fortios.event.gtp,fortios.category.gtp-all,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101081" level="4">
+        <!-- LOGID_GTP_DENY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041217$</field>
+        <description>GTP deny</description>
+        <group>fortios.event.gtp,fortios.category.gtp-all,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101082" level="4">
+        <!-- LOGID_GTP_RATE_LIMIT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041218$</field>
+        <description>GTP rate limit</description>
+        <group>fortios.event.gtp,fortios.category.gtp-all,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101083" level="4">
+        <!-- LOGID_GTP_STATE_INVALID -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041219$</field>
+        <description>GTP state invalid</description>
+        <group>fortios.event.gtp,fortios.category.gtp-all,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101084" level="4">
+        <!-- LOGID_GTP_TUNNEL_LIMIT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041220$</field>
+        <description>Tunnel limit GTP message. These messages occur only when the maximum number of GTP</description>
+        <group>fortios.event.gtp,fortios.category.gtp-all,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101085" level="4">
+        <!-- LOGID_GTP_TRAFFIC_COUNT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041221$</field>
+        <description>Statistic summary information when the GTP tunnel is being torn down</description>
+        <group>fortios.event.gtp,fortios.category.gtp-all,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101086" level="4">
+        <!-- LOGID_GTP_USER_DATA -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041222$</field>
+        <description>GTP user data</description>
+        <group>fortios.event.gtp,fortios.category.gtp-all,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101087" level="4">
+        <!-- LOGID_GTPV2_FORWARD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041223$</field>
+        <description>GTPv2 forward message</description>
+        <group>fortios.event.gtp,fortios.category.gtp-all,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101088" level="4">
+        <!-- LOGID_GTPV2_DENY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041224$</field>
+        <description>GTPv2 deny message</description>
+        <group>fortios.event.gtp,fortios.category.gtp-all,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101089" level="4">
+        <!-- LOGID_GTPV2_RATE_LIMIT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041225$</field>
+        <description>GTPv2 rate limit message</description>
+        <group>fortios.event.gtp,fortios.category.gtp-all,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101090" level="4">
+        <!-- LOGID_GTPV2_STATE_INVALID -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041226$</field>
+        <description>GTPv2 state invalid message</description>
+        <group>fortios.event.gtp,fortios.category.gtp-all,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101091" level="4">
+        <!-- LOGID_GTPV2_TUNNEL_LIMIT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041227$</field>
+        <description>Tunnel limit GTP (version 2) message</description>
+        <group>fortios.event.gtp,fortios.category.gtp-all,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101092" level="4">
+        <!-- LOGID_GTPV2_TRAFFIC_COUNT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041228$</field>
+        <description>Statistic summary information when the GTPv2 tunnel is being torn down</description>
+        <group>fortios.event.gtp,fortios.category.gtp-all,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101093" level="4">
+        <!-- LOGID_GTPU_FORWARD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041229$</field>
+        <description>GTPU forward message</description>
+        <group>fortios.event.gtp,fortios.category.gtp-all,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101094" level="4">
+        <!-- LOGID_GTPU_DENY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041230$</field>
+        <description>GTPU deny message</description>
+        <group>fortios.event.gtp,fortios.category.gtp-all,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101095" level="4">
+        <!-- LOGID_PFCP_FORWARD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041231$</field>
+        <description>PFCP forward message</description>
+        <group>fortios.event.gtp,fortios.category.pfcp-all,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101096" level="4">
+        <!-- LOGID_PFCP_DENY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041232$</field>
+        <description>PFCP deny message</description>
+        <group>fortios.event.gtp,fortios.category.pfcp-all,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101097" level="4">
+        <!-- LOGID_PFCP_TRAFFIC_COUNT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">041233$</field>
+        <description>Statistic summary information when the PFCP session is being torn down</description>
+        <group>fortios.event.gtp,fortios.category.pfcp-all,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101098" level="4">
+        <!-- LOG_ID_ICAP_SERVER_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">060000$</field>
+        <description>Traffic blocked as it cannot be forwarded to ICAP Server.</description>
+        <group>fortios.event.icap,fortios.category.icap,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101099" level="4">
+        <!-- LOG_ID_ICAP_INFECTION_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">060001$</field>
+        <description>Traffic blocked as ICAP server found infection.</description>
+        <group>fortios.event.icap,fortios.category.icap,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101100" level="4">
+        <!-- LOG_ID_ICAP_SERVER_CLOSE_CONN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">060002$</field>
+        <description>Traffic dropped as ICAP server connection is closed.</description>
+        <group>fortios.event.icap,fortios.category.icap,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101101" level="4">
+        <!-- LOGID_ATTCK_SIGNATURE_TCP_UDP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">016384$</field>
+        <description>Attack detected by UDP/TCP signature</description>
+        <group>fortios.event.ips,fortios.category.signature,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="101102" level="4">
+        <!-- LOGID_ATTCK_SIGNATURE_ICMP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">016385$</field>
+        <description>Attack detected by ICMP signature</description>
+        <group>fortios.event.ips,fortios.category.signature,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="101103" level="4">
+        <!-- LOGID_ATTCK_SIGNATURE_OTHERS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">016386$</field>
+        <description>Attack detected by other signature</description>
+        <group>fortios.event.ips,fortios.category.signature,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="101104" level="4">
+        <!-- LOGID_ATTACK_MALICIOUS_URL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">016399$</field>
+        <description>Attack detected by a malicious URL</description>
+        <group>fortios.event.ips,fortios.category.malicious-url,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101105" level="4">
+        <!-- LOGID_ATTACK_BOTNET_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">016400$</field>
+        <description>Botnet C&amp;C Communication (warning)</description>
+        <group>fortios.event.ips,fortios.category.botnet,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101106" level="4">
+        <!-- LOGID_ATTACK_BOTNET_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">016401$</field>
+        <description>Botnet C&amp;C Communication (notice)</description>
+        <group>fortios.event.ips,fortios.category.botnet,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101107" level="4">
+        <!-- LOG_ID_SSH_COMMAND_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">061000$</field>
+        <description>SSH shell command is blocked</description>
+        <group>fortios.event.ssh,fortios.category.ssh-command,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101108" level="4">
+        <!-- LOG_ID_SSH_COMMAND_BLOCK_ALERT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">061001$</field>
+        <description>SSH shell command is blocked</description>
+        <group>fortios.event.ssh,fortios.category.ssh-command,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="101109" level="4">
+        <!-- LOG_ID_SSH_COMMAND_PASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">061002$</field>
+        <description>SSH shell command is detected</description>
+        <group>fortios.event.ssh,fortios.category.ssh-command,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101110" level="4">
+        <!-- LOG_ID_SSH_COMMAND_PASS_ALERT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">061003$</field>
+        <description>SSH shell command is detected</description>
+        <group>fortios.event.ssh,fortios.category.ssh-command,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="101111" level="4">
+        <!-- LOG_ID_SSH_CHANNEL_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">061010$</field>
+        <description>SSH channel is blocked</description>
+        <group>fortios.event.ssh,fortios.category.ssh-channel,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101112" level="4">
+        <!-- LOG_ID_SSH_CHANNEL_PASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">061011$</field>
+        <description>SSH channel is detected</description>
+        <group>fortios.event.ssh,fortios.category.ssh-channel,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101113" level="4">
+        <!-- LOG_ID_SSH_HOST_KEY_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">061012$</field>
+        <description>SSH connection is blocked, because host-key is not trust</description>
+        <group>fortios.event.ssh,fortios.category.ssh-hostkey,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101114" level="4">
+        <!-- LOG_ID_SSH_HOST_KEY_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">061013$</field>
+        <description>SSH host-key is not trust</description>
+        <group>fortios.event.ssh,fortios.category.ssh-hostkey,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101115" level="4">
+        <!-- LOG_ID_SSL_EXEMPT_ADDR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062004$</field>
+        <description>SSL connection is exempted based on address</description>
+        <group>fortios.event.ssl,fortios.category.ssl-exempt,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101116" level="4">
+        <!-- LOG_ID_SSL_EXEMPT_ALLOWLIST -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062006$</field>
+        <description>SSL connection is exempted based on allowlist</description>
+        <group>fortios.event.ssl,fortios.category.ssl-exempt,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101117" level="4">
+        <!-- LOG_ID_SSL_EXEMPT_FTGD_CATEGORY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062007$</field>
+        <description>SSL connection is exempted based on FortiGuard category rating</description>
+        <group>fortios.event.ssl,fortios.category.ssl-exempt,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101118" level="4">
+        <!-- LOG_ID_SSL_EXEMPT_LOCAL_CATEGORY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062008$</field>
+        <description>SSL connection is exempted based on local category rating</description>
+        <group>fortios.event.ssl,fortios.category.ssl-exempt,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101119" level="4">
+        <!-- LOG_ID_SSL_EXEMPT_USER_CATEGORY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062009$</field>
+        <description>SSL connection is exempted based on user category rating</description>
+        <group>fortios.event.ssl,fortios.category.ssl-exempt,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101120" level="4">
+        <!-- LOG_ID_SSL_NEGOTIATION_INSPECT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062100$</field>
+        <description>Continue inspect the SSL connection</description>
+        <group>fortios.event.ssl,fortios.category.ssl-negotiation,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101121" level="4">
+        <!-- LOG_ID_SSL_NEGOTIATION_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062101$</field>
+        <description>SSL connection is blocked due to its SSL negotiation</description>
+        <group>fortios.event.ssl,fortios.category.ssl-negotiation,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101122" level="4">
+        <!-- LOG_ID_SSL_NEGOTIATION_BYPASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062102$</field>
+        <description>SSL connection is bypassed due to its SSL negotiation</description>
+        <group>fortios.event.ssl,fortios.category.ssl-negotiation,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101123" level="4">
+        <!-- LOG_ID_SSL_NEGOTIATION_INFO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062103$</field>
+        <description>SSL connection information</description>
+        <group>fortios.event.ssl,fortios.category.ssl-negotiation,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101124" level="4">
+        <!-- LOG_ID_SSL_SERVER_CERT_INFO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062200$</field>
+        <description>SSL server certificate information</description>
+        <group>fortios.event.ssl,fortios.category.ssl-server-cert-info,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101125" level="4">
+        <!-- LOG_ID_SSL_HANDSHAKE_INFO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062220$</field>
+        <description>SSL handshake information</description>
+        <group>fortios.event.ssl,fortios.category.ssl-handshake,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101126" level="4">
+        <!-- LOG_ID_SSL_ANOMALY_CERT_BLOCKLISTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062300$</field>
+        <description>SSL connection is blocked due to the server certificate is blocklisted</description>
+        <group>fortios.event.ssl,fortios.category.ssl-anomaly,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101127" level="4">
+        <!-- LOG_ID_SSL_ANOMALY_CERT_RESIGN_TRUSTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062301$</field>
+        <description>Server certificate has security problem</description>
+        <group>fortios.event.ssl,fortios.category.ssl-anomaly,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101128" level="4">
+        <!-- LOG_ID_SSL_ANOMALY_CERT_RESIGN_UNTRUSTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062302$</field>
+        <description>Re-signed server certificate as untrusted due to security problem</description>
+        <group>fortios.event.ssl,fortios.category.ssl-anomaly,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101129" level="4">
+        <!-- LOG_ID_SSL_ANOMALY_CERT_BLOCKED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062303$</field>
+        <description>SSL connection is blocked due to server certificate security problem</description>
+        <group>fortios.event.ssl,fortios.category.ssl-anomaly,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101130" level="4">
+        <!-- LOG_ID_SSL_ANOMALY_CERT_SNI_MISMATCHED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062304$</field>
+        <description>SSL connection is blocked due to server certificate and SNI mismatched</description>
+        <group>fortios.event.ssl,fortios.category.ssl-anomaly,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101131" level="4">
+        <!-- LOG_ID_SSL_ANOMALY_CERT_PROBE_FAILURE_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062305$</field>
+        <description>SSL connection is blocked due to unable to retrieve server's certificate</description>
+        <group>fortios.event.ssl,fortios.category.ssl-anomaly,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101132" level="4">
+        <!-- LOG_ID_SSL_ANOMALY_CERT_PROBE_FAILURE_PASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062306$</field>
+        <description>SSL connection is bypassed due to unable to retrieve server's certificate</description>
+        <group>fortios.event.ssl,fortios.category.ssl-anomaly,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101133" level="4">
+        <!-- LOG_ID_SSL_ANOMALY_CERT_SNI_MISMATCHED_INFO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062307$</field>
+        <description>Server certificate and SNI mismatched</description>
+        <group>fortios.event.ssl,fortios.category.ssl-anomaly,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101134" level="4">
+        <!-- LOG_ID_TRAFFIC_ALLOW -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000002$</field>
+        <description>Allowed traffic</description>
+        <group>fortios.event.traffic,fortios.category.forward,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101135" level="4">
+        <!-- LOG_ID_TRAFFIC_DENY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000003$</field>
+        <description>Traffic violation</description>
+        <group>fortios.event.traffic,fortios.category.forward,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101136" level="4">
+        <!-- LOG_ID_TRAFFIC_OTHER_START -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000004$</field>
+        <description>Traffic other session start</description>
+        <group>fortios.event.traffic,fortios.category.forward,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101137" level="4">
+        <!-- LOG_ID_TRAFFIC_OTHER_ICMP_ALLOW -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000005$</field>
+        <description>Traffic allowed ICMP</description>
+        <group>fortios.event.traffic,fortios.category.forward,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101138" level="4">
+        <!-- LOG_ID_TRAFFIC_OTHER_ICMP_DENY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000006$</field>
+        <description>Traffic denied ICMP</description>
+        <group>fortios.event.traffic,fortios.category.forward,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101139" level="4">
+        <!-- LOG_ID_TRAFFIC_OTHER_INVALID -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000007$</field>
+        <description>Traffic other invalid</description>
+        <group>fortios.event.traffic,fortios.category.forward,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101140" level="4">
+        <!-- LOG_ID_TRAFFIC_WANOPT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000008$</field>
+        <description>WAN optimization traffic</description>
+        <group>fortios.event.traffic,fortios.category.forward,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101141" level="4">
+        <!-- LOG_ID_TRAFFIC_WEBCACHE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000009$</field>
+        <description>Web cache traffic</description>
+        <group>fortios.event.traffic,fortios.category.forward,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101142" level="4">
+        <!-- LOG_ID_TRAFFIC_EXPLICIT_PROXY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000010$</field>
+        <description>Explicit proxy traffic</description>
+        <group>fortios.event.traffic,fortios.category.forward,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101143" level="4">
+        <!-- LOG_ID_TRAFFIC_FAIL_CONN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000011$</field>
+        <description>Failed connection attempts</description>
+        <group>fortios.event.traffic,fortios.category.forward,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101144" level="4">
+        <!-- LOG_ID_TRAFFIC_MULTICAST -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000012$</field>
+        <description>Multicast traffic</description>
+        <group>fortios.event.traffic,fortios.category.multicast,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101145" level="4">
+        <!-- LOG_ID_TRAFFIC_END_FORWARD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000013$</field>
+        <description>Forward traffic</description>
+        <group>fortios.event.traffic,fortios.category.forward,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101146" level="4">
+        <!-- LOG_ID_TRAFFIC_END_LOCAL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000014$</field>
+        <description>Local traffic</description>
+        <group>fortios.event.traffic,fortios.category.local,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101147" level="4">
+        <!-- LOG_ID_TRAFFIC_START_FORWARD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000015$</field>
+        <description>Forward traffic session start</description>
+        <group>fortios.event.traffic,fortios.category.forward,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101148" level="4">
+        <!-- LOG_ID_TRAFFIC_START_LOCAL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000016$</field>
+        <description>Local traffic session start</description>
+        <group>fortios.event.traffic,fortios.category.local,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101149" level="4">
+        <!-- LOG_ID_TRAFFIC_SNIFFER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000017$</field>
+        <description>Sniffer traffic</description>
+        <group>fortios.event.traffic,fortios.category.sniffer,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101150" level="4">
+        <!-- LOG_ID_TRAFFIC_BROADCAST -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000019$</field>
+        <description>Broadcast traffic</description>
+        <group>fortios.event.traffic,fortios.category.multicast,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101151" level="4">
+        <!-- LOG_ID_TRAFFIC_STAT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000020$</field>
+        <description>Forward traffic statistics</description>
+        <group>fortios.event.traffic,fortios.category.forward,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101152" level="4">
+        <!-- LOG_ID_TRAFFIC_SNIFFER_STAT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000021$</field>
+        <description>Sniffer traffic statistics</description>
+        <group>fortios.event.traffic,fortios.category.sniffer,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101153" level="4">
+        <!-- LOG_ID_TRAFFIC_UTM_CORRELATION -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000022$</field>
+        <description>Forward traffic for UTM correlation</description>
+        <group>fortios.event.traffic,fortios.category.forward,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101154" level="4">
+        <!-- LOG_ID_TRAFFIC_ZTNA -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000024$</field>
+        <description>ZTNA traffic</description>
+        <group>fortios.event.traffic,fortios.category.ztna,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101155" level="4">
+        <!-- LOG_ID_TRAFFIC_SFLOW -->
+        <if_sid>100010</if_sid>
+        <field name="logid">000025$</field>
+        <description>Sflow sample</description>
+        <group>fortios.event.traffic,fortios.category.forward,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101156" level="4">
+        <!-- MESGID_INFECT_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08192$</field>
+        <description>Infected file detected by the FortiGate unit and blocked</description>
+        <group>fortios.event.virus,fortios.category.infected,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101157" level="4">
+        <!-- MESGID_INFECT_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08193$</field>
+        <description>Infected file detected by the FortiGate unit and it passed</description>
+        <group>fortios.event.virus,fortios.category.infected,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101158" level="4">
+        <!-- MESGID_INFECT_MIME_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08194$</field>
+        <description>MIME header detected to have a virus and blocked</description>
+        <group>fortios.event.virus,fortios.category.infected,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101159" level="4">
+        <!-- MESGID_INFECT_MIME_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08195$</field>
+        <description>MIME header infected and passed</description>
+        <group>fortios.event.virus,fortios.category.infected,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101160" level="4">
+        <!-- MESGID_MIME_FILETYPE_EXE_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08200$</field>
+        <description>File is an executable (warning)</description>
+        <group>fortios.event.virus,fortios.category.filetype-executable,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101161" level="4">
+        <!-- MESGID_MIME_FILETYPE_EXE_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08201$</field>
+        <description>File is an executable (notice)</description>
+        <group>fortios.event.virus,fortios.category.filetype-executable,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101162" level="4">
+        <!-- MESGID_AVQUERY_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08202$</field>
+        <description>File reported infected by Outbreak Prevention (warning)</description>
+        <group>fortios.event.virus,fortios.category.outbreak-prevention,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101163" level="4">
+        <!-- MESGID_AVQUERY_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08203$</field>
+        <description>File reported infected by Outbreak Prevention (notice)</description>
+        <group>fortios.event.virus,fortios.category.outbreak-prevention,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101164" level="4">
+        <!-- MESGID_MIME_AVQUERY_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08204$</field>
+        <description>MIME data reported infected by Outbreak Prevention (warning)</description>
+        <group>fortios.event.virus,fortios.category.outbreak-prevention,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101165" level="4">
+        <!-- MESGID_MIME_AVQUERY_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08205$</field>
+        <description>MIME data reported infected by Outbreak Prevention (notice)</description>
+        <group>fortios.event.virus,fortios.category.outbreak-prevention,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101166" level="4">
+        <!-- MESGID_AV_EXEMPT_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08206$</field>
+        <description>File reported matched AV exempt list (notice)</description>
+        <group>fortios.event.virus,fortios.category.exempt-hash,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101167" level="4">
+        <!-- MESGID_MIME_AV_EXEMPT_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08207$</field>
+        <description>MIME data reported matched AV exempt list (notice)</description>
+        <group>fortios.event.virus,fortios.category.exempt-hash,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101168" level="4">
+        <!-- MESGID_MALWARE_LIST_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08212$</field>
+        <description>File reported infected by external malware list (warning)</description>
+        <group>fortios.event.virus,fortios.category.malware-list,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101169" level="4">
+        <!-- MESGID_MALWARE_LIST_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08213$</field>
+        <description>File reported infected by external malware list (notice)</description>
+        <group>fortios.event.virus,fortios.category.malware-list,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101170" level="4">
+        <!-- MESGID_MIME_MALWARE_LIST_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08214$</field>
+        <description>MIME data reported infected by external malware list (warning)</description>
+        <group>fortios.event.virus,fortios.category.malware-list,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101171" level="4">
+        <!-- MESGID_MIME_MALWARE_LIST_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08215$</field>
+        <description>MIME data reported infected by external malware list (notice)</description>
+        <group>fortios.event.virus,fortios.category.malware-list,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101172" level="4">
+        <!-- MESGID_FILE_HASH_EMS_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08216$</field>
+        <description>File reported infected by EMS threat feed (warning)</description>
+        <group>fortios.event.virus,fortios.category.ems-threat-feed,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101173" level="4">
+        <!-- MESGID_FILE_HASH_EMS_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08217$</field>
+        <description>File reported infected by EMS threat feed (notice)</description>
+        <group>fortios.event.virus,fortios.category.ems-threat-feed,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101174" level="4">
+        <!-- MESGID_MIME_FILE_HASH_EMS_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08218$</field>
+        <description>MIME data reported infected by EMS threat feed (warning)</description>
+        <group>fortios.event.virus,fortios.category.ems-threat-feed,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101175" level="4">
+        <!-- MESGID_MIME_FILE_HASH_EMS_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08219$</field>
+        <description>MIME data reported infected by EMS threat feed (notice)</description>
+        <group>fortios.event.virus,fortios.category.ems-threat-feed,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101176" level="4">
+        <!-- MESGID_FAI_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08220$</field>
+        <description>File reported infected by FortiNDR (warning)</description>
+        <group>fortios.event.virus,fortios.category.fortindr,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101177" level="4">
+        <!-- MESGID_FAI_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08221$</field>
+        <description>File reported infected by FortiNDR (notice)</description>
+        <group>fortios.event.virus,fortios.category.fortindr,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101178" level="4">
+        <!-- MESGID_MIME_FAI_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08222$</field>
+        <description>MIME data reported infected by FortiNDR (warning)</description>
+        <group>fortios.event.virus,fortios.category.fortindr,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101179" level="4">
+        <!-- MESGID_MIME_FAI_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08223$</field>
+        <description>MIME data reported infected by FortiNDR (notice)</description>
+        <group>fortios.event.virus,fortios.category.fortindr,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101180" level="4">
+        <!-- MESGID_ICB_TIMEOUT_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08224$</field>
+        <description>Inline Block scan timeout (warning)</description>
+        <group>fortios.event.virus,fortios.category.inline-block,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101181" level="4">
+        <!-- MESGID_ICB_TIMEOUT_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08225$</field>
+        <description>Inline Block scan timeout (notice)</description>
+        <group>fortios.event.virus,fortios.category.inline-block,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101182" level="4">
+        <!-- MESGID_MIME_ICB_TIMEOUT_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08226$</field>
+        <description>MIME data reported Inline Block scan timeout (warning)</description>
+        <group>fortios.event.virus,fortios.category.inline-block,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101183" level="4">
+        <!-- MESGID_MIME_ICB_TIMEOUT_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08227$</field>
+        <description>MIME data reported Inline Block scan timeout (notice)</description>
+        <group>fortios.event.virus,fortios.category.inline-block,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101184" level="4">
+        <!-- MESGID_ICB_ERROR_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08228$</field>
+        <description>Inline Block scan error (warning)</description>
+        <group>fortios.event.virus,fortios.category.inline-block,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101185" level="4">
+        <!-- MESGID_ICB_ERROR_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08229$</field>
+        <description>Inline Block scan error (notice)</description>
+        <group>fortios.event.virus,fortios.category.inline-block,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101186" level="4">
+        <!-- MESGID_MIME_ICB_ERROR_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08230$</field>
+        <description>MIME data reported Inline Block scan error (warning)</description>
+        <group>fortios.event.virus,fortios.category.inline-block,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101187" level="4">
+        <!-- MESGID_MIME_ICB_ERROR_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08231$</field>
+        <description>MIME data reported Inline Block scan error (notice)</description>
+        <group>fortios.event.virus,fortios.category.inline-block,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101188" level="4">
+        <!-- MESGID_ICB_FSA_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08232$</field>
+        <description>File reported infected by FortiSandbox (warning)</description>
+        <group>fortios.event.virus,fortios.category.fortisandbox,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101189" level="4">
+        <!-- MESGID_ICB_FSA_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08233$</field>
+        <description>File reported infected by FortiSandbox (notice)</description>
+        <group>fortios.event.virus,fortios.category.fortisandbox,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101190" level="4">
+        <!-- MESGID_MIME_ICB_FSA_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08234$</field>
+        <description>MIME data reported infected by FortiSandbox (warning)</description>
+        <group>fortios.event.virus,fortios.category.fortisandbox,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101191" level="4">
+        <!-- MESGID_MIME_ICB_FSA_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08235$</field>
+        <description>MIME data reported infected by FortiSandbox (notice)</description>
+        <group>fortios.event.virus,fortios.category.fortisandbox,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101192" level="4">
+        <!-- MESGID_ICB_FSA_TIMEOUT_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08236$</field>
+        <description>FortiSandbox scan timeout (warning)</description>
+        <group>fortios.event.virus,fortios.category.fortisandbox,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101193" level="4">
+        <!-- MESGID_ICB_FSA_TIMEOUT_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08237$</field>
+        <description>FortiSandbox scan timeout (notice)</description>
+        <group>fortios.event.virus,fortios.category.fortisandbox,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101194" level="4">
+        <!-- MESGID_MIME_ICB_FSA_TIMEOUT_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08238$</field>
+        <description>MIME data reported FortiSandbox scan timeout (warning)</description>
+        <group>fortios.event.virus,fortios.category.fortisandbox,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101195" level="4">
+        <!-- MESGID_MIME_ICB_FSA_TIMEOUT_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08239$</field>
+        <description>MIME data reported FortiSandbox scan timeout (notice)</description>
+        <group>fortios.event.virus,fortios.category.fortisandbox,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101196" level="4">
+        <!-- MESGID_ICB_FSA_ERROR_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08240$</field>
+        <description>FortiSandbox scan error (warning)</description>
+        <group>fortios.event.virus,fortios.category.fortisandbox,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101197" level="4">
+        <!-- MESGID_ICB_FSA_ERROR_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08241$</field>
+        <description>FortiSandbox scan error (notice)</description>
+        <group>fortios.event.virus,fortios.category.fortisandbox,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101198" level="4">
+        <!-- MESGID_MIME_ICB_FSA_ERROR_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08242$</field>
+        <description>MIME data reported FortiSandbox scan error (warning)</description>
+        <group>fortios.event.virus,fortios.category.fortisandbox,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101199" level="4">
+        <!-- MESGID_MIME_ICB_FSA_ERROR_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08243$</field>
+        <description>MIME data reported FortiSandbox scan error (notice)</description>
+        <group>fortios.event.virus,fortios.category.fortisandbox,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101200" level="4">
+        <!-- MESGID_BLOCK_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08448$</field>
+        <description>FortiGate unit blocked a file because it contains a virus</description>
+        <group>fortios.event.virus,fortios.category.filename,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101201" level="4">
+        <!-- MESGID_BLOCK_MIME_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08450$</field>
+        <description>FortiGate unit blocked a file because it contains a virus (MIME)</description>
+        <group>fortios.event.virus,fortios.category.mimefragmented,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101202" level="4">
+        <!-- MESGID_BLOCK_MIME_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08451$</field>
+        <description>FortiGate unit blocked a file because it contains a virus (MIME)</description>
+        <group>fortios.event.virus,fortios.category.mimefragmented,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101203" level="4">
+        <!-- MESGID_BLOCK_COMMAND -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08452$</field>
+        <description>FortiGate unit blocked a virus command</description>
+        <group>fortios.event.virus,fortios.category.command-blocked,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101204" level="4">
+        <!-- MESGID_OVERSIZE_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08704$</field>
+        <description>Defined file size limit was exceeded</description>
+        <group>fortios.event.virus,fortios.category.oversize,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101205" level="4">
+        <!-- MESGID_OVERSIZE_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08705$</field>
+        <description>File size limit was exceeded</description>
+        <group>fortios.event.virus,fortios.category.oversize,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101206" level="4">
+        <!-- MESGID_OVERSIZE_STREAM_UNCOMP_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08708$</field>
+        <description>Stream-based uncompression reached size limit.</description>
+        <group>fortios.event.virus,fortios.category.oversize,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101207" level="4">
+        <!-- MESGID_OVERSIZE_STREAM_UNCOMP_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08709$</field>
+        <description>Stream-based uncompression reached size limit.</description>
+        <group>fortios.event.virus,fortios.category.oversize,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101208" level="4">
+        <!-- MESGID_SWITCH_PROTO_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08720$</field>
+        <description>Switching protocols request (warning)</description>
+        <group>fortios.event.virus,fortios.category.switchproto,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101209" level="4">
+        <!-- MESGID_SWITCH_PROTO_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08721$</field>
+        <description>Switching protocols request (notice)</description>
+        <group>fortios.event.virus,fortios.category.switchproto,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101210" level="4">
+        <!-- MESGID_SCAN_UNCOMPSIZELIMIT_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08960$</field>
+        <description>File reached the uncompressed nested limit</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101211" level="4">
+        <!-- MESGID_SCAN_UNCOMPSIZELIMIT_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08961$</field>
+        <description>File reached the uncompressed size limit</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101212" level="4">
+        <!-- MESGID_SCAN_ARCHIVE_ENCRYPTED_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08962$</field>
+        <description>Archived file is corrupted</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101213" level="4">
+        <!-- MESGID_SCAN_ARCHIVE_ENCRYPTED_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08963$</field>
+        <description>Archived file is encrypted</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101214" level="4">
+        <!-- MESGID_SCAN_ARCHIVE_CORRUPTED_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08964$</field>
+        <description>Corrupted archive (warning)</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101215" level="4">
+        <!-- MESGID_SCAN_ARCHIVE_CORRUPTED_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08965$</field>
+        <description>Corrupted archive (notice)</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101216" level="4">
+        <!-- MESGID_SCAN_ARCHIVE_MULTIPART_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08966$</field>
+        <description>File is a multipart archive or contains multiple files within the archive</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101217" level="4">
+        <!-- MESGID_SCAN_ARCHIVE_MULTIPART_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08967$</field>
+        <description>File is a multipart archive or contains multiple files within the archive</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101218" level="4">
+        <!-- MESGID_SCAN_ARCHIVE_NESTED_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08968$</field>
+        <description>File is a nested archived file</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101219" level="4">
+        <!-- MESGID_SCAN_ARCHIVE_NESTED_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08969$</field>
+        <description>File is an archived type unhandled</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101220" level="4">
+        <!-- MESGID_SCAN_ARCHIVE_OVERSIZE_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08970$</field>
+        <description>Archived file is oversized</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101221" level="4">
+        <!-- MESGID_SCAN_ARCHIVE_OVERSIZE_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08971$</field>
+        <description>Archived file is oversized</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101222" level="4">
+        <!-- MESGID_SCAN_ARCHIVE_UNHANDLED_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08972$</field>
+        <description>Unhandled archive (warning)</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101223" level="4">
+        <!-- MESGID_SCAN_ARCHIVE_UNHANDLED_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08973$</field>
+        <description>Unhandled archive (notice)</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101224" level="4">
+        <!-- MESGID_SCAN_AV_ENGINE_LOAD_FAILED_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08974$</field>
+        <description>AV Engine load failed</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.error</group>
+    </rule>
+
+    <rule id="101225" level="4">
+        <!-- MESGID_SCAN_ARCHIVE_PARTIALLYCORRUPTED_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08975$</field>
+        <description>Partially corrupted archive (warning)</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101226" level="4">
+        <!-- MESGID_SCAN_ARCHIVE_PARTIALLYCORRUPTED_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08976$</field>
+        <description>Partially corrupted archive (notice)</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101227" level="4">
+        <!-- MESGID_SCAN_ARCHIVE_TIMEOUT_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08979$</field>
+        <description>Archive scan timeout (warning)</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101228" level="4">
+        <!-- MESGID_SCAN_ARCHIVE_TIMEOUT_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08980$</field>
+        <description>Archive scan timeout (notice)</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101229" level="4">
+        <!-- MESGID_SCAN_AV_CDR_INTERNAL_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08981$</field>
+        <description>AV CDR engine internal error</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.error</group>
+    </rule>
+
+    <rule id="101230" level="4">
+        <!-- MESGID_ANALYTICS_SUBMITTED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">09233$</field>
+        <description>File submitted to Sandbox</description>
+        <group>fortios.event.virus,fortios.category.analytics,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101231" level="4">
+        <!-- MESGID_ANALYTICS_INFECT_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">09234$</field>
+        <description>File reported infected by FortiSandbox (warning)</description>
+        <group>fortios.event.virus,fortios.category.infected,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101232" level="4">
+        <!-- MESGID_ANALYTICS_INFECT_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">09235$</field>
+        <description>File reported infected by FortiSandbox (notice)</description>
+        <group>fortios.event.virus,fortios.category.infected,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101233" level="4">
+        <!-- MESGID_ANALYTICS_INFECT_MIME_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">09236$</field>
+        <description>File reported infected by FortiSandbox (warning)</description>
+        <group>fortios.event.virus,fortios.category.infected,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101234" level="4">
+        <!-- MESGID_ANALYTICS_INFECT_MIME_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">09237$</field>
+        <description>File reported infected by FortiSandbox (notice)</description>
+        <group>fortios.event.virus,fortios.category.infected,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101235" level="4">
+        <!-- MESGID_ANALYTICS_FSA_RESULT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">09238$</field>
+        <description>File verdict returned from FortiSandbox</description>
+        <group>fortios.event.virus,fortios.category.analytics,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101236" level="4">
+        <!-- MESGID_CONTENT_DISARM_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">09239$</field>
+        <description>Active content detected by Content Disarm engine</description>
+        <group>fortios.event.virus,fortios.category.content-disarm,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101237" level="4">
+        <!-- MESGID_CONTENT_DISARM_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">09240$</field>
+        <description>File was disarmed by Content Disarm engine</description>
+        <group>fortios.event.virus,fortios.category.content-disarm,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101238" level="4">
+        <!-- LOGID_EVENT_VOIP_SIP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">044032$</field>
+        <description>VoIP SIP</description>
+        <group>fortios.event.voip,fortios.category.voip,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101239" level="4">
+        <!-- LOGID_EVENT_VOIP_SIP_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">044033$</field>
+        <description>VoIP SIP blocked</description>
+        <group>fortios.event.voip,fortios.category.voip,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101240" level="4">
+        <!-- LOGID_EVENT_VOIP_SIP_FUZZING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">044034$</field>
+        <description>VoIP SIP fuzzing</description>
+        <group>fortios.event.voip,fortios.category.voip,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101241" level="4">
+        <!-- LOGID_EVENT_VOIP_SCCP_REGISTER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">044035$</field>
+        <description>VoIP SCCP registered</description>
+        <group>fortios.event.voip,fortios.category.voip,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101242" level="4">
+        <!-- LOGID_EVENT_VOIP_SCCP_UNREGISTER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">044036$</field>
+        <description>VoIP SCCP unregistered</description>
+        <group>fortios.event.voip,fortios.category.voip,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101243" level="4">
+        <!-- LOGID_EVENT_VOIP_SCCP_CALL_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">044037$</field>
+        <description>VoIP SCCP call blocked</description>
+        <group>fortios.event.voip,fortios.category.voip,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101244" level="4">
+        <!-- LOGID_EVENT_VOIP_SCCP_CALL_INFO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">044038$</field>
+        <description>VoIP SCCP call information</description>
+        <group>fortios.event.voip,fortios.category.voip,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101245" level="4">
+        <!-- LOGID_WAF_SIGNATURE_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">030248$</field>
+        <description>Web application firewall blocked application by signature</description>
+        <group>fortios.event.waf,fortios.category.waf-signature,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101246" level="4">
+        <!-- LOGID_WAF_SIGNATURE_PASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">030249$</field>
+        <description>Web application firewall passed application by signature</description>
+        <group>fortios.event.waf,fortios.category.waf-signature,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101247" level="4">
+        <!-- LOGID_WAF_SIGNATURE_ERASE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">030250$</field>
+        <description>Web application firewall erased application by signature</description>
+        <group>fortios.event.waf,fortios.category.waf-signature,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101248" level="4">
+        <!-- LOGID_WAF_CUSTOM_SIGNATURE_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">030251$</field>
+        <description>Web application firewall blocked application by custom signature</description>
+        <group>fortios.event.waf,fortios.category.waf-custom-signature,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101249" level="4">
+        <!-- LOGID_WAF_CUSTOM_SIGNATURE_PASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">030252$</field>
+        <description>Web application firewall allowed application by custom signature</description>
+        <group>fortios.event.waf,fortios.category.waf-custom-signature,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101250" level="4">
+        <!-- LOGID_WAF_METHOD_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">030253$</field>
+        <description>Web application firewall blocked application by HTTP method</description>
+        <group>fortios.event.waf,fortios.category.waf-http-method,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101251" level="4">
+        <!-- LOGID_WAF_ADDRESS_LIST_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">030255$</field>
+        <description>Web application firewall blocked application by address list</description>
+        <group>fortios.event.waf,fortios.category.waf-address-list,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101252" level="4">
+        <!-- LOGID_WAF_CONSTRAINTS_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">030257$</field>
+        <description>Web application firewall blocked application by HTTP constraints</description>
+        <group>fortios.event.waf,fortios.category.waf-http-constraint,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101253" level="4">
+        <!-- LOGID_WAF_CONSTRAINTS_PASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">030258$</field>
+        <description>Web application firewall allowed application by HTTP constraints</description>
+        <group>fortios.event.waf,fortios.category.waf-http-constraint,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101254" level="4">
+        <!-- LOGID_WAF_URL_ACCESS_PERMIT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">030259$</field>
+        <description>Web application firewall allowed application by URL access permit</description>
+        <group>fortios.event.waf,fortios.category.waf-url-access,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101255" level="4">
+        <!-- LOGID_WAF_URL_ACCESS_BYPASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">030260$</field>
+        <description>Web application firewall allowed application by URL access bypass</description>
+        <group>fortios.event.waf,fortios.category.waf-url-access,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101256" level="4">
+        <!-- LOGID_WAF_URL_ACCESS_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">030261$</field>
+        <description>Web application firewall blocked application by URL access</description>
+        <group>fortios.event.waf,fortios.category.waf-url-access,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101257" level="4">
+        <!-- LOG_ID_WEB_CONTENT_BANWORD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012288$</field>
+        <description>Web content banned word found</description>
+        <group>fortios.event.webfilter,fortios.category.content,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101258" level="4">
+        <!-- LOG_ID_WEB_CONTENT_EXEMPTWORD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012290$</field>
+        <description>Web content exempt word found</description>
+        <group>fortios.event.webfilter,fortios.category.content,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101259" level="4">
+        <!-- LOG_ID_WEB_CONTENT_KEYWORD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012292$</field>
+        <description>Message contained a key word in the profile list</description>
+        <group>fortios.event.webfilter,fortios.category.content,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101260" level="4">
+        <!-- LOG_ID_WEB_CONTENT_SEARCH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012293$</field>
+        <description>Search phrase detected</description>
+        <group>fortios.event.webfilter,fortios.category.content,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101261" level="4">
+        <!-- LOG_ID_URL_FILTER_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012544$</field>
+        <description>URL address was blocked because it was found in the URL filter list</description>
+        <group>fortios.event.webfilter,fortios.category.urlfilter,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101262" level="4">
+        <!-- LOG_ID_URL_FILTER_EXEMPT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012545$</field>
+        <description>URL address was exempted because it was found in the URL filter list</description>
+        <group>fortios.event.webfilter,fortios.category.urlfilter,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101263" level="4">
+        <!-- LOG_ID_URL_FILTER_ALLOW -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012546$</field>
+        <description>URL address was allowed because it was found in the URL filter list</description>
+        <group>fortios.event.webfilter,fortios.category.urlfilter,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101264" level="4">
+        <!-- LOG_ID_URL_FILTER_INVALID_HOSTNAME_HTTP_BLK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012547$</field>
+        <description>The request contained an invalid domain name</description>
+        <group>fortios.event.webfilter,fortios.category.urlfilter,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101265" level="4">
+        <!-- LOG_ID_URL_FILTER_INVALID_HOSTNAME_HTTPS_BLK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012548$</field>
+        <description>HTTP certificate request contained an invalid domain name</description>
+        <group>fortios.event.webfilter,fortios.category.urlfilter,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101266" level="4">
+        <!-- LOG_ID_URL_FILTER_INVALID_HOSTNAME_HTTP_PASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012549$</field>
+        <description>HTTP request contained an invalid name so the session has been filtered by IP only</description>
+        <group>fortios.event.webfilter,fortios.category.urlfilter,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101267" level="4">
+        <!-- LOG_ID_URL_FILTER_INVALID_HOSTNAME_HTTPS_PASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012550$</field>
+        <description>HTTPS request contained an invalid name so the session has been filtered by IP only</description>
+        <group>fortios.event.webfilter,fortios.category.urlfilter,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101268" level="4">
+        <!-- LOG_ID_URL_FILTER_INVALID_HOSTNAME_SNI_BLK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012551$</field>
+        <description>Insufficient resources</description>
+        <group>fortios.event.webfilter,fortios.category.urlfilter,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101269" level="4">
+        <!-- LOG_ID_URL_FILTER_INVALID_HOSTNAME_SNI_PASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012552$</field>
+        <description>Getting the host name failed</description>
+        <group>fortios.event.webfilter,fortios.category.urlfilter,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101270" level="4">
+        <!-- LOG_ID_URL_FILTER_INVALID_CERT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012553$</field>
+        <description>Server certificate validation failed</description>
+        <group>fortios.event.webfilter,fortios.category.urlfilter,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101271" level="4">
+        <!-- LOG_ID_URL_FILTER_INVALID_SESSION -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012554$</field>
+        <description>SSL session blocked because its identification number was unknown</description>
+        <group>fortios.event.webfilter,fortios.category.urlfilter,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101272" level="4">
+        <!-- LOG_ID_URL_FILTER_SRV_CERT_ERR_BLK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012555$</field>
+        <description>SSL session blocked</description>
+        <group>fortios.event.webfilter,fortios.category.urlfilter,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101273" level="4">
+        <!-- LOG_ID_URL_FILTER_SRV_CERT_ERR_PASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012556$</field>
+        <description>SSL session ignored</description>
+        <group>fortios.event.webfilter,fortios.category.urlfilter,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101274" level="4">
+        <!-- LOG_ID_URL_FILTER_FAMS_NOT_ACTIVE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012557$</field>
+        <description>The FortiGuard Analysis and Management Service is not active. You must enable this service</description>
+        <group>fortios.event.webfilter,fortios.category.urlfilter,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="101275" level="4">
+        <!-- LOG_ID_URL_FILTER_RATING_ERR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012558$</field>
+        <description>Rating error occurred</description>
+        <group>fortios.event.webfilter,fortios.category.urlfilter,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101276" level="4">
+        <!-- LOG_ID_URL_FILTER_PASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012559$</field>
+        <description>URL passed because it was in the URL filter list</description>
+        <group>fortios.event.webfilter,fortios.category.urlfilter,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101277" level="4">
+        <!-- LOG_ID_URL_WISP_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012560$</field>
+        <description>URL blocked by Websense service</description>
+        <group>fortios.event.webfilter,fortios.category.urlfilter,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101278" level="4">
+        <!-- LOG_ID_URL_WISP_REDIR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012561$</field>
+        <description>URL blocked with redirect message by Websense service</description>
+        <group>fortios.event.webfilter,fortios.category.urlfilter,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101279" level="4">
+        <!-- LOG_ID_URL_WISP_ALLOW -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012562$</field>
+        <description>URL allowed by Websense service</description>
+        <group>fortios.event.webfilter,fortios.category.urlfilter,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101280" level="4">
+        <!-- LOG_ID_WEB_SSL_EXEMPT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012688$</field>
+        <description>URL address was exempted because it was found in the ssl-exempt</description>
+        <group>fortios.event.webfilter,fortios.category.ssl-exempt,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101281" level="4">
+        <!-- LOG_ID_WEB_FTGD_ERR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012800$</field>
+        <description>Rating error occurred (error)</description>
+        <group>fortios.event.webfilter,fortios.category.ftgd_err,fortios.severity.error</group>
+    </rule>
+
+    <rule id="101282" level="4">
+        <!-- LOG_ID_WEB_FTGD_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012801$</field>
+        <description>Rating error occurred (warning)</description>
+        <group>fortios.event.webfilter,fortios.category.ftgd_err,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101283" level="4">
+        <!-- LOG_ID_WEB_FTGD_QUOTA -->
+        <if_sid>100010</if_sid>
+        <field name="logid">012802$</field>
+        <description>Daily FortiGuard quota status</description>
+        <group>fortios.event.webfilter,fortios.category.ftgd_quota,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101284" level="4">
+        <!-- LOG_ID_WEB_FTGD_CAT_BLK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013056$</field>
+        <description>URL belongs to an blocked category within the firewall policy</description>
+        <group>fortios.event.webfilter,fortios.category.ftgd_blk,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101285" level="4">
+        <!-- LOG_ID_WEB_FTGD_CAT_WARN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013057$</field>
+        <description>URL belongs to a category with warnings enabled</description>
+        <group>fortios.event.webfilter,fortios.category.ftgd_blk,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101286" level="4">
+        <!-- LOG_ID_WEB_FTGD_CAT_ALLOW -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013312$</field>
+        <description>URL belongs to an allowed category within the firewall policy</description>
+        <group>fortios.event.webfilter,fortios.category.ftgd_allow,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101287" level="4">
+        <!-- LOG_ID_WEB_FTGD_QUOTA_COUNTING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013315$</field>
+        <description>FortiGuard web filter category quota counting log message</description>
+        <group>fortios.event.webfilter,fortios.category.ftgd_quota_counting,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101288" level="4">
+        <!-- LOG_ID_WEB_FTGD_QUOTA_EXPIRED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013316$</field>
+        <description>FortiGuard web filter category quota expired log message</description>
+        <group>fortios.event.webfilter,fortios.category.ftgd_quota_expired,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101289" level="4">
+        <!-- LOG_ID_WEB_URL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013317$</field>
+        <description>URL has been visited</description>
+        <group>fortios.event.webfilter,fortios.category.urlmonitor,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101290" level="4">
+        <!-- LOG_ID_WEB_SCRIPTFILTER_ACTIVEX -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013568$</field>
+        <description>ActiveX script removed</description>
+        <group>fortios.event.webfilter,fortios.category.activexfilter,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101291" level="4">
+        <!-- LOG_ID_WEB_SCRIPTFILTER_COOKIE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013573$</field>
+        <description>Cookie removed</description>
+        <group>fortios.event.webfilter,fortios.category.cookiefilter,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101292" level="4">
+        <!-- LOG_ID_WEB_SCRIPTFILTER_APPLET -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013584$</field>
+        <description>Java applet removed</description>
+        <group>fortios.event.webfilter,fortios.category.appletfilter,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101293" level="4">
+        <!-- LOG_ID_WEB_SCRIPTFILTER_OTHER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013600$</field>
+        <description>Script entity removed</description>
+        <group>fortios.event.webfilter,fortios.category.scriptfilter,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101294" level="4">
+        <!-- LOG_ID_WEB_WF_COOKIE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013601$</field>
+        <description>Cookie removed entirely</description>
+        <group>fortios.event.webfilter,fortios.category.cookiefilter,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101295" level="4">
+        <!-- LOG_ID_WEB_WF_REFERER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013602$</field>
+        <description>Referrer removed from request</description>
+        <group>fortios.event.webfilter,fortios.category.cookiefilter,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101296" level="4">
+        <!-- LOG_ID_WEB_WF_COMMAND_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013603$</field>
+        <description>Command blocked</description>
+        <group>fortios.event.webfilter,fortios.category.webfilter_command_block,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101297" level="4">
+        <!-- LOG_ID_CONTENT_TYPE_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013616$</field>
+        <description>Blocked by HTTP header content type</description>
+        <group>fortios.event.webfilter,fortios.category.content,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101298" level="4">
+        <!-- LOGID_HTTP_HDR_CHG_REQ -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013632$</field>
+        <description>Depends on info in msg field</description>
+        <group>fortios.event.webfilter,fortios.category.http_header_change,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101299" level="4">
+        <!-- LOGID_HTTP_HDR_CHG_RESP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013633$</field>
+        <description>Depends on info in msg field</description>
+        <group>fortios.event.webfilter,fortios.category.http_header_change,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101300" level="4">
+        <!-- LOG_ID_WEB_WF_ANTIPHISH_MATCH_URL_ALLOW -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013648$</field>
+        <description>Antiphishing matched a URL filter rule without blocking the request.</description>
+        <group>fortios.event.webfilter,fortios.category.antiphishing,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101301" level="4">
+        <!-- LOG_ID_WEB_WF_ANTIPHISH_MATCH_FTGD_ALLOW -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013649$</field>
+        <description>Antiphishing matched a Fortiguard category rule without blocking the request.</description>
+        <group>fortios.event.webfilter,fortios.category.antiphishing,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101302" level="4">
+        <!-- LOG_ID_WEB_WF_ANTIPHISH_MATCH_DEFAULT_ALLOW -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013650$</field>
+        <description>Antiphishing reached default action without blocking the request.</description>
+        <group>fortios.event.webfilter,fortios.category.antiphishing,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101303" level="4">
+        <!-- LOG_ID_WEB_WF_ANTIPHISH_MATCH_URL_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013651$</field>
+        <description>Antiphishing matched a URL filter rule and blocked the request.</description>
+        <group>fortios.event.webfilter,fortios.category.antiphishing,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101304" level="4">
+        <!-- LOG_ID_WEB_WF_ANTIPHISH_MATCH_FTGD_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013652$</field>
+        <description>Antiphishing matched a Fortiguard category rule and blocked the request.</description>
+        <group>fortios.event.webfilter,fortios.category.antiphishing,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101305" level="4">
+        <!-- LOG_ID_WEB_WF_ANTIPHISH_MATCH_DEFAULT_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013653$</field>
+        <description>Antiphishing reached default action and blocked the request.</description>
+        <group>fortios.event.webfilter,fortios.category.antiphishing,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101306" level="4">
+        <!-- LOG_ID_VIDEOFILTER_CATEGORY_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013664$</field>
+        <description>Video category is blocked.</description>
+        <group>fortios.event.webfilter,fortios.category.videofilter-category,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101307" level="4">
+        <!-- LOG_ID_VIDEOFILTER_CATEGORY_MONITOR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013665$</field>
+        <description>Video category is monitored</description>
+        <group>fortios.event.webfilter,fortios.category.videofilter-category,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101308" level="4">
+        <!-- LOG_ID_VIDEOFILTER_CATEGORY_ALLOW -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013666$</field>
+        <description>Video category is allowed</description>
+        <group>fortios.event.webfilter,fortios.category.videofilter-category,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101309" level="4">
+        <!-- LOG_ID_VIDEOFILTER_CHANNEL_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013680$</field>
+        <description>Video channel is blocked.</description>
+        <group>fortios.event.webfilter,fortios.category.videofilter-channel,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101310" level="4">
+        <!-- LOG_ID_VIDEOFILTER_CHANNEL_MONITOR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013681$</field>
+        <description>Video channel is monitored</description>
+        <group>fortios.event.webfilter,fortios.category.videofilter-channel,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101311" level="4">
+        <!-- LOG_ID_VIDEOFILTER_CHANNEL_ALLOW -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013682$</field>
+        <description>Video channel is allowed</description>
+        <group>fortios.event.webfilter,fortios.category.videofilter-channel,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101312" level="4">
+        <!-- LOG_ID_UNKNOWN_CE_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013696$</field>
+        <description>Unknown content-encoding detected and blocked.</description>
+        <group>fortios.event.webfilter,fortios.category.unknown-ce,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101313" level="4">
+        <!-- LOG_ID_UNKNOWN_CE_BYPASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013697$</field>
+        <description>Scan is bypassed due to unknown content-encoding.</description>
+        <group>fortios.event.webfilter,fortios.category.unknown-ce,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101314" level="4">
+        <!-- LOG_ID_ENTER_EXTREME_LOW_MEM_MODE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022022$</field>
+        <description>Extreme low memory mode entered</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="101315" level="4">
+        <!-- LOG_ID_LEAVE_EXTREME_LOW_MEM_MODE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022023$</field>
+        <description>Extreme low memory mode exited</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="101316" level="4">
+        <!-- LOG_ID_CASB_ACCESS_BLOCKED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">010000$</field>
+        <description>Web content banned activity found</description>
+        <group>fortios.event.casb,fortios.category.casb,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101317" level="4">
+        <!-- LOG_ID_CASB_ACCESS_BYPASS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">010001$</field>
+        <description>Web content activity found</description>
+        <group>fortios.event.casb,fortios.category.casb,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101318" level="4">
+        <!-- LOG_ID_CASB_ACCESS_MONITOR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">010002$</field>
+        <description>Web content activity found</description>
+        <group>fortios.event.casb,fortios.category.casb,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101319" level="4">
+        <!-- LOG_ID_DLP_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020136$</field>
+        <description>FortiGuard Data leak server prevention license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101320" level="4">
+        <!-- LOG_ID_FGSA_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020137$</field>
+        <description>Attack Surface Security Rating Service license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101321" level="4">
+        <!-- LOG_ID_SWOS_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020138$</field>
+        <description>FortiGuard SD-WAN Overlay as a Service license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101322" level="4">
+        <!-- LOG_ID_FGCS_ACC_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020139$</field>
+        <description>FortiGSLB Cloud Account Level license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101323" level="4">
+        <!-- LOG_ID_FSPA_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020140$</field>
+        <description>FortiSASE Secure Private Access license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101324" level="4">
+        <!-- LOG_ID_FSFG_LIC_EXPIRE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020141$</field>
+        <description>FortiSASE LAN Extension license expiring</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101325" level="4">
+        <!-- LOG_ID_DEV_VUNL_FTGD_LOOKUP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020150$</field>
+        <description>Device vulnerability lookup on FortiGuard</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101326" level="4">
+        <!-- LOG_ID_SCANUNIT_DLP_SIGNATURE_REMOVE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022817$</field>
+        <description>Scanunit DLP signature update error</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101327" level="4">
+        <!-- LOG_ID_FLTUND_NEW_CONN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022874$</field>
+        <description>Switch-controller FortilinkLite new connection</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101328" level="4">
+        <!-- LOG_ID_FLTUND_CONN_DOWN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022875$</field>
+        <description>Switch-controller FortilinkLite connection down</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="101329" level="4">
+        <!-- LOG_ID_FLTUND_RCV_BOOTSTRAP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022876$</field>
+        <description>Switch-controller FortilinkLite received bootstrap</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101330" level="4">
+        <!-- LOG_ID_FLTUND_CONN_ONLINE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022877$</field>
+        <description>Switch-controller FortilinkLite tunnel online</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101331" level="4">
+        <!-- LOG_ID_FLTUND_CONN_OFFLINE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022878$</field>
+        <description>Switch-controller FortilinkLite tunnel offline</description>
+        <group>fortios.event.event,fortios.category.switch-controller,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="101332" level="4">
+        <!-- LOG_ID_EVENT_VWL_APP_PERF_METRICS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022937$</field>
+        <description>SDWAN application performance metrics via FortiMonitor</description>
+        <group>fortios.event.event,fortios.category.sdwan,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101333" level="4">
+        <!-- LOG_ID_EVENT_VWL_WAN_SPEEDTEST_RESULT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022938$</field>
+        <description>SD-WAN Bandwidth monitoring result</description>
+        <group>fortios.event.event,fortios.category.sdwan,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101334" level="4">
+        <!-- LOG_ID_EVENT_VWL_FAIL_DETECT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022939$</field>
+        <description>SD-WAN fail detect</description>
+        <group>fortios.event.event,fortios.category.sdwan,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101335" level="4">
+        <!-- LOG_ID_EVENT_LINK_MONITOR_FAIL_DETECT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022940$</field>
+        <description>Link monitor fail detect</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101336" level="4">
+        <!-- LOG_ID_CC_KAT_SUCCESS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032055$</field>
+        <description>KAT tests succeeded</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101337" level="4">
+        <!-- LOG_ID_NP6XLITE_HPE_PACKET_DROP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">034420$</field>
+        <description>NP6XLITE HPE is dropping packets</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101338" level="4">
+        <!-- LOG_ID_NP6XLITE_HPE_PACKET_FLOOD -->
+        <if_sid>100010</if_sid>
+        <field name="logid">034421$</field>
+        <description>NP6XLITE HPE under a packets flood</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="101339" level="4">
+        <!-- LOG_ID_PCP_MAPPING_CREATE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">035051$</field>
+        <description>Create PCP mapping</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101340" level="4">
+        <!-- LOG_ID_PCP_MAPPING_DELETE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">035052$</field>
+        <description>Delete PCP mapping</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101341" level="4">
+        <!-- LOG_ID_PCP_MAPPING_RENEW -->
+        <if_sid>100010</if_sid>
+        <field name="logid">035053$</field>
+        <description>Renew PCP mapping</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101342" level="4">
+        <!-- LOGID_EVENT_ICAP_REMOTE_SRV_STAT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">040961$</field>
+        <description>Icap remote server stat</description>
+        <group>fortios.event.event,fortios.category.webproxy,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101343" level="4">
+        <!-- LOG_ID_EC_REG_SUCCEED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">045101$</field>
+        <description>FortiClient registered</description>
+        <group>fortios.event.event,fortios.category.endpoint,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101344" level="4">
+        <!-- LOG_ID_EC_EMS_UPGRADE_FAIL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">045132$</field>
+        <description>EMS entry could not be upgraded</description>
+        <group>fortios.event.event,fortios.category.endpoint,fortios.severity.error</group>
+    </rule>
+
+    <rule id="101345" level="4">
+        <!-- LOG_ID_EC_SHM_MISSING_QUERY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">045133$</field>
+        <description>FCEMS shared memory missing query statistics</description>
+        <group>fortios.event.event,fortios.category.endpoint,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101346" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_SIM_SWITCH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046518$</field>
+        <description>LTE modem active SIM card switch event</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101347" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_SIM_SWITCH_CONNECTION_STATE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046519$</field>
+        <description>LTE modem active SIM card switched: modem disconnection detected</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101348" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_SIM_SWITCH_LINK_MONITOR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046520$</field>
+        <description>LTE modem active SIM card switched: link monitor probe failure detected</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101349" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_SIM_FLIP -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046521$</field>
+        <description>LTE modem active SIM card slot flipped back and forth in short time</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101350" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_BILLING_DATA_ALERT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046522$</field>
+        <description>LTE billing data usage reached configured threshold</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101351" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_BILLING_TIME_REFRESH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046523$</field>
+        <description>LTE billing time passed, refresh billing date counter</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101352" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_SIM_SWITCH_DATA_PLAN -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046524$</field>
+        <description>LTE modem active SIM card switched: data plan reached</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101353" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_BILLING_STOP_NETWORK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046525$</field>
+        <description>LTE modem stop network due to data plan reached</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101354" level="4">
+        <!-- LOG_ID_INTERNAL_LTE_MODEM_BILLING_DATA_PLAN_OVER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">046526$</field>
+        <description>LTE billing data usage reached data limit</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101355" level="4">
+        <!-- LOG_ID_FORTICONVERTER_RESULT_READY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053320$</field>
+        <description>FortiConverter ticket has a result file ready</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101356" level="4">
+        <!-- LOG_ID_FORTICONVERTER_CONFIG_UPLOADED -->
+        <if_sid>100010</if_sid>
+        <field name="logid">053321$</field>
+        <description>Uploaded local config to a FortiConverter ticket</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101357" level="4">
+        <!-- LOG_ID_SSL_ANOMALY_HANDSHAKE_FAILURE -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062308$</field>
+        <description>Error occured during SSL handshake.</description>
+        <group>fortios.event.ssl,fortios.category.ssl-anomaly,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101358" level="4">
+        <!-- LOG_ID_SSL_ANOMALY_CERT_INVALID -->
+        <if_sid>100010</if_sid>
+        <field name="logid">062309$</field>
+        <description>Server certificate has security problem</description>
+        <group>fortios.event.ssl,fortios.category.ssl-anomaly,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101359" level="4">
+        <!-- LOG_ID_OT_VPATCH_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">064600$</field>
+        <description>Traffic was blocked by OT virtual patch</description>
+        <group>fortios.event.virtual-patch,fortios.category.ot-vpatch,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101360" level="4">
+        <!-- LOG_ID_OT_VPATCH_LOG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">064601$</field>
+        <description>Traffic was detected by OT virtual patch</description>
+        <group>fortios.event.virtual-patch,fortios.category.ot-vpatch,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101361" level="4">
+        <!-- LOG_ID_LOCALIN_VPATCH_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">064610$</field>
+        <description>Traffic was blocked by local-in virtual patch</description>
+        <group>fortios.event.virtual-patch,fortios.category.localin-vpatch,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101362" level="4">
+        <!-- LOG_ID_LOCALIN_VPATCH_LOG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">064611$</field>
+        <description>Traffic was detected by local-in virtual patch</description>
+        <group>fortios.event.virtual-patch,fortios.category.localin-vpatch,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101363" level="4">
+        <!-- MESGID_SCAN_AV_MAX_MEMORY_REACHED_ERROR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08982$</field>
+        <description>Exceeded max AV memory</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.error</group>
+    </rule>
+
+    <rule id="101364" level="4">
+        <!-- LOG_ID_CONTENT_TYPE_EXEMPT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013617$</field>
+        <description>Exempted by HTTP header content type</description>
+        <group>fortios.event.webfilter,fortios.category.content,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101365" level="4">
+        <!-- LOG_ID_VIDEOFILTER_TITLE_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013712$</field>
+        <description>Video title is blocked.</description>
+        <group>fortios.event.webfilter,fortios.category.videofilter-title,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101366" level="4">
+        <!-- LOG_ID_VIDEOFILTER_TITLE_MONITOR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013713$</field>
+        <description>Video title is monitored</description>
+        <group>fortios.event.webfilter,fortios.category.videofilter-title,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101367" level="4">
+        <!-- LOG_ID_VIDEOFILTER_TITLE_ALLOW -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013714$</field>
+        <description>Video title is allowed</description>
+        <group>fortios.event.webfilter,fortios.category.videofilter-title,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101368" level="4">
+        <!-- LOG_ID_VIDEOFILTER_DESCRIPTION_BLOCK -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013728$</field>
+        <description>Video description is blocked.</description>
+        <group>fortios.event.webfilter,fortios.category.videofilter-description,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101369" level="4">
+        <!-- LOG_ID_VIDEOFILTER_DESCRIPTION_MONITOR -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013729$</field>
+        <description>Video description is monitored</description>
+        <group>fortios.event.webfilter,fortios.category.videofilter-description,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101370" level="4">
+        <!-- LOG_ID_VIDEOFILTER_DESCRIPTION_ALLOW -->
+        <if_sid>100010</if_sid>
+        <field name="logid">013730$</field>
+        <description>Video description is allowed</description>
+        <group>fortios.event.webfilter,fortios.category.videofilter-description,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101371" level="4">
+        <!-- LOG_ID_RAD_FAIL_IPV6_SOCKET -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020047$</field>
+        <description>RADVD failed to create an IPv6 socket</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="101372" level="4">
+        <!-- LOG_ID_RAD_FAIL_OPT_IPV6_PKTINFO -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020048$</field>
+        <description>RADVD failed to set IPv6 packet info</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="101373" level="4">
+        <!-- LOG_ID_RAD_FAIL_OPT_IPV6_CHECKSUM -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020049$</field>
+        <description>RADVD failed to set IPv6 checksum</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="101374" level="4">
+        <!-- LOG_ID_RAD_FAIL_OPT_IPV6_UNICAST_HOPS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020050$</field>
+        <description>RADVD failed to set IPv6 unicast hops</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="101375" level="4">
+        <!-- LOG_ID_RAD_FAIL_OPT_IPV6_MULTICAST_HOPS -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020051$</field>
+        <description>RADVD failed to set IPv6 multicast hops</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="101376" level="4">
+        <!-- LOG_ID_RAD_FAIL_OPT_IPV6_HOPLIMIT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020052$</field>
+        <description>RADVD failed to set IPv6 hop limit</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="101377" level="4">
+        <!-- LOG_ID_RAD_FAIL_OPT_IPPROTO_ICMPV6 -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020053$</field>
+        <description>RADVD failed to set ICMPv6 filter</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="101378" level="4">
+        <!-- LOG_ID_RAD_EXIT_BY_SIGNAL -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020054$</field>
+        <description>RADVD exited due to received signal</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101379" level="4">
+        <!-- LOG_ID_RAD_FAIL_CMDB_QUERY -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020055$</field>
+        <description>RADVD interface query creation failed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="101380" level="4">
+        <!-- LOG_ID_RAD_FAIL_CMDB_FOR_EACH -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020056$</field>
+        <description>RADVD query error</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="101381" level="4">
+        <!-- LOG_ID_RAD_FAIL_FIND_VIRT_INTF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020057$</field>
+        <description>RADVD virtual interface not found</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="101382" level="4">
+        <!-- LOG_ID_RAD_UNLOAD_INTF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">020058$</field>
+        <description>RADVD unloaded interface</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.information</group>
+    </rule>
+
+    <rule id="101383" level="4">
+        <!-- LOG_ID_FDS_SRV_CHG -->
+        <if_sid>100010</if_sid>
+        <field name="logid">022914$</field>
+        <description>FortiGate Cloud server changed</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101384" level="4">
+        <!-- LOG_ID_ADMIN_MTNER_LOGIN_SUCC -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032053$</field>
+        <description>Admin monitor login successful</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="101385" level="4">
+        <!-- LOG_ID_ADMIN_MTNER_LOGOUT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032054$</field>
+        <description>Admin monitor logout successful</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="101386" level="4">
+        <!-- LOG_ID_RESTORE_IMG_USB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032199$</field>
+        <description>Image restored from USB</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="101387" level="4">
+        <!-- LOG_ID_RESTORE_CONF_BY_USB -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032567$</field>
+        <description>Configuration restored by USB</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.critical</group>
+    </rule>
+
+    <rule id="101388" level="4">
+        <!-- LOG_ID_ADMIN_MTNER_LOGOUT_DISCONNECT -->
+        <if_sid>100010</if_sid>
+        <field name="logid">032570$</field>
+        <description>Admin monitor disconnected</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="101389" level="4">
+        <!-- LOGID_EVENT_CONFIG_OBJATTR_MTNER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">044549$</field>
+        <description>Object attribute configured by maintainer</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="101390" level="4">
+        <!-- LOGID_EVENT_CONFIG_OBJ_MTNER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">044550$</field>
+        <description>Object configured by maintainer</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="101391" level="4">
+        <!-- LOGID_EVENT_CONFIG_ATTR_MTNER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">044551$</field>
+        <description>Attribute configured by maintainer</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="101392" level="4">
+        <!-- LOGID_EVENT_CONFIG_PATH_MTNER -->
+        <if_sid>100010</if_sid>
+        <field name="logid">044552$</field>
+        <description>Path configured by maintainer</description>
+        <group>fortios.event.event,fortios.category.system,fortios.severity.alert</group>
+    </rule>
+
+    <rule id="101393" level="4">
+        <!-- MESGID_FORTIAI_FAILURE_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08983$</field>
+        <description>FortiNDR submission failure (warning)</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101394" level="4">
+        <!-- MESGID_FORTIAI_FAILURE_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08984$</field>
+        <description>FortiNDR submission failure (notice)</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.notice</group>
+    </rule>
+
+    <rule id="101395" level="4">
+        <!-- MESGID_FORTIAI_TIMEOUT_WARNING -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08985$</field>
+        <description>FortiNDR scan timeout (warning)</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.warning</group>
+    </rule>
+
+    <rule id="101396" level="4">
+        <!-- MESGID_FORTIAI_TIMEOUT_NOTIF -->
+        <if_sid>100010</if_sid>
+        <field name="logid">08986$</field>
+        <description>FortiNDR scan timeout (notice)</description>
+        <group>fortios.event.virus,fortios.category.scanerror,fortios.severity.notice</group>
+    </rule>
+</group>