Description
This article describes how to configure the own events and test it.
Event Handler is a convenient way to have external events sent and triggered by specific messages (either internal events from FortiManager or FortiAnalyzer) or received from external devices.
Solution
Here is a step by step guide on how to validate event handlers in FortiManager and FortiAnalyzer:
1) Verifying that the logs are being received on the FortiAnalyzer.
First run this command on the FortiGate and see if the logs are sent correctly:
# diag log test
Repeat multiple times if needed.
The output of the command on the FortiGate CLI:
FG60EPTK12345678# diagnose log test
generating a system event message with level - warning
generating an infected virus message with level - warning
generating a blocked virus message with level - warning
generating a URL block message with level - warning
generating a DLP message with level - warning
generating an IPS log message
generating an anomaly log message
generating an application control IM message with level - information
generating an IPv6 application control IM message with level - information
generating deep application control logs with level - information
generating an antispam message with level - notification
generating an allowed traffic message with level - notice
generating a multicast traffic message with level - notice
generating a ipv6 traffic message with level - notice
generating a wanopt traffic log message with level - notification
generating a HA event message with level - warning
generating a VOIP event message with level - information
generating authentication event messages
generating a Forticlient message with level - information
generating a URL block message with level - warning
generating a DNS message with level - warning
generating an ssh-command pass log with level - notification
generating an ssh-channel block with level - warning
Check the log browser if the logs are being received.
For example, go in the Antivirus section under Security in Log View:
If the Logs are not received, refer to the related article at the end of this KB article (Troubleshooting Tip: FortiGate to FortiAnalyzer connectivity) for step-by-step troubleshooting and verification:
2) Configuring the SMTP server and testing it.
Configure the SMTP server. For this go to System Setting -> Advanced -> Mail Server:
Note: Avoid using spaces in the name, ie 'Fmg_Gmail' instead of 'Fmg Gmail'.
Then validate the SMTP setting using the Test Mail Server option:
A success message should pop up:
3) Creating an event detection and alert.
First, select the event which will trigger the alert. The below test shows the virus threat:
It is also possible to edit the corresponding event in a raw format to have advanced filter possibilities:
Once the corresponding event is known, it is possible to configure the alert. The more information there is, the smaller the chance of false positive events. In this case, the only virus detected is the one with the name 'virus_test'.
If the chosen event does not have any pre-programmed field, the Generic Text Filter can be used for the proper trigger.
4) Testing the generated event.
In order to test if the event is generated, the bellow test command should be entered in the FortiGate CLI:
# diagnose log test
Output:
FG60EPTK1-----78# diagnose log test
generating a system event message with level - warning
generating an infected virus message with level - warning
generating a blocked virus message with level - warning
generating a URL block message with level - warning
generating a DLP message with level - warning
generating an IPS log message
generating an anomaly log message
generating an application control IM message with level - information
generating an IPv6 application control IM message with level - information
generating deep application control logs with level - information
generating an antispam message with level - notification
generating an allowed traffic message with level - notice
generating a multicast traffic message with level - notice
generating a ipv6 traffic message with level - notice
generating a wanopt traffic log message with level - notification
generating a HA event message with level - warning
generating a VOIP event message with level - information
generating authentication event messages
generating a Forticlient message with level - information
generating a URL block message with level - warning
generating a DNS message with level - warning
generating an ssh-command pass log with level - notification
generating an ssh-channel block with level - warning
The message will be sent to the FortiAnalyzer and the event will be triggered. The Event log of the system can be checked in System Setting -> Event Log:
The mail will then be received as shown below:
5) Troubleshooting Event Generation Failure.
If the test is not successful, indicate where the problem is detected:
- Mail server configuration and test validation.
- Expected log not being received.
- Event configured but no mail generated based on the system event.
Send the corresponding information:
- Config of the FortiManager and FortiAnalyzer.
- Raw log of the FortiManager and FortiAnalyzer.
- Exe tac report:
diag test connection mailserver <mailserver> <source SMTP address> <destination SMTP address>
In the FortiAnalyzer enter the below commands while doing a 'diag log test' action from the FortiGate CLI:
diag test application sqllogd 200
diag test application sqllogd 200 status
diag test application sqllogd 200 config
diag debug application sqllogd 8
diag debug enable
diagnose debug application fazmaild 255
diagnose debug disable
diag debug reset
For deeper troubleshooting refers to the related article at the end of this KB article (Troubleshooting Tip: FortiGate to FortiAnalyzer connectivity).
Related Articles:
Troubleshooting Tip: FortiGate to FortiAnalyzer connectivity
Troubleshooting Tip: How to troubleshoot for event handler related issues
Technical Note: How to configure an Event Handler with a generic text filter
Technical Tip: Configuring FortiManager and FortiAnalyzer to use GMAIL
Technical Tip: How to set up Email Notifications with notification.fortinet.net
