Description
Solution
This article describes how to create an event handler based on FortiAnalyzer’s Local Event Logs to alert the network admin. In this example, the event handler will send an alert email to the network admin if FortiAnalyzer do not receive logs from FortiGate devices.
Solution
1) Configure SMTP server under System Settings -> Advanced -> SMTP Server and test validity
2) Go to System Settings -> Event Log and search for ‘Warning’ Level log, with description “Device Offline”
Search for the keywords “Did not receive any log from device” from Message field (msg) in Event Log.
3) Go to ‘root’ Adom, create Event Handler and alert
Under Filters, select Level (Priority) Equal To ‘Warning’
and use Generic Text Filter (msg~"Did not receive any log from
device"), as illustrated bellow:
NOTE: If FortiAnalyzer has ADOM enabled, the ‘Local Device’ option under Event Handler -> Devices will only be available in ‘root’ ADOM.
Configure Notifications -> Send Alert Email to receive the
alert email:
4) Test the result
Example of an alert email received by the network admin when FortiGate stops sending logs to FortiAnalyzer:
Related Articles
Technical Note: How to configure an Event Handler with a generic text filter
Technical Note: Use of Operators in Event Handler General Filter (syntax)
