rmankotia (Staff)
Article Id 190370
Description
This article describes how to create an event handler that matches a specific source IP or an interface status change, and generates an alert email when the filter matches.

Solution
Configure Email Server on FortiAnalyzer:

1) System Settings -> Mail Server -> Create New



Configure the Event Handler:

2) Click on Event Manager -> Event Handler -> Create New



If the source IP 10.200.0.77 accesses any social networking site (such as facebook.com), an alert email is generated, as illustrated below:



The Event Handler will send an alert if the physical port (in this example: Port6) goes down; the event handler of a virtual interface, such as the IPsec interface (in this example: toRM), will not send any email. The Generic Text Filter has to be used for this event, as shown below:



When the tunnel interface (toRM) and the physical interface (Port6) are brought down on the FortiGate, only the alert email for the physical interface (Port6) is received; no alert email is received for the tunnel interface (toRM), as illustrated below:
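As an added example (not part of this article and not Fortinet code), the following Python models how an event handler filter is evaluated against FortiGate log lines. It parses the key=value log format, evaluates a filter written in a simplified generic-text style (`field=="value"` / `field!="value"` terms joined with `and`, an assumed syntax rather than FortiAnalyzer's full grammar), and builds an alert subject in the shape seen in the fazmaild debug trace further down. The interface-down log line is the one quoted in that trace; the web-filter lines, the use of the `catdesc` field, and the handler and function names are constructed assumptions for the example.

```python
"""Added example: a small model of event-handler filtering over FortiGate logs.
Not code from the article or from Fortinet; filter syntax and field choices are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# key=value pairs; a value is either a bare token (logver=60) or a double-quoted
# string that may contain spaces (msg="Link monitor: ...").
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# One filter term, e.g. srcip=="10.200.0.77" or status!="UP" (assumed syntax).
_TERM_RE = re.compile(r'^\s*(\w+)\s*(==|!=)\s*"?([^"]*?)"?\s*$')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate log line into a field dictionary, stripping value quotes."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def matches_filter(expr: str, fields: Dict[str, str]) -> bool:
    """Evaluate a generic-text-style filter: every 'and'-joined term must hold."""
    for term in expr.split(" and "):
        m = _TERM_RE.match(term)
        if not m:
            raise ValueError(f"unsupported filter term: {term!r}")
        key, op, value = m.groups()
        actual = fields.get(key)
        if op == "==" and actual != value:
            return False
        if op == "!=" and actual == value:
            return False
    return True


@dataclass
class EventHandler:
    name: str
    generic_filter: str
    severity: str = "medium"

    def evaluate(self, line: str) -> Optional[str]:
        """Return the alert email subject when the log matches the filter, else None."""
        f = parse_fortigate_log(line)
        if not matches_filter(self.generic_filter, f):
            return None
        # Subject layout mirrors the one in the fazmaild debug trace quoted in the article.
        return (f"{self.name} alert ({self.severity} {f.get('subtype', 'unknown')} alert "
                f"msg:{f.get('msg', '')} {f.get('devname', '')})")


# Handler 1: one source IP reaching a site FortiGate categorised as social networking.
# Matching on the web-filter 'catdesc' field is an assumption made for this example.
SOCIAL_HANDLER = EventHandler(
    name="Social networking by 10.200.0.77",
    generic_filter='srcip=="10.200.0.77" and catdesc=="Social Networking"',
)
# Handler 2: generic text filter for a link going down, keyed on fields that
# appear in the interface-status log quoted in the article.
LINK_DOWN_HANDLER = EventHandler(
    name="Interface status",
    generic_filter='action=="interface-stat-change" and status=="DOWN"',
)

# Constructed sample input. SAMPLE_LOGS[0] is the log line quoted in the article's
# debug output (copied as-is); the remaining three lines are made up for this example.
SAMPLE_LOGS: List[str] = [
    'logver=60 idseq=272907219786268678 itime=1561599276 devid=FGVM020000137959 devname=MAIN_SITE '
    'vd=root date=2019-06-27 time=11:34:34 logid="0100020099" type="event" subtype="system" '
    'level="warning" eventtime=1561599274 logdesc="Inrface status changed" '
    'action="interface-stat-change" status="DOWN" msg="Link monitor: Interface port6 was turned down"',
    # constructed: social networking site reached from the watched source IP -> alert
    'date=2019-06-27 time=11:40:01 devname=MAIN_SITE vd="root" type="utm" subtype="webfilter" '
    'level="notice" srcip=10.200.0.77 dstip=198.51.100.10 hostname="www.facebook.com" '
    'catdesc="Social Networking" action="passthrough" msg="URL belongs to an allowed category"',
    # constructed: same site from another source IP -> no alert
    'date=2019-06-27 time=11:40:05 devname=MAIN_SITE vd="root" type="utm" subtype="webfilter" '
    'level="notice" srcip=10.200.0.78 dstip=198.51.100.10 hostname="www.facebook.com" '
    'catdesc="Social Networking" action="passthrough" msg="URL belongs to an allowed category"',
    # constructed: link coming back up -> no alert (status is UP)
    'date=2019-06-27 time=11:45:10 devname=MAIN_SITE vd=root type="event" subtype="system" '
    'level="warning" action="interface-stat-change" status="UP" '
    'msg="Link monitor: Interface port6 was turned up"',
]


def run_handlers(handlers: Iterable[EventHandler], lines: Iterable[str]) -> List[str]:
    """Return the alert subjects that would be mailed for the given log lines, in order."""
    subjects: List[str] = []
    for line in lines:
        for h in handlers:
            subject = h.evaluate(line)
            if subject:
                subjects.append(subject)
    return subjects


if __name__ == "__main__":
    for s in run_handlers([SOCIAL_HANDLER, LINK_DOWN_HANDLER], SAMPLE_LOGS):
        print(s)
```

Running the block prints two subjects: the interface-down line from the article produces `Interface status alert (medium system alert msg:Link monitor: Interface port6 was turned down MAIN_SITE)`, the same subject that appears in the debug trace, and the constructed web-filter hit from 10.200.0.77 produces the social-networking alert; the other two lines match neither handler.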


Debugs on the FortiAnalyzer:
# diagnose debug application fazmaild 8
# diagnose debug enable

sendmail_loop:1089: sending mail: 6debfcfc-e952-184a-a840-46cff93ad7b6
create_mail_info:433: mail server MailServer has not been marked as unreachable
create_mail_info:459: got mail by name MailServer
prepare_email_data:151: To: xxxx@mail.fortiems.local
prepare_email_data:157: From: xxxx@mail.fortiems.local
prepare_email_data:163: Subject: Interface status alert (medium system alert msg:Link monitor: Interface port6 was turned down MAIN_SITE)
prepare_email_data:172: Date: Wed, 26 Jun 2019 18:35:00 -0700(PDT)
prepare_email_data:196: MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="mixed_fazmaild_v1_1561599300"

--mixed_fazmaild_v1_1561599300
Content-Type: multipart/alternative;  boundary="fazmaild_v1_1561599300"

--fazmaild_v1_1561599300
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Transfer-Encoding: 7bit

Subject: msg:Link monitor: Interface port6 was turned down
Device: MAIN_SITE
Severity: medium
From: Skywalker-kvm09(FAZ-VM0000137091)
Trigger: Interface Status
Filter:
Log message:
logver=60 idseq=272907219786268678 itime=1561599276 devid=FGVM020000137959 devname=MAIN_SITE vd=root date=2019-06-27 time=11:34:34 logid="0100020099" type="event" subtype="system" level="warning" eventtime=1561599274 logdesc="Inrface status changed" action="interface-stat-change" status="DOWN" msg="Link monitor: Interface port6 was turned down"

prepare_email_data:207:

--fazmaild_v1_1561599300
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit
