ck_FTNT
Staff
Article Id 195250

Description

 

This article describes how to configure FortiAnalyzer to provide alerts when it stops receiving logs from FortiGate, such as when the connection is interrupted.

 

Scope

 

FortiAnalyzer.

 

Solution

 

1) Configure the time threshold at which FortiAnalyzer generates a 'no logs received' message.

 

In FortiAnalyzer 5.4 and 5.6, the default value is 5 minutes. Starting in 6.0, the value is 1440 minutes (or 24 hours).

 

Adjust the value with the following CLI command:

 

# config system locallog setting

(setting)# set log-interval-dev-no-logging X

(setting)# end

 

Note that lowering this value increases how often 'no logs received' messages are generated, which may degrade FortiAnalyzer performance.

 

2) Create an event handler that triggers when a 'no logs received' message is logged.

 

Below is a raw text sample log of the error:

 

itime=2019-08-06 13:56:22 dstepid=1 devid=FL3K5XXXXXXXX msg=Did not receive any log from device DEVICE_NAME[DEVICE_SN] in last 17289 minutes. idseq=245935346703925353 type=event dtime=2019-08-06 13:56:22 devname=FL3K5XXXXXXXX dsteuid=1 itime_t=1565124982 user=system date=2019-08-06 desc=Device offline level=warning log_id=0029038009 epid=1 userfrom=system subtype=logdev time=13:56:22 euid=1

 

Choose identifying text or a field to use in the event handler to match this type of error. This article uses the field desc, whose value is 'Device offline' for this type of error.

 

Next, create an event handler for the variable or text chosen from this particular log. It is only possible to handle local log events (events generated by FortiAnalyzer) from the root ADOM.

 

1) Go to the root ADOM, navigate to Incidents & Events -> Handlers -> Event Handler List and select Create New. Under some versions of FortiAnalyzer, this is FortiSoC -> Handlers -> Event Handler List instead.

 

2) Give the handler a name and, optionally, a description.

 

3) Under Devices, select 'Local Device'. If 'Local Device' is not available, the current ADOM is not the root ADOM.

 

4) Delete the pre-defined filter entry by selecting the trash icon.

 

5) Add 'desc=="Device offline"' to the Generic Text Filter. This filter matches any log in which the field desc has the value 'Device offline'.

 

6) Fill in 'Generate alert when at least 1 matches occurred over a period of 1 minutes'.

 

7) Check Send Alert Email under Notifications and fill in To, From, and Subject with the preferred settings. Select the pre-configured mail server using the drop-down, or create new mail server settings by selecting the + button.

 

Select OK to confirm changes. FortiAnalyzer will now provide an alert when it stops receiving logs from FortiGate.
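The matching logic the handler applies can be illustrated in code. The following Python script is an added example written for this article, not FortiAnalyzer's own implementation: it parses the key=value local-log format shown above, evaluates the Generic Text Filter desc=="Device offline" together with the 'at least N matches' rule, and pulls the device name and the number of silent minutes out of the msg field for the alert body. The log lines are constructed from the article's sample; device names, serial numbers and the non-matching 'Disk usage' event are placeholders, and only the == operator of the filter syntax is supported.

```python
"""Added example (not FortiAnalyzer code): evaluate a 'no logs received'
event handler over FortiAnalyzer local-log lines in key=value form."""
import re
from datetime import datetime

# key=value tokens; a value runs up to the next " key=" boundary so that
# free-text fields such as msg=... keep their embedded spaces.
_KV_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')
# Subset of the Generic Text Filter syntax handled here: field=="value"
_FILTER_RE = re.compile(r'^\s*(\w+)\s*==\s*"([^"]*)"\s*$')
# "Did not receive any log from device NAME[SN] in last N minutes."
_MSG_RE = re.compile(r'from device (\S+?)\[(\S+?)\] in last (\d+) minutes')

# Constructed sample lines modelled on the article's log; names/serials are placeholders.
SAMPLE_LOGS = [
    'itime=2019-08-06 13:56:22 dstepid=1 devid=FL3K5XXXXXXXX '
    'msg=Did not receive any log from device BRANCH-FGT[FGT60PLACEHOLDER] in last 17289 minutes. '
    'type=event devname=FL3K5XXXXXXXX user=system date=2019-08-06 desc=Device offline '
    'level=warning log_id=0029038009 subtype=logdev time=13:56:22',
    # A different local event (placeholder desc) that must not match the filter.
    'itime=2019-08-06 13:57:01 devid=FL3K5XXXXXXXX msg=Log disk usage below threshold '
    'type=event desc=Disk usage level=information subtype=logdev time=13:57:01',
    'itime=2019-08-06 13:58:10 devid=FL3K5XXXXXXXX '
    'msg=Did not receive any log from device HQ-FGT[FGT100PLACEHOLDER] in last 1440 minutes. '
    'type=event desc=Device offline level=warning subtype=logdev time=13:58:10',
]


def parse_log(line: str) -> dict:
    """Split one key=value log line into a field -> value dictionary."""
    return dict(_KV_RE.findall(line.strip()))


def matches_filter(event: dict, generic_filter: str) -> bool:
    """Evaluate a field=="value" Generic Text Filter against a parsed event."""
    m = _FILTER_RE.match(generic_filter)
    if not m:
        raise ValueError(f"unsupported filter syntax: {generic_filter!r}")
    field, expected = m.groups()
    return event.get(field) == expected


def offline_devices(lines, generic_filter='desc=="Device offline"', min_matches=1):
    """Return [(device_name, serial, silent_minutes, event_time)] for every
    matching event, or [] when fewer than min_matches events match, mirroring
    the handler's 'Generate alert when at least N matches occurred' rule."""
    hits = []
    for line in lines:
        event = parse_log(line)
        if not matches_filter(event, generic_filter):
            continue
        m = _MSG_RE.search(event.get("msg", ""))
        name, serial, minutes = m.groups() if m else ("unknown", "unknown", "0")
        when = datetime.strptime(event["itime"], "%Y-%m-%d %H:%M:%S")
        hits.append((name, serial, int(minutes), when))
    return hits if len(hits) >= min_matches else []


def alert_body(hits) -> str:
    """Render the matched events as the text of the alert e-mail."""
    lines = [f"{len(hits)} device(s) stopped sending logs to FortiAnalyzer:"]
    for name, serial, minutes, when in hits:
        lines.append(f"  {name} [{serial}]: no logs for {minutes} minutes (reported {when:%Y-%m-%d %H:%M:%S})")
    return "\n".join(lines)


if __name__ == "__main__":
    found = offline_devices(SAMPLE_LOGS)
    print(alert_body(found) if found else "no alert: threshold not reached")
```

Running the script prints an alert listing BRANCH-FGT (17289 silent minutes) and HQ-FGT (1440 silent minutes) while ignoring the 'Disk usage' event; raising min_matches above the number of matching events suppresses the alert, which is the same effect as raising the match count in step 6.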

 


 

As mentioned, the Event Handler List is accessible under either FortiSoC or Incidents & Events, depending on the version of FortiAnalyzer, or whether FortiSoC is disabled.

 


 

How the alerts function:

 

1) FortiAnalyzer will generate a local log message when no logs have been received from a device in the configured time period.

 

2) The Event Handler will perform the configured action to send an email when the log is detected.

 

Related Articles:

Administration Guide: Event handlers

Technical Tip: How to create Event Handler for FortiAnalyzer Local Events

Technical Note: Use of Operators in Event Handler General Filter (syntax)