FortiGate
carabhavi
Staff
Article Id 194017

Description


This article describes how to create a FortiOS event log trigger that fires when a specific event log ID occurs, specifically how to select multiple event log IDs and apply log field filters.


Scope


FortiGate.


Solution


FortiGate 6.0, 6.2 and 6.4:

GUI:

1) Under FortiGate -> Security Fabric -> Automation, select 'Create New'.

2) Name: enter a name for reference.

3) FortiOS Event Log: Select the Event.

4) Action: Enable 'Email'.

5) Under 'To', enter the recipient email address.

6) Provide a subject for the email.

7) Select OK to save the changes.


The example above uses the 'Interface status change' event, which triggers whenever the status of an interface changes.


date=2019-10-31 time=17:24:19 logid="0100046600" type="event" subtype="system" level="notice" vd="root" eventtime=1572539059696936762 tz="+0100" logdesc="Automation stitch triggered" stitch="Test" trigger="Test" action="Test_email" from="log" msg="stitch:Test is triggered."


The event log sample above shows that the stitch was triggered successfully.

Note: Make sure to configure an Email server in FortiGate (under System -> Advanced -> Email Service).


FortiGate 7.0 and above:


There are multiple critical events and logs for which automated alerts can be created. With an automation stitch, FortiGate can be configured to send an alert email when a specific event log ID occurs.


1) Navigate to Security Fabric -> Automation and select Create New.

2) Enter the stitch name and description.

3) Select Add Trigger.

4) Select Create and select FortiOS Event Log.

5) Enter a name and description.

6) In the Event field, select the + to select multiple event log IDs.


The event options refer to the message meanings listed in the FortiOS Log Message Reference. The event ID and log name are displayed in the tooltip upon hovering the cursor over an entry.


7) In the Field filter(s) field, select the + to add multiple field filters. All the configured filters must match for the stitch to be triggered. Verify the logs and then select the fields from the log details. In this example, 'srcip' is used as a filter: if an IP address x.x.x.x attempts to log in to FortiGate and fails, it will trigger the stitch.


8) Select OK.

9) Select the trigger in the list and select Apply.

10) Select Add Action. Select the pencil icon to edit the Default Email entry.

11) Configure the fields as needed:


From now on, when a user with IP address x.x.x.x attempts to log in to FortiGate, the automation stitch will trigger and an email alert will be sent to the intended recipient.
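To make the trigger semantics concrete, the following is an added example (not part of this article or of FortiOS) that parses FortiOS key=value event log lines and applies the same rule the stitch uses: the logid must be one of the selected IDs, and every configured field filter must match. The sample log lines are constructed; the login-failure log ID and the srcip values used in them are assumptions, not values taken from the article.

```python
import re
from typing import Dict, Iterable, List

# FortiOS event logs are space-separated key=value pairs. Values are either
# quoted (msg="stitch:Test is triggered.") or bare (eventtime=1572539059696936762).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse one FortiOS log line into a dict of field name -> value."""
    fields = {}
    for m in _KV.finditer(line):
        name, quoted, bare = m.groups()
        fields[name] = quoted if quoted is not None else bare
    return fields


def stitch_matches(fields: Dict[str, str], logids: Iterable[str],
                   field_filters: Dict[str, str]) -> bool:
    """Model the event-log trigger: logid must be selected AND all field filters must match."""
    if fields.get("logid") not in set(logids):
        return False
    # The article's rule: every configured filter has to match, not just one of them.
    return all(fields.get(name) == value for name, value in field_filters.items())


def triggered_events(lines: Iterable[str], logids: Iterable[str],
                     field_filters: Dict[str, str]) -> List[Dict[str, str]]:
    """Return the parsed fields of every log line that would trigger the stitch."""
    return [f for f in map(parse_log_line, lines) if stitch_matches(f, logids, field_filters)]


# Constructed sample lines in the article's log format. The 10-digit logid
# "0100032002" is assumed here to stand for a failed admin login; srcip values are TEST-NET addresses.
SAMPLE_LOGS = [
    'date=2023-05-10 time=09:01:15 logid="0100032002" type="event" subtype="system" level="alert" '
    'vd="root" logdesc="Admin login failed" user="admin" ui="https(192.0.2.10)" srcip=192.0.2.10 '
    'msg="Administrator admin login failed from https(192.0.2.10)"',
    'date=2023-05-10 time=09:02:40 logid="0100032002" type="event" subtype="system" level="alert" '
    'vd="root" logdesc="Admin login failed" user="admin" srcip=198.51.100.7 msg="login failed"',
    'date=2023-04-29 time=13:42:08 logid="0100022922" type="event" subtype="system" level="notice" '
    'vd="root" logdesc="Link monitor status" name="Wan2Failover" interface="port1" probeproto="ping" '
    'msg="Link Monitor changed state from die to alive, protocol: ping." utmref=0:1682790128',
]

if __name__ == "__main__":
    # Stitch: trigger on the login-failure log ID, only when srcip is 192.0.2.10.
    for ev in triggered_events(SAMPLE_LOGS, ["0100032002"], {"srcip": "192.0.2.10"}):
        print(ev["date"], ev["time"], ev["logdesc"], ev["srcip"])
```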


An automation stitch can be configured using a specific event log ID taken from the logs on FortiGate. Search for the event by its log ID as follows:


date=2023-04-29 time=13:42:08 eventtime=1682790128981194164 tz="-0400" logid="0100022922" type="event" subtype="system" level="notice" vd="root" logdesc="Link monitor status" name="Wan2Failover" interface="port1" probeproto="ping" msg="Link Monitor changed state from die to alive, protocol: ping." utmref=0:1682790128


Related article:

- https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/950487/fortios-event-log-tri....

For assistance, contact Fortinet support.