FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nithincs
Staff
Article Id 257405
Description This article describes how to create an automation stitch for admin user login and logout events.
Scope FortiGate v6.4 and above.
Solution

FortiGate creates a log entry when an admin user logs in to and logs out of the FortiGate.

 

Login event:

 

date=2023-05-22 time=13:17:26 eventtime=1684754246523091187 tz="+0200" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1684754246" user="admin" ui="https(10.32.22.111)" method="https" srcip=10.32.22.111 dstip=10.40.19.15 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.32.22.111)"

 

Logout event:

 

date=2023-05-22 time=13:18:34 eventtime=1684754314759921964 tz="+0200" logid="0100032003" type="event" subtype="system" level="information" vd="root" logdesc="Admin logout successful" sn="1684754246" user="admin" ui="https(10.32.22.111)" method="https" srcip=10.32.22.111

 

For monitoring and documentation, it is possible to create an automation stitch on the FortiGate that sends an alert mail when an admin user logs in to or logs out of the FortiGate.

To create an automation stitch, follow these steps:

 

1) Configure the email server in FortiGate.

 

From GUI:

 

Go to System -> Settings -> Email Service.

It is possible to use the default setting, with notification.fortinet.net as the email server, or to select 'Use custom settings'.

 


 

From CLI:

 

config system email-server
    set reply-to "xxxx@test.com"
    set server "notification.fortinet.net"
    set port 465
    set security smtps
end

 

2) Configure automation:

 

Navigate to Security Fabric -> Automation and, under the Stitch tab, select Create New:

- Name the stitch.
- Select Trigger as 'FortiOS Event Log' and Event as 'Admin login successful'.
- Action: select Email and enter the address that should receive the mail.

Similarly, create the automation for the logout event.

 


 

From CLI:

Automation Stitch.

 

config system automation-stitch
    edit "Admin_login"
        set trigger "Admin_login"
        set action "Admin_login_email"
    next
    edit "Admin_logout"
        set trigger "Admin_logout"
        set action "Admin_logout_email"
    next
end

 

Automation trigger.

 

config system automation-trigger
    edit "Admin_login"
        set event-type event-log
        set logid 32001
    next
    edit "Admin_logout"
        set event-type event-log
        set logid 32003
    next
end

 

Automation action.

 

config system automation-action
    edit "Admin_login_email"
        set action-type email
        set email-to "xxxxx"
        set email-subject "Login"
        set minimum-interval 5
    next
    edit "Admin_logout_email"
        set action-type email
        set email-to "xxxxx"
        set email-subject "logout"
        set minimum-interval 5
    next
end

 

Result:

When the user logs in to and logs out of the firewall, an alert mail containing the log is received.

 

noreply@notification.fortinet.net
4:47 PM (0 minutes ago)
to me

FGT[FGVM010000017397] Automation Stitch:Admin_login is triggered.
date=2023-05-22 time=12:17:26 eventtime="1684754246523091187" tz="+0200" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1684754246" user="admin" ui="https(10.32.22.111)" method="https" srcip="10.32.22.111" dstip="10.40.19.15" action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.32.22.111)"

 


noreply@notification.fortinet.net
4:48 PM (0 minutes ago)
to me

FGT[FGVM010000017397] Automation Stitch:Admin_logout is triggered.
date=2023-05-22 time=12:18:35 eventtime="1684754314759921964" tz="+0200" logid="0100032003" type="event" subtype="system" level="information" vd="root" logdesc="Admin logout successful" sn="1684754246" user="admin" ui="https(10.32.22.111)" method="https" srcip="10.32.22.111" dstip="10.40.19.15" action="logout" status="success" duration="68" reason="exit" msg="Administrator admin logged out from https(10.32.22.111)"
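
The alert mails carry the full event log line, so they can be reviewed programmatically. The following is an added example, not part of the original article or Fortinet code: it parses the key=value log format shown above, pairs login and logout events by the sn field (which has the same value in both of the article's sample events) and flags logins whose srcip is outside an expected management network. The function names, the 10.32.22.0/24 management network and the third sample line are assumptions constructed for illustration.

```python
import ipaddress
import re

# key=value or key="quoted value"; the raw log and the alert mail quote fields differently.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
LOGIN_ID, LOGOUT_ID = "0100032001", "0100032003"  # logids shown in the article

def parse_event(line):
    """Return a dict of the fields in one FortiOS event log line."""
    return {key: quoted if quoted else bare for key, quoted, bare in FIELD_RE.findall(line)}

def review_admin_sessions(lines, mgmt_nets):
    """Pair login/logout events by 'sn' and flag logins from outside mgmt_nets."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    sessions = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("logid") == LOGIN_ID:
            src = ipaddress.ip_address(ev["srcip"])
            sessions[ev["sn"]] = {
                "user": ev["user"], "srcip": ev["srcip"], "profile": ev.get("profile"),
                "unexpected_source": not any(src in n for n in nets),
                "closed": False, "duration": None,
            }
        elif ev.get("logid") == LOGOUT_ID and ev.get("sn") in sessions:
            session = sessions[ev["sn"]]
            session["closed"] = True
            session["duration"] = int(ev["duration"]) if "duration" in ev else None
    return sessions

# Lines 1 and 2 are copied from the article's alert mails; line 3 is constructed
# (login from a documentation-range address, with no matching logout).
SAMPLE = [
    'date=2023-05-22 time=12:17:26 eventtime="1684754246523091187" tz="+0200" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1684754246" user="admin" ui="https(10.32.22.111)" method="https" srcip="10.32.22.111" dstip="10.40.19.15" action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.32.22.111)"',
    'date=2023-05-22 time=12:18:35 eventtime="1684754314759921964" tz="+0200" logid="0100032003" type="event" subtype="system" level="information" vd="root" logdesc="Admin logout successful" sn="1684754246" user="admin" ui="https(10.32.22.111)" method="https" srcip="10.32.22.111" dstip="10.40.19.15" action="logout" status="success" duration="68" reason="exit" msg="Administrator admin logged out from https(10.32.22.111)"',
    'date=2023-05-22 time=12:30:00 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" sn="1684758600" user="admin" ui="https(203.0.113.7)" method="https" srcip="203.0.113.7" dstip="10.40.19.15" action="login" status="success" profile="super_admin"',
]

if __name__ == "__main__":
    for sn, info in review_admin_sessions(SAMPLE, ["10.32.22.0/24"]).items():
        print(sn, info)
```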
