ojacinto (Staff)
Article Id 290275
Description

This article describes how to create an event handler in FortiAnalyzer that raises an alert on failed SSL VPN logins reported by FortiGate.
Scope

FortiAnalyzer v7.0.10 and later, v7.2.0 and later, v7.4.0 and later.

Solution

Log in to FortiAnalyzer and, under FortiSoc -> Handlers -> FortiGate Event Handlers, select 'Create New'.
Enter the details shown below:

[Screenshot: event handler details]

On the Devices tab, specify the device name or apply the handler to all FortiGates.
For the 'Match Criteria', it is necessary to use action = "ssl-login-fail".

[Screenshot: Devices tab and Match Criteria]

Define when the alert will be generated. In this case, the alert is generated when at least two matching events occur within a period of 1 minute. Additionally, it is possible to set a severity for the event and some Tags.

Email, SNMP and/or syslog alerts can be sent when the event is triggered.
See the Related KB articles section to review how an email server is configured to send alerts.
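To make the handler logic above concrete, the following is an added example (not FortiAnalyzer code and not part of the original article) that reproduces the same rule in Python: parse FortiGate-style key=value log lines, keep only those with action="ssl-login-fail", and raise an alert when at least two such events fall within a 60-second window. Grouping per device (the devname field), the reset of the window after an alert fires, and the sample log lines are assumptions made for the example; the sample lines are constructed and use documentation IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# FortiGate logs are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample log lines (not real device output). Only the
# action="ssl-login-fail" records are relevant to the handler.
SAMPLE_LOGS = [
    'date=2023-12-20 time=10:00:05 devname="FGT-A" type="event" subtype="vpn" '
    'action="ssl-login-fail" remip=198.51.100.10 user="alice" msg="SSL VPN login failed"',
    'date=2023-12-20 time=10:00:20 devname="FGT-A" type="event" subtype="vpn" '
    'action="ssl-login" remip=198.51.100.20 user="carol" msg="SSL VPN login succeeded"',
    'date=2023-12-20 time=10:00:40 devname="FGT-A" type="event" subtype="vpn" '
    'action="ssl-login-fail" remip=198.51.100.10 user="alice" msg="SSL VPN login failed"',
    'date=2023-12-20 time=10:02:00 devname="FGT-B" type="event" subtype="vpn" '
    'action="ssl-login-fail" remip=203.0.113.7 user="bob" msg="SSL VPN login failed"',
    'date=2023-12-20 time=10:03:30 devname="FGT-B" type="event" subtype="vpn" '
    'action="ssl-login-fail" remip=203.0.113.7 user="bob" msg="SSL VPN login failed"',
    'date=2023-12-20 time=10:03:50 devname="FGT-B" type="event" subtype="vpn" '
    'action="ssl-login-fail" remip=203.0.113.7 user="bob" msg="SSL VPN login failed"',
]


def parse_log(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def event_time(fields):
    """Combine the date and time fields into a datetime."""
    return datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")


class EventHandler:
    """Sliding-window threshold rule: N matching events within W seconds, per group."""

    def __init__(self, action="ssl-login-fail", threshold=2, window_seconds=60,
                 group_key="devname"):
        self.action = action
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.group_key = group_key          # assumption: group by reporting device
        self.history = defaultdict(deque)   # group -> recent (timestamp, fields)
        self.counts = defaultdict(int)      # group -> number of alerts fired

    def process(self, fields):
        """Feed one parsed log record; return an alert dict when the rule fires."""
        if fields.get("action") != self.action:
            return None
        group = fields.get(self.group_key, "unknown")
        ts = event_time(fields)
        recent = self.history[group]
        recent.append((ts, fields))
        # Drop events that fell out of the window relative to the newest one.
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.counts[group] += 1
            alert = {
                "device": group,
                "count": len(recent),
                "users": sorted({f.get("user", "") for _, f in recent}),
                "first": recent[0][0].isoformat(),
                "last": ts.isoformat(),
            }
            recent.clear()  # assumption: each alert consumes the events that caused it
            return alert
        return None


def run(lines, **handler_kwargs):
    """Run the handler over raw log lines and collect the alerts it produces."""
    handler = EventHandler(**handler_kwargs)
    alerts = []
    for line in lines:
        alert = handler.process(parse_log(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

With the sample lines, FGT-A fires once (two failures 35 seconds apart), and FGT-B fires once: its first two failures are 90 seconds apart and do not count together, but the second and third fall within 20 seconds. Raising the threshold to three produces no alert, which is the knob to tune if the handler proves too noisy in a given environment.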

 

Test:
Assuming that the FortiGate is already sending logs to the FortiAnalyzer and has the correct configuration for the SSL VPN users, perform two failed SSL VPN connections within 1 minute to trigger the FortiAnalyzer event.

In the FortiView logs, it is possible to see those failure events:

[Screenshot: FortiView log entries]

To see how the event handler is executed, run the debug before testing the SSL VPN connection:

diagnose debug application oftpd 8
diagnose debug enable

If there are many managed devices on the FortiAnalyzer, set a filter on the debug:


FAZVM64 # diagnose debug application oftpd 8
<IP/deviceSerial/deviceName>    <----- Only show (IP/deviceSerial/deviceName) related messages. "" to reset.


After triggering the ssl-login-fail events, the FortiAnalyzer debug will show the event handler information:

[Screenshot: oftpd debug output]

Under FortiSoc -> Handlers -> FortiGate Event Handlers, the 'Events' column shows the count increasing every time the handler is triggered.

 

Related Article: