Event handler
The Event Handler page lets you view, create, edit, delete, clone, and search event handlers. These options are available in the toolbar; the right-click menu offers the same options and additionally lets you enable or disable configured event handlers. An event handler can apply to a specific device, to multiple devices, or to the local FortiAnalyzer, and can be created for either traffic logs or event logs.
FortiAnalyzer v5.2.0 or later includes nine default event handlers for FortiGate and FortiCarrier devices. Click an event handler name to enable or disable it and to assign devices to it.
Table 7: Default event handlers
Event Handler | Description |
Antivirus Event | Severity: High. Log Type: Traffic Log. Event Category: AntiVirus. Group by: Virus Name. Log messages that match all conditions: Level Greater Than or Equal To Information. |
App Ctrl (Application Control) Event | Severity: Medium. Log Type: Traffic Log. Event Category: Application Control. Group by: Application Name. Log messages that match any of the following conditions: Application Category Equal To Botnet; Application Category Equal To Proxy. |
DLP Event | Severity: Medium. Log Type: Traffic Log. Event Category: DLP. Group by: DLP Rule Name. Log messages that match all conditions: Security Action Equal To Blocked. |
UTM Antivirus Event | Severity: High. Log Type: Virus. Group by: Virus Name. Log messages that match all conditions: Level Greater Than or Equal To Information. |
UTM App Ctrl (Application Control) Event | Severity: Medium. Log Type: Application Control. Group by: Application Name. Log messages that match any of the following conditions: Application Category Equal To Botnet; Application Category Equal To Proxy. |
UTM DLP Event | Severity: Medium. Log Type: DLP. Group by: DLP Rule Name. Log messages that match all conditions: Action Equal To Blocked. |
UTM IPS Event | Severity: High. Log Type: IPS. Group by: Attack Name. Log messages that match all conditions: Severity Equal To Critical. |
UTM Web Filter Event | Severity: Medium. Log Type: Web Filter. Group by: Category. Log messages that match any of the following conditions: Web Category Equal To Child Abuse, Discrimination, Drug Abuse, Explicit Violence, Extremist Groups, Hacking, Illegal or Unethical, Plagiarism, Proxy Avoidance, Malicious Websites, Phishing, Spam URLs. |
Web Filter | Severity: Medium. Log Type: Traffic Log. Event Category: WebFilter. Group by: Hostname URL. Log messages that match any of the following conditions: Web Category Equal To Child Abuse, Discrimination, Drug Abuse, Explicit Violence, Extremist Groups, Hacking, Illegal or Unethical, Plagiarism, Proxy Avoidance, Malicious Websites, Phishing, Spam URLs. |
All nine default event handlers share the same notification setting. Event Handling: Generate alert when at least 1 matches occurred over a period of 30 minutes. Select one of the following: Send Alert Email, Send SNMP Trap to, Send Alert to Syslog Server.
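To make the matching and threshold semantics in the table concrete, the following is an added example (not Fortinet's code and not taken from this page) that re-implements three of the default handlers (UTM IPS Event, UTM App Ctrl Event, UTM Antivirus Event) in Python and runs them over constructed FortiGate-style key=value log lines. The mapping of the table's Log Type to `type=`/`subtype=` values, the field names used (`severity`, `attack`, `appcat`, `app`, `virus`, `level`) and the sample log lines are all assumptions made for the example; the page does not expose how FortiAnalyzer evaluates handlers internally.

```python
"""Re-implementation of FortiAnalyzer event handler matching and thresholding
(added example, not Fortinet's code). Log lines are constructed in the
FortiGate key=value style; the Log Type -> type=/subtype= mapping is assumed."""
from __future__ import annotations

import shlex
from collections import defaultdict
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

# Ordering used by the "Level Greater Than or Equal To" condition (low to high).
LEVELS = ["debug", "information", "notice", "warning", "error",
          "critical", "alert", "emergency"]


def parse_log_line(line: str) -> dict[str, str]:
    """Parse one key=value log line; shlex handles double-quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def parse_logs(text: str) -> list[dict[str, str]]:
    return [parse_log_line(ln) for ln in text.splitlines() if ln.strip()]


@dataclass(frozen=True)
class Condition:
    field: str
    op: str            # "eq" (Equal To) or "level_ge" (Level Greater Than or Equal To)
    value: str

    def matches(self, rec: dict[str, str]) -> bool:
        actual = rec.get(self.field, "").lower()
        if self.op == "eq":
            return actual == self.value.lower()
        if self.op == "level_ge":
            return actual in LEVELS and LEVELS.index(actual) >= LEVELS.index(self.value.lower())
        raise ValueError(f"unknown operator {self.op}")


@dataclass(frozen=True)
class Alert:
    handler: str
    severity: str
    group: str      # value of the Group By field
    count: int      # matches in the densest window


@dataclass
class EventHandler:
    name: str
    severity: str
    log_type: dict[str, str]      # assumed mapping of the table's Log Type
    group_by: str
    conditions: tuple[Condition, ...]
    match_all: bool = True        # True = "match all", False = "match any"
    min_matches: int = 1          # "at least N matches ..."
    window: timedelta = timedelta(minutes=30)   # "... over a period of M minutes"

    def selects(self, rec: dict[str, str]) -> bool:
        if any(rec.get(k) != v for k, v in self.log_type.items()):
            return False
        hits = [c.matches(rec) for c in self.conditions]
        return all(hits) if self.match_all else any(hits)

    def with_threshold(self, min_matches: int, window_minutes: int) -> "EventHandler":
        return replace(self, min_matches=min_matches, window=timedelta(minutes=window_minutes))


def evaluate(handler: EventHandler, records: list[dict[str, str]]) -> list[Alert]:
    """Group matching records by the Group By field; alert on each group whose
    densest time window holds at least min_matches events."""
    by_group: dict[str, list[datetime]] = defaultdict(list)
    for rec in records:
        if handler.selects(rec):
            ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            by_group[rec.get(handler.group_by, "")].append(ts)
    alerts = []
    for group, stamps in by_group.items():
        stamps.sort()
        best = left = 0
        for right, t in enumerate(stamps):       # sliding window over sorted times
            while t - stamps[left] > handler.window:
                left += 1
            best = max(best, right - left + 1)
        if best >= handler.min_matches:
            alerts.append(Alert(handler.name, handler.severity, group, best))
    return alerts


# Three of the default handlers from Table 7, with assumed field mappings.
UTM_IPS = EventHandler("UTM IPS Event", "High", {"type": "utm", "subtype": "ips"},
                       "attack", (Condition("severity", "eq", "Critical"),))
UTM_APP_CTRL = EventHandler("UTM App Ctrl Event", "Medium", {"type": "utm", "subtype": "app-ctrl"},
                            "app", (Condition("appcat", "eq", "Botnet"),
                                    Condition("appcat", "eq", "Proxy")), match_all=False)
UTM_ANTIVIRUS = EventHandler("UTM Antivirus Event", "High", {"type": "utm", "subtype": "virus"},
                             "virus", (Condition("level", "level_ge", "Information"),))


def run_default_handlers(logs: str) -> dict[str, list[Alert]]:
    records = parse_logs(logs)
    return {h.name: evaluate(h, records) for h in (UTM_IPS, UTM_APP_CTRL, UTM_ANTIVIRUS)}


# Constructed sample lines (not real device output).
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:05 type=utm subtype=ips level=alert severity=critical attack="Constructed.Exploit.A" srcip=10.0.0.5 action=dropped
date=2024-05-01 time=10:10:12 type=utm subtype=ips level=warning severity=medium attack="Constructed.Scan.B" srcip=10.0.0.6 action=detected
date=2024-05-01 time=10:15:44 type=utm subtype=app-ctrl level=warning appcat="Proxy" app="Constructed.Proxy.Tool" action=block
date=2024-05-01 time=10:16:02 type=utm subtype=app-ctrl level=information appcat="Collaboration" app="Constructed.Chat" action=pass
date=2024-05-01 time=10:20:30 type=utm subtype=virus level=warning virus="Constructed.Test.Sample" action=blocked
date=2024-05-01 time=12:40:00 type=utm subtype=ips level=alert severity=critical attack="Constructed.Exploit.A" srcip=10.0.0.7 action=dropped
"""

if __name__ == "__main__":
    for name, alerts in run_default_handlers(SAMPLE_LOGS).items():
        print(name, alerts)
```

With the default "at least 1 matches over 30 minutes" every handler fires on the first matching line. Calling `UTM_IPS.with_threshold(2, 30)` suppresses the IPS alert, because the two critical hits for the same attack name are more than two hours apart, while `with_threshold(2, 180)` raises it again with a count of 2; that is the effect of tuning the match count and period when a handler is too noisy.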
Go to the Event Management tab and select Event Handler in the tree menu.
Figure 114: Event handler page
The following information is displayed:
Status | Whether the event handler is enabled or disabled. |
Name | The name of the event handler. |
Filters | The filters that are configured for the event handler. |
Event Type | The event category of the event handler. One of the following: AntiVirus, Application Control, DLP, IPS, WebFilter. |
Devices | The devices that you have configured for the event handler. This field either displays All Devices or lists each device. When you have configured an event handler for local logs, Local FortiAnalyzer is displayed. Local FortiAnalyzer is available in the root ADOM only and is used to query FortiAnalyzer event logs. |
Severity | The severity that you configured for the event handler: Critical, High, Medium, or Low. |
Send Alert to | The email address, SNMP server, or syslog server that has been configured for the event handler. |
Right-click on an event handler in the list to open the right-click menu. The following options are available:
Create New | Select to create a new event handler. This option is available in the toolbar and right-click menu. See “To create a new event handler:” on page 160. |
Edit | Select an event handler and select edit to make changes to the entry. This option is available in the toolbar and right-click menu. See “To edit an event handler:” on page 163. |
Delete | Select one or all event handlers and select delete to remove the entry or entries. This option is available in the toolbar and right-click menu. The default event handlers cannot be deleted. See “To delete an event handler:” on page 164. |
Clone | Select an event handler in this page and click to clone the entry. A cloned entry will have Copy added to its name field. You can rename the cloned entry while editing the event handler. This option is available in the toolbar and right-click menu. See “To clone an event handler:” on page 164. |
Enable | Select to enable the event handler. |
Disable | Select to disable the event handler. |
Thanks for the nice share. I have some confusion regarding SNMP community and syslog server. I want to know what this is and for which purpose you want to use this. Would you please simplify these things.