Event Management

Manage event handlers

You can create traffic, event, and extended log handlers to monitor network traffic and events based on specific log filters. These log handlers can then be edited, deleted, cloned, and enabled or disabled as needed.

To create a new event handler:

  1. Go to Event Management > Event Handler.
  2. Select Create New in the toolbar, or right-click on an entry and select Create New in the right-click menu.

The Create New Event Handler dialog box is displayed.

Figure 115: Create new event handler dialog box

  3. Enter a name for the new event handler and select OK.

The Event Handler page opens with the Definition tab displayed.

Figure 116: Create event handler definition page

  4. Configure the following settings:

Status: Enable or disable the event handler.

•       Enabled

•       Disabled

Name: Edit the name if required.

Description: Enter a description for the event handler.

Devices: Select All Devices, or select Specify and use the add icon to add devices. Select Local FortiAnalyzer if the event handler is for local FortiAnalyzer event logs.

Local FortiAnalyzer is available in the root ADOM only and is used to query FortiAnalyzer event logs.

Severity: Select the severity from the drop-down list. Select one of the following:

•       Critical

•       High

•       Medium

•       Low

Filters

Log Type: Select the log type from the drop-down list. The available options are: Traffic Log, Event Log, Application Control, DLP, IPS, Virus, and Web Filter.

The Log Type is Event Log when Devices is Local FortiAnalyzer.

Event Category: Select the category of event that this handler will monitor from the drop-down list.

•       AntiVirus

•       Application Control

•       DLP

•       IPS

•       WebFilter

•       Others

This option is only available when Log Type is set to Traffic Log and Devices is set to All Devices or Specify.

Group by: Select the criterion by which the information will be grouped.

This option is not available when Log Type is set to Traffic Log.

Log message that match: Select either All or Any of the Following Conditions.

When Devices is Local FortiAnalyzer, this option is not available.

Add Filter: Select the add icon to add log filters.

When Devices is Local FortiAnalyzer, this option is not available.

You can only set one log field filter.

Log Field: Select a log field to filter from the drop-down list. The available options will vary depending on the selected log type.

Match Criteria: Select a match criterion from the drop-down list. The available options will vary depending on the selected log field.

Value: Either select a value from the drop-down list, or enter a value in the text box. The available options will vary depending on the selected log field.

Delete: Select the delete icon to delete the filter. A minimum of one filter is required.

Generic Text Filter: Enter a generic text filter. For more information on creating a text filter, hover the cursor over the help icon.

  5. Select Apply to save the Definition
  6. Select the Notification

Figure 117: Notification tab

  7. Configure the following settings:

Generate alert when at least: Enter threshold values to generate alerts. In the first text box, enter the number of each type of event that can occur in the number of minutes entered in the second text box.

Send Alert Email: Select the checkbox to enable. Enter an email address in the To and From text fields, enter a subject in the Subject field, and select the email server from the drop-down list. Select the add icon to add an email server. For information on creating a new mail server, see “Mail server” on page 108.

Send SNMP Trap to: Select the checkbox to enable this feature. Select an SNMP community from the drop-down list. Select the add icon to add an SNMP community. For information on creating a new SNMP community, see “To create a new SNMP community:” on page 106.

Send Alert to Syslog Server: Select the checkbox to enable this feature. Select a syslog server from the drop-down list. Select the add icon to add a syslog server. For information on creating a new syslog server, see “Syslog server” on page 108.

  8. Select Apply to create the new event handler.
  9. Select Return to return to the Event Handler
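
A model of how the settings above combine (log type, filter conditions, Group by, and the "Generate alert when at least" threshold), useful for reasoning about tuning before enabling a handler. This is an added example, not FortiAnalyzer code: the field names, match criteria names, sample logs, sliding-window evaluation and re-arm behaviour are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical handler mirroring the Definition and Notification tab settings.
HANDLER = {
    "log_type": "IPS",
    "group_by": "srcip",                              # assumed field name
    "match": "all",                                   # "all" or "any" of the conditions
    "filters": [("severity", "equals", "critical")],  # (log field, match criteria, value)
    "threshold": 3,                                   # alert when at least 3 events...
    "window_minutes": 5,                              # ...occur within 5 minutes
}
OPS = {"equals": lambda a, b: a == b, "contains": lambda a, b: b in a}  # assumed names

def make_log(minute, log_type, severity, srcip):
    return {"time": datetime(2024, 1, 1, 10, minute), "type": log_type,
            "severity": severity, "srcip": srcip}

# Constructed sample logs (not real device output).
SAMPLE_LOGS = [
    make_log(0, "IPS", "critical", "10.0.0.5"), make_log(1, "IPS", "critical", "10.0.0.5"),
    make_log(2, "IPS", "high", "10.0.0.5"), make_log(3, "IPS", "critical", "10.0.0.5"),
    make_log(4, "IPS", "critical", "10.0.0.9"), make_log(5, "Virus", "critical", "10.0.0.5"),
    make_log(12, "IPS", "critical", "10.0.0.9"), make_log(13, "IPS", "critical", "10.0.0.9"),
]

def matches(handler, log):
    # Apply the log type, then the All/Any filter conditions, to one log.
    if log["type"] != handler["log_type"]:
        return False
    hits = [OPS[op](str(log.get(field, "")), value)
            for field, op, value in handler["filters"]]
    return all(hits) if handler["match"] == "all" else any(hits)

def evaluate(handler, logs):
    # Return (group key, time, count) for each threshold crossing.
    window = timedelta(minutes=handler["window_minutes"])
    recent, alerts = defaultdict(deque), []
    for log in sorted(logs, key=lambda entry: entry["time"]):
        if not matches(handler, log):
            continue
        key = log.get(handler["group_by"], "unknown")
        times = recent[key]
        times.append(log["time"])
        while log["time"] - times[0] > window:    # drop events older than the window
            times.popleft()
        if len(times) >= handler["threshold"]:
            alerts.append((key, log["time"], len(times)))
            times.clear()                         # re-arm so one burst yields one alert
    return alerts
```

Calling evaluate(HANDLER, SAMPLE_LOGS) yields a single alert for 10.0.0.5: the high-severity and Virus entries are filtered out, and the 10.0.0.9 events are spread too far apart to reach the threshold.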

To edit an event handler:

  1. Go to Event Management > Event Handler.
  2. Select an event handler entry and either select Edit in the toolbar, or right-click on the entry and select Edit in the pop-up menu. The Edit Event Handler page opens.
  3. Edit the settings as required.
  4. Select Apply to save the configuration.
  5. Select Return to return to the Event Handler

To clone an event handler:

  1. Go to Event Management > Event Handler.
  2. Select an event handler entry and either select Clone in the toolbar, or right-click on the entry and select Clone in the pop-up menu. The Clone Event Handler window opens.
  3. Edit the settings as required.
  4. Select Apply to save the configuration.
  5. Select Return to return to the Event Handler

To delete an event handler:

  1. Go to Event Management > Event Handler.
  2. Select an event handler entry and either select Delete in the toolbar, or right-click on the entry and select Delete in the pop-up menu.
  3. Select OK in the confirmation dialog box to delete the event handler.

To enable an event handler:

  1. Go to Event Management > Event Handler.
  2. Select an event handler entry, right-click and select Enable in the pop-up menu. The status field will display an enabled icon.

To disable an event handler:

  1. Go to Event Management > Event Handler.
  2. Select an event handler entry, right-click and select Disable in the pop-up menu. The status field will display a disabled icon.

One thought on “Event Management”

  1. mike

    Thanks for nice share. I have some confusion regarding SNMP community and syslog server. I want to know what is thus, which purpose you want to use this. Would you please simplify thus things.
