Event details
The Event Details page provides a summary of the event, including the event name, severity, type, count, additional information, last occurrence, device, event handler, raw log entries, and review notes. You can also acknowledge and print events from this page.
Events
To view log messages associated with an event:
- In the events list, either double-click an event, or right-click it and select View Details from the right-click menu. The Event Details page opens.
Event details page
The following information and options are available:
| Option | Description |
| --- | --- |
| Print | Select the print icon to print the Event Details page. The log details pane is not printed. |
| Return | Select the return icon to return to the All Events page. |
| Event Name | The name of the event, also displayed in the title bar. |
| Severity | The severity level configured for the event handler. |
| Type | The event category of the event handler. |
| Count | The number of logged events associated with the event. |
| Additional Info | This field displays either additional information for the event or a link to the FortiGuard Encyclopedia. A link is displayed for AntiVirus, Application Control, and IPS event types. |
| Last Occurrence | The date and time of the last occurrence. |
| Device | The device hostname associated with the event. |
| Event Handler | The name of the event handler associated with the event. Select the link to edit the event handler. See Event handler. |
| Text box | Optionally, you can enter a comment of up to 1023 characters in the text field. Select the save icon to save the comment, or cancel to discard your changes. |
| Logs | The logs associated with the event are displayed. The columns and log fields depend on the event type. |
| Pagination | Adjust the number of logs listed per page and browse through the pages. |
| Log details | Log details are shown in the lower content pane for the selected log. The details vary based on the log type. |
- Select the return icon to return to the All Events page.
Acknowledge events
You can acknowledge events to remove them from the event list. An option on this page lets you show or hide acknowledged events.
To acknowledge events:
- From the event list, select the event or events that you would like to acknowledge.
- Right-click and select Acknowledge in the right-click menu.
- Select the Show Acknowledge checkbox in the toolbar to view acknowledged events.
What if FortiManager and Analyzer functions are split into separate machines?
On FAZ I can see only “Local FortiAnalyzer” as a source of such System events. FortiManager system events are not even displayed in FortiView->Event->System.
Is there a way to get system events from FortiManager on a separate machine to trigger an event via EventManager on the (separated) FortiAnalyzer?
Plotr,
I am having a hard time understanding what you are trying to do. Are you trying to log your FortiManager to the FortiAnalyzer and view all system events etc there? Let me know and I will see if I can help!
Hello Mike,
I have FortiManager (FMG) and FortiAnalyzer (FAZ) functionality running on separate machines.
My goal is to have all EventLogs of type System available on FAZ (where such System logs from remote enforcement modules like FortiGate are already stored).
Then I want to have an EventManager Handler on FAZ to react to different administrator activity events – so far it only works on logs collected from FortiGates (or eventually the local FAZ, as there is a radio button selecting this source).
I have set up such a handler, which is sensitive to admin login, configuration changes etc.
When one of the admins changes something via FMG, such activity is not seen by the EventHandler because FMG system logs are not stored in FAZ. I do not know if there is a way to deliver FMG system logs to FAZ like FortiGates do, so the information stored in them can be used in FAZ to trigger events.
Otherwise this EventHandler (on FAZ) has incomplete information (it has admin activity from FortiGates but not from FMG) – and I cannot treat it as a 100% reliable source of information about all entry points where admins can enter the system and, for example, change the configuration.
This is needed for supervision of administrator activity.
Sorry for the bad language and hard-to-understand explanation.
Thank you in advance for your effort.
The FMG can log to a syslog device. The FortiAnalyzer will have minimal understanding of this. I would set up logging and alerts on the FortiManager itself, most likely, if you want alerts of changes etc. Either that or just have it dump to a SIEM like Splunk or ArcSight (I prefer Splunk for cost of deployment etc). I reached out to my Fortinet SE just to verify, and outside of SYSLOG there is no real “direct logging” to a FAZ from a FMG. I am sure someone out there has found a way to hack something up but I have not personally ever tried.