Event Management – FortiManager 5.2

Event handler

The Event Handler page lets you view, create, edit, delete, clone, and search event handlers. These options are available in the toolbar; the right-click menu offers the same options and additionally lets you enable or disable configured event handlers. You can create event handlers for a specific device, for multiple devices, or for the local FortiManager, and each handler can be based on either traffic logs or event logs.

FortiManager v5.2.0 or later includes default event handlers for FortiGate and FortiCarrier devices. Click on the event handler name to enable or disable the event handler and to assign devices to the event handler.

Default event handlers

Event Handler   Description

Antivirus Event
    - Severity: High
    - Log Type: Traffic Log
    - Event Category: AntiVirus
    - Group by: Virus Name
    - Log messages that match all conditions:
        - Level Greater Than or Equal To Information

App Ctrl Event
    - Severity: Medium
    - Log Type: Traffic Log
    - Event Category: Application Control
    - Group by: Application Name
    - Log messages that match any of the following conditions:
        - Application Category Equal To Botnet
        - Application Category Equal To Proxy

Conserve Mode
    - Severity: Critical
    - Log Type: Event Log
    - Event Category: System
    - Group by: Message
    - Log messages that match all conditions:
        - Log Description Equal To System services entered conserve mode

DLP Event
    - Severity: Medium
    - Log Type: Traffic Log
    - Event Category: DLP
    - Group by: DLP Rule Name
    - Log messages that match all conditions:
        - Security Action Equal To Blocked

HA Failover
    - Severity: Medium
    - Log Type: Event Log
    - Event Category: HA
    - Group by: Log Description
    - Log messages that match all conditions:
        - Log Description Equal To Virtual cluster move member

Interface Down
    - Severity: High
    - Log Type: Event Log
    - Event Category: System
    - Group by: Message
    - Log messages that match all conditions:
        - Action Equal To interface-stat-change
        - Status Equal To DOWN

Interface Up
    - Severity: Medium
    - Log Type: Event Log
    - Event Category: System
    - Group by: Message
    - Log messages that match all conditions:
        - Action Equal To interface-stat-change
        - Status Equal To UP

IPS – Critical Severity
    - Severity: Critical
    - Log Type: IPS
    - Group by: Attack Name
    - Log messages that match all conditions:
        - Severity Equal To Critical

IPS – High Severity
    - Severity: High
    - Log Type: IPS
    - Group by: Attack Name
    - Log messages that match all conditions:
        - Severity Equal To High

IPS – Medium Severity
    - Severity: Medium
    - Log Type: IPS
    - Group by: Attack Name
    - Log messages that match all conditions:
        - Severity Equal To Medium

IPS – Low Severity
    - Severity: Low
    - Log Type: IPS
    - Group by: Attack Name
    - Log messages that match all conditions:
        - Severity Equal To Low

IPsec Phase2 Down
    - Severity: Medium
    - Log Type: Event Log
    - Event Category: VPN
    - Group by: VPN Tunnel
    - Log messages that match all conditions:
        - Action Equal To phase2-down

IPsec Phase2 Up
    - Severity: Medium
    - Log Type: Event Log
    - Event Category: VPN
    - Group by: VPN Tunnel
    - Log messages that match all conditions:
        - Action Equal To phase2-up

Local Device Event
    - Devices: Local FortiManager
    - Severity: Medium
    - Log Type: Event Log
    - Event Category: Endpoint
    - Log messages that match all conditions:
        - Level Greater Than or Equal To Warning

Power Supply Failure
    - Severity: Critical
    - Log Type: Event Log
    - Event Category: System
    - Group by: Message
    - Log messages that match any of the following conditions:
        - Action Equal To power-supply-monitor
        - Status Equal To failure

UTM Antivirus Event
    - Severity: High
    - Log Type: Virus
    - Group by: Virus Name
    - Log messages that match all conditions:
        - Level Greater Than or Equal To Information

UTM App Ctrl Event
    - Severity: Medium
    - Log Type: Application Control
    - Group by: Application Name
    - Log messages that match any of the following conditions:
        - Application Category Equal To Botnet
        - Application Category Equal To Proxy

UTM DLP Event
    - Severity: Medium
    - Log Type: DLP
    - Group by: DLP Rule Name
    - Log messages that match all conditions:
        - Action Equal To Block

UTM Web Filter Event
    - Severity: Medium
    - Log Type: Web Filter
    - Group by: Category
    - Log messages that match any of the following conditions:
        - Web Category Equal To Child Abuse, Discrimination, Drug Abuse, Explicit Violence, Extremist Groups, Hacking, Illegal or Unethical, Plagiarism, Proxy Avoidance, Malicious Websites, Phishing, Spam URLs

Web Filter Event
    - Severity: Medium
    - Log Type: Traffic Log
    - Event Category: WebFilter
    - Group by: Category
    - Log messages that match any of the following conditions:
        - Web Category Equal To Child Abuse, Discrimination, Drug Abuse, Explicit Violence, Extremist Groups, Hacking, Illegal or Unethical, Plagiarism, Proxy Avoidance, Malicious Websites, Phishing, Spam URLs
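Each default handler above reduces to the same shape: a Log Type / Event Category pre-filter, a list of field conditions combined with "match all" or "match any" semantics, and a Group by field that collapses matching logs into one event per group. The following Python is an added example, not FortiManager's own code, that applies three of the listed handlers (Interface Down, Power Supply Failure, Conserve Mode) to constructed FortiGate-style key=value log lines. The mapping of the table's column names onto log fields (Log Type "Event Log" to type=event, Event Category "System" to subtype=system, Action to action, Status to status, Log Description to logdesc, Message to msg) and the severity-level ordering used for "Level Greater Than or Equal To" are assumptions made for the example.

```python
import re
from collections import defaultdict

# Syslog severity names from most to least severe. Assumed ordering used to
# evaluate "Level Greater Than or Equal To <level>" (meaning: at least that severe).
LEVEL_ORDER = ["emergency", "alert", "critical", "error",
               "warning", "notice", "information", "debug"]
LEVEL_RANK = {name: rank for rank, name in enumerate(LEVEL_ORDER)}

# key=value tokens; values are either double-quoted or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line):
    """Parse one key=value log line into a dict of string fields."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def condition_matches(log, field, op, value):
    """Evaluate a single handler condition against one parsed log."""
    actual = log.get(field)
    if actual is None:
        return False
    if op == "equal":                      # "Equal To" (case-insensitive)
        return actual.lower() == value.lower()
    if op == "level_ge":                   # "Level Greater Than or Equal To"
        return (actual.lower() in LEVEL_RANK
                and LEVEL_RANK[actual.lower()] <= LEVEL_RANK[value.lower()])
    raise ValueError(f"unknown operator {op!r}")


# Three of the default handlers from the table, using the assumed field mapping
# described in the lead-in (type/subtype/action/status/logdesc/msg).
HANDLERS = [
    {"name": "Interface Down", "severity": "High", "log_type": "event",
     "category": "system", "match": "all", "group_by": "msg",
     "conditions": [("action", "equal", "interface-stat-change"),
                    ("status", "equal", "DOWN")]},
    {"name": "Power Supply Failure", "severity": "Critical", "log_type": "event",
     "category": "system", "match": "any", "group_by": "msg",
     "conditions": [("action", "equal", "power-supply-monitor"),
                    ("status", "equal", "failure")]},
    {"name": "Conserve Mode", "severity": "Critical", "log_type": "event",
     "category": "system", "match": "all", "group_by": "msg",
     "conditions": [("logdesc", "equal", "System services entered conserve mode")]},
]

# Constructed sample log lines in FortiGate key=value style (not captured from a device).
SAMPLE_LOGS = [
    'date=2016-01-15 time=10:01:02 devname=FGT-LAB type=event subtype=system level=notice '
    'logdesc="Interface status changed" action="interface-stat-change" status="DOWN" '
    'msg="Interface port1 is down"',
    'date=2016-01-15 time=10:01:03 devname=FGT-LAB type=event subtype=system level=notice '
    'logdesc="Interface status changed" action="interface-stat-change" status="DOWN" '
    'msg="Interface port2 is down"',
    'date=2016-01-15 time=10:02:10 devname=FGT-LAB type=event subtype=system level=notice '
    'logdesc="Interface status changed" action="interface-stat-change" status="UP" '
    'msg="Interface port1 is up"',
    'date=2016-01-15 time=10:05:00 devname=FGT-LAB type=event subtype=system level=critical '
    'action="power-supply-monitor" status="failure" msg="Power supply 2 failure"',
    'date=2016-01-15 time=10:06:00 devname=FGT-LAB type=event subtype=system level=notice '
    'action="power-supply-monitor" status="ok" msg="Power supply 2 ok"',
    'date=2016-01-15 time=10:07:30 devname=FGT-LAB type=event subtype=system level=critical '
    'logdesc="System services entered conserve mode" msg="Entered conserve mode: memory usage high"',
    'date=2016-01-15 time=10:08:00 devname=FGT-LAB type=event subtype=vpn level=notice '
    'action="phase2-up" msg="progress IPsec phase 2"',
]


def run_handlers(lines, handlers=HANDLERS):
    """Apply each handler to every line; return {handler name: {group value: [logs]}}."""
    results = {h["name"]: defaultdict(list) for h in handlers}
    for line in lines:
        log = parse_log(line)
        for h in handlers:
            # Log Type and Event Category act as a pre-filter before the conditions.
            if log.get("type") != h["log_type"] or log.get("subtype") != h["category"]:
                continue
            outcomes = [condition_matches(log, *cond) for cond in h["conditions"]]
            fired = all(outcomes) if h["match"] == "all" else any(outcomes)
            if fired:
                results[h["name"]][log.get(h["group_by"], "")].append(log)
    return {name: dict(groups) for name, groups in results.items()}


def summarize(results, handlers=HANDLERS):
    """One (handler, severity, event groups, raw log count) row per handler that fired."""
    severity = {h["name"]: h["severity"] for h in handlers}
    return [(name, severity[name], len(groups), sum(len(v) for v in groups.values()))
            for name, groups in results.items() if groups]


if __name__ == "__main__":
    for row in summarize(run_handlers(SAMPLE_LOGS)):
        print("%-22s severity=%-8s groups=%d logs=%d" % row)
```

Running the sample shows the practical difference between the two combination modes: Interface Down requires both Action and Status to match, so the port1 UP line is ignored, whereas Power Supply Failure is defined with "match any", so a power-supply-monitor message with status=ok also raises the Critical event; a handler tuned for a real deployment would usually want "match all" there, or a status-only condition.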

Go to the Event Management tab and select Event Handler in the tree menu.


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

4 thoughts on “Event Management – FortiManager 5.2”

  1. Piotr

    What if the FortiManager and FortiAnalyzer functions are split into separate machines?
    On FAZ I can see only “Local FortiAnalyzer” as a source of such System events. FortiManager system events are not even displayed in FortiView->Event->System.
    Is there a way to get system events from a FortiManager on a separate machine to trigger an event via EventManager on the (separated) FortiAnalyzer?

    1. Mike Post author

      Piotr,

      I am having a hard time understanding what you are trying to do. Are you trying to log your FortiManager to the FortiAnalyzer and view all system events etc there? Let me know and I will see if I can help!

      1. Piotr

        Hello Mike,
        I have FortiManager (FMG) and FortiAnalyzer (FAZ) functionality running on separate machines.
        My goal is to have all EventLogs of type System available on FAZ (where such System logs from remote enforcement modules like FortiGate are already stored).
        Then I want to have an EventManager Handler on FAZ to react on different administrator activity events – so far it only works on logs collected from FortiGates (or eventually the local FAZ, as there is a radio button selecting this source).
        I have set up such a handler, which is sensitive to admin login, configuration changes etc.

        When one of the admins changes something via FMG, such activity is not seen by the EventHandler because FMG system logs are not stored in FAZ. I do not know if there is a way to deliver FMG system logs to FAZ like FortiGates do, so the information stored in them can be used in FAZ to trigger events.
        Otherwise this EventHandler (on FAZ) has incomplete information (it has admin activity from FortiGates but not from FMG) – and I cannot treat it as a 100% reliable source of information about all entry points where admins can enter the system and, for example, make a configuration change.

        This is needed for supervision of administrator activity.

        Sorry for the bad language and hard-to-understand explanation.
        Thank you in advance for your effort.

        1. Mike Post author

          The FMG can log to a syslog device. The FortiAnalyzer will have minimal understanding of this. I would set up logging and alerts on the FortiManager itself most likely if you want alerts of changes etc. Either that or just have it dump to a SIEM like Splunk or ArcSight (I prefer Splunk for cost of deployment etc). I reached out to my Fortinet SE just to verify and outside of syslog there is no real “direct logging” to a FAZ from a FMG. I am sure someone out there has found a way to hack something up but I have not personally ever tried.
