Event handler page
The following information is displayed:
Status | The status of the event handler (enabled or disabled). |
Name | The name of the event handler. |
Filters | The filters that are configured for the event handler. |
Event Type | The event category of the event handler. The information displayed is dependent on the platform type. |
Devices | The devices that you have configured for the event handler. This field will either display All Devices or list each device. When you have configured an event handler for local logs, Local FortiManager will be displayed. Local FortiManager is available in the root ADOM only and is used to query FortiManager event logs. |
Severity | The severity that you configured for the event handler. This field will display Critical, High, Medium, or Low. |
Send Alert to | The email address, SNMP server, or syslog server that has been configured for the event handler. |
Right-click on an event handler in the list to open the right-click menu. The following options are available:
Create New | Select to create a new event handler. This option is available in the toolbar and right-click menu. See To create a new event handler:. |
Edit | Select an event handler and select edit to make changes to the entry. This option is available in the toolbar and right-click menu. See To edit an event handler:. |
Delete | Select one or all event handlers and select delete to remove the entry or entries. This option is available in the toolbar and right-click menu. The default event handlers cannot be deleted. See To delete an event handler:. |
Clone | Select an event handler in this page and click to clone the entry. A cloned entry will have Copy added to its name field. You can rename the cloned entry while editing the event handler. This option is available in the toolbar and right-click menu. See To clone an event handler:. |
Enable | Select to enable the event handler. |
Disable | Select to disable the event handler. |
Manage event handlers
You can create traffic, event, and extended log handlers to monitor network traffic and events based on specific log filters. These log handlers can then be edited, deleted, cloned, and enabled or disabled as needed.
To create a new event handler:
- Go to Event Management > Event Handler.
- Select Create New in the toolbar, or right-click on an the entry and select Create New in the right-click menu. The Create New Event Handler dialog box is displayed.
Create new event handler dialog box
- Enter a name for the new event handler and select OK. The Event Handler page opens with the Definition tab displayed.
Create event handler definition page
- Configure the following settings:
Status | l Enable or disable the event handler.
l Enabled l Disabled |
Name | Edit the name if required. |
Description | Enter a description for the event handler. | |
Devices | l Select All Devices, select Specify and use the add icon to add devices. Select Local FortiManager if the event handler is for local FortiManager event logs.
l Local FortiManager is available in the root ADOM only and is used to query FortiManager event logs. |
|
Severity | Select the severity from the drop-down list.
Select one of the following: l Critical l High l Medium l Low |
|
Filters | ||
Log Type | l Select the log type from the drop-down list. The available options are: Traffic Log, Event Log, Application Control, DLP, IPS, Virus, and Web Filter.
l The Log Type is Event Log when Devices is Local FortiManager. |
|
Event Category | Select the category of event that this handler will monitor from the drop-down list. The available options is dependent on the platform type.
This option is only available when Log Type is set to Traffic Log and Devices is set to All Devices or Specify. |
|
Group by | Select the criterium by which the information will be grouped.
This option is not available when Log Type is set to Traffic Log. |
|
Log message that match | Select either All or Any of the Following Conditions.
When Devices is Local FortiManager, this option is not available. |
|
Add Filter | Select the add icon to add log filters.
When Devices is Local FortiManager, this option is not available. You can only set one log field filter. |
|
Log Field | Select a log field to filter from the dropdown list. The available options will vary depending on the selected log type. | |
Match Criteria | Select a match criteria from the drop-down list. The available options will vary depending on the selected log field. | |
Value | Either select a value from the drop-down list, or enter a value in the text box. The available options will vary depending on the selected log field. | |
Delete | Select the delete icon, to delete the filter. A minimum of one filter is required. | |
Generic Text Filter | Enter a generic text filter. For more information on creating a text filter, hover the cursor over the help icon. | |
Event Details | Only available when you have one Security Event filter or the Log Type is Event Log. | |
Event Name | Select an event name from the drop-down list. The options in the list are dependent on the specific security event selected. | |
Additional Info | Select additional information from the drop-down list. The options in the list are dependent on the specific security event selected. |
- Select Apply to save the Definition
- Select the Notification
Notification tab
- Configure the following settings:
Event Details | Only available when you have one Security Event filter or the Log Type is Event Log. | |
Event Name | Select an event name from the drop-down list.
The options in the list are dependent on the specific security event selected. |
|
Additional Info | Select additional information from the drop-down list.
The options in the list are dependent on the specific security event selected. |
|
Generate alert when at least | Enter threshold values to generate alerts. Enter the number, in the first text box, of each type of event that can occur in the number of minutes entered in the second text box. | |
Send Alert Email | Select the checkbox to enable. Enter an email address in the To and From text fields, enter a subject in the Subject field, and select the email server from the drop-down list. Select the add icon to add an email server. | |
Send SNMP Trap
to |
Select the checkbox to enable this feature. Select an SNMP community from the drop-down list. Select the add icon to add a SNMP community. | |
Send Alert to Syslog Server | Select the checkbox to enable this feature. Select a syslog server from the drop-down list. Select the add icon to add a syslog server. |
- Select Apply to create the new event handler.
- Select Return to return to the Event Handler
What if FortiManager and Anaylzer functions are split into separate machines ?
On FAZ I can see only “Local FortiAnalyzer” as a source of such System events. FortiManager system events are not even displayed in FortiView->Event->System.
Is there a way to get system events from FortiManager on separate machine to trigger an event via EventManager on (separated) FortiAnalyzer ?
Plotr,
I am having a hard time understanding what you are trying to do. Are you trying to log your FortiManager to the FortiAnalyzer and view all system events etc there? Let me know and I will see if I can help!
Hello Mike,
I have FortiManager (FMG) and FortiAnalyzer (FAZ) fuctionality running on separate machines.
My goal is to have all EventLogs of type System available on FAZ ( where such System logs from remote enforcement modules like FortiGate are already stored).
Then I want to have an EventManager Handler on FAZ to react on different administrator activity events – so far it only works on logs collected from FortiGate-s ( or eventually local FAZ , as there is a radio button selecting this source ).
I have set up such a handler , which is sensitive for admin login, configuration changes etc.
When one of the admins changes something via FMG, such activity is not seen by the EventHandler because FMG system logs are not stored in FAZ. I do not know if there is a way to deliver FMG system logs to FAZ like FortGate-s do , so information stored in them can be used in FAZ to trigger events.
Otherwise this EventHandler (on FAZ) has incomplete information ( it has admin activity from FortiGate-s but not from FMG) – and I cannot treat it as 100% reliable source of information about all entry points where admins can enter the system and for example make change of configuration.
This is needed for supervisory upon administrators activity.
Sorry for bad language and hard-understandable explanation.
Thank you in advance for your effort.
The FMG can log to a syslog device. The FortiAnalyzer will have minimal understanding of this. I would setup logging and alerts on the FortiManager itself most likely if you want alerts of changes etc. Either that or just have it dump to a SIEM like Splunk or ArcSight (i prefer splunk for cost of deployment etc). I reached out to my Fortinet SE just to verify and outside of SYSLOG there is no real “direct logging” to a FAZ from a FMG. I am sure someone out there has found a way to hack something up but I have not personally ever tried.