Using the Generic Text Filter in an event handler – FortiAnalyzer – FortiOS 6.2.3

Using the Generic Text Filter in an event handler

The Generic Text Filter uses the glibc regex library for values with operators (~,!~), using the POSIX standard. Filter string syntax is parsed by FortiAnalyzer, and both upper and lower case characters are supported (for example “and” is the same as “AND”). You must use an escape character when needed. For example, cfgpath=firewall.policy is the wrong syntax because it’s missing an escape character. The correct syntax is cfgpath=firewall\.policy.

To create an event handler using the Generic Text Filter to match raw log data:

  1. Go to Log View, and select a log type.
  2. In the toolbar, click Tools > Display Raw.

The easiest method is to copy the text string you want from the raw log and paste it into the Generic Text Filter field. Ensure you insert an escape character when necessary, for example, cfgpath=firewall\.policy.

  1. Locate and copy the text in the raw log.
  2. Go to Incidents & Events > Event Monitor> Event HandlerList and click Create New.
  3. In the Generic Text Filter box, paste the text you copied or type the text you want. Ensure you use the raw log field names, for example, mem (not memory) and setuprate (not setup-rate).

For information on text format and operators, hover the cursor over the help icon. The operator ~ means contains and !~ means does not contain.

  1. If you want to be notified of events, configure the Notifications
  2. Configure other settings as required and click OK.
This entry was posted in Administration Guides, FortiAnalyzer, FortiOS, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.