
Administration Guide

Creating a custom event handler

You can create a custom event handler from scratch or clone a predefined event handler and customize its settings. See Cloning event handlers.

Configuring an event handler includes defining the following main sections:

Option

Description

Event handler attributes

Event handler attributes such as name, description, and devices.

Filters

Filters are rules for event generation.

  • Select the log filters to limit the logs that trigger an event.
  • Group the logs by primary and secondary (optional) values to separate the events that are generated for different Group By values.
  • Set the number of occurrences within a time frame that triggers an event.
  • Configure event fields such as event status and severity.

Additional Info

Specify what to show in the Additional Info column. You can use the system default information or configure a custom information message.

Notifications

Configure notifications to be sent on event generation.

You can send alert notifications to a fabric connector, email address, SNMP community, or syslog server.

Screenshot of the creation of Event Handlers

To create a new event handler:
  1. Go to Incidents & Events > Event Monitor > Event Handler List.
  2. In the toolbar, click Create New.
  3. Configure the settings as required and click OK.

    Field

    Description

    Status

    Enable or disable the event handler.

    Enabled event handlers have a Status of ON and show the enabled icon in the Event Handler List. Disabled event handlers have a Status of OFF and show the disabled icon in the Event Handler List.

    Name

    Add a name for the handler.

    Description

    Type a description of the event handler.

    Devices

    Select the devices to include.

    • All Devices.
    • Specify: To add devices, click the Add icon.
    • Local Device: Select if the event handler is for local FortiAnalyzer event logs. This option is only available in the root ADOM and is used to query FortiAnalyzer event logs.

      For Local Device, the Log Type must be Event Log and Log Subtype must be Any.

    Subnets

    Select All Subnets to include all subnets, or select Specify to choose which subnet(s) or subnet group(s) will be included or excluded from triggering events.

    Filters

    Configure one or more filters for the handler. You can add multiple filters each with its own set of filter settings. You can enable or disable specific filters in an event handler.

    Log Device Type

    If you are in a Security Fabric ADOM, select the log device type from the dropdown list. If you are not in a Security Fabric ADOM, you cannot change the Log Device Type.

    Log Type

    Select the log type from the dropdown list.

    When Devices is set to Local Device, you cannot change the Log Type or Log Subtype.

    Log Subtype

    Select the category of event that this handler monitors. The available options depend on the platform type.

    This option is only available when Log Type is set to Event Log or Traffic Log.

    Group By

    Select how to group the events. Some Group By selections allow a secondary Group By option. If available, click Add beside the Group By field to add a secondary Group By option.

    Logs match

    Select All or Any of the following conditions.

    Log Field

    Select a log field to filter from the dropdown list. The available options depend on the selected log type.

    Match Criteria

    Select the match criteria from the dropdown list. The available options depend on the selected log field.

    Value

    Either select a value from the dropdown list or enter a value in the text box. The available options depend on the selected log field.

    Add

    Add Log Field to the filter.

    Remove

    Delete the filter.

    Generic Text Filter

    Enter a generic text filter.

    For information on text format, hover the cursor over the help icon. The operator ~ means contains and !~ means does not contain.

    For more information on creating a generic text filter, see Using the Generic Text Filter in an event handler.

    Generate alert when at least n matches occurred over a period of n minutes

    Enter threshold values to generate alerts. Enter the number of matching events that must occur in the number of minutes to generate an alert.

    Event Message

    If you wish, enter a custom event message. The default message is the Group By value. You can use variables in the event message.

    Event Status

    Select Allow FortiAnalyzer to choose or select a status from the dropdown list: Unhandled, Mitigated, Contained, or Blank.

    Event Severity

    Select the severity from the dropdown list: Critical, High, Medium, or Low.

    Tags

    If you wish, enter custom tags. Tags can be used as a filter when using default or custom views.

    Additional Info

    Specify what to show in the Additional Info column. You can use the system default information or configure a custom information message.

    Use system default

    Select to use the system default message in the Additional Info column.

    Use custom message

    Type a custom message for the Additional Info column. A custom message can include variables and log field names. For more information, click the question mark icon.

    Notifications

    Configure alerts for the handler.

    Send Alert through Fabric Connectors

    Send an alert through one or more fabric connectors. Click the + button to add fabric connectors. For more information, see Fabric Connectors.

    Send Alert Email

    Send an alert by email. Specify email parameters including the mail server. For more information, see Mail Server.

    Send SNMP(...) Trap

    Select one or both checkboxes and specify an SNMP community or user from the dropdown list. Click the add icon to create a new SNMP community or user. For more information, see SNMP.

    Send Alert to Syslog Server

    Send an alert to the syslog server. Select a syslog server from the dropdown list. Click the add icon to create a new syslog server. For more information, see Syslog Server.

    Send Each Alert Separately

    Select to send each alert individually instead of in a group.

    The maximum number of alerts that can be sent for the same event is 50.
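The filter, Group By and threshold settings above describe a rule engine: logs pass the filter conditions (All or Any), are bucketed by the Group By value, and an event fires when at least n matches land inside the configured window. The following added example (not FortiAnalyzer's code) emulates that logic in Python over constructed key=value log lines, so you can reason about what a given threshold will produce before deploying the handler. The field names and the assumption that the window resets after an event fires are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample event logs in FortiGate key=value style (not real data).
SAMPLE_LOGS = """\
eventtime=1000 type=event subtype=system action=login status=failure user=admin srcip=198.51.100.7
eventtime=1030 type=event subtype=system action=login status=failure user=admin srcip=198.51.100.7
eventtime=1050 type=event subtype=system action=login status=success user=alice srcip=10.0.0.5
eventtime=1090 type=event subtype=system action=login status=failure user=admin srcip=198.51.100.7
eventtime=1400 type=event subtype=system action=login status=failure user=bob srcip=203.0.113.9
eventtime=2000 type=event subtype=system action=login status=failure user=admin srcip=198.51.100.7
""".splitlines()

def parse_log(line):
    """Split a key=value log line into a dict (quoted values allowed)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def matches(log, conditions, mode="All"):
    """Apply filter conditions: '=' is exact match, '~' is contains and
    '!~' is does not contain (the operators the Generic Text Filter help describes).
    mode is the 'Logs match' setting: All or Any of the conditions."""
    results = []
    for field, op, value in conditions:
        actual = log.get(field, "")
        results.append({"=": actual == value, "~": value in actual,
                        "!~": value not in actual}[op])
    return all(results) if mode == "All" else any(results)

def run_handler(lines, conditions, group_by, n_matches, minutes, mode="All", severity="High"):
    """Emulate 'generate alert when at least n matches occurred over a period of m minutes',
    evaluated per Group By value (primary and optional secondary) with a sliding window.
    Assumption: the window resets after an event fires, so one burst yields one event."""
    window = defaultdict(list)  # group value -> timestamps of matched logs
    events = []
    for log in (parse_log(l) for l in lines):
        if not matches(log, conditions, mode):
            continue
        key = tuple(log.get(g, "") for g in group_by)
        t = int(log["eventtime"])
        hits = [x for x in window[key] if t - x <= minutes * 60] + [t]
        if len(hits) >= n_matches:
            # Default event message is the Group By value; status left for the analyst.
            events.append({"message": " ".join(key), "count": len(hits),
                           "severity": severity, "status": "Unhandled", "time": t})
            hits = []
        window[key] = hits
    return events

if __name__ == "__main__":
    rule = [("action", "=", "login"), ("status", "~", "fail")]
    for ev in run_handler(SAMPLE_LOGS, rule, ["user", "srcip"], 3, 5):
        print(ev)  # one event for admin from 198.51.100.7: 3 failures within 5 minutes
```

With the sample data, bob's single failure and admin's later isolated failure at eventtime=2000 stay below the threshold, which is the kind of check worth running before tuning n and the window on a noisy log source.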
