Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiAnalyzer 7.0.12 CLI Reference
    7.0.12
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.9
    5.6.8
    5.6.8
    5.6.7
    5.6.7
    5.6.6
    5.6.6
    5.6.5
    5.6.5
    5.6.4
    5.6.4
    5.6.3
    5.6.3
    5.6.2
    5.6.2
    5.6.1
    5.6.1
    5.6.0
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.5
    5.4.4
    5.4.4
    5.4.3
    5.4.3
    5.4.2
    5.4.2
    5.4.1
    5.4.1
    5.4.0
    5.4.0
    5.2.10
    5.2.9
    5.2.9
    5.2.7
    5.2.7
    5.2.6
    5.2.6
    5.2.5
    5.2.5
    5.2.4
    5.2.4
    5.2.3
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.13
    5.0.13
    5.0.11
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    5.0.1
    4.3.0
    4.2.0
    4.1.0
    4.0.0

    alert-event

    alert-event

    Use alert-event commands to configure the FortiAnalyzer unit to monitor logs for log messages with certain severity levels, or information within the logs. If the message appears in the logs, the FortiAnalyzer unit sends an email or SNMP trap to a predefined recipient(s) of the log message encountered. Alert event messages provide immediate notification of issues occurring on the FortiAnalyzer unit.

    When configuring an alert email, you must configure at least one DNS server. The FortiGate unit uses the SMTP server name to connect to the mail server and must look up this name on your DNS server.

    alert-event was removed from the GUI in FortiAnalyzer version 5.0.3. This command has been kept in the CLI for customers who previously configured this function.

    Syntax

    config system alert-event

    edit <name_string>

    set enable-generic-text {enable | disable}

    set enable-severity-filter {enable | disable}

    set event-time-period {0.5 | 1 | 3 | 6 | 12 | 24 | 72 | 168}

    set generic-text <string>

    set num-events {1 | 5 | 10 | 50 | 100}

    set severity-filter {high | low | medium | medium-high | medium-low}

    set severity-level-comp {>= | = | <=}

    set severity-level-logs {no-check | information | notify | warning |error | critical | alert | emergency}

    config alert-destination

    edit destination_id <integer>

    set type {mail | snmp | syslog}

    set from <email_address>

    set to <email_address>

    set smtp-name <server_name>

    set snmp-name <server_name>

    set syslog-name <server_name>

    end

    end

    Variable

    Description

    <name_string>

    Enter a name for the alert event (character limit = 63).

    enable-generic-text {enable | disable}

    Enable generic text match (default = disable).

    enable-severity-filter {enable | disable}

    Enable/disable alert severity filter (default = disable).

    event-time-period {0.5 | 1 | 3 | 6 | 12 | 24 | 72 | 168}

    The period of time in hours during which if the threshold number is exceeded, the event will be reported:

    • 0.5: 30 minutes (default)
    • 1: 1 hour
    • 3: 3 hours
    • 6: 6 hours
    • 12: 12 hours
    • 24: 1 day
    • 72: 3 days
    • 168: 1 week

    generic-text <string>

    Text that must be contained in a log to trigger alert (character limit = 255).

    num-events {1 | 5 | 10 | 50 | 100}

    Set the minimum number of events that must occur in the given interval before it is reported (default = 1).

    severity-filter {high | low | medium | medium-high | medium-low}

    Set the required log severity to trigger an alert (default = high).

    severity-level-comp {>= | = | <=}

    Set the log severity threshold comparison criterion (default = =). Log messages are monitored based on the log level. For example, alerts may be monitored if the messages are greater than or equal to (>=) the Warning log level.

    severity-level-logs {no-check | information | notify | warning |error | critical | alert | emergency}

    Set the log severity threshold level. That is, the log level the FortiManager looks for when monitoring for alert messages.

    • no-check: Do not check severity level for this log type (default).
    • emergency: The unit is unusable.
    • alert: Immediate action is required.
    • critical: Functionality is affected.
    • error: Functionality is probably affected.
    • warning: Functionality might be affected.
    • notification: Information about normal events.
    • information: General information about unit operations.

    Variables for config alert-destination subcommand:

    destination_id <integer>

    Enter the table sequence number, beginning at 1.

    type {mail | snmp | syslog}

    Select the alert event message method of delivery:

    • mail: Send email alert (default).
    • snmp: Send SNMP trap.
    • syslog: Send syslog message.

    from <email_address>

    Enter the sender email address to use in alert emails. This is available when type is set to mail.

    to <email_address>

    Enter the recipient email address to use in alert emails. This is available when type is set to mail.

    smtp-name <server_name>

    Enter the name of the mail server. This is available when type is set to mail.

    snmp-name <server_name>

    Enter the snmp server name. This is available when type is set to snmp.

    syslog-name <server_name>

    Enter the syslog server name or IPv4 address. This is available when type is set to syslog.

    Example

    In the following example, the alert message is set to send an email to the administrator when 5 warning log messages appear over the span of three hours.

    config system alert-event

    edit warning

    config alert-destination

    edit 1

    set type mail

    set from fmgr@exmample.com

    set to admin@example.com

    set smtp-name mail.example.com

    end

    set enable-severity-filter enable

    set event-time-period 3

    set severity-level-log warning

    set severity-level-comp =

    set severity-filter medium

    end

    Previous
    Next

    alert-event

    alert-event

    Use alert-event commands to configure the FortiAnalyzer unit to monitor logs for log messages with certain severity levels, or information within the logs. If the message appears in the logs, the FortiAnalyzer unit sends an email or SNMP trap to a predefined recipient(s) of the log message encountered. Alert event messages provide immediate notification of issues occurring on the FortiAnalyzer unit.

    When configuring an alert email, you must configure at least one DNS server. The FortiGate unit uses the SMTP server name to connect to the mail server and must look up this name on your DNS server.

    alert-event was removed from the GUI in FortiAnalyzer version 5.0.3. This command has been kept in the CLI for customers who previously configured this function.

    Syntax

    config system alert-event

    edit <name_string>

    set enable-generic-text {enable | disable}

    set enable-severity-filter {enable | disable}

    set event-time-period {0.5 | 1 | 3 | 6 | 12 | 24 | 72 | 168}

    set generic-text <string>

    set num-events {1 | 5 | 10 | 50 | 100}

    set severity-filter {high | low | medium | medium-high | medium-low}

    set severity-level-comp {>= | = | <=}

    set severity-level-logs {no-check | information | notify | warning |error | critical | alert | emergency}

    config alert-destination

    edit destination_id <integer>

    set type {mail | snmp | syslog}

    set from <email_address>

    set to <email_address>

    set smtp-name <server_name>

    set snmp-name <server_name>

    set syslog-name <server_name>

    end

    end

    Variable

    Description

    <name_string>

    Enter a name for the alert event (character limit = 63).

    enable-generic-text {enable | disable}

    Enable generic text match (default = disable).

    enable-severity-filter {enable | disable}

    Enable/disable alert severity filter (default = disable).

    event-time-period {0.5 | 1 | 3 | 6 | 12 | 24 | 72 | 168}

    The period of time in hours during which if the threshold number is exceeded, the event will be reported:

    • 0.5: 30 minutes (default)
    • 1: 1 hour
    • 3: 3 hours
    • 6: 6 hours
    • 12: 12 hours
    • 24: 1 day
    • 72: 3 days
    • 168: 1 week

    generic-text <string>

    Text that must be contained in a log to trigger alert (character limit = 255).

    num-events {1 | 5 | 10 | 50 | 100}

    Set the minimum number of events that must occur in the given interval before it is reported (default = 1).

    severity-filter {high | low | medium | medium-high | medium-low}

    Set the required log severity to trigger an alert (default = high).

    severity-level-comp {>= | = | <=}

    Set the log severity threshold comparison criterion (default = =). Log messages are monitored based on the log level. For example, alerts may be monitored if the messages are greater than or equal to (>=) the Warning log level.

    severity-level-logs {no-check | information | notify | warning |error | critical | alert | emergency}

    Set the log severity threshold level. That is, the log level the FortiManager looks for when monitoring for alert messages.

    • no-check: Do not check severity level for this log type (default).
    • emergency: The unit is unusable.
    • alert: Immediate action is required.
    • critical: Functionality is affected.
    • error: Functionality is probably affected.
    • warning: Functionality might be affected.
    • notification: Information about normal events.
    • information: General information about unit operations.

    Variables for config alert-destination subcommand:

    destination_id <integer>

    Enter the table sequence number, beginning at 1.

    type {mail | snmp | syslog}

    Select the alert event message method of delivery:

    • mail: Send email alert (default).
    • snmp: Send SNMP trap.
    • syslog: Send syslog message.

    from <email_address>

    Enter the sender email address to use in alert emails. This is available when type is set to mail.

    to <email_address>

    Enter the recipient email address to use in alert emails. This is available when type is set to mail.

    smtp-name <server_name>

    Enter the name of the mail server. This is available when type is set to mail.

    snmp-name <server_name>

    Enter the snmp server name. This is available when type is set to snmp.

    syslog-name <server_name>

    Enter the syslog server name or IPv4 address. This is available when type is set to syslog.

    Example

    In the following example, the alert message is set to send an email to the administrator when 5 warning log messages appear over the span of three hours.

    config system alert-event

    edit warning

    config alert-destination

    edit 1

    set type mail

    set from fmgr@exmample.com

    set to admin@example.com

    set smtp-name mail.example.com

    end

    set enable-severity-filter enable

    set event-time-period 3

    set severity-level-log warning

    set severity-level-comp =

    set severity-filter medium

    end

    Previous
    Next