Administration Guide

Adding pre-filters to event handlers

Pre-filters can be configured for all the available log fields in event handlers. Each event handler can have multiple pre-filters.

The pre-filters are applied before every regular filter in the event handler. This means the pre-filter criteria do not need to be added individually within each regular filter.

To create a pre-filter:
  1. Go to FortiSoC > Handlers > Event Handler List.
  2. Select the checkbox for an existing event handler, and click Edit.

    You can also add pre-filters when creating a new event handler.

  3. In the Pre-filters area, click Add Pre-Filter.

    The Pre-filter dialog opens.

  4. Configure the pre-filter.

    Name: Enter a name for the pre-filter.

    Log Device Type: Select the device type from the dropdown.

    Log Type: Select a log type from the dropdown. The log types will vary depending on the device type.

    Log Subtype: Select a log subtype from the dropdown. The log subtype is not available for all device types.

    Logs Match: Select All or Any of the following conditions.

    Log Field: Select a log field from the dropdown.

    Match Criteria: Select an operator from the dropdown.

    Value: Select the event type from the dropdown.

  5. To insert another pre-filter condition in the list, click the add icon (+).

    If you need to delete a pre-filter condition, click the delete icon next to the condition.

  6. (Optional) In the Generic Text Filter field, enter the filter string.

    For more information, see Using the Generic Text Filter in an event handler.

  7. To save the pre-filter, click OK.

    The Pre-filter dialog closes.

  8. To insert another pre-filter, click the add icon (+) in the Pre-filters area.
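
The following added example is a conceptual model of the behaviour described above, not FortiAnalyzer code: a single pre-filter with All/Any conditions gates every regular filter, so the handler produces the same events as one whose filters each repeat the pre-filter criteria. The operator names, function names and sample logs are assumptions constructed for illustration.

```python
# Conceptual model of pre-filter evaluation; not FortiAnalyzer code.
# Operator names and the sample logs below are constructed for illustration.
OPS = {
    "equals": lambda field, value: field == value,
    "not_equals": lambda field, value: field != value,
    "contains": lambda field, value: value in field,
}

def matches(log, conditions, mode="all"):
    """Evaluate (log field, match criteria, value) conditions with All/Any logic."""
    results = (OPS[op](log.get(field, ""), value) for field, op, value in conditions)
    return all(results) if mode == "all" else any(results)

def handler_hits(logs, pre_filter, filters):
    """Return (filter name, log id) pairs; the pre-filter gates every regular filter."""
    pre_conditions, pre_mode = pre_filter
    hits = []
    for log in logs:
        if not matches(log, pre_conditions, pre_mode):
            continue  # dropped once, before any regular filter runs
        for name, (conditions, mode) in filters.items():
            if matches(log, conditions, mode):
                hits.append((name, log["id"]))
    return hits

# Constructed sample logs (key/value pairs as parsed from traffic logs).
SAMPLE_LOGS = [
    {"id": 1, "type": "traffic", "srcip": "10.0.5.20", "action": "deny", "dstport": "22"},
    {"id": 2, "type": "traffic", "srcip": "10.0.5.21", "action": "deny", "dstport": "3389"},
    {"id": 3, "type": "traffic", "srcip": "192.168.1.9", "action": "deny", "dstport": "22"},
    {"id": 4, "type": "traffic", "srcip": "10.0.5.22", "action": "accept", "dstport": "22"},
]

# One pre-filter: only denied traffic from the 10.0.5.x segment reaches the filters.
PRE_FILTER = ([("srcip", "contains", "10.0.5."), ("action", "equals", "deny")], "all")

# Regular filters carry only their own criteria.
FILTERS = {
    "ssh-denied": ([("dstport", "equals", "22")], "all"),
    "rdp-denied": ([("dstport", "equals", "3389")], "all"),
}

# The same handler written without a pre-filter: criteria repeated in every filter.
NO_PRE = ([], "all")
REPEATED = {n: (PRE_FILTER[0] + c, "all") for n, (c, _) in FILTERS.items()}

if __name__ == "__main__":
    print(handler_hits(SAMPLE_LOGS, PRE_FILTER, FILTERS))
```

Changing the pre-filter mode from "all" to "any" widens what reaches the regular filters, which is worth checking against sample logs before relying on a handler for alerting.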
