Fortinet black logo

Administration Guide

FortiOS event log trigger

FortiOS event log trigger

You can configure a FortiOS event log trigger for when a specific event log ID occurs. You can select multiple event log IDs, and apply log field filters.

To configure a FortiOS event log trigger in the GUI:
  1. Go to Security Fabric > Automation, select the Trigger tab, and click Create New.
  2. In the Miscellaneous section, click FortiOS Event Log.

  3. Enter a name and description.
  4. In the Event field, click the + to select multiple event log IDs.

    The Event options correspond to the Message Meaning listed in the FortiOS Log Message Reference. Hover over an entry to view the tooltip that includes the event ID and log name. In this example, the Admin login successful event in the GUI corresponds to log ID 32001, which is LOG_ID_ADMIN_LOGIN_SUCC.

  5. In the Field filter(s) field, click the + to add multiple field filters. The configured filters much match in order for the stitch to be triggered.
    1. To view the list of available fields for a log, refer to the FortiOS Log Message Reference by appending the log ID to the document URL (https://docs.fortinet.com/document/fortigate/7.0.1/fortios-log-message-reference/<log_ID>).

  6. Click OK.
To configure a FortiOS event log trigger in the CLI:
config system automation-trigger
    edit "event_login_logout"
        set description "trigger for login logout event"
        set event-type event-log
        set logid 32001 32003
        config fields
            edit 1
                set name "user"
                set value "csf"
            next
            edit 2
                set name "srcip"
                set value "10.6.30.254"
            next
        end
    next
end

FortiOS event log trigger

You can configure a FortiOS event log trigger for when a specific event log ID occurs. You can select multiple event log IDs, and apply log field filters.

To configure a FortiOS event log trigger in the GUI:
  1. Go to Security Fabric > Automation, select the Trigger tab, and click Create New.
  2. In the Miscellaneous section, click FortiOS Event Log.

  3. Enter a name and description.
  4. In the Event field, click the + to select multiple event log IDs.

    The Event options correspond to the Message Meaning listed in the FortiOS Log Message Reference. Hover over an entry to view the tooltip that includes the event ID and log name. In this example, the Admin login successful event in the GUI corresponds to log ID 32001, which is LOG_ID_ADMIN_LOGIN_SUCC.

  5. In the Field filter(s) field, click the + to add multiple field filters. The configured filters much match in order for the stitch to be triggered.
    1. To view the list of available fields for a log, refer to the FortiOS Log Message Reference by appending the log ID to the document URL (https://docs.fortinet.com/document/fortigate/7.0.1/fortios-log-message-reference/<log_ID>).

  6. Click OK.
To configure a FortiOS event log trigger in the CLI:
config system automation-trigger
    edit "event_login_logout"
        set description "trigger for login logout event"
        set event-type event-log
        set logid 32001 32003
        config fields
            edit 1
                set name "user"
                set value "csf"
            next
            edit 2
                set name "srcip"
                set value "10.6.30.254"
            next
        end
    next
end