You can configure a FortiOS event log trigger for when a specific event log ID occurs. You can select multiple event log IDs, and apply log field filters.
- Go to Security Fabric > Automation, select the Trigger tab, and click Create New.
In the Miscellaneous section, click FortiOS Event Log.
- Enter a name and description.
- In the Event field, click the + to select multiple event log IDs.
The Event options correspond to the Message Meaning listed in the FortiOS Log Message Reference. Hover over an entry to view the tooltip that includes the event ID and log name. In this example, the Admin login successful event in the GUI corresponds to log ID 32001, which is LOG_ID_ADMIN_LOGIN_SUCC.
- In the Field filter(s) field, click the + to add multiple field filters. The configured filters much match in order for the stitch to be triggered.
- To view the list of available fields for a log, refer to the FortiOS Log Message Reference by appending the log ID to the document URL (https://docs.fortinet.com/document/fortigate/7.0.1/fortios-log-message-reference/<log_ID>).
- Click OK.
config system automation-trigger edit "event_login_logout" set description "trigger for login logout event" set event-type event-log set logid 32001 32003 config fields edit 1 set name "user" set value "csf" next edit 2 set name "srcip" set value "10.6.30.254" next end next end