Fortinet white logo
Fortinet white logo

Administration Guide

Event log category triggers

Event log category triggers

There are six default automation triggers based on event log categories:

  • Anomaly logs
  • IPS logs
  • SSH logs
  • Traffic violations
  • Virus logs
  • Web filter violations

When multi VDOM mode is enabled, individual VDOMs can be specified so that the trigger is only applied to those VDOMs.

config system automation-trigger
    edit "Anomaly Logs"
        set trigger-type event-based
        set event-type anomaly-logs
        set vdom <name>
    next
    edit "IPS Logs"
        set trigger-type event-based
        set event-type ips-logs
        set vdom <name>
    next
    edit "SSH Logs"
        set trigger-type event-based
        set event-type ssh-logs
        set vdom <name>
    next
    edit "Traffic Violation"
        set trigger-type event-based
        set event-type traffic-violation
        set vdom <name>
    next
    edit "Virus Logs"
        set trigger-type event-based
        set event-type virus-logs
        set vdom <name>
    next
    edit "Webfilter Violation"
        set trigger-type event-based
        set event-type webfilter-violation
        set vdom <name>
    next
end
Note

A maximum of 16 log IDs can be set as triggers for the event log.

Example

In this example, an automation stitch is created that uses the anomaly logs trigger and an email notification action. The trigger specifies which VDOMs should be used. There is a three-second delay between the trigger and action.

To configure an automation stitch with the anomaly logs trigger in the GUI:
  1. Configure the trigger:
    1. Go to Security Fabric > Automation, select the Trigger tab.

    2. Edit the Anomaly Logs trigger.

    3. Add the required VDOMs (root, vdom-nat, vdom-tp).

    4. Click OK.

  2. Configure the action:
    1. Go to Security Fabric > Automation, select the Action tab, and click Create New.

    2. In the Notifications section, click Email and enter the following:

      Name

      email_default_rep_message

      To

      Enter an email address

      Subject

      CSF stitch alert

      Replacement message

      Enable

    3. Click OK.

  3. Configure the stitch:
    1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.

    2. Enter the name, anomaly-logs-stitch.

    3. Click Add Trigger. Select Anomaly Logs and click Apply.

    4. Click Add Action. Select email_default_rep_message and click Apply.

    5. Click Add delay (between the trigger and action). Enter 3 and click OK.

    6. Click OK.

To configure an automation stitch with the anomaly logs trigger in the CLI:
  1. Configure the trigger:
    config system automation-trigger
        edit "Anomaly Logs"
            set event-type anomaly-logs
            set vdom "root" "vdom-nat" "vdom-tp"
        next
    end
  2. Configure the action:
    config system automation-action
        edit "email_default_rep_message"
            set action-type email
            set email-to "admin@fortinet.com"
            set email-subject "CSF stitch alert"
            set replacement-message enable
        next
    end
  3. Configure the stitch:
    config system automation-stitch
        edit "anomaly-logs-stitch"
            set description "anomaly-logs"
            set trigger "Anomaly Logs"
            config actions
                edit 1
                    set action "email_default_rep_message"
                    set delay 3
                    set required enable
                next
            end
        next
    end

Verification

Once the anomaly log is generated, the automation stitch is triggered end the email notification is sent.

To confirm that the stitch was triggered in the GUI:
  1. Go to Security Fabric > Automation and select the Stitch tab.
  2. Verify the Last Triggered column.
To confirm that the stitch was triggered in the CLI:
# diagnose test application autod 2
...
stitch: anomaly-logs-stitch
        destinations: all
        trigger: Anomaly Logs
                type:anomaly logs

                field ids:
                        (id:6)vd=root,vdom-nat,vdom-tp

        local hit: 1 relayed to: 0 relayed from: 0
        actions:
                email_default_rep_message type:email interval:0
                        delay:3 required:yes
                        subject: CSF stitch alert
                        body: %%log%%
                        sender:
                        mailto:admin@fortinet.com;

Event log category triggers

Event log category triggers

There are six default automation triggers based on event log categories:

  • Anomaly logs
  • IPS logs
  • SSH logs
  • Traffic violations
  • Virus logs
  • Web filter violations

When multi VDOM mode is enabled, individual VDOMs can be specified so that the trigger is only applied to those VDOMs.

config system automation-trigger
    edit "Anomaly Logs"
        set trigger-type event-based
        set event-type anomaly-logs
        set vdom <name>
    next
    edit "IPS Logs"
        set trigger-type event-based
        set event-type ips-logs
        set vdom <name>
    next
    edit "SSH Logs"
        set trigger-type event-based
        set event-type ssh-logs
        set vdom <name>
    next
    edit "Traffic Violation"
        set trigger-type event-based
        set event-type traffic-violation
        set vdom <name>
    next
    edit "Virus Logs"
        set trigger-type event-based
        set event-type virus-logs
        set vdom <name>
    next
    edit "Webfilter Violation"
        set trigger-type event-based
        set event-type webfilter-violation
        set vdom <name>
    next
end
Note

A maximum of 16 log IDs can be set as triggers for the event log.

Example

In this example, an automation stitch is created that uses the anomaly logs trigger and an email notification action. The trigger specifies which VDOMs should be used. There is a three-second delay between the trigger and action.

To configure an automation stitch with the anomaly logs trigger in the GUI:
  1. Configure the trigger:
    1. Go to Security Fabric > Automation, select the Trigger tab.

    2. Edit the Anomaly Logs trigger.

    3. Add the required VDOMs (root, vdom-nat, vdom-tp).

    4. Click OK.

  2. Configure the action:
    1. Go to Security Fabric > Automation, select the Action tab, and click Create New.

    2. In the Notifications section, click Email and enter the following:

      Name

      email_default_rep_message

      To

      Enter an email address

      Subject

      CSF stitch alert

      Replacement message

      Enable

    3. Click OK.

  3. Configure the stitch:
    1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.

    2. Enter the name, anomaly-logs-stitch.

    3. Click Add Trigger. Select Anomaly Logs and click Apply.

    4. Click Add Action. Select email_default_rep_message and click Apply.

    5. Click Add delay (between the trigger and action). Enter 3 and click OK.

    6. Click OK.

To configure an automation stitch with the anomaly logs trigger in the CLI:
  1. Configure the trigger:
    config system automation-trigger
        edit "Anomaly Logs"
            set event-type anomaly-logs
            set vdom "root" "vdom-nat" "vdom-tp"
        next
    end
  2. Configure the action:
    config system automation-action
        edit "email_default_rep_message"
            set action-type email
            set email-to "admin@fortinet.com"
            set email-subject "CSF stitch alert"
            set replacement-message enable
        next
    end
  3. Configure the stitch:
    config system automation-stitch
        edit "anomaly-logs-stitch"
            set description "anomaly-logs"
            set trigger "Anomaly Logs"
            config actions
                edit 1
                    set action "email_default_rep_message"
                    set delay 3
                    set required enable
                next
            end
        next
    end

Verification

Once the anomaly log is generated, the automation stitch is triggered end the email notification is sent.

To confirm that the stitch was triggered in the GUI:
  1. Go to Security Fabric > Automation and select the Stitch tab.
  2. Verify the Last Triggered column.
To confirm that the stitch was triggered in the CLI:
# diagnose test application autod 2
...
stitch: anomaly-logs-stitch
        destinations: all
        trigger: Anomaly Logs
                type:anomaly logs

                field ids:
                        (id:6)vd=root,vdom-nat,vdom-tp

        local hit: 1 relayed to: 0 relayed from: 0
        actions:
                email_default_rep_message type:email interval:0
                        delay:3 required:yes
                        subject: CSF stitch alert
                        body: %%log%%
                        sender:
                        mailto:admin@fortinet.com;