Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiGate / FortiOS 7.4.10 Administration Guide
    7.4.10
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.0

    FortiAnalyzer event handler trigger

    FortiAnalyzer event handler trigger

    You can trigger automation stitches based on FortiAnalyzer event handlers. This allows you to define rules based on complex correlations across devices, log types, frequencies, and other criteria.

    To set up a FortiAnalyzer event handler trigger:

    1. Configure a FortiGate event handler on the FortiAnalyzer

    2. Configure FortiAnalyzer logging on the FortiGate

    3. Configure an automation stitch that is triggered by a FortiAnalyzer event handler

    Configure a FortiGate event handler on the FortiAnalyzer

    On the FortiAnalyzer, configure an event handler for the automation stitch. In this example, the event handler is triggered by two or more invalid log in attempts to the FortiGate in less than one minute. See Creating a custom event handler in the FortiAnalyzer Administration Guide for more information.

    To configure an event handler on the FortiAnalyzer:

    1. Go to Incidents & Events > Handlers, select the Basic Handlers tab, and click Create New.

    2. Set Name to log-handler.

    3. Enable Automation Stitch.

    4. Click Add New Rule and configure a rule with two conditions:

      Field

      Value

      Name

      login

      Event Severity

      Medium

      Log Device Type

      FortiGate

      Log Type

      Event Log (event)

      Log Subtype

      System (system)

      Log Field

      Log ID (logid)

      Log Filters

      All Filters

      Log Field

      Level (pri)

      Match Criteria

      Equal To

      Value

      Alert

      Log Field

      Action (action)

      Match Criteria

      Equal To

      Value

      login

      Trigger an event when

      A group contains 2 or more log occurrences

      All logs were generated within 1 minute

      Tags

      (Optional) InvalidLogin

    5. Configure the other settings as needed then click OK.

    6. Click OK.

    Configure FortiAnalyzer logging on the FortiGate

    See Configuring FortiAnalyzer for more information.

    To configure FortiAnalyzer logging:

    1. On the FortiGate, go to Security Fabric > Fabric Connectors, double-click the Logging & Analytics card, and go to the FortiAnalyzer tab.

    2. Check that the Status is Enabled.

    3. Set Server to the IP address of the FortiAnalyzer.

    4. Set Upload option as needed.

    5. Click OK and accept the FortiAnalyzer certificate.

    6. On the FortiAnalyzer, authorize the FortiGate. See Unauthorized devices in the FortiAnalyzer Administration Guide

    Configure an automation stitch that is triggered by a FortiAnalyzer event handler

    When a FortiAnalyzer event handler is triggered, it sends a notification to the FortiGate automation framework, which generates a log and triggers the automation stitch.

    To configure an automation stitch that is triggered by a FortiAnalyzer event handler in the GUI:

    1. Go to Security Fabric > Automation and click Create New.

    2. Enter the stitch name, auto-faz-1.

    3. Configure the trigger:

      1. Click Add Trigger.

      2. Click Create and select FortiAnalyzer Event Handler.

      3. Enter the following:

        Name

        auto-faz-1

        Event handler name

        log-handler

        Event severity

        Medium

        Event tag

        Optional. Enter only if you have specified a custom tag for the event handler.

        In this case, set to InvalidLogin.

      4. Click OK.

      5. Select the trigger in the list and click Apply.

    4. Configure the Email notification action:

      1. Click Add Action.

      2. Click Create and select Email.

      3. Enter the following:

        Name

        auto-faz-1_email

        To

        Enter an email address

        Subject

        CSF stitch alert

        Body

        User login FortiGate failed attempts %%log%%

      4. Click OK.

      5. Select the action in the list and click Apply.

    5. Click OK.

    To configure an automation stitch that is triggered by a FortiAnalyzer event handler in the CLI:

    1. Create an automation trigger:

      config system automation-trigger
    edit "auto-faz-1"
        set event-type faz-event
        set faz-event-name "log-handler"
        set faz-event-severity "medium"
        set faz-event-tags "InvalidLogin"
    next
end

    2. Create an automation action:

      config system automation-action
    edit "auto-faz-1_email"
        set action-type email
        set email-to "tsmith@ztnademo.com"
        set email-subject "CSF stitch alert"
        set message "User login FortiGate failed attempts %%log%%"
    next
end

    3. Create the automation stitch:

      config system automation-stitch
    edit "auto-faz-1"
        set trigger "auto-faz-1"
        config actions
            edit 1
                set action "auto-faz-1_email"
                set required enable
            next
        end
    next
end

    View the trigger event log

    To view the trigger event log:

    1. Attempt to log in to the FortiGate with the wrong password twice in a row.

    2. Check that two system logs with severity Alert are generated on the FortiGate:

      # execute log filter field subtype system
# execute log filter category event
# execute log display
    ...
11: date=2025-06-06 time=11:59:14 eventtime=1749236354989858133 tz="-0700" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin" ui="https(172.16.7.254)" method="https" srcip=172.16.7.254 dstip=172.16.7.1 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(172.16.7.254) because of invalid password"
12: date=2025-06-06 time=11:59:12 eventtime=1749236352450280347 tz="-0700" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin" ui="https(172.16.7.254)" method="https" srcip=172.16.7.254 dstip=172.16.7.1 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(172.16.7.254) because of invalid password"

    3. This triggers an event on the FortiAnalyzer that sends a notification to the FortiGate automation framework:

      # diagnose debug application autod -1
# diagnose debug enable
__handle_req_body()-109: subscriber update: name subscr-node msg_type 0 msg_len 309:
{"format":0,"category_filter":2,"free_style":[{"category":"event","filter":"(logid 0100022040 0100065304 0100022041 0100065305 0100022042 0100065306 0100022043 0100022044 0100022045 0100022901 0100022902 0100022903 0100022808 0100022809 0100053400 0100053401 0100026004 0100065311)","filter_type":"include"}]}

pid:2086-__handle_msg()-414: Subscriber:4 received package. pubid:0 pkgid:97 pkg_index:0
pid:2086-__handle_pkg_logs()-356: Subscriber:4 processing package size:1512 logs:1 pickup:1
pid:2086-__subscr_close_cur_pkg()-140: close package size:1512 logs:1
__action_email_hdl()-190: email action (auto-faz-1_email) is called. 
from: 
to:tsmith@ztnademo.com; 
subject:CSF stitch alert

      An alert email is sent out and an automation stitch log is generated. The email sent by the action will look similar to the following:

    4. To view the log in the GUI, go to Log & Report > System Events, select General System Events, and from the log location dropdown select FortiAnalyzer.

    5. To view the trigger event log in the CLI:

      # execute log display
    ...
9: date=2025-06-06 time=11:59:37 eventtime=1749236376747950301 tz="-0700" logid="0100046600" type="event" subtype="system" level="notice" vd="root" logdesc="Automation stitch triggered" stitch="auto-faz-1" trigger="auto-faz-1" stitchaction="auto-faz-1_email" from="log" msg="stitch:auto-faz-1 is triggered.
    Previous
    Next

    FortiAnalyzer event handler trigger

    FortiAnalyzer event handler trigger

    You can trigger automation stitches based on FortiAnalyzer event handlers. This allows you to define rules based on complex correlations across devices, log types, frequencies, and other criteria.

    To set up a FortiAnalyzer event handler trigger:

    1. Configure a FortiGate event handler on the FortiAnalyzer

    2. Configure FortiAnalyzer logging on the FortiGate

    3. Configure an automation stitch that is triggered by a FortiAnalyzer event handler

    Configure a FortiGate event handler on the FortiAnalyzer

    On the FortiAnalyzer, configure an event handler for the automation stitch. In this example, the event handler is triggered by two or more invalid log in attempts to the FortiGate in less than one minute. See Creating a custom event handler in the FortiAnalyzer Administration Guide for more information.

    To configure an event handler on the FortiAnalyzer:

    1. Go to Incidents & Events > Handlers, select the Basic Handlers tab, and click Create New.

    2. Set Name to log-handler.

    3. Enable Automation Stitch.

    4. Click Add New Rule and configure a rule with two conditions:

      Field

      Value

      Name

      login

      Event Severity

      Medium

      Log Device Type

      FortiGate

      Log Type

      Event Log (event)

      Log Subtype

      System (system)

      Log Field

      Log ID (logid)

      Log Filters

      All Filters

      Log Field

      Level (pri)

      Match Criteria

      Equal To

      Value

      Alert

      Log Field

      Action (action)

      Match Criteria

      Equal To

      Value

      login

      Trigger an event when

      A group contains 2 or more log occurrences

      All logs were generated within 1 minute

      Tags

      (Optional) InvalidLogin

    5. Configure the other settings as needed then click OK.

    6. Click OK.

    Configure FortiAnalyzer logging on the FortiGate

    See Configuring FortiAnalyzer for more information.

    To configure FortiAnalyzer logging:

    1. On the FortiGate, go to Security Fabric > Fabric Connectors, double-click the Logging & Analytics card, and go to the FortiAnalyzer tab.

    2. Check that the Status is Enabled.

    3. Set Server to the IP address of the FortiAnalyzer.

    4. Set Upload option as needed.

    5. Click OK and accept the FortiAnalyzer certificate.

    6. On the FortiAnalyzer, authorize the FortiGate. See Unauthorized devices in the FortiAnalyzer Administration Guide

    Configure an automation stitch that is triggered by a FortiAnalyzer event handler

    When a FortiAnalyzer event handler is triggered, it sends a notification to the FortiGate automation framework, which generates a log and triggers the automation stitch.

    To configure an automation stitch that is triggered by a FortiAnalyzer event handler in the GUI:

    1. Go to Security Fabric > Automation and click Create New.

    2. Enter the stitch name, auto-faz-1.

    3. Configure the trigger:

      1. Click Add Trigger.

      2. Click Create and select FortiAnalyzer Event Handler.

      3. Enter the following:

        Name

        auto-faz-1

        Event handler name

        log-handler

        Event severity

        Medium

        Event tag

        Optional. Enter only if you have specified a custom tag for the event handler.

        In this case, set to InvalidLogin.

      4. Click OK.

      5. Select the trigger in the list and click Apply.

    4. Configure the Email notification action:

      1. Click Add Action.

      2. Click Create and select Email.

      3. Enter the following:

        Name

        auto-faz-1_email

        To

        Enter an email address

        Subject

        CSF stitch alert

        Body

        User login FortiGate failed attempts %%log%%

      4. Click OK.

      5. Select the action in the list and click Apply.

    5. Click OK.

    To configure an automation stitch that is triggered by a FortiAnalyzer event handler in the CLI:

    1. Create an automation trigger:

      config system automation-trigger
    edit "auto-faz-1"
        set event-type faz-event
        set faz-event-name "log-handler"
        set faz-event-severity "medium"
        set faz-event-tags "InvalidLogin"
    next
end

    2. Create an automation action:

      config system automation-action
    edit "auto-faz-1_email"
        set action-type email
        set email-to "tsmith@ztnademo.com"
        set email-subject "CSF stitch alert"
        set message "User login FortiGate failed attempts %%log%%"
    next
end

    3. Create the automation stitch:

      config system automation-stitch
    edit "auto-faz-1"
        set trigger "auto-faz-1"
        config actions
            edit 1
                set action "auto-faz-1_email"
                set required enable
            next
        end
    next
end

    View the trigger event log

    To view the trigger event log:

    1. Attempt to log in to the FortiGate with the wrong password twice in a row.

    2. Check that two system logs with severity Alert are generated on the FortiGate:

      # execute log filter field subtype system
# execute log filter category event
# execute log display
    ...
11: date=2025-06-06 time=11:59:14 eventtime=1749236354989858133 tz="-0700" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin" ui="https(172.16.7.254)" method="https" srcip=172.16.7.254 dstip=172.16.7.1 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(172.16.7.254) because of invalid password"
12: date=2025-06-06 time=11:59:12 eventtime=1749236352450280347 tz="-0700" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin" ui="https(172.16.7.254)" method="https" srcip=172.16.7.254 dstip=172.16.7.1 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(172.16.7.254) because of invalid password"

    3. This triggers an event on the FortiAnalyzer that sends a notification to the FortiGate automation framework:

      # diagnose debug application autod -1
# diagnose debug enable
__handle_req_body()-109: subscriber update: name subscr-node msg_type 0 msg_len 309:
{"format":0,"category_filter":2,"free_style":[{"category":"event","filter":"(logid 0100022040 0100065304 0100022041 0100065305 0100022042 0100065306 0100022043 0100022044 0100022045 0100022901 0100022902 0100022903 0100022808 0100022809 0100053400 0100053401 0100026004 0100065311)","filter_type":"include"}]}

pid:2086-__handle_msg()-414: Subscriber:4 received package. pubid:0 pkgid:97 pkg_index:0
pid:2086-__handle_pkg_logs()-356: Subscriber:4 processing package size:1512 logs:1 pickup:1
pid:2086-__subscr_close_cur_pkg()-140: close package size:1512 logs:1
__action_email_hdl()-190: email action (auto-faz-1_email) is called. 
from: 
to:tsmith@ztnademo.com; 
subject:CSF stitch alert

      An alert email is sent out and an automation stitch log is generated. The email sent by the action will look similar to the following:

    4. To view the log in the GUI, go to Log & Report > System Events, select General System Events, and from the log location dropdown select FortiAnalyzer.

    5. To view the trigger event log in the CLI:

      # execute log display
    ...
9: date=2025-06-06 time=11:59:37 eventtime=1749236376747950301 tz="-0700" logid="0100046600" type="event" subtype="system" level="notice" vd="root" logdesc="Automation stitch triggered" stitch="auto-faz-1" trigger="auto-faz-1" stitchaction="auto-faz-1_email" from="log" msg="stitch:auto-faz-1 is triggered.
    Previous
    Next