Administration Guide

FortiAnalyzer event handler trigger

You can trigger automation stitches based on FortiAnalyzer event handlers. This allows you to define rules based on complex correlations across devices, log types, frequencies, and other criteria.

To set up a FortiAnalyzer event handler trigger:

  1. Configure a FortiGate event handler on the FortiAnalyzer
  2. Configure FortiAnalyzer logging on the FortiGate
  3. Configure an automation stitch that is triggered by a FortiAnalyzer event handler

Configure a FortiGate event handler on the FortiAnalyzer

On the FortiAnalyzer, configure an event handler for the automation stitch. In this example, the event handler is triggered when an administrator logs in to the FortiGate. See Creating a custom event handler in the FortiAnalyzer Administration Guide for more information.

To configure an event handler on the FortiAnalyzer:
  1. Go to FortiSoC > Handlers > FortiGate Event Handlers, and click Create New.
  2. Configure an event handler with two conditions for the automation stitch:

    Log Type:     Event Log
    Log Subtype:  System
    Group By:     Device ID
    Logs match:   Any of the following conditions

    Log Field    Match Criteria    Value
    Level        Equal To          Information
    Action       Equal To          login

  3. Configure the other settings as needed.

  4. Click OK.

Configure FortiAnalyzer logging on the FortiGate

See Configuring FortiAnalyzer for more information.

To configure FortiAnalyzer logging in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the FortiAnalyzer Logging card.
  2. In the Settings > FortiAnalyzer tab, ensure the Status is Enabled, and configure the settings as needed.
  3. Click OK.

To configure FortiAnalyzer logging in the CLI:

config log fortianalyzer setting
    set status enable
    set server "10.6.30.250"
    set serial "FL-4HET000000000"
    set upload-option realtime
    set reliable enable
end

Configure an automation stitch that is triggered by a FortiAnalyzer event handler

When a FortiAnalyzer event handler is triggered, it sends a notification to the FortiGate automation framework, which generates a log and triggers the automation stitch.

To configure an automation stitch that is triggered by a FortiAnalyzer event handler in the GUI:
  1. Go to Security Fabric > Automation and click Create New.
  2. Enter the stitch name, auto-faz-1.
  3. Configure the trigger:
    1. Click Add Trigger.
    2. Click Create and select FortiAnalyzer Event Handler.
    3. Enter the following:

      Name:                auto-faz-1
      Event handler name:  system-log-handler2
      Event severity:      Medium
      Event tag:           User login successful

    4. Click OK.
    5. Select the trigger in the list and click Apply.
  4. Configure the Email notification action:
    1. Click Add Action.
    2. Click Create and select Email.
    3. Enter the following:

      Name:     auto-faz-1_email
      To:       Enter an email address
      Subject:  CSF stitch alert
      Body:     User login FortiGate successfully.

    4. Click OK.
    5. Select the action in the list and click Apply.
  5. Click OK.

To configure an automation stitch that is triggered by a FortiAnalyzer event handler in the CLI:
  1. Create an automation trigger:
    config system automation-trigger
        edit "auto-faz-1"
            set event-type faz-event
            set faz-event-name "system-log-handler2"
            set faz-event-severity "medium"
            set faz-event-tags "User log in successful"
        next
    end
  2. Create an automation action:
    config system automation-action
        edit "auto-faz-1_email"
            set action-type email
            set email-to "admin@fortinet.com"
            set email-subject "CSF stitch alert"
            set message "User login FortiGate successfully."
        next
    end
  3. Create the automation stitch:
    config system automation-stitch
        edit "auto-faz-1"
            set trigger "auto-faz-1"
            config actions
                edit 1
                    set action "auto-faz-1_email"
                    set required enable
                next
            end
        next
    end

View the trigger event log

To view the trigger event log in the GUI:
  1. Log in to the FortiGate.

    The FortiAnalyzer sends a notification to the FortiGate automation framework, generates an event log on the FortiGate, and triggers the automation stitch.

  2. Go to Log & Report > System Events and select General System Events. From the log location dropdown, select FortiAnalyzer.

To view the trigger event log in the CLI:
# execute log display
    ...
    date=2019-02-05 time=14:16:17 logid="0100046600" type="event" subtype="system" level="notice" vd="root" eventtime=1549404977 logdesc="Automation stitch triggered" stitch="auto-faz-1" trigger="auto-faz-1" from="log" msg="stitch:auto-faz-1 is triggered."
    ...
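The following Python is an added example, not code from this guide or from Fortinet. It parses FortiGate key=value log records, applies the event handler conditions configured above (Event Log / System, grouped by Device ID, matching any of Level = Information or Action = login), and recognises the "Automation stitch triggered" record shown by execute log display. The devid value and all sample lines except the last one are constructed placeholders.

```python
import re

# Tokenizer for FortiGate key=value log records; values may be quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_log(line):
    """Return a dict of field -> value for one FortiGate log line."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

# The handler from the page: Log Type "Event Log", Log Subtype "System",
# grouped by Device ID, logs match ANY of: Level == Information, Action == login.
HANDLER_CONDITIONS = (("level", "information"), ("action", "login"))

def handler_matches(rec):
    """True if the record satisfies the event handler's log type and conditions."""
    if rec.get("type") != "event" or rec.get("subtype") != "system":
        return False
    return any(rec.get(field, "").lower() == value for field, value in HANDLER_CONDITIONS)

def group_matches_by_device(lines):
    """Group matching records by devid, mirroring the handler's Group By: Device ID."""
    groups = {}
    for line in lines:
        rec = parse_log(line)
        if handler_matches(rec):
            groups.setdefault(rec.get("devid", "unknown"), []).append(rec)
    return groups

def is_stitch_triggered(rec, stitch="auto-faz-1"):
    """Detect the FortiGate event log written when the stitch fires (logdesc from the page)."""
    return rec.get("logdesc") == "Automation stitch triggered" and rec.get("stitch") == stitch

# Constructed sample lines (devid and other values are placeholders); the last line is the
# "Automation stitch triggered" record shown on the page.
SAMPLE_LOGS = [
    'date=2019-02-05 time=14:15:02 devid="FGT-EXAMPLE" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'action="login" status="success" msg="Administrator admin logged in successfully"',
    'date=2019-02-05 time=14:15:30 devid="FGT-EXAMPLE" type="event" subtype="system" '
    'level="warning" vd="root" logdesc="Admin login failed" user="admin" action="login" status="failed"',
    'date=2019-02-05 time=14:15:45 devid="FGT-EXAMPLE" type="traffic" subtype="forward" '
    'level="notice" action="accept"',
    'date=2019-02-05 time=14:16:17 logid="0100046600" type="event" subtype="system" level="notice" '
    'vd="root" eventtime=1549404977 logdesc="Automation stitch triggered" stitch="auto-faz-1" '
    'trigger="auto-faz-1" from="log" msg="stitch:auto-faz-1 is triggered."',
]
```

Note that the stitch-triggered record itself does not satisfy the handler (level notice, no action field), so the handler does not re-fire on its own notification log.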

Sample email

The email sent by the action will look similar to the following:
