Administration Guide

Event log category triggers

There are six default automation triggers based on event log categories:

  • Anomaly logs
  • IPS logs
  • SSH logs
  • Traffic violations
  • Virus logs
  • Web filter violations

When multi VDOM mode is enabled, individual VDOMs can be specified so that the trigger only applies to logs generated in those VDOMs.

config system automation-trigger
    edit "Anomaly Logs"
        set trigger-type event-based
        set event-type anomaly-logs
        set vdom <name>
    next
    edit "IPS Logs"
        set trigger-type event-based
        set event-type ips-logs
        set vdom <name>
    next
    edit "SSH Logs"
        set trigger-type event-based
        set event-type ssh-logs
        set vdom <name>
    next
    edit "Traffic Violation"
        set trigger-type event-based
        set event-type traffic-violation
        set vdom <name>
    next
    edit "Virus Logs"
        set trigger-type event-based
        set event-type virus-logs
        set vdom <name>
    next
    edit "Webfilter Violation"
        set trigger-type event-based
        set event-type webfilter-violation
        set vdom <name>
    next
end
Note

A maximum of 16 log IDs can be set as triggers for the event log.

Example

In this example, an automation stitch is created that uses the anomaly logs trigger and an email notification action. The trigger specifies which VDOMs should be used. There is a three-second delay between the trigger and action.

To configure an automation stitch with the anomaly logs trigger in the GUI:
  1. Configure the trigger:
    1. Go to Security Fabric > Automation, select the Trigger tab.

    2. Edit the Anomaly Logs trigger.

    3. Add the required VDOMs (root, vdom-nat, vdom-tp).

    4. Click OK.

  2. Configure the action:
    1. Go to Security Fabric > Automation, select the Action tab, and click Create New.

    2. In the Notifications section, click Email and enter the following:

       Name: email_default_rep_message
       To: Enter an email address
       Subject: CSF stitch alert
       Replacement message: Enable

    3. Click OK.

  3. Configure the stitch:
    1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.

    2. Enter the name, anomaly-logs-stitch.

    3. Click Add Trigger. Select Anomaly Logs and click Apply.

    4. Click Add Action. Select email_default_rep_message and click Apply.

    5. Click Add delay (between the trigger and action). Enter 3 and click OK.

    6. Click OK.

To configure an automation stitch with the anomaly logs trigger in the CLI:
  1. Configure the trigger:
    config system automation-trigger
        edit "Anomaly Logs"
            set event-type anomaly-logs
            set vdom "root" "vdom-nat" "vdom-tp"
        next
    end
  2. Configure the action:
    config system automation-action
        edit "email_default_rep_message"
            set action-type email
            set email-to "admin@fortinet.com"
            set email-subject "CSF stitch alert"
            set replacement-message enable
        next
    end
  3. Configure the stitch:
    config system automation-stitch
        edit "anomaly-logs-stitch"
            set description "anomaly-logs"
            set trigger "Anomaly Logs"
            config actions
                edit 1
                    set action "email_default_rep_message"
                    set delay 3
                    set required enable
                next
            end
        next
    end
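The three CLI steps above are easy to get subtly wrong (a stitch that names a trigger or action that does not exist, or a delay that is not a whole number of seconds) and the CLI does not cross-check them for you. The following is an added example, not code from the Fortinet guide: a small parser for the config/edit/set/next/end syntax shown on this page, with a validator that checks those references and reports the VDOM scope a stitch inherits from its trigger. The sample configuration is the guide's own example concatenated; the assumption that trigger-type defaults to event-based when not set is marked in the code.

```python
"""Parse and check the FortiOS automation stitch CLI config.

Added example, not code from the Fortinet guide: parses config/edit/set/
next/end blocks and checks the references a stitch silently breaks on.
"""
import shlex

# The six event-log category trigger types listed in the guide.
EVENT_LOG_CATEGORIES = {"anomaly-logs", "ips-logs", "ssh-logs",
                        "traffic-violation", "virus-logs", "webfilter-violation"}

# Constructed sample: the guide's three CLI steps, concatenated.
SAMPLE_CONFIG = """\
config system automation-trigger
    edit "Anomaly Logs"
        set event-type anomaly-logs
        set vdom "root" "vdom-nat" "vdom-tp"
    next
end
config system automation-action
    edit "email_default_rep_message"
        set action-type email
        set email-to "admin@fortinet.com"
        set email-subject "CSF stitch alert"
        set replacement-message enable
    next
end
config system automation-stitch
    edit "anomaly-logs-stitch"
        set trigger "Anomaly Logs"
        config actions
            edit 1
                set action "email_default_rep_message"
                set delay 3
                set required enable
            next
        end
    next
end
"""
# Constructed negative case: misspelled action reference and a non-numeric delay.
BROKEN_CONFIG = (SAMPLE_CONFIG
                 .replace('set action "email_default_rep_message"', 'set action "email_default_rep_msg"')
                 .replace("set delay 3", "set delay 3s"))


def parse_fortios(text):
    """Nested dicts: table -> entry name -> {set key: [values], nested table: {...}}."""
    root, stack = {}, []  # stack holds ("table", dict) or ("entry", dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        top = stack[-1][0] if stack else None
        if cmd == "config":
            parent = stack[-1][1] if stack else root
            stack.append(("table", parent.setdefault(" ".join(args), {})))
        elif cmd == "edit" and top == "table":
            stack.append(("entry", stack[-1][1].setdefault(args[0], {})))
        elif cmd == "set" and top == "entry":
            stack[-1][1][args[0]] = args[1:]
        elif (cmd == "next" and top == "entry") or (cmd == "end" and top == "table"):
            stack.pop()
        else:
            raise ValueError(f"unexpected statement at this nesting level: {line}")
    if stack:
        raise ValueError("unterminated config or edit block")
    return root


def validate(cfg):
    """Return the problems found; an empty list means the stitch config is consistent."""
    problems = []
    triggers = cfg.get("system automation-trigger", {})
    actions = cfg.get("system automation-action", {})
    for tname, trig in triggers.items():
        etype = trig.get("event-type", [""])[0]
        # Assumption: trigger-type defaults to event-based when not set, as in the guide's CLI example.
        ttype = trig.get("trigger-type", ["event-based"])[0]
        if etype in EVENT_LOG_CATEGORIES and ttype != "event-based":
            problems.append(f"trigger {tname!r}: {etype} is an event-log category, trigger-type must be event-based")
    for sname, stitch in cfg.get("system automation-stitch", {}).items():
        tref = stitch.get("trigger", [None])[0]
        if tref not in triggers:
            problems.append(f"stitch {sname!r}: trigger {tref!r} is not defined")
        for idx, act in stitch.get("actions", {}).items():
            aref = act.get("action", [None])[0]
            if aref not in actions:
                problems.append(f"stitch {sname!r} action {idx}: action {aref!r} is not defined")
            delay = act.get("delay", ["0"])[0]
            if not delay.isdigit():
                problems.append(f"stitch {sname!r} action {idx}: delay {delay!r} is not a whole number of seconds")
    return problems


def stitch_vdoms(cfg, stitch_name):
    """VDOMs the stitch's trigger is scoped to; empty means no VDOM restriction was set."""
    stitch = cfg["system automation-stitch"][stitch_name]
    return cfg["system automation-trigger"][stitch["trigger"][0]].get("vdom", [])
```

Run validate() over the output of `show system automation-trigger`, `show system automation-action` and `show system automation-stitch` pasted into one file; an empty list means every stitch points at a trigger and actions that exist. The parser only understands the config/edit/set/next/end statements shown on this page, which is all a show dump of these tables contains.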

Verification

Once an anomaly log is generated in one of the selected VDOMs, the automation stitch is triggered and the email notification is sent.

To confirm that the stitch was triggered in the GUI:
  1. Go to Security Fabric > Automation and select the Stitch tab.
  2. Verify the Last Triggered column.
To confirm that the stitch was triggered in the CLI:
# diagnose test application autod 2
...
stitch: anomaly-logs-stitch
        destinations: all
        trigger: Anomaly Logs
                type:anomaly logs

                field ids:
                        (id:6)vd=root,vdom-nat,vdom-tp

        local hit: 1 relayed to: 0 relayed from: 0
        actions:
                email_default_rep_message type:email interval:0
                        delay:3 required:yes
                        subject: CSF stitch alert
                        body: %%log%%
                        sender:
                        mailto:admin@fortinet.com;
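The autod dump above is the authoritative record of whether a stitch actually fired (the local hit counter) and of what it will do when it does. The following is an added example, not code from the Fortinet guide: a parser for that dump so the post-change check can be scripted from captured command output, plus a check that compares the dump against the intended trigger, VDOM scope and action. The sample text is the guide's output reproduced as a constructed string; the field names in the parsed dictionaries are this example's own.

```python
"""Confirm a stitch fired from `diagnose test application autod 2` output.

Added example, not from the Fortinet guide: parses the per-stitch dump the
guide shows so the post-change check can be scripted from captured output.
"""
import re

# Constructed sample: the dump shown in the guide, as captured from the CLI.
SAMPLE_AUTOD = """\
stitch: anomaly-logs-stitch
        destinations: all
        trigger: Anomaly Logs
                type:anomaly logs

                field ids:
                        (id:6)vd=root,vdom-nat,vdom-tp

        local hit: 1 relayed to: 0 relayed from: 0
        actions:
                email_default_rep_message type:email interval:0
                        delay:3 required:yes
                        subject: CSF stitch alert
                        body: %%log%%
                        sender:
                        mailto:admin@fortinet.com;
"""

HIT_RE = re.compile(r"local hit:\s*(\d+)\s+relayed to:\s*(\d+)\s+relayed from:\s*(\d+)")
ACTION_RE = re.compile(r"^(\S+)\s+type:(\S+)\s+interval:(\d+)")
FIELD_RE = re.compile(r"\(id:(\d+)\)(\w+)=(\S+)")
KV_RE = re.compile(r"(\w+):\s*(.*?)(?=\s+\w+:|$)")  # "delay:3 required:yes", "subject: CSF stitch alert"


def parse_autod(text):
    """One dict per stitch: trigger, trigger_type, fields, hits and the action lines."""
    stitches, cur, action = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("stitch:"):
            cur = {"trigger": None, "trigger_type": None, "fields": {}, "hits": None, "actions": []}
            stitches[line.split(":", 1)[1].strip()] = cur
            action = None
        elif cur is None:
            continue  # preamble before the first stitch, e.g. the "..." the guide elides
        elif line.startswith("trigger:"):
            cur["trigger"] = line.split(":", 1)[1].strip()
        elif line.startswith("type:") and action is None:
            cur["trigger_type"] = line.split(":", 1)[1].strip()
        elif (m := FIELD_RE.search(line)):
            cur["fields"][m.group(2)] = m.group(3).split(",")
        elif (m := HIT_RE.search(line)):
            cur["hits"] = {"local": int(m.group(1)), "relayed_to": int(m.group(2)), "relayed_from": int(m.group(3))}
        elif (m := ACTION_RE.match(line)):
            action = {"name": m.group(1), "type": m.group(2), "interval": int(m.group(3))}
            cur["actions"].append(action)
        elif action is not None:
            action.update(KV_RE.findall(line))  # attribute lines indented under the action
    return stitches


def check_stitch(parsed, name, trigger, vdoms, action):
    """Discrepancies between the dump and the intended config; an empty list means verified."""
    st = parsed.get(name)
    if st is None:
        return [f"stitch {name!r} not present in autod output"]
    issues = []
    if st["trigger"] != trigger:
        issues.append(f"trigger is {st['trigger']!r}, expected {trigger!r}")
    if st["fields"].get("vd", []) != vdoms:
        issues.append(f"vdom scope is {st['fields'].get('vd')}, expected {vdoms}")
    if not st["hits"] or st["hits"]["local"] == 0:
        issues.append("stitch has never fired locally (local hit is 0)")
    acts = {a["name"]: a for a in st["actions"]}
    if action not in acts:
        issues.append(f"action {action!r} not bound")
    elif acts[action].get("required") != "yes":
        issues.append(f"action {action!r} is not marked required")
    return issues
```

The local hit counter is the value to watch: a stitch whose trigger, scope and action all look right but whose counter stays at 0 after the test log was generated has not matched, and the usual reasons are the log being produced in a VDOM that is not in the trigger's vd list or the stitch not being enabled. The relayed counters only become relevant when the stitch is shared across a Security Fabric.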