Fortinet black logo

Administration Guide

FortiOS event log trigger

FortiOS event log trigger

You can configure a FortiOS event log trigger for when a specific event log ID occurs. You can select multiple event log IDs, and apply log field filters. FortiOS event log triggers can be configured from the Security Fabric > Automation > Trigger page, or by using the shortcut on the Log & Report > System Events > Logs page.

Note

A maximum of 16 log IDs can be set as triggers for the event log.

To configure a FortiOS event log trigger in the GUI:
  1. Go to Security Fabric > Automation, select the Trigger tab, and click Create New.
  2. In the Miscellaneous section, click FortiOS Event Log.

  3. Enter a name and description.
  4. In the Event field, click the + to select multiple event log IDs.

    The Event options correspond to the Message Meaning listed in the FortiOS Log Message Reference. Hover over an entry to view the tooltip that includes the event ID and log name. In this example, the Admin login successful event in the GUI corresponds to log ID 32001, which is LOG_ID_ADMIN_LOGIN_SUCC.

  5. In the Field filter(s) field, click the + to add multiple field filters. The configured filters must match in order for the stitch to be triggered.
    1. To view the list of available fields for a log, refer to the FortiOS Log Message Reference by appending the log ID to the document URL (https://docs.fortinet.com/document/fortigate/7.4.3/fortios-log-message-reference/<log_ID>).

  6. Click OK.
To configure a FortiOS event log trigger in the CLI:
config system automation-trigger
    edit "event_login_logout"
        set description "trigger for login logout event"
        set event-type event-log
        set logid 32001 32003
        config fields
            edit 1
                set name "user"
                set value "csf"
            next
            edit 2
                set name "srcip"
                set value "10.6.30.254"
            next
        end
    next
end

System Events page shortcut

A FortiOS Event Log trigger can be created using the shortcut on the System Events > Logs page. In this example, a trigger is created for a FortiGate update succeeded event log.

To configure a FortiOS Event Log trigger from the System Events page:
  1. Go to Log & Report > System Events and select the Logs tab.

  2. Select a log for a successful FortiGate update, then right-click and select Create Automation Trigger.

    The Create New Automation Trigger pane opens to configure the FortiOS Event Log settings.

  3. Enter a name (such as trigger-update). The Event field is already populated with FortiGate update succeeded.

  4. Optionally in the Field filter(s) field, click the + to add multiple field filters. The configured filters must match in order for the stitch to be triggered.

  5. Click OK. The trigger is now listed on the Security Fabric > Automation > Trigger page.

FortiOS event log trigger

You can configure a FortiOS event log trigger for when a specific event log ID occurs. You can select multiple event log IDs, and apply log field filters. FortiOS event log triggers can be configured from the Security Fabric > Automation > Trigger page, or by using the shortcut on the Log & Report > System Events > Logs page.

Note

A maximum of 16 log IDs can be set as triggers for the event log.

To configure a FortiOS event log trigger in the GUI:
  1. Go to Security Fabric > Automation, select the Trigger tab, and click Create New.
  2. In the Miscellaneous section, click FortiOS Event Log.

  3. Enter a name and description.
  4. In the Event field, click the + to select multiple event log IDs.

    The Event options correspond to the Message Meaning listed in the FortiOS Log Message Reference. Hover over an entry to view the tooltip that includes the event ID and log name. In this example, the Admin login successful event in the GUI corresponds to log ID 32001, which is LOG_ID_ADMIN_LOGIN_SUCC.

  5. In the Field filter(s) field, click the + to add multiple field filters. The configured filters must match in order for the stitch to be triggered.
    1. To view the list of available fields for a log, refer to the FortiOS Log Message Reference by appending the log ID to the document URL (https://docs.fortinet.com/document/fortigate/7.4.3/fortios-log-message-reference/<log_ID>).

  6. Click OK.
To configure a FortiOS event log trigger in the CLI:
config system automation-trigger
    edit "event_login_logout"
        set description "trigger for login logout event"
        set event-type event-log
        set logid 32001 32003
        config fields
            edit 1
                set name "user"
                set value "csf"
            next
            edit 2
                set name "srcip"
                set value "10.6.30.254"
            next
        end
    next
end

System Events page shortcut

A FortiOS Event Log trigger can be created using the shortcut on the System Events > Logs page. In this example, a trigger is created for a FortiGate update succeeded event log.

To configure a FortiOS Event Log trigger from the System Events page:
  1. Go to Log & Report > System Events and select the Logs tab.

  2. Select a log for a successful FortiGate update, then right-click and select Create Automation Trigger.

    The Create New Automation Trigger pane opens to configure the FortiOS Event Log settings.

  3. Enter a name (such as trigger-update). The Event field is already populated with FortiGate update succeeded.

  4. Optionally in the Field filter(s) field, click the + to add multiple field filters. The configured filters must match in order for the stitch to be triggered.

  5. Click OK. The trigger is now listed on the Security Fabric > Automation > Trigger page.