FortiAnalyzer event handler trigger
You can trigger automation stitches based on FortiAnalyzer event handlers. This allows you to define rules based on complex correlations across devices, log types, frequencies, and other criteria.
To set up a FortiAnalyzer event handler trigger:
- Configure a FortiGate event handler on the FortiAnalyzer
- Configure FortiAnalyzer logging on the FortiGate
- Configure an automation stitch that is triggered by a FortiAnalyzer event handler
On the FortiAnalyzer, configure an event handler for the automation stitch. In this example, the event handler is triggered when an administrator logs in to the FortiGate.
To configure an event handler on the FortiAnalyzer:
- Go to Incidents & Events > Handlers > FortiGate Event Handlers.
- Configure an event handler for the automation stitch.
- Click OK.
See Configuring FortiAnalyzer for more information.
To configure FortiAnalyzer logging in the GUI:
- Go to Security Fabric > Settings.
- Enable and configure FortiAnalyzer Logging.
- Click Apply.
To configure FortiAnalyzer logging in the CLI:
config log fortianalyzer setting set status enable set server "10.6.30.250" set serial "FL-4HET318900407" set upload-option realtime set reliable enable end
When a FortiAnalyzer event handler is triggered, it sends a notification to the FortiGate automation framework, which generates a log and triggers the automation stitch.
To configure an automation stitch that is triggered by a FortiAnalyzer event handler in the GUI:
- Go to Security Fabric > Automation.
- Click Create New.
- In the Trigger section, select FortiAnalyzer Event Handler.
- Set Event handler name to the event that was created on the FortiAnalyzer.
- Set the Event severity, and select or create an Event tag.
- In the Action section, select Email and configure the email recipient and message.
- Click OK.
To configure an automation stitch that is triggered by a FortiAnalyzer event handler in the CLI:
- Create an automation action:
config system automation-action edit "auto-faz-1_email" set action-type email set email-to "email@example.com" set email-subject "CSF stitch alert" set email-body "User login FortiGate successfully." next end
- Create an automation trigger:
config system automation-trigger edit "auto-faz-1" set event-type faz-event set faz-event-name "system-log-handler2" set faz-event-severity "medium" set faz-event-tags "User login successfully" next end
- Create the automation stitch:
config system automation-stitch edit "auto-faz-1" set trigger "auto-faz-1" set action "auto-faz-1_email" next end
View the trigger event log
To see the trigger event log in the GUI:
- Log in to the FortiGate.
The FortiAnalyzer sends notification to the FortiGate automation framework, generates an event log on the FortiGate, and triggers the automation stitch.
- Go to Log & Report > Events and select System Events.
To see event logs in the CLI:
execute log display ... date=2019-02-05 time=14:16:17 logid="0100046600" type="event" subtype="system" level="notice" vd="root" eventtime=1549404977 logdesc="Automation stitch triggered" stitch="auto-faz-1" trigger="auto-faz-1" from="log" msg="stitch:auto-faz-1 is triggered." ...
The email sent by the action will look similar to the following: