Administration Guide

Event management

Event management allows you to specify which events to generate and whether to log the event records on another server in addition to the local appliance. You can limit the number of events generated by selecting a group for each event. Event messages are only created when the event occurs within the specified group.

Specify threshold values for the self-monitoring events by clicking Event Thresholds. These thresholds affect the Performance Summary Panel on the dashboard. They can be edited here or from the Performance Summary Panel. See Performance for additional information.

Some events are generated frequently and may not be necessary for day-to-day operations. Review the list of events and determine which ones to enable to provide you with the most useful feedback. You may choose to enable an event for a short period of time, such as to find a particular host when it connects to the network. See the example below for a scenario in which enabling a particular event might be useful.

Example: Finding a stolen device

This is a scenario for locating a stolen or missing host:

  1. Create a group that contains only the information for that host (including all wired and wireless sibling records).
  2. Enable the host connected event for the new group. When the stolen host connects to the network through the wired or wireless connection, a host connected event is generated.
  3. Map the host connected event to an alarm to receive a notification that the host has connected. You may also take an action against that host if you specified one in the mapping.
  4. When you are notified that the stolen host has connected to the network, use the Host View to determine the device and port to which this host is connected.

Events are generated for all components, such as devices, hosts or ports, unless you reduce the output by selecting a specific group. See Events and alarms list for event definitions.

Events can be sent to an external log host. See Log events to an external log host.
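The stolen-device scenario above can also be checked on the external log host. The following is an added example, not part of the product documentation: it scans forwarded events for a host connected event whose MAC address matches any of the missing host's wired or wireless records. The key="value" line layout, the field names and all sample values are constructed assumptions; adapt the pattern to the format your log host actually receives.

```python
import re

# Assumption: MAC addresses of the missing host's wired and wireless
# sibling records (constructed values, deliberately in mixed notation).
WATCHED_MACS = {"00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f"}

def normalize_mac(mac):
    """Reduce colon, dash or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return digits if len(digits) == 12 else None

# Assumption: events are stored as key="value" pairs. This layout is
# constructed for the example and is not the appliance's documented format.
PAIR = re.compile(r'(\w+)="([^"]*)"')

def find_watched_connections(lines, watched_macs):
    """Return (time, mac, device, port) for each host connected event
    whose MAC matches a watched record."""
    watched = {normalize_mac(m) for m in watched_macs} - {None}
    hits = []
    for line in lines:
        fields = dict(PAIR.findall(line))
        if fields.get("event", "").lower() != "host connected":
            continue  # ignore every other event type
        mac = normalize_mac(fields.get("mac", ""))
        if mac in watched:
            hits.append((fields.get("time"), mac,
                         fields.get("device"), fields.get("port")))
    return hits

# Constructed sample events, not real appliance output.
SAMPLE_LOG = [
    'time="2024-05-01T09:12:03Z" event="Host Connected" mac="00:1A:2B:3C:4D:5E" device="sw-lobby-01" port="Gi1/0/14"',
    'time="2024-05-01T09:12:40Z" event="Host Connected" mac="AA:BB:CC:00:11:22" device="sw-lab-02" port="Gi1/0/3"',
    'time="2024-05-01T09:15:10Z" event="Host Disconnected" mac="00:1A:2B:3C:4D:5E" device="sw-lobby-01" port="Gi1/0/14"',
    'time="2024-05-01T10:01:55Z" event="Host Connected" mac="001a.2b3c.4d5f" device="ap-floor3" port="wlan0"',
]

if __name__ == "__main__":
    for hit in find_watched_connections(SAMPLE_LOG, WATCHED_MACS):
        print("watched host connected:", hit)
```

Normalizing the MAC before comparison matters because the wired and wireless records, and the devices reporting them, may not use the same notation.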

Settings

Fields used in filters are also defined in this table.

Field

Definition

Event Thresholds

Opens the Event Thresholds dialog to set thresholds to monitor license usage, memory usage, process thread counts, and disk space. Exceeding these thresholds generates specific events. See Event thresholds.

Events

Log

Indicates the state of the selected event and where it will be logged if it is generated.

  • Disabled: Event is disabled and will not be generated or logged anywhere.
  • Internal: Logs only to an internal events database.
  • External: Logs only to an external host.
  • Internal & External: Logs both to an internal events database and an external host.

Event Name

Name of the event.

Group

Name of the group of elements, such as a port group, device group or user group, used to limit generation of the selected event to the items in the group.

If set to All Groups, then the event is generated for all items, such as ports, devices, hosts or users.

If no group is displayed, an event is generated for the system, and not a specific item.

Group Type

Indicates whether this event applies to a group of ports, devices, hosts, users or administrators.

Last Modified By

User name of the last user to modify the event.

Last Modified Date

Date and time of the last modification to this event.

Right click options

Modify Group

Opens the Modify Group window.

Show Audit Log

Opens the admin auditing log showing all changes made to the selected item.

For information about the admin auditing log, see Admin auditing.

Note

You must have permission to view the admin auditing log. See Add an administrator profile.

Disable Logging

Disables the event. The event will not be generated or logged anywhere.

Log Internal

Logs the event only to an internal events database.

Log External

Logs the event only to an external host.

Log Internal & External

Logs the event to both an internal events database and an external host.

Buttons

Export

Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. See Export data.

Options

Allows you to change the log or group setting for one or more selected events.

Modify Group

Change the group setting for one or more selected events.
