Fortinet black logo

CLI Reference

log trigger-policy

log trigger-policy

Use this command to configure a trigger policy for use in the notification process.

You apply trigger policies to individual conditions that have an associated action and severity, such as attacks and rule violations. A trigger policy has the following components:

  • An email policy (contains the details associated with the recipient email account)
  • A Syslog policy (contains details required to communicate with the Syslog server)
  • A FortiAnalyzer policy (contains the IP address of the remote FortiAnalyzer appliance)

The trigger policy determines whether an email is sent to administrators when a certain condition occurs and whether the log messages associated with the condition are stored on a Syslog server or FortiAnalyzer.

You define the email, Syslog, and FortiAnalyzer policies before you apply the trigger policy to an individual condition. For details, see log email-policy, log syslog-policy, and log fortianalyzer-policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the loggrp area. For details, see Permissions.

Syntax

config log trigger-policy

edit "<trigger-policy_name>"

set email-policy "<email-policy_name>"

set syslog-policy "<syslog-policy_name>"

set analyzer-policy "<fortianalyzer-policy_name>"

set siem-policy "<siem-policy_name>"

next

end

Variable Description Default

"<trigger-policy_name>"

Enter the name of a new or existing trigger policy. The maximum length is 63 characters. No default.

email-policy "<email-policy_name>"

Enter the name of the email policy to be used with the trigger policy. The maximum length is 63 characters.

If the conditions associated with the trigger policy occur, the email policy determines the recipients of the notification email messages associated with the condition.

For details, see log email-policy.

No default.

syslog-policy "<syslog-policy_name>"

Enter the name of the Syslog policy to be used with the trigger policy. The maximum length is 63 characters.

If the conditions associated with the trigger policy occur, the Syslog policy determines which Syslog server the messages are sent to.

For details, see log syslog-policy.

No default.

analyzer-policy "<fortianalyzer-policy_name>"

Enter the name of an existing FortiAnalyzer policy to be used with the trigger policy. The maximum length is 63 characters.

For details, see log fortianalyzer-policy.

No default.

siem-policy "<siem-policy_name>"

Enter the name of an existing SIEM policy to be used with the trigger policy. The maximum length is 63 characters.

For details, see log siem-policy.

No default.

Example

This example creates Trigger_policy1, which uses emailpolicy1 to send email notifications about the condition to specific recipients, and Syslog_Policy1 to submit the log messages to a specific Syslog server.

config log trigger-policy

edit "Trigger_policy1"

set syslog-policy "Syslog_Policy1"

set email-policy "emailpolicy1"

next

end

Related topics

log trigger-policy

Use this command to configure a trigger policy for use in the notification process.

You apply trigger policies to individual conditions that have an associated action and severity, such as attacks and rule violations. A trigger policy has the following components:

  • An email policy (contains the details associated with the recipient email account)
  • A Syslog policy (contains details required to communicate with the Syslog server)
  • A FortiAnalyzer policy (contains the IP address of the remote FortiAnalyzer appliance)

The trigger policy determines whether an email is sent to administrators when a certain condition occurs and whether the log messages associated with the condition are stored on a Syslog server or FortiAnalyzer.

You define the email, Syslog, and FortiAnalyzer policies before you apply the trigger policy to an individual condition. For details, see log email-policy, log syslog-policy, and log fortianalyzer-policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the loggrp area. For details, see Permissions.

Syntax

config log trigger-policy

edit "<trigger-policy_name>"

set email-policy "<email-policy_name>"

set syslog-policy "<syslog-policy_name>"

set analyzer-policy "<fortianalyzer-policy_name>"

set siem-policy "<siem-policy_name>"

next

end

Variable Description Default

"<trigger-policy_name>"

Enter the name of a new or existing trigger policy. The maximum length is 63 characters. No default.

email-policy "<email-policy_name>"

Enter the name of the email policy to be used with the trigger policy. The maximum length is 63 characters.

If the conditions associated with the trigger policy occur, the email policy determines the recipients of the notification email messages associated with the condition.

For details, see log email-policy.

No default.

syslog-policy "<syslog-policy_name>"

Enter the name of the Syslog policy to be used with the trigger policy. The maximum length is 63 characters.

If the conditions associated with the trigger policy occur, the Syslog policy determines which Syslog server the messages are sent to.

For details, see log syslog-policy.

No default.

analyzer-policy "<fortianalyzer-policy_name>"

Enter the name of an existing FortiAnalyzer policy to be used with the trigger policy. The maximum length is 63 characters.

For details, see log fortianalyzer-policy.

No default.

siem-policy "<siem-policy_name>"

Enter the name of an existing SIEM policy to be used with the trigger policy. The maximum length is 63 characters.

For details, see log siem-policy.

No default.

Example

This example creates Trigger_policy1, which uses emailpolicy1 to send email notifications about the condition to specific recipients, and Syslog_Policy1 to submit the log messages to a specific Syslog server.

config log trigger-policy

edit "Trigger_policy1"

set syslog-policy "Syslog_Policy1"

set email-policy "emailpolicy1"

next

end

Related topics