Technical Tip: Configure Event Handler for specific Source IP and Interface-status change
Description
This article describes creating an event handler with a specific source IP or Interface-status changed and generating alert email when filter matched.
Scope
FortiAnalyzer.
Solution
Configure Email Server on FortiAnalyzer:
- System Settings -> Mail Server -> Create New.
Configure the Event Handler:
- Select on Event Manager -> Event Handler -> Create New.
If the source IP 10.200.0.77 accesses any social networking site (such as facebook.com), it will generate an alert email, as illustrated below:
The Event Handler will send an alert if the physical port (in this example: Port6) goes down, any virtual interface's event handler, like the one of the IPsec Interface (in this example toRM), won't send any email. The Generic Text Filter has to be used for this event, as shown below:
When the tunnel interface (toRM) and the physical interface (Port6) are brought down on FortiGate, only the physical interface (Port6) alert email is received, for the tunnel interface (toR) no alert email is received, as illustrated below:
Debugs on the FortiAnalyzer:
The following commands on the FortiAnalyzer will provide more information regarding the SMTP client application.
For FortiAnalyzer 7.6 or above, perform a flow capture:
diagnose debug application fazmaild 8
diagnose debug timestamp enable
diagnose debug enable
sendmail_loop:1089: sending mail: 6debfcfc-e952-184a-a840-46cff93ad7b6
create_mail_info:433: mail server MailServer has not been marked as unreachable
create_mail_info:459: got mail by name MailServer
prepare_email_data:151: To: xxxx@mail.fortiems.local
prepare_email_data:157: From: xxxx@mail.fortiems.local
prepare_email_data:163: Subject: Interface status alert (medium system alert msg:Link monitor: Interface port6 was turned down MAIN_SITE)
prepare_email_data:172: Date: Wed, 26 Jun 2019 18:35:00 -0700(PDT)
prepare_email_data:196: MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="mixed_fazmaild_v1_1561599300"
--mixed_fazmaild_v1_1561599300
Content-Type: multipart/alternative; boundary="fazmaild_v1_1561599300"
--fazmaild_v1_1561599300
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Transfer-Encoding: 7bit
Subject: msg:Link monitor: Interface port6 was turned down
Device: MAIN_SITE
Severity: medium
From: Skywalker-kvm09(FAZ-VM0000137091)
Trigger: Interface Status
Filter:
Log message:
logver=60 idseq=272907219786268678 itime=1561599276 devid=FGVM020000137959 devname=MAIN_SITE vd=root date=2019-06-27 time=11:34:34 logid="0100020099" type="event" subtype="system" level="warning" eventtime=1561599274 logdesc="Inrface status changed" action="interface-stat-change" status="DOWN" msg="Link monitor: Interface port6 was turned down"
prepare_email_data:207:
--fazmaild_v1_1561599300
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit
Related documents:
- Technical Tip: How to create Event handler in FortiAnalyzer for Policy delete in FortiGate
- Technical Tip: How create event handler in FortiAnalzyer for policy change in FortiGate
- Technical Tip: Setting up a FortiAnalyzer event handler with a specific time schedule