ckarwei
Staff
April 5, 2021

Technical Tip: How to configure email alerts for configuration changes on FortiGate using FortiAnalyzer event handler


Description


This article describes how to configure email alerts for configuration changes on FortiGate using FortiAnalyzer event handler.

 

Scope

 

FortiAnalyzer.

Solution

 

  1. Set up a mail server under System Settings -> Advanced -> Mail Server.

[Screenshot: mail server.JPG]

  2. Create a new event handler at Incidents & Events -> Handlers -> Event Handler List.

Note:

In the newer versions of FortiAnalyzer (v6.4.x), Incidents and Events have been replaced by FortiSOC.

In FortiAnalyzer (v7.x), Incidents and Events have not been replaced.

  3. Set the 'Log Device Type' to 'FortiGate' and the 'Log Type' to 'Event Log'. Under 'Log Field', select 'Log ID'.
     Enter the values '0100044546' and '0100044547'.

[Screenshot: kb_20011_2.png]

  4. Select 'Send Alert Email'.
     Enter the email address and select the 'Email Server' that was created earlier.

[Screenshot: kb_20011_3.png]

  5. Log ID information can be checked from the received logs in 'Log View'.
     'Log ID' can be used to filter different logs, for example admin login/logoff and FortiAnalyzer disconnection.

[Screenshot: Stephen_G_0-1730304728765.png]
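As an added example (not part of the original article and not Fortinet code), the following Python script reproduces offline what the event handler configured above does: it parses FortiGate key=value event log lines, keeps only the two configuration-change Log IDs the handler watches (0100044546 and 0100044547) and builds the subject and body of an alert. The sample log lines, device name, device ID and IP addresses are constructed for illustration; field names other than logid follow the FortiGate key=value log convention as assumed here, and the filter and alert-building functions are my own, not a FortiAnalyzer API.

```python
"""
Added example (not from the Fortinet article): an offline filter that mirrors
the FortiAnalyzer event handler for FortiGate configuration-change logs.
"""
import re
from typing import Dict, List

# Log IDs the event handler in the article matches on (from the article).
CONFIG_CHANGE_LOGIDS = {"0100044546", "0100044547"}

# key=value pairs: values are either double-quoted (may contain spaces,
# parentheses, brackets) or bare tokens without whitespace.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict of fields."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def is_config_change(fields: Dict[str, str]) -> bool:
    """Mirror the handler filter: Event Log whose Log ID is one of the two IDs."""
    return fields.get("type") == "event" and fields.get("logid") in CONFIG_CHANGE_LOGIDS


def build_alert(fields: Dict[str, str]) -> Dict[str, str]:
    """Build an alert subject and body from the fields of a matched log."""
    device = fields.get("devname", "unknown-device")
    subject = f"[FortiAnalyzer] Configuration change on {device} (logid {fields['logid']})"
    wanted = ("date", "time", "devname", "user", "ui", "action", "cfgpath", "cfgobj", "msg")
    body = "\n".join(f"{k}: {fields[k]}" for k in wanted if k in fields)
    return {"subject": subject, "body": body}


def alerts_from_lines(lines: List[str]) -> List[Dict[str, str]]:
    """Run the filter over raw log lines and return one alert per match."""
    return [build_alert(f) for f in map(parse_fortigate_log, lines) if is_config_change(f)]


# Constructed sample lines (hypothetical device, ID and addresses, not real output).
# Lines 1 and 3 carry the two configuration-change Log IDs; line 2 is an admin
# login event with a different Log ID and line 4 is a traffic log, so neither matches.
SAMPLE_LOGS = [
    'date=2021-04-05 time=10:15:01 devname="FGT-LAB" devid="FGVMXXXXXXXXXXXX" logid="0100044547" '
    'type="event" subtype="system" level="information" vd="root" user="admin" ui="GUI(192.0.2.10)" '
    'action="Edit" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"',
    'date=2021-04-05 time=10:16:30 devname="FGT-LAB" devid="FGVMXXXXXXXXXXXX" logid="0100032001" '
    'type="event" subtype="system" level="information" vd="root" user="admin" ui="ssh(192.0.2.10)" '
    'action="login" status="success" msg="Administrator admin logged in successfully from ssh(192.0.2.10)"',
    'date=2021-04-05 time=10:17:45 devname="FGT-LAB" devid="FGVMXXXXXXXXXXXX" logid="0100044546" '
    'type="event" subtype="system" level="information" vd="root" user="admin" ui="GUI(192.0.2.10)" '
    'action="Edit" cfgpath="system.global" cfgattr="hostname[FGT-LAB->FGT-PROD]" msg="Edit system.global"',
    'date=2021-04-05 time=10:18:00 devname="FGT-LAB" devid="FGVMXXXXXXXXXXXX" logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.0.5 dstip=198.51.100.7 action="accept"',
]

if __name__ == "__main__":
    for alert in alerts_from_lines(SAMPLE_LOGS):
        print(alert["subject"])
        print(alert["body"])
        print()
```

Running the script prints two alerts, one per configuration-change line; the login and traffic lines are dropped by the same Log ID filter the handler applies, which is a quick way to check which Log IDs a handler should carry before relying on the email alert.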

 

Troubleshooting Event Generation Failure

 

Send the corresponding information in the ticket:

  • Config of FortiAnalyzer.

  • Raw log of FortiAnalyzer.

  • exe tac report

 

To test delivery through the configured mail server from the FortiAnalyzer CLI:

diagnose test connection mailserver <mailserver> <source SMTP address> <destination SMTP address>

 

The following commands on the FortiAnalyzer will provide more information regarding the SMTP client application.

For FortiManager / FortiAnalyzer v7.6 or above, perform a flow capture:

 

diagnose debug application fazmaild ?
<Integer> Debug level (0 - 8).
diagnose debug application fazmaild 8
diagnose debug timestamp enable
diagnose debug enable
diagnose debug disable <----- To stop it.
diagnose debug reset

 

In the FortiAnalyzer, enter the following commands while running a 'diagnose log test' action in the FortiGate CLI:

 

diagnose test application sqllogd 200
diagnose test application sqllogd 200 status
diagnose test application sqllogd 200 config
diagnose debug application sqllogd 8
diagnose debug enable
diagnose debug application fazmaild 255
diagnose debug disable
diagnose debug reset

 

Related documents: