Technical Tip: How to create Event Handler in FortiAnalyzer when admin login failed in FortiGate
| Description | This article describes how to create an event handler in FortiAnalyzer to detect failed admin logins on FortiGate. |
| Scope | FortiAnalyzer. |
| Solution | In FortiAnalyzer, go to Incidents & Events -> Event Handlers -> Event Handlers, select Create New, and enter a name for the handler:
Under the Rules section, select Add New Rule and set the following configuration:
- Log Device Type: FortiGate.
- Log Type: Event Log (event).
- Log Subtype: System (system).
- Log Field: Device ID (devid). This is only used for categorizing the events and can be changed as per requirements.
- Log Filters: Log Description Equal To Admin login failed.
The following is an example of the rule configuration:
The event generated can be seen from Incidents & Events -> All Events. An example is shown below:
|
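To check what the rule above should match before relying on the handler, the following added Python example (not Fortinet code and not part of the original article) applies the same filter to FortiGate-style key=value log lines and groups the hits by devid. The sample log lines are constructed, and the `user` and `srcip` fields, the exact case-sensitive reading of "Equal To", and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value syntax (not real logs).
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:01 devid="FGT-EXAMPLE-0001" type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=192.0.2.10',
    'date=2024-05-01 time=10:00:07 devid="FGT-EXAMPLE-0001" type="event" subtype="system" logdesc="Admin login failed" user="root" srcip=192.0.2.10',
    'date=2024-05-01 time=10:01:30 devid="FGT-EXAMPLE-0001" type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=198.51.100.5',
    'date=2024-05-01 time=10:02:12 devid="FGT-EXAMPLE-0002" type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.77',
    'date=2024-05-01 time=10:02:40 devid="FGT-EXAMPLE-0002" type="traffic" subtype="forward" srcip=203.0.113.77 action="accept"',
]

# Matches key="quoted value" or key=bare_value.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The rule from the article: Log Type, Log Subtype and the Log Filters condition.
RULE = {"type": "event", "subtype": "system", "logdesc": "Admin login failed"}
GROUP_BY = "devid"  # the rule's Log Field


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(line)}


def matches_rule(record):
    """Exact, case-sensitive comparison (an assumption about 'Equal To')."""
    return all(record.get(field) == value for field, value in RULE.items())


def failed_admin_logins(lines):
    """Return {devid: [(time, user, srcip), ...]} for lines that match the rule."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if matches_rule(rec):
            events[rec.get(GROUP_BY, "unknown")].append(
                (rec.get("time"), rec.get("user"), rec.get("srcip")))
    return dict(events)


if __name__ == "__main__":
    for devid, hits in failed_admin_logins(SAMPLE_LOGS).items():
        print(f"{devid}: {len(hits)} failed admin login(s)")
        for when, user, srcip in hits:
            print(f"  {when} user={user} srcip={srcip}")
```

Changing `GROUP_BY` to another field such as `srcip` mirrors choosing a different Log Field in the rule: the matched events stay the same and only their grouping changes.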


