AnLi
New Member
March 4, 2026
Question

Detect log outage for different applications running on the same server that are sending logs

  • March 4, 2026
  • 2 replies
  • 308 views

Is there any way I can create a rule to detect missing logs for an application/event type? I have two different applications running on the same server, both using CEF format to send logs to FortiSIEM, so "PH_DEV_MON_LOG_DEVICE_DELAY_HIGH" can't be used, since it detects the log source device missing logs. How should I create a rule to detect such a scenario?

2 replies

Secusaurus
Contributor III
March 6, 2026

Hi @AnLi,

My first idea would be to identify something all the logs from your application have in common (e.g. same event type). Then create a rule that matches against this and uses "Count (Matched Events) = 0" as aggregation. In the rule, you'd then choose a good value for "If this Pattern occurs within any X second time window".

I did not test that, but it would be my first way to try.

Best,

Christian

NSE8 | Fortinet Advanced MSSP Partner
AnLi (Author)
New Member
March 9, 2026

Hi, @Secusaurus

Thanks for the reply. Since I am still getting up to speed with FortiSIEM, I’d like to clarify my understanding of how rule triggers work.

From what I understand, a rule with an aggregation set to 'Count (Matched Events) = 0' generally won't fire because there is no incoming 'anchor' event to trigger the rule evaluation in the first place. Without a matching event to satisfy the initial condition, the rule engine has nothing to process.

Regarding the 'If this Pattern occurs within any X second time window' condition: if my first point is incorrect and the rule can fire on its own, I'm curious about the timing. Since phRuleMaster runs every 30 seconds to scan for matching conditions, wouldn't the rule trigger as soon as it detects no logs within a 30-second window, regardless of what I set 'X' to?

cdurkin_FTNT
Staff
March 6, 2026

If you're using ClickHouse as the event database, you can use Lookup Tables and an Adv SQL Query/Rule to do this.

Lookup Table Definition

Define a Lookup Table exactly as below:

  • Name: eventTypeTracker
  • Description: Tracks Devices and Critical Event Types and Limits

Table Schema:

Key   Name          Type
YES   reportingIP   STRING
YES   eventType     STRING
NO    limit         LONG

Add your entries to the Lookup Table, i.e.:

reportingIP   eventType            limit
10.0.0.1      PH_MY_APP1_Login     0
10.0.0.1      PH_MY_APP2_Failure   0
10.0.0.2      PH_MY_OTHER          5

(Enter a limit of zero for a device to track the case where no events at all are received.)

Query

Test that the Adv SQL query works (Last 1 Hour). This assumes the Enterprise version is in use.

WITH
    now() AS current_time,
    subtractHours(current_time, 1) AS start_time
SELECT
    d.reportingIP,
    d.eventType,
    d.limit,
    coalesce(e.received_count, 0) AS received_count
FROM fsiem.eventTypeTracker_1 AS d
LEFT JOIN (
    SELECT
        reptDevIpAddrV4 AS reportingIP,
        eventType,
        count() AS received_count
    FROM fsiem.events
    WHERE phRecvTime >= start_time AND phRecvTime < current_time
    GROUP BY reptDevIpAddrV4, eventType
) AS e
ON d.reportingIP = e.reportingIP AND d.eventType = e.eventType
WHERE
    (d.limit = 0 AND coalesce(e.received_count, 0) = 0)
    OR
    (d.limit > 0 AND coalesce(e.received_count, 0) < d.limit)

If this meets your objective, I can provide an Adv SQL Rule.
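The lookup-table and query logic from this reply, re-expressed as an added Python example (not FortiSIEM code and not part of the original post): the tracker table and the event records are constructed inline, and the functions mirror the inner GROUP BY, the LEFT JOIN with coalesce, and the two limit conditions, so you can see why the silent second application on a shared reporting IP is flagged while the first one on the same host is not.

```python
from datetime import datetime, timedelta
from collections import Counter

# Constructed lookup table mirroring the eventTypeTracker entries in the reply:
# key = (reportingIP, eventType), value = limit; 0 means "alert if nothing at all arrives".
EVENT_TYPE_TRACKER = {
    ("10.0.0.1", "PH_MY_APP1_Login"): 0,
    ("10.0.0.1", "PH_MY_APP2_Failure"): 0,
    ("10.0.0.2", "PH_MY_OTHER"): 5,
}

# Constructed sample of already-parsed events as (reportingIP, eventType, phRecvTime).
# APP1 on 10.0.0.1 is still logging; APP2 on the same host last logged three hours ago.
NOW = datetime(2026, 3, 6, 12, 0, 0)
EVENTS = [
    ("10.0.0.1", "PH_MY_APP1_Login", NOW - timedelta(minutes=5)),
    ("10.0.0.1", "PH_MY_APP1_Login", NOW - timedelta(minutes=40)),
    ("10.0.0.1", "PH_MY_APP2_Failure", NOW - timedelta(hours=3)),  # outside the window
    ("10.0.0.2", "PH_MY_OTHER", NOW - timedelta(minutes=10)),
    ("10.0.0.2", "PH_MY_OTHER", NOW - timedelta(minutes=20)),
]

def count_received(events, start_time, current_time):
    """Inner subquery: events per (reportingIP, eventType) with start_time <= phRecvTime < current_time."""
    counts = Counter()
    for ip, event_type, recv_time in events:
        if start_time <= recv_time < current_time:
            counts[(ip, event_type)] += 1
    return counts

def find_missing(tracker, events, current_time, window=timedelta(hours=1)):
    """LEFT JOIN + WHERE: tracker entries whose received count fell below their limit.
    Returns a sorted list of (reportingIP, eventType, limit, received_count)."""
    counts = count_received(events, current_time - window, current_time)
    alerts = []
    for (ip, event_type), limit in tracker.items():
        received = counts.get((ip, event_type), 0)  # coalesce(e.received_count, 0)
        if (limit == 0 and received == 0) or (limit > 0 and received < limit):
            alerts.append((ip, event_type, limit, received))
    return sorted(alerts)

if __name__ == "__main__":
    for ip, event_type, limit, received in find_missing(EVENT_TYPE_TRACKER, EVENTS, NOW):
        print(f"{ip} {event_type}: {received} received in the last hour (limit {limit})")
```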

 

AnLi (Author)
New Member
March 9, 2026

@cdurkin_FTNT Thank you for the reply.

We are currently using EventDB and have identified a potential solution using the PH_SYSTEM_DEVICE_NO_EVENTS system event type.

We are testing this as a workaround, but we have a question regarding its behavior. The FortiSIEM Log Reference states this event triggers when no logs are received for 1 hour, yet we are seeing it generated every 15 minutes.

Could you provide further clarification on how this system event functions and why the timing differs from the documentation? We would appreciate your insights.