Correlation handler event Fortimanager/Fortianalyzer account login

Forum|Forum|2 months ago
March 31, 2026
1 reply
241 views

Hello,

I'm running FortiManager-VM64-KVM v7.4.10 build2278.

I was wondering how to create an correlation handler event to trigger for when a specific account logs into FortiManager.

I've tried getting it to work from this log entry (FortiManager > System Settings > Event Logs), but it's not triggering the event even though the account successfully logs in.

2026-03-31 08:18:00 tz="+0100" log_id=0001010018 type=event subtype=system pri=information desc="User login/logout successful" user="myuser@domain.com" userfrom="SSO(IP_address)" msg="User 'myuser@domain.com' (myuser@domain.com) with profile 'Super_User' login accepted from SSO(IP_address)." adom="root" adom_oid=0 session_id=62498 operation="login" performed_on="SSO(IP_address)" changes="'myuser@domain.com' login accepted from SSO(IP_address)" adminprof="Super_User"

Does anyone have a template for this to work?

farhanahmed

Staff

Are you sending FMG Event logs to a separate FAZ ? or the FMG has the FAZ features enabled ?

- Instead of correlation handler, use the regular event handler with log type set to FortiManager event logs (if sending FMG local logs to external FAZ) or local logs (if FMG has FAZ features enabled).

Set filter for operation=login and user = <desired user>.

- Check the screenshot attached.

kajohansson-klippanAuthor

New Member

Hello,

FMG has FAZ features enabled.

Okay so I've tried with the "Basic Event Handler" and in the log filter used both (separately)"Equals To" and "Contains" for the admin name but the event won't trigger even though the account can login.

See attachment.