Under some circumstances, a FortiGate may stop logging to FortiAnalyzer, such as when connectivity is interrupted.
This article describes how to configure FortiAnalyzer to provide alerts when this occurs.
1) Set the interval at which FortiAnalyzer checks for devices that have not sent any logs. When a device has been silent for the whole interval, FortiAnalyzer generates a local "Device offline" event log, which the event handler below will match:

# config system locallog setting
(setting)# set log-interval-dev-no-logging X
(setting)# end

Here X is the interval in minutes. It is important to consider that lowering this value, and thereby increasing the frequency of the check, may hinder FortiAnalyzer performance.

2) Create an event handler which is triggered based on the above log. Below is a sample log in raw format which would trigger the event handler:

itime=2019-08-06 13:56:22 dstepid=1 devid=FL3K5XXXXXXXX msg=Did not receive any log from device DEVICE_NAME[DEVICE_SN] in last 17289 minutes. idseq=245935346703925353 type=event dtime=2019-08-06 13:56:22 devname=FL3K5XXXXXXXX dsteuid=1 itime_t=1565124982 user=system date=2019-08-06 desc=Device offline level=warning log_id=0029038009 epid=1 userfrom=system subtype=logdev time=13:56:22 euid=1

Based upon this log, one method is to use "desc=Device offline" in the event handler to match this type of log.

Create a handler for this particular log. It is only possible to handle local log events (events generated by FortiAnalyzer) from the root ADOM.

1) Go to the root ADOM and select Incidents & Events -> Handlers -> Event Handler List, then select Create New.
2) Give the handler a name and, optionally, a description.
3) Select "Local Device" for Devices. If "Local Device" is not displayed, the current ADOM is not the root ADOM.
4) Delete the pre-defined filter entry by selecting the trash icon.
5) Configure the Generic Text Filter as desc=="Device offline".
6) Adjust "Generate alert when at least 1 matches occurred over a period of 1 minutes" as required.
7) Check "Send Alert Email" under Notifications and fill out To, From and Subject. Select the pre-configured mail server using the drop-down, or create the mail server settings by selecting the +.
8) Select OK.
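As an added example (not from the original article or from Fortinet), the Python below parses the raw local log shown above and applies the same match the handler's Generic Text Filter uses (desc=="Device offline"), then pulls the silent device's name, serial and silence duration out of the msg field. It is useful for testing an equivalent rule in a SIEM or for checking what a forwarded copy of this log would contain. The field layout and msg wording are assumed to be exactly as in the sample log; device identifiers are the article's placeholders.

```python
import re
from typing import Dict, Optional

# Constructed from the raw "Device offline" log shown in the article;
# device identifiers are the article's placeholders, not real values.
SAMPLE_LOG = (
    "itime=2019-08-06 13:56:22 dstepid=1 devid=FL3K5XXXXXXXX "
    "msg=Did not receive any log from device DEVICE_NAME[DEVICE_SN] in last 17289 minutes. "
    "idseq=245935346703925353 type=event dtime=2019-08-06 13:56:22 devname=FL3K5XXXXXXXX "
    "dsteuid=1 itime_t=1565124982 user=system date=2019-08-06 desc=Device offline "
    "level=warning log_id=0029038009 epid=1 userfrom=system subtype=logdev time=13:56:22 euid=1"
)

# Values in this format may contain spaces (itime, msg, desc), so fields are split
# only on whitespace that is immediately followed by the next "key=" token.
_FIELD_SPLIT = re.compile(r"\s+(?=[A-Za-z_][A-Za-z0-9_]*=)")
# Message wording as it appears in the article's sample log (assumed fixed).
_MSG_PATTERN = re.compile(
    r"Did not receive any log from device (?P<name>[^\[\]]+)\[(?P<sn>[^\]]+)\] "
    r"in last (?P<minutes>\d+) minutes\."
)


def parse_local_log(line: str) -> Dict[str, str]:
    """Split a FortiAnalyzer raw key=value log line into a dict of string fields."""
    fields: Dict[str, str] = {}
    for token in _FIELD_SPLIT.split(line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value.strip('"')
    return fields


def device_offline_alert(line: str) -> Optional[Dict[str, object]]:
    """Apply the handler's filter desc=="Device offline" to one raw log line.

    Returns None when the line does not match; otherwise returns the details an
    alert e-mail would want: which device went silent and for how long.
    """
    fields = parse_local_log(line)
    if fields.get("desc") != "Device offline":
        return None
    m = _MSG_PATTERN.search(fields.get("msg", ""))
    return {
        "device_name": m.group("name") if m else None,
        "device_sn": m.group("sn") if m else None,
        "silent_minutes": int(m.group("minutes")) if m else None,
        "faz_devid": fields.get("devid"),
        "logged_at": f"{fields.get('date')} {fields.get('time')}",
    }
```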