Help
FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
ck_FTNT
Staff
Staff

Created on ‎07-10-2019 04:45 PM Edited on ‎10-30-2024 08:55 AM By Moderator

Article Id 195250

Technical Tip: Creating alerts when FortiAnalyzer stops receiving logs from FortiGate

Description

 

This article describes how to configure FortiAnalyzer to provide alerts when it stops receiving logs from FortiGate, such as when the connection is interrupted.

 

Scope

 

FortiAnalyzer.

 

Solution

 

  1. Configure the time threshold at which FortiAnalyzer generates a 'no logs received' message.

 

In FortiAnalyzer 5.4 and 5.6, the default value is 5 minutes. Starting in 6.0, the value is 1440 minutes (or 24 hours).

 

Adjust the value with the following CLI command:

 

config system locallog setting

(setting)# set log-interval-dev-no-logging X

(setting)# end

 

It is important to consider that lowering this value, thereby increasing the frequency of 'no logs received' messages, may hinder FortiAnalyzer's performance.

 

Starting from versions  FortiAnalyzer 7.2.4 and 7.4.2 and above, the time threshold at which FortiAnalyzer generates a 'no logs received' message can be configured by using newly added parameter  'no-log-detection-threshold'  into  'config system locallog setting', and not previous one 'log-interval-dev-no-logging'.

 

config system locallog setting

(setting)# set no-log-detection-threshold X

(setting)# end

 

Clarification:

  • New configuration 'no-log-detection-threshold':  It is used to generate a 'Device Offline' Log when the threshold is reached.
  • Previous configuration 'log-interval-dev-no-logging': Now it is used as an interval to print local or appevent event messages indicating the device is offline if the device continues offline.

For example if  'no-log-detection-threshold' is set to 5 minutes and  'log-interval-dev-no-logging' to 10 minutes, then the first log indicating that device x is offline will be generated after 5 minutes. If the device continues offline then FortiAnalyzer will generate event 'Device Offline' logs every 10 minutes.

 

  1. Create an event handler that triggers when a 'no logs received' message is logged.

     

Below is a raw text sample log of the error:

 

itime=2019-08-06 13:56:22 dstepid=1 devid=FL3K5XXXXXXXX msg=Did not receive any log from device DEVICE_NAME[DEVICE_SN] in last 17289 minutes.

idseq=245935346703925353 type=event dtime=2019-08-06 13:56:22 devname=FL3K5XXXXXXXX dsteuid=1 itime_t=1565124982 user=system date=2019-08-06

desc=Device offline level=warning log_id=0029038009 epid=1 userfrom=system subtype=logdev time=13:56:22 euid=1

 

Choose an identifying text or a variable to use in the event handler to match this type of error. This article will use the variable desc, which is equal to 'Device offline' in this type of error.

 

Next, create an event handler for the variable or text chosen from this particular log. It is only possible to handle local log events (events generated by FortiAnalyzer) from the root ADOM.

 

  1. Go to the root ADOM, navigate to Incidents & Events -> Handlers -> Event Handler List, and select Create New. Under some versions of FortiAnalyzer, this is FortiSoC -> Handlers -> Event Handler List instead.

  2. Give the handler a name and, optionally, a description.

  3. Under Devices, select 'Local Device'. If 'Local Device' is not available, it is not in the root ADOM.

  4. Delete the pre-defined filter entry by selecting the trash icon.

  5. Add 'desc=="Device offline"' to the Generic Text Filter. This filter will match any logs where the variable desc's value is 'Device offline'.

  6. Fill in 'Generate alert when at least 1 matches occurred over a period of 1 minutes'.

  7. Check Send Alert Email under Notifications and fill in To, From, and Subject with the preferred settings. Select the pre-configured mail server using the drop-down, or create new mail server settings by selecting the + button.

 

Select OK to confirm changes. FortiAnalyzer will now provide an alert when it stops receiving logs from FortiGate.

 

Anthony_E_0-1665649553508.png

 

As mentioned, the Event Handler List is accessible under either FortiSoC or Incidents & Events, depending on the version of FortiAnalyzer, or whether FortiSoC is disabled.

 

Vito_0-1665650344790.png

 

How the alerts function:

 

  1. FortiAnalyzer will generate a local log message when no logs have been received from a device in the configured time.

  2. The Event Handler will perform the configured action to send an email when the log is detected.

 

Related document:

Administration Guide: Event handlers

Technical Tip: How to create Event Handler for FortiAnalyzer Local Events

Technical Note: Use of Operators in Event Handler General Filter (syntax)

Preview file
30 KB
Labels:
11918
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.