Description
This article describes how to send an alert message to Slack application from FortiAnalyzer.
Scope
FortiAnalyzer, Slack.
Solution
Slack:
- Login to the Slack account, or create a new account and create a workspace:
- Create a new channel where to receive the alerts:
- Create a new application from Slack:
- Enable Incoming Webhooks:
- Copy webhook URL to be used in FortiAnalyzer configuration:
FortiAnalyzer:
- Create Slack Connector under Fabric View -> Fabric -> Fabric Connectors -> Create New -> ITSM -> Slack Connector.
Note:
Paste the URL copied from the webhook URL into the configuration.
- Create a Notification Profile from FortiSoC -> Handlers -> Notification Profile List -> Create New.
Note:
Enable Send Alert through Fabric Connectors and select Slack Connector created earlier.
- Create an event handler with any rule that can trigger the alert under FortiSoC -> Handlres -> Event Handler List -> Create New.
Note:
In this documentation, the rules used to trigger the event are Level = "Critical" and Message = "Virtual cluster detected member join".
- Trigger the event and check on Event Monitor -> Correlated Logs, the time will be slightly different than sent to the webhook alert.
To debug and check for troubleshooting, use the below CLI commands:
diag debug application faznotify 8
diag debug timestamp enable
diag debug enable
Sample output:
2024-02-20 13:51:06 faznotify_handle_active_channel:138: [faznotify][DEBUG]worker[7998] start to handle chan[root:FAZ Slack]
2024-02-20 13:51:06 faznotify_conn_send_channel:963: [faznotify][DEBUG]adom[root] webhook[FAZ Slack] act[send] obj:
{ "fortianalyzer_notification": { "type": "event alert", "adom": "root", "from": "FAZ-VM0000000000", "timestamp": 1708465865, "apiver": 1, "data": [ { "ackflag": "no", "alertid": "202402211000000011", "logcount": "1", "logtype": "event", "devtype": "FortiGate", "subtype": "ha", "alerttime": "1708465865", "firstlogtime": "1708465843", "lastlogtime": "1708465843", "devid": "FGVM010000000000", "devname": "Juara-kvm52", "eventtype": "ha", "groupby1": "Juara-kvm52", "groupby2": "", "groupby3": "", "indicator": "", "readflag": "no", "severity": "high", "subject": "", "tag": "", "triggername": "HA Event - Cluster member joined", "vdom": "root", "epid": "3", "euid": "3", "epip": "", "epname": "no enough info", "euname": "N\/A", "extrainfo": "{ }", "ephostname": "", "epmac": "", "eposname": "", "eposversion": "", "fctuid": "", "log-length": 376, "log-detail": "logver=0700140601 idseq=152431368901492737 itime=1708465843 devid=\"FGVM010000000000\" devname=\"Tiara-kvm37\" vd=\"root\" date=2024-02-21 time=05:50:42 eventtime=1708465843170822718 tz=\"+0800\" logid=\"0108037894\" type=\"event\" subtype=\"ha\" level=\"critical\" logdesc=\"Virtual cluster member joined\" msg=\"Virtual cluster detected member join\" vcluster=1 ha_group=0 sn=\"FGVM010000108292\"" } ] } }
2024-02-20 13:51:06 faznotify_conn_send_channel:972: [faznotify][DEBUG]wrapping message for SLACK type connector
2024-02-20 13:51:06 faznotify_conn_prepare_sender:783: [faznotify][INFO] connection stat normal
2024-02-20 13:51:07 faznotify_conn_send_channel:980: [faznotify][DEBUG]adom[root] webhook[FAZ Slack] RESPONSE:
ok
2024-02-20 13:51:07 faznotify_conn_send_channel:959: [faznotify][DEBUG]adom[root] webhook[FAZ Slack] no more message in channel
2024-02-20 13:51:07 faznotify_handle_active_channel:162: [faznotify][INFO] worker[7998] job done for [root:FAZ Slack] duration[1]seconds sent-count[0]
Related articles:
