Created on 07-16-2018 06:22 AM Edited on 11-11-2024 08:34 AM By Stephen_G
Description
This article describes how to configure a custom event handler on FortiAnalyzer and how to test it end to end.
An event handler is a convenient way to trigger an event, and send an alert, whenever a specific log message is seen: either an internal event generated by FortiManager or FortiAnalyzer itself, or a log received from a managed device such as a FortiGate.
Solution
First, generate test log messages from the FortiGate so that there is something for FortiAnalyzer to receive. Run 'diagnose log test' on the FortiGate CLI; the output lists each test message as it is generated:
FG60EPTK12345678# diagnose log test
generating a system event message with level - warning
generating an infected virus message with level - warning
generating a blocked virus message with level - warning
generating a URL block message with level - warning
generating a DLP message with level - warning
generating an IPS log message
generating an anomaly log message
generating an application control IM message with level - information
generating an IPv6 application control IM message with level - information
generating deep application control logs with level - information
generating an antispam message with level - notification
generating an allowed traffic message with level - notice
generating a multicast traffic message with level - notice
generating a ipv6 traffic message with level - notice
generating a wanopt traffic log message with level - notification
generating a HA event message with level - warning
generating a VOIP event message with level - information
generating authentication event messages
generating a Forticlient message with level - information
generating a URL block message with level - warning
generating a DNS message with level - warning
generating an ssh-command pass log with level - notification
generating an ssh-channel block with level - warning
Then check in the FortiAnalyzer log browser that the logs are being received.
For example, go to Log View -> Security -> Antivirus:
If the logs are not received, refer to the related article at the end of this KB article (Troubleshooting Tip: FortiGate to FortiAnalyzer connectivity) for step-by-step troubleshooting and verification.
Configuring the SMTP server and testing it.
Configure the SMTP server under System Settings -> Advanced -> Mail Server:
Note: Avoid using spaces in the name: for example 'Fmg_Gmail' instead of 'Fmg Gmail'.
Then validate the SMTP setting using the Test Mail Server option:
A success message should pop up:
Creating an event detection and alert.
First, select the log event that will trigger the alert. The test below uses the virus-detected event:
It is also possible to view the corresponding event in raw format, which exposes every field of the log and allows more advanced filtering:
Once the corresponding event and its fields are known, the alert can be configured. The more specific the filter, the smaller the chance of false-positive events. In this case, the handler matches only a virus event whose virus name is 'virus_test'.
If the chosen event does not expose a predefined filter field for the value needed, the Generic Text Filter can be used to build the trigger.
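To make the filtering idea concrete, the following added example (not FortiAnalyzer code, and not part of the original article) evaluates a generic-text-style filter over FortiGate key=value log lines. It implements the comparison operators '==', '!=', '~' (contains) and '!~', combined with 'and', 'or' and parentheses, which is the documented shape of the FortiAnalyzer Generic Text Filter; exact edge-case behaviour such as case sensitivity or how a missing field is treated is an assumption of this script, not a statement about the product. The log lines are constructed for the example. It shows why a broad filter such as subtype=="virus" fires on every virus log, while the narrower virus=="virus_test" used in this article fires only on the test event.

```python
"""Illustrative evaluator for FortiAnalyzer-style generic text filters.

Added example, not FortiAnalyzer code. Supports field==value, field!=value,
field~substring, field!~substring, 'and', 'or' and parentheses over
FortiGate key=value log lines. A missing field never matches (assumption).
"""
import re
import shlex

# Constructed sample log lines in FortiGate key=value format (not real logs).
SAMPLE_LOGS = [
    'date=2024-11-11 time=08:34:01 devname="FG60E" type="utm" subtype="virus" '
    'level="warning" action="blocked" virus="virus_test" filename="test.txt" '
    'srcip=10.0.0.5 dstip=203.0.113.10',
    'date=2024-11-11 time=08:34:02 devname="FG60E" type="utm" subtype="virus" '
    'level="warning" action="blocked" virus="EICAR_TEST_FILE" filename="eicar.com" '
    'srcip=10.0.0.6 dstip=203.0.113.11',
    'date=2024-11-11 time=08:34:03 devname="FG60E" type="traffic" subtype="forward" '
    'level="notice" action="accept" srcip=10.0.0.7 dstip=203.0.113.12',
]

# field, operator, then either a double-quoted value or a bare token.
COMPARISON = re.compile(r'(\w+)\s*(==|!=|~|!~)\s*(?:"([^"]*)"|(\S+))')


def parse_log(line):
    """Split a key=value log line into a dict; shlex strips the quotes."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def tokenize(expr):
    """Turn a filter string into a list of '(' / ')' / 'and' / 'or' / (field, op, value)."""
    tokens, pos = [], 0
    while pos < len(expr):
        if expr[pos].isspace():
            pos += 1
            continue
        if expr[pos] in "()":
            tokens.append(expr[pos])
            pos += 1
            continue
        kw = re.match(r"(and|or)\b", expr[pos:])
        if kw:
            tokens.append(kw.group(1))
            pos += kw.end()
            continue
        cmp = COMPARISON.match(expr, pos)
        if not cmp:
            raise ValueError(f"cannot parse filter at: {expr[pos:]!r}")
        value = cmp.group(3) if cmp.group(3) is not None else cmp.group(4)
        tokens.append((cmp.group(1), cmp.group(2), value))
        pos = cmp.end()
    return tokens


class _Parser:
    """Recursive-descent evaluator: 'and' binds tighter than 'or'."""

    def __init__(self, tokens, fields):
        self.tokens, self.fields, self.i = tokens, fields, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse_or(self):
        result = self.parse_and()
        while self.peek() == "or":
            self.take()
            rhs = self.parse_and()  # evaluated eagerly so tokens are consumed
            result = result or rhs
        return result

    def parse_and(self):
        result = self.parse_atom()
        while self.peek() == "and":
            self.take()
            rhs = self.parse_atom()
            result = result and rhs
        return result

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            result = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return result
        if not isinstance(tok, tuple):
            raise ValueError(f"unexpected token {tok!r}")
        field, op, value = tok
        actual = self.fields.get(field)
        if actual is None:
            return False  # missing field never matches (assumption of this example)
        if op == "==":
            return actual == value
        if op == "!=":
            return actual != value
        if op == "~":
            return value in actual
        return value not in actual  # "!~"


def matches(filter_expr, line):
    """True if the log line would fire an event handler using this filter."""
    parser = _Parser(tokenize(filter_expr), parse_log(line))
    result = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"trailing input in filter: {parser.peek()!r}")
    return bool(result)


def triggered_events(filter_expr, lines=SAMPLE_LOGS):
    """Return the parsed fields of every log line that matches the filter."""
    return [parse_log(line) for line in lines if matches(filter_expr, line)]


if __name__ == "__main__":
    for expr in ('subtype=="virus"',
                 'subtype=="virus" and virus=="virus_test"',
                 '(virus~"EICAR" or virus=="virus_test") and action=="blocked"'):
        hits = triggered_events(expr)
        print(f"{expr}: {len(hits)} event(s) -> {[h.get('virus') for h in hits]}")
```

Running the script shows the broad filter firing twice, the narrow one once. The same reasoning applies when writing the real handler: anchor the filter on the field that uniquely identifies the condition you want to alert on (here the virus name), not just on the log type.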
Testing the generated event.
To test whether the event is generated, run the following command on the FortiGate CLI:
diagnose log test
Output: the same list of generated test messages shown earlier in this article.
The test logs are sent to the FortiAnalyzer and the event handler is triggered. The triggered event can be checked under System Settings -> Event Log:
The alert mail is then received, as shown below:
Troubleshooting Event Generation Failure.
If the test is not successful, first identify the stage at which the problem occurs:
Mail server configuration and test validation.
Collect the output of the following FortiAnalyzer CLI command, which sends a test mail through the configured server:
diag test connection mailserver <mailserver> <source SMTP address> <destination SMTP address>
Log reception and event processing. On the FortiAnalyzer CLI, run the commands below while executing 'diagnose log test' on the FortiGate CLI:
diag test application sqllogd 200
diag test application sqllogd 200 status
diag test application sqllogd 200 config
diag debug application sqllogd 8
diag debug enable
diagnose debug application fazmaild 255
diagnose debug disable
diag debug reset
For deeper troubleshooting, refer to the related article at the end of this KB article (Troubleshooting Tip: FortiGate to FortiAnalyzer connectivity).
Related articles:
Troubleshooting Tip: FortiGate to FortiAnalyzer connectivity