FortiAnalyzer
ckarwei
Staff
Article Id 194727

Description


This article describes how to configure email alerts for configuration changes on FortiGate using a FortiAnalyzer event handler, and how to troubleshoot the handler and the mail delivery when no alert arrives.

 

Scope

 

FortiAnalyzer.

Solution

 

  1. Set up a mail server under System Settings -> Advanced -> Mail Server.

 


 

  2. Create a new event handler at Incidents & Events -> Handlers -> Event Handler List.

Note:

In FortiAnalyzer 6.4.x the Incidents & Events pane is named FortiSoC, so the handler list is found under FortiSoC instead.
In FortiAnalyzer 7.x the pane is named Incidents & Events again.

  3. Set the 'Log Device Type' to 'FortiGate' and the 'Log Type' to 'Event Log'. Under 'Log Field', select 'Log ID'.
    Enter the values '0100044546' and '0100044547', the FortiGate event log IDs generated when the configuration is changed.
 
  
  4. Select 'Send Alert Email'.
    Enter the recipient email address and select the 'Email Server' that was created in step 1.
 
  
  5. The Log ID of any received log can be checked in 'Log View'. Before expecting alerts, confirm there that logs with these two IDs are actually arriving from the FortiGate.
    'Log ID' can be used in the same way to filter other events, for example admin login/logoff or FortiAnalyzer disconnection.
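The handler built in steps 2 to 4 is, in effect, a filter on two fields of each incoming FortiGate log (type and logid) followed by a mail action. The following Python script is an added example, not code from this article or from Fortinet: it re-creates that filter over constructed FortiGate event logs in the FortiOS key=value syslog format (the field names are FortiOS's, the values, device names, addresses and the logid 0100099999 are made up) and builds the alert email a recipient would get. The alert format and the function names are this example's own choices, not what FortiAnalyzer sends.

```python
import re
from email.message import EmailMessage

# The two FortiGate event log IDs used in the event handler above.
CONFIG_CHANGE_LOGIDS = {"0100044546", "0100044547"}

# Constructed sample logs in FortiOS key=value syslog format (not captured from
# a device). Field names are the real FortiOS ones; values are illustrative.
SAMPLE_LOGS = [
    # a configuration change: this is what the handler must catch
    'date=2024-10-30 time=14:22:11 devname="FGT-BRANCH" devid="FGT60FTK00000001" '
    'logid="0100044546" type="event" subtype="system" level="information" vd="root" '
    'user="admin" ui="ssh(10.0.0.5)" action="Edit" cfgpath="firewall.policy" '
    'cfgobj="7" cfgattr="action[accept->deny]" msg="Edit firewall.policy 7"',
    # an event log whose logid is not in the set: must be ignored
    # (0100099999 is a placeholder chosen only to be outside the set)
    'date=2024-10-30 time=14:22:13 devname="FGT-BRANCH" devid="FGT60FTK00000001" '
    'logid="0100099999" type="event" subtype="system" level="notice" vd="root" '
    'user="admin" msg="placeholder event outside the handler set"',
    # a traffic log: dropped by the Log Type = Event Log condition
    'date=2024-10-30 time=14:22:14 devname="FGT-BRANCH" devid="FGT60FTK00000001" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.0.0.5 dstip=203.0.113.10 action="accept" msg="placeholder"',
    # a second configuration change, with an escaped quote inside a value
    'date=2024-10-30 time=14:23:02 devname="FGT-BRANCH" devid="FGT60FTK00000001" '
    'logid="0100044547" type="event" subtype="system" level="information" vd="root" '
    'user="netops" ui="https(10.0.0.9)" action="Add" cfgpath="system.admin" '
    'cfgobj="backup-admin" cfgattr="comments[\\"temp\\"]" msg="Add system.admin backup-admin"',
]

# key=value pairs; quoted values may contain backslash-escaped characters
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line):
    """Parse one FortiOS key=value log line into a dict (quotes and escapes removed)."""
    record = {}
    for key, value in _KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        record[key] = value
    return record


def matches_handler(record):
    """Apply the same conditions as the event handler in the article.

    Log Type = Event Log -> type == "event"
    Log Field Log ID     -> logid in the two configuration-change IDs
    Log Device Type = FortiGate is not evaluated here: FortiAnalyzer knows the
    sending device's type from its registration; it is not a field in the log.
    """
    return record.get("type") == "event" and record.get("logid") in CONFIG_CHANGE_LOGIDS


def filter_config_changes(lines):
    """Return the parsed records that would trigger the alert."""
    return [r for r in map(parse_fortios_log, lines) if matches_handler(r)]


def build_alert(records, sender, recipient):
    """Build the alert email for the matching records (layout is this example's own)."""
    msg = EmailMessage()
    devices = sorted({r.get("devname", "unknown") for r in records})
    msg["Subject"] = "FortiGate configuration change on " + ", ".join(devices)
    msg["From"] = sender
    msg["To"] = recipient
    body = []
    for r in records:
        body.append(
            f"{r.get('date')} {r.get('time')} {r.get('devname')} logid={r.get('logid')} "
            f"user={r.get('user')} via {r.get('ui')} {r.get('action')} "
            f"{r.get('cfgpath')} {r.get('cfgobj')}: {r.get('cfgattr')}"
        )
    msg.set_content("\n".join(body) + "\n")
    return msg


if __name__ == "__main__":
    hits = filter_config_changes(SAMPLE_LOGS)
    print(build_alert(hits, "faz@example.com", "secops@example.com"))
```

Running it prints one alert covering the two matching records; the traffic record and the event with a logid outside the set are dropped, which is why both the Log Type and the Log ID conditions belong in the handler. If a real log with one of these IDs is not matched, the usual reasons are the same ones the handler has: the record arrived as a different log type, or the ID differs from the two entered.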


 

Troubleshooting Event Generation Failure

 

If the handler generates no events or the alert email is not delivered, collect the following and attach it to the support ticket:

  • The FortiAnalyzer configuration.
  • The raw logs received by FortiAnalyzer from the FortiGate for the time window in question.
  • The output of 'execute tac report'.

 

First verify that FortiAnalyzer can reach the configured mail server and that it accepts a test message for the sender and recipient used in the handler:

diagnose test connection mailserver <mailserver> <source SMTP address> <destination SMTP address>

 

The following commands on the FortiAnalyzer provide more information about the SMTP client application (fazmaild).

For FortiManager / FortiAnalyzer 7.6 or above, enable debugging of the mail application as follows:

 

diagnose debug application fazmaild ?

    <Integer> Debug level (0-8).

    diagnose debug application fazmaild 8
    diagnose debug timestamp enable
    diagnose debug enable

    diagnose debug disable <- To stop it.
    diagnose debug reset

 

To check the log pipeline and the mail application together, enter the following commands on the FortiAnalyzer while running 'diagnose log test' in the FortiGate CLI ('diag log test' generates test log messages on the FortiGate and sends them to FortiAnalyzer):

 

    diagnose test application sqllogd 200
    diagnose test application sqllogd 200 status
    diagnose test application sqllogd 200 config
    diagnose debug application sqllogd 8
    diagnose debug enable
    diagnose debug application fazmaild 255

    diagnose debug disable <- To stop it.
    diagnose debug reset

 

Related documents:

Technical Tip: How to create Event handler in FortiAnalyzer for Policy delete in FortiGate

Technical Tip: How to create event handler in FortiAnalyzer for policy change in FortiGate

Technical Tip: Setting up a FortiAnalyzer event handler with a specific time schedule

Technical Tip: How to set up Email Notifications with notification.fortinet.net

Troubleshooting Tip: How to understand the email SMTP issues and its causes

Troubleshoot: FortiAnalyzer unable to resolve DNS to mail server

Technical Tip: How to configure email server on FortiAnalyzer to receive reports over email

Mail Server