FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
Article Id 190917
This article describes how to create Event handler in FortiAnalyzer/FortiManager for Policy delete in FortiGate.

When FortiGate sends logs to FortiManager, and when FortiManager enables with FortiAnalyzer feature then, it is possible to use same event handler.

1) Create mail server.

Login to Fortianalyzer and navigate to System setting -> Mail server and select 'Create new'.

Now enter the mail server details.

2) Test Email server working status.

Select 'Mail Server' and select the mail server create in 1). Now select 'Test'.
Notification message popup immediately on same page.

3) Login to Fortianalyzer and navigate to Incident and Event -> Event Handler list and select 'Create new'.
Enter the details as per below screenshot:
Now on same page enter the email notification details:

To: Destination Email address.
From: Source Email address which is present in the mail server.
Mail Server: Created in 1).
Generic text: cfgpath=firewall.policy.
Log Description: Object configured.
Action: Delete.


Try to delete any test policy in FortiGate an email notification wii be received  on the email address mentioned.

Test output:

Related Articles

Technical Tip: How create event handler in FortiAnalzyer for policy change in FortiGate