FortiAnalyzer
LennartElbers
Article Id 342211
Description

This article describes how to configure a FortiAnalyzer event handler to trigger only during a specified time schedule, such as from 09:00 AM to 05:00 PM, using a custom Generic Text filter for logs.

Scope

FortiAnalyzer.

Solution

Before starting, ensure that the FortiGate and FortiAnalyzer versions are compatible (refer to the compatibility matrix). Verify that the FortiGate device or Security Fabric is connected to FortiAnalyzer and authorized.

To configure an event handler on FortiAnalyzer up to version 7.2, navigate to FortiSoC -> Handlers -> Event Handler List -> Create New.

On version 7.4 and higher, navigate to Incidents & Events -> Handlers -> Basic Handlers -> Create New.

This article focuses on limiting the event handler by time schedule and does not cover the full event handler configuration.

Configuring the Time Schedule for Event Handler:

  1. Once in the event handler creation page, select Add New Rule.
  2. The Log Field entry can filter on itime (the time the log event was received) or dtime (the time the log event was generated), but it cannot filter on the time of day alone, because both fields carry the date as well as the time.
  3. To work around this limitation, use a Generic Text Filter (up to version 7.2) or Log Filter by Text (from version 7.4) to apply a regex-based time filter.

    Raw log example:

date=2024-09-17 time=14:26:21 id=7415587376749084681 itime="2024-09-17 14:26:22" euid=1025 epid=104 dsteuid=3 dstepid=3 logver=700140601 logid=0101037138 type="event" subtype="vpn" level="notice" action="tunnel-up" msg="IPsec connection status change" logdesc="IPsec connection status changed" user="1.1.1.1" remip=2.2.2.2 locip=3.3.3.3 remport=500 locport=500 outintf="port1" cookies="91b2930a5103b558/f76c431487c1b9cc" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="IPSec" tunnelid=2923235845 tunneltype="ipsec" duration=0 sentbyte=0 rcvdbyte=0 nextstat=0 eventtime=1726575981460154431 tz="+0200" useralt="N/A" devid="FGVM" vd="root" dtime="2024-09-17 14:26:21" itime_t=1726575982 devname="FortiGate"

Notice the itime and dtime fields, where:

  • itime represents the time the log event was received by FortiAnalyzer.
  • dtime is the time the log event was generated on the FortiGate device.

The filters below match on the time field, which is the time of day in the FortiGate's local time zone (the tz field carries its UTC offset, +0200 in the example). The schedule therefore follows the FortiGate's clock: if FortiAnalyzer and the FortiGate run in different time zones, the handler triggers during the FortiGate's local hours, not FortiAnalyzer's.

Using Regex for Time-Based Filtering:

The ~ operator performs an unanchored regular-expression match against the value of the named log field, and the FortiGate time field is zero-padded hh:mm:ss (for example, time=09:05:01). Write the hour with two digits: an unpadded pattern such as "9:[0-9][0-9]:[0-9][0-9]" also matches 19:00:00 through 19:59:59, because "9:" is a substring of "19:".

To filter logs by time (e.g., 09:00:00 to 09:59:59), use the following regex in the Generic Text Filter (Log Filter by Text from version 7.4):

time ~ "09:[0-9][0-9]:[0-9][0-9]"

For a broader time range (e.g., 09:00:00 to 10:59:59), combine one term per hour with the 'or' operator:

time ~ "09:[0-9][0-9]:[0-9][0-9]" or time ~ "10:[0-9][0-9]:[0-9][0-9]"

To match logs within the time window of 09:00:00 to 16:59:59, use the following filter:

time ~ "09:[0-9][0-9]:[0-9][0-9]" or time ~ "10:[0-9][0-9]:[0-9][0-9]" or time ~ "11:[0-9][0-9]:[0-9][0-9]" or time ~ "12:[0-9][0-9]:[0-9][0-9]" or time ~ "13:[0-9][0-9]:[0-9][0-9]" or time ~ "14:[0-9][0-9]:[0-9][0-9]" or time ~ "15:[0-9][0-9]:[0-9][0-9]" or time ~ "16:[0-9][0-9]:[0-9][0-9]"
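The following Python script is an added example, not part of this article and not FortiAnalyzer code. It models the filter locally so the behavior can be checked before the handler is deployed: it parses FortiGate key=value log lines, generates the per-hour filter expression for any set of hours (contiguous or not), evaluates the expression the way the text above describes it, and shows why the hour must be zero-padded. The sample log lines are constructed for the example. It assumes that ~ is an unanchored regex search on the field value and that 'or' joins terms; only those two constructs are implemented.

```python
import re

# Constructed sample log lines in FortiGate key=value format (made up for this
# example, not captured from a device); the time values straddle the window.
SAMPLE_LOGS = [
    'date=2024-09-17 time=08:59:59 logid=0101037138 type="event" subtype="vpn" '
    'action="tunnel-up" msg="IPsec connection status change" tz="+0200" devname="FortiGate"',
    'date=2024-09-17 time=09:00:00 logid=0101037138 type="event" subtype="vpn" '
    'action="tunnel-up" msg="IPsec connection status change" tz="+0200" devname="FortiGate"',
    'date=2024-09-17 time=12:30:15 logid=0101037138 type="event" subtype="vpn" '
    'action="tunnel-down" msg="IPsec connection status change" tz="+0200" devname="FortiGate"',
    'date=2024-09-17 time=16:59:59 logid=0101037138 type="event" subtype="vpn" '
    'action="tunnel-up" msg="IPsec connection status change" tz="+0200" devname="FortiGate"',
    'date=2024-09-17 time=17:00:00 logid=0101037138 type="event" subtype="vpn" '
    'action="tunnel-up" msg="IPsec connection status change" tz="+0200" devname="FortiGate"',
    'date=2024-09-17 time=19:30:00 logid=0101037138 type="event" subtype="vpn" '
    'action="tunnel-up" msg="IPsec connection status change" tz="+0200" devname="FortiGate"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# One filter term as written in the article: field ~ "regex"
TERM_RE = re.compile(r'^\s*(\w+)\s*~\s*"([^"]*)"\s*$')


def parse_log(line):
    """Split a FortiGate key=value log line into a dict, stripping value quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def build_time_filter(hours):
    """Return the Generic Text Filter expression for a set of hours (0-23).

    Hours are zero-padded to two digits to mirror the hh:mm:ss time field;
    an unpadded "9:" would also match 19:xx:xx.
    """
    terms = ['time ~ "%02d:[0-9][0-9]:[0-9][0-9]"' % h for h in sorted(set(hours))]
    return " or ".join(terms)


def evaluate_filter(expression, fields):
    """Local model of the filter: `field ~ "regex"` terms joined by `or`.

    Assumption: `~` is an unanchored regex search on the field's value, and a
    term whose field is absent from the log does not match.
    """
    for term in expression.split(" or "):
        match = TERM_RE.match(term)
        if match is None:
            raise ValueError("unsupported filter term: %r" % term)
        field, pattern = match.groups()
        if field in fields and re.search(pattern, fields[field]):
            return True
    return False


def select_logs(expression, lines):
    """Return the time values of the lines the filter would let through."""
    return [parse_log(line)["time"] for line in lines
            if evaluate_filter(expression, parse_log(line))]


# 09:00:00 to 16:59:59, the window used in the article
BUSINESS_HOURS = build_time_filter(range(9, 17))

if __name__ == "__main__":
    print(BUSINESS_HOURS)
    print("in window:", select_logs(BUSINESS_HOURS, SAMPLE_LOGS))
    # Non-contiguous schedule: only the 09:xx and 14:xx hours trigger
    print("09 and 14 only:", select_logs(build_time_filter([9, 14]), SAMPLE_LOGS))
    # The unpadded pattern fires outside the intended hour
    unpadded = 'time ~ "9:[0-9][0-9]:[0-9][0-9]"'
    print("unpadded 9: on 19:30:00 ->", evaluate_filter(unpadded, {"time": "19:30:00"}))
```

Running the script prints the eight-term expression and the three sample times that fall inside 09:00:00 to 16:59:59; the last line shows the unpadded "9:" pattern matching 19:30:00, which is the false positive the two-digit hour avoids. The generated expression can be pasted into the Generic Text Filter as-is.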

 

Quick Troubleshooting:

To test the behavior of the event handler, follow these steps:

  1. Create matching logs for the event handler on the FortiGate, either by running diagnose log test from the FortiGate CLI or by generating appropriate traffic. Do this while the FortiGate's local time is inside the configured window, since the filter is evaluated on the device's time field.
  2. Wait until the logs are visible on the FortiAnalyzer under Log View.
  3. Check the Events column of the newly created event handler. If the event handler has triggered successfully, the number will become clickable, showing the corresponding logs that triggered it.
  4. Upon triggering, notifications will be sent out using the configured notification method, such as email or SNMP.

This method makes it possible to specify any custom time range for event handler triggering, even across non-contiguous periods.
