Created on 09-18-2024 08:39 AM Edited on 10-30-2024 09:36 AM By Stephen_G
This article describes how to configure a FortiAnalyzer event handler to trigger only during a specified time schedule, such as from 09:00 AM to 05:00 PM, using a custom Generic Text filter for logs.
Scope: FortiAnalyzer.
Before starting, ensure that the FortiGate and FortiAnalyzer versions are compatible (refer to the compatibility matrix). Verify that the FortiGate device or security fabric is connected to FortiAnalyzer and authorized.
To configure an event handler on FortiAnalyzer 7.2 and earlier, navigate to FortiSoC -> Handlers -> Event Handler List -> Create New.
On FortiAnalyzer 7.4 and later, navigate to Incidents & Events -> Handlers -> Basic Handlers -> Create New.
This article focuses on limiting the event handler by time schedule and will not cover the full event handler configuration.
Configuring the Time Schedule for Event Handler:
The Generic Text Filter is evaluated against the fields of each raw log as FortiAnalyzer stores it. The following IPsec tunnel-up log received from a FortiGate shows the timestamp fields that matter for a time-based filter:
date=2024-09-17 time=14:26:21 id=7415587376749084681 itime="2024-09-17 14:26:22" euid=1025 epid=104 dsteuid=3 dstepid=3 logver=700140601 logid=0101037138 type="event" subtype="vpn" level="notice" action="tunnel-up" msg="IPsec connection status change" logdesc="IPsec connection status changed" user="1.1.1.1" remip=2.2.2.2 locip=3.3.3.3 remport=500 locport=500 outintf="port1" cookies="91b2930a5103b558/f76c431487c1b9cc" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="IPSec" tunnelid=2923235845 tunneltype="ipsec" duration=0 sentbyte=0 rcvdbyte=0 nextstat=0 eventtime=1726575981460154431 tz="+0200" useralt="N/A" devid="FGVM" vd="root" dtime="2024-09-17 14:26:21" itime_t=1726575982 devname="FortiGate"
Notice the time, itime and dtime fields, where:
- date and time are the timestamp the FortiGate wrote when it generated the log, in the device's local timezone (tz="+0200" in this sample), and time is always zero-padded HH:MM:SS.
- dtime is that same device timestamp as a single date-time value.
- itime is the time at which FortiAnalyzer received and indexed the log, which is why it is one second later than dtime here.
The filter below matches on time, so the schedule is evaluated in the FortiGate's clock and timezone, not FortiAnalyzer's. If the FortiGate's time or timezone is wrong, or the two devices are in different timezones, the window shifts accordingly; keep both devices synchronized with NTP and check the tz value before relying on the filter.
Using Regex for Time-Based Filtering:
To filter logs by time (e.g., 09:00 to 09:59), use the following regex in the Generic Text Filter:
time ~ "09:[0-9][0-9]:[0-9][0-9]"
The hour must be written with its leading zero. The ~ operator matches the pattern anywhere inside the field, and the hour in the time field is zero-padded (09:05:00, not 9:05:00), so a pattern such as "9:[0-9][0-9]:[0-9][0-9]" would match 09:05:00 but also 19:05:00 and silently widen the window.
For a broader time range (e.g., 09:00 to 10:59), combine multiple time blocks with the or operator:
time ~ "09:[0-9][0-9]:[0-9][0-9]" or time ~ "10:[0-9][0-9]:[0-9][0-9]"
To match logs within the time window of 09:00 to 16:59 (i.e., a 09:00 AM to 05:00 PM working day, since 17:00:00 itself is excluded), use the following regex:
time ~ "09:[0-9][0-9]:[0-9][0-9]" or time ~ "10:[0-9][0-9]:[0-9][0-9]" or time ~ "11:[0-9][0-9]:[0-9][0-9]" or time ~ "12:[0-9][0-9]:[0-9][0-9]" or time ~ "13:[0-9][0-9]:[0-9][0-9]" or time ~ "14:[0-9][0-9]:[0-9][0-9]" or time ~ "15:[0-9][0-9]:[0-9][0-9]" or time ~ "16:[0-9][0-9]:[0-9][0-9]"
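As an added example, not part of the original article and not Fortinet's own code: a small Python script that parses FortiGate key=value log lines, evaluates a Generic Text Filter made of `field ~ "regex"` terms joined by `or` against them, and generates the or-chain for any whole-hour window so the long filter does not have to be typed by hand. It assumes that the ~ operator is an unanchored regex "contains" match (the behaviour the zero-padding advice above relies on) and uses constructed sample logs whose only meaningful difference is the time field. Running it shows the unpadded "9:" pattern also firing on 19:30:00, while the padded pattern and the generated working-day filter match only the intended hours.

```python
import re
from typing import Dict, List

# Constructed sample logs (not taken from the article); only the time field varies.
SAMPLE_LOGS = [
    f'date=2024-09-17 time={t} logid=0101037138 type="event" subtype="vpn" '
    f'action="tunnel-up" msg="IPsec connection status change" tz="+0200" devname="FortiGate"'
    for t in ("08:59:59", "09:00:00", "09:59:59", "14:09:21", "16:59:59", "17:00:00", "19:30:00")
]

# key=value pairs; quoted values may contain spaces, unquoted ones end at whitespace.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# One filter term of the form:  field ~ "regex"
TERM_RE = re.compile(r'^\s*(\w+)\s*~\s*"([^"]*)"\s*$')


def parse_log(line: str) -> Dict[str, str]:
    """Split a FortiGate key=value log line into a field dictionary."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(line)}


def evaluate_filter(expr: str, fields: Dict[str, str]) -> bool:
    """Evaluate `field ~ "regex"` terms joined by `or` against one parsed log.

    Assumption: ~ is an unanchored regex search, i.e. the pattern may match anywhere
    in the field value. That is what makes "9:" match both 09:xx:xx and 19:xx:xx.
    """
    for term in re.split(r"\s+or\s+", expr.strip()):
        match = TERM_RE.match(term)
        if not match:
            raise ValueError(f"unsupported filter term: {term!r}")
        field, pattern = match.groups()
        if field in fields and re.search(pattern, fields[field]):
            return True
    return False


def window_filter(start_hour: int, end_hour: int) -> str:
    """Build the or-chain for the whole-hour window [start_hour, end_hour).

    Hours are zero-padded and minutes/seconds restricted to 00-59, so each term can
    only match at the hour position of an HH:MM:SS value.
    """
    if not 0 <= start_hour < end_hour <= 24:
        raise ValueError("window must satisfy 0 <= start_hour < end_hour <= 24")
    return " or ".join(
        f'time ~ "{hour:02d}:[0-5][0-9]:[0-5][0-9]"' for hour in range(start_hour, end_hour)
    )


def matching_times(expr: str, logs: List[str]) -> List[str]:
    """Return the time field of every log that the filter expression would trigger on."""
    return [parse_log(line)["time"] for line in logs if evaluate_filter(expr, parse_log(line))]


BUGGY = 'time ~ "9:[0-9][0-9]:[0-9][0-9]"'      # unpadded hour: also hits 19:xx:xx
FIXED = 'time ~ "09:[0-9][0-9]:[0-9][0-9]"'     # padded hour: 09:xx:xx only
WORKDAY = window_filter(9, 17)                   # 09:00:00 through 16:59:59

if __name__ == "__main__":
    for label, expr in (("buggy", BUGGY), ("fixed", FIXED), ("workday", WORKDAY)):
        print(f"{label:8s} {expr}")
        print(f"{'':8s} matches: {matching_times(expr, SAMPLE_LOGS)}")
```

The generator is handy for non-contiguous schedules too: join the output of `window_filter(9, 12)` and `window_filter(14, 17)` with ` or ` to skip a lunch break. Whatever you paste into the handler, run it against a few logs from just inside and just outside each boundary, as the script does, before trusting it in production.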
Quick Troubleshooting:
To test the behavior of the Event handler, follow these steps:
This method makes it possible to specify any custom time range for event handler triggering, even across non-contiguous periods (for example 09:00 to 11:59 and 14:00 to 16:59, by listing only those hour blocks), as long as each hour block is written with its leading zero and the FortiGate's clock and timezone are correct.
Copyright 2024 Fortinet, Inc. All Rights Reserved.