Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nithincs
Staff
Staff

Created on ‎05-22-2023 04:58 AM Edited on ‎02-24-2025 02:07 AM By Community Manager

Article Id 257405

Technical Tip: Automation stitch for the admin login and logout

Description This article describes how to create an automation stitch admin user login and logout.
Scope FortiGate v6.4 and above.
Solution

FortiGate creates a log when an Admin user login and logout the fortiGate.

 

Login event:

 

date=2023-05-22 time=13:17:26 eventtime=1684754246523091187 tz="+0200" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1684754246" user="admin" ui="https(10.32.22.111)" method="https" srcip=10.32.22.111 dstip=10.40.19.15 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.32.22.111)"

 

Logout event:

 

date=2023-05-22 time=13:18:34 eventtime=1684754314759921964 tz="+0200" logid="0100032003" type="event" subtype="system" level="information" vd="root" logdesc="Admin logout successful" sn="1684754246" user="admin" ui="https(10.32.22.111)" method="https" srcip=10.32.22.111

 

For monitoring and documentation, it is possible to create a automation in the FortiGate to send the alert mail when an admin user login and logout of the FortiGate.

 

To create an automation stitch, check the following steps:

 

Configure the email server in FortiGate.

 

From GUI:

 

Go to System -> Setting -> Email Service.

 

It is possible to use the default setting with notification.fortinet.net as an email server or Use custom settings.

 

screenshot.png

 

From CLI:

 

config system email-server
    set reply-to "xxxx@test.com"
    set server "notification.fortinet.net"
    set port 465
    set security smtps
end

 

Configure automation:

 

Navigate to Security Fabric -> Automation -> Under Stitch tab Create New:

  • Name the Stitch.
  • Select Trigger as 'FortiOS Event Log' and Event as 'Admin login successful'.
  • Action: Email and enter to mail to which to receive the mail.


Similarly, create the automation for the logout event.

 

screenshot1.PNG

 

For v7.4.x versions and above:

 

Navigate to Security Fabric -> Automation -> Trigger tab -> Create New:

  • Select FortiOS Event Log under Miscellaneous.
  • Name the automation trigger.
  • On the Event option, select 'Admin login successful' and 'Admin logout successful'.

 

automation_trigger.PNG

 

Then go to Security Fabric -> Automation -> Action tab -> Create New:

  • Select Email under Notifications.
  • Name the automation action.
  • Enter the From and To emails and also the Subject for the email.

 

automation_action.PNG

 

Configure the stitch under Security Fabric -> Automation -> Stitch tab -> Create New:

  • Name the automation stitch.
  • Under Add Trigger, select the trigger.
  • Under Action, select the action.

 

automation_stitch.PNG

 

From CLI:

Automation Stitch.

 

config system automation-stitch
    edit "Admin_login"
        set trigger "Admin_login"
        set action "Admin_login_email"
    next
        edit "Admin_logout"
            set trigger "Admin_logout"
            set action "Admin_logout_email"
        next
    end

 

Automation trigger.

 

config system automation-trigger
    edit "Admin_login"
        set event-type event-log
        set logid 32001
    next
        edit "Admin_logout"
             set event-type event-log
             set logid 32003
        next
    end

 

Automation action.

 

config system automation-action
    edit "Admin_login_email"
        set action-type email
        set email-to "xxxxx"
        set email-subject "Login"
        set minimum-interval 5
    next
        edit "Admin_logout_email"
            set action-type email
            set email-to "xxxxx"
            set email-subject "logout"
            set minimum-interval 5
        next
    end

 

Result :

When the user logs in and logs out of the firewall,  the alert mail with the log will be sent.

 

noreply@notification.fortinet.net
4:47 PM (0 minutes ago)
to me

FGT[FGVM010000017397] Automation Stitch:Admin_login is triggered.
date=2023-05-22 time=12:17:26 eventtime="1684754246523091187" tz="+0200" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1684754246" user="admin" ui="https(10.32.22.111)" method="https" srcip="10.32.22.111" dstip="10.40.19.15" action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.32.22.111)"


noreply@notification.fortinet.net
4:48 PM (0 minutes ago)
to me

FGT[FGVM010000017397] Automation Stitch:Admin_logout is triggered.
date=2023-05-22 time=12:18:35 eventtime="1684754314759921964" tz="+0200" logid="0100032003" type="event" subtype="system" level="information" vd="root" logdesc="Admin logout successful" sn="1684754246" user="admin" ui="https(10.32.22.111)" method="https" srcip="10.32.22.111" dstip="10.40.19.15" action="logout" status="success" duration="68" reason="exit" msg="Administrator admin logged out from https(10.32.22.111)"
2369
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.