FortiGate creates a log when an Admin user logs in and logs out the FortiGate.

Login event:

date=2023-05-22 time=13:17:26 eventtime=1684754246523091187 tz="+0200" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1684754246" user="admin" ui="https(10.32.22.111)" method="https" srcip=10.32.22.111 dstip=10.40.19.15 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.32.22.111)"

Logout event:

date=2023-05-22 time=13:18:34 eventtime=1684754314759921964 tz="+0200" logid="0100032003" type="event" subtype="system" level="information" vd="root" logdesc="Admin logout successful" sn="1684754246" user="admin" ui="https(10.32.22.111)" method="https" srcip=10.32.22.111

For monitoring and documentation, it is possible to create an automation in the FortiGate to send the alert mail when an admin user logs in and logs out of the FortiGate.

To create an automation stitch, check the following steps:

Configure the email server in FortiGate.

From GUI:

Go to System -> Settings -> Email Service.

It is possible to use the default setting with notification.fortinet.net as an email server or use custom settings.

From CLI:

config system email-server
    set reply-to "xxxx@test.com"
    set server "notification.fortinet.net"
    set port 465
    set security smtps
end

Configure automation:

Navigate to Security Fabric -> Automation -> Under Stitch tab, Create New:

• Name the Stitch.
• Select Trigger as 'FortiOS Event Log' and Event as 'Admin login successful'.
• Action: Email and enter to email to which to receive the mail.

Similarly, create the automation for the logout event.

For v7.4.x versions and above:

Navigate to Security Fabric -> Automation -> Trigger tab -> Create New:

• Select FortiOS Event Log under Miscellaneous.
• Name the automation trigger.
• On the Event option, select 'Admin login successful' and 'Admin logout successful'.

Then go to Security Fabric -> Automation -> Action tab -> Create New:

• Select Email under Notifications.
• Name the automation action.
• Enter the From and To emails, and also the Subject for the email.

Configure the stitch under Security Fabric -> Automation -> Stitch tab -> Create New:

• Name the automation stitch.
• Under Add Trigger, select the trigger.
• Under Action, select the action.

From CLI:

Automation Stitch.

config system automation-stitch
    edit "Admin_login"
        set trigger "Admin_login"
        set action "Admin_login_email"
    next
        edit "Admin_logout"
            set trigger "Admin_logout"
            set action "Admin_logout_email"
        next
end

Automation trigger.

config system automation-trigger
    edit "Admin_login"
        set event-type event-log
        set logid 32001
    next
        edit "Admin_logout"
             set event-type event-log
             set logid 32003
        next
end

Automation action.

config system automation-action
    edit "Admin_login_email"
        set action-type email
        set email-to "xxxxx"
        set email-subject "Login"
        set minimum-interval 5
    next
        edit "Admin_logout_email"
            set action-type email
            set email-to "xxxxx"
            set email-subject "logout"
            set minimum-interval 5
        next
end

Result :

When the user logs in and logs out of the firewall, an alert email with the log will be sent.

noreply@notification.fortinet.net
4:47 PM (0 minutes ago)
to me

FGT[FGVM010000017397] Automation Stitch:Admin_login is triggered.
date=2023-05-22 time=12:17:26 eventtime="1684754246523091187" tz="+0200" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1684754246" user="admin" ui="https(10.32.22.111)" method="https" srcip="10.32.22.111" dstip="10.40.19.15" action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.32.22.111)"

noreply@notification.fortinet.net
4:48 PM (0 minutes ago)
to me

FGT[FGVM010000017397] Automation Stitch:Admin_logout is triggered.
date=2023-05-22 time=12:18:35 eventtime="1684754314759921964" tz="+0200" logid="0100032003" type="event" subtype="system" level="information" vd="root" logdesc="Admin logout successful" sn="1684754246" user="admin" ui="https(10.32.22.111)" method="https" srcip="10.32.22.111" dstip="10.40.19.15" action="logout" status="success" duration="68" reason="exit" msg="Administrator admin logged out from https(10.32.22.111)"

Note: Starting with FortiOS v7.4.4, the default email server has been switched from notification.fortinet.net to fortinet-notifications.com. This default server is only available to registered devices with an active FortiCare support contract. The reply-to field in the source email is automatically updated to DoNotReply@fortinet-notifications.com for all servers, including custom ones.

Related documents:

Automation stitches

Technical Tip: How to enable the email alerts when the Interface is down and up

Troubleshooting Tip: Alert mail queries

Technical Tip: How to configure alert email settings