Description
This article describes how to configure an automation stitch using message filters derived from event logs.
Scope
FortiGate.
Solution
In the following example, an automation stitch is configured to monitor a specific BGP neighbor going down or up. When such an event occurs, an email notification is sent by filtering for the particular neighbor from the router event logs.
Step 1: Create an automation stitch:
- Go under Security Fabric -> Automation -> Create New.
Step 2: Create an Automation-trigger:
- Assign a name to 'automation-stich'.
- Go under 'Trigger' -> Select 'Create new' -> Select 'FortiOS Event Log'.
- Assign a name to 'automation-trigger'.
- Select the EVENT -> 'BGP neighbor status changed, it monitors log ID: 20300/
- Specify Field Filter -> Field Name : 'msg" and Value : '*neighbor 10.10.10.3 Down*'
- Select 'OK' and select the respective entry.
Step 3: Create an Automation Action.
- Select 'Action' and select 'Create'.
- Select the 'Email' option under the Notification section.
- Specify the respective fields.
- Select 'OK' and select the respective action entry.
Once configured, select 'OK' and verify the automation stitch.
CLI Reference:
config system automation-trigger
edit "automation-trigger"
set event-type event-log
set logid 20300
config fields
edit 1
set name "msg"
set value "*neighbor 10.10.10.3 Down*"
next
end
next
end
config system automation-action
edit "Email"
set action-type email
set email-to "abc@gmail.com"
set email-from "abcdef@abc.com"
set email-subject "%%log.logdesc%%"
set message "%%log%%"
next
end
config system automation-stitch
edit "automation-stich"
set trigger "automation-trigger"
config actions
edit 1
set action "Email Notification"
set required enable
next
end
end
Verification :
When a BGP neighborship goes down, the router event logs record a BGP down event. Subsequently, automation is triggered successfully. Verification is done in the GUI by checking the 'Trigger Count' and 'Last Triggered' fields.
