FortiGate
Mrinmoy
Staff
Article Id 285814
Description This article describes how to configure an automation stitch to provide email alerts when admin login failures appear in the logs.
Scope FortiOS 6.4 or above.
Solution

Create an Automation stitch under Security Fabric -> Automation -> Stitch -> Create New.

[Screenshot: 1.png]

Give it a name and configure a trigger as per the screenshot below:

[Screenshot: 2.png]

Configure an action as per the screenshot below:

[Screenshot: 3.png]

Now test the stitch by entering a wrong user ID or password. Check the status from the firewall and check for an email.

[Screenshot: 4.png]


The resulting CLI configuration is as follows:

Stitch:

config system automation-stitch
    edit "Login-Failure"
        set trigger "Admin-Login"
        config actions
            edit 1
                set action "Login-Failed"
                set required enable
            next
        end
    next
end


Trigger:

config system automation-trigger
    edit "Admin-Login"
        set event-type event-log
        set logid 32002
    next
end

Action:

config system automation-action
    edit "Login-Failed"
        set action-type email
        set email-to "abc@xyz.com"
        set email-subject "Admin Login-Failed"
    next
end

Log: The email will contain the following log:


date=2023-11-23 time=08:34:40 devid="FGT61FTKXXXXXXX" devname="FGT" eventtime=1700757280632505080 tz="-0800" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin" ui="https(209.87.240.230)" method="https" srcip=209.87.240.230 dstip=10.0.0.30 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(209.87.240.230) because of invalid password"
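
Once these alerts are being collected, the same log format can be checked in bulk for repeated failures from one source. The following is an added example, not part of the original article and not Fortinet code: it parses the key=value log format shown above and flags source IPs with several admin login failures in a short window. The function names, the threshold and window values, and the sample lines (built on documentation IP ranges) are assumptions.

```python
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_LOGIN_FAILED = "0100032002"  # logid value from the article's sample log

def parse_kv(line):
    """Split a FortiOS key=value log line; shlex keeps quoted values whole."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def failed_admin_logins(lines):
    """Yield (timestamp, srcip, user, reason) for each admin login failure."""
    for line in lines:
        f = parse_kv(line)
        if f.get("logid") == ADMIN_LOGIN_FAILED and f.get("status") == "failed":
            ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
            yield ts, f.get("srcip"), f.get("user"), f.get("reason")

def noisy_sources(lines, threshold=3, window=timedelta(minutes=5)):
    """Map srcip -> users tried, for sources at/over threshold (assumed values)."""
    by_ip = defaultdict(list)
    for ts, srcip, user, _reason in failed_admin_logins(lines):
        by_ip[srcip].append((ts, user))
    flagged = {}
    for srcip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        for i in range(len(events) - threshold + 1):
            # threshold failures whose first and last fall inside the window
            if events[i + threshold - 1][0] - events[i][0] <= window:
                flagged[srcip] = sorted({u for _, u in events})
                break
    return flagged

def _sample(time, srcip, user="admin", logid=ADMIN_LOGIN_FAILED):
    # Constructed line in the article's log format, using documentation IPs.
    return (f'date=2023-11-23 time={time} logid="{logid}" type="event" user="{user}" '
            f'ui="https({srcip})" srcip={srcip} action="login" status="failed" '
            f'reason="passwd_invalid" msg="Administrator {user} login failed"')

SAMPLE = [
    _sample("08:34:40", "192.0.2.10"), _sample("08:35:02", "192.0.2.10", "root"),
    _sample("08:36:15", "192.0.2.10"), _sample("08:40:00", "198.51.100.7"),
    _sample("08:41:00", "198.51.100.7", logid="0100099999"),  # made-up other logid
]
```

Calling noisy_sources(SAMPLE) returns the one source that reached the threshold together with the usernames it tried.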

 
