Fortinet Community

ycho · ‎06-23-2022

Description

This article describes the difference in Asterisk behavior in automation-trigger settings depending on the version.

Scope

FortiOS 6.2, 6.4, 7.0.

Solution

Event log:

logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="xxxxx" user="admin" ui="ssh(x.x.x.x)" method="ssh" srcip=x.x.x.x dstip=x.x.x.x action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from ssh(x.x.x.x)"

Message ID: 32001

Message Description: LOG_ID_ADMIN_LOGIN_SUCC

Message Meaning: Admin login successful

Type: Event

Category: SYSTEM

Severity: Information

When required to set automation-trigger using specific message value in logs, it is possible to configure the automation-trigger settings as below:

# config system automation-trigger
edit "EVENTLOG"
set event-type event-log
set logid 32001
# config fields
edit 1
set name "msg"
set value "Administrator *"

The difference in Asterisk behavior in FortiOS:

In FortiOS 6.4, 7.0 and higher version:

set value "*admin*" <----- Triggered.

set value "Administrator*" <----- Triggered.

set value "logged" <----- Not triggered.

In FortiOS 6.2 version:

set value "*admin*" <----- Not triggered.

set value "Administrator*" <----- Not triggered.

set value "logged" <----- Not triggered.

Conclusion.

In FortiOS 6.2, it should match the overall value, but in version 6.4 and later versions, it is possible to trigger using Asterisk even if only a few words in the message value are known

Fortinet Community

Technical Tip: Difference in Asterisk behavior in automation-trigger settings

News & Articles

Security Research

Company

Contact Us