Article Id 288993

This article describes what to watch for when configuring Action Parameters, such as %%log%%, for a custom CLI action:


The value of %%log%% will be substituted with fields from the log or FortiAnalyzer event that triggers this action.

For instance, when configuring an automatic configuration backup after a configuration change on firmware v7.2, as illustrated in the guide at:

Technical Tip: How to send automated backups of the configuration from a FortiGate with an automatio...

action parameters such as '%%log.devid%%', '%%log.devname%%', and '%%date%%' are used in the command:


execute backup config ftp /Backup/ backup-%%date%%-%%log.devid%%-%%log.devname%%.conf testuser testpassword


In this case, the file name becomes 'backup-2023-12-06%%log.devid%%-%%log.devname%%.conf'. This discrepancy arises because the log fields in older firmware versions differ from those in newer ones: some fields are no longer available or have been altered.


For example, in the system event log (configuration change log), the fields 'devid' and 'devname' are absent in v7.2 and higher branches. Only the 'date' field is present, so it is the only parameter FortiGate replaces.


An event log sample is:


date=2023-12-06 time=15:13:10 eventtime=1701904390549380633 tz="-0800" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(" action="Edit" cfgtid=10616838 uuid="73cf512e-200a-51ee-8887-5b9ad900b806" cfgpath="firewall.policy" cfgobj="21" cfgattr="status[enable->disable]status[disable->enable]" msg="Edit firewall.policy 21"

Scope FortiGate.

To include specific fields, use %%log.<desired field in the logs>%%. FortiGate then replaces the parameter with the corresponding value from the triggering log, such as the timestamp or the user who made the configuration change when %%log.time%% and %%log.user%% are used.
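A way to check a CLI action script against a sample of the triggering log before deploying it, as an added example that is not part of the original article and is not Fortinet code. The names `parse_log` and `preview` are hypothetical, the log line is shortened from the article's sample, and the substitution is a simulation that assumes missing fields are left verbatim, as the article's result shows.

```python
import re
import shlex

# Constructed input: the article's v7.2 configuration-change event, shortened.
SAMPLE_LOG = (
    'date=2023-12-06 time=15:13:10 logid="0100044547" type="event" '
    'subtype="system" vd="root" logdesc="Object attribute configured" '
    'user="admin" action="Edit" cfgpath="firewall.policy" cfgobj="21" '
    'msg="Edit firewall.policy 21"'
)
# The article's CLI action script, unchanged.
SCRIPT = ("execute backup config ftp /Backup/ "
          "backup-%%date%%-%%log.devid%%-%%log.devname%%.conf testuser testpassword")

# Field placeholders only: %%log.<field>%% and the bare form such as %%date%%.
# The whole-log parameter %%log%% is not modelled here.
PLACEHOLDER = re.compile(r"%%(?:log\.)?([A-Za-z0-9_]+)%%")


def parse_log(line):
    """Split a key=value log line into a dict, honouring double-quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def preview(script, fields):
    """Simulate substitution; return (rendered script, unresolved placeholders)."""
    unresolved = set()

    def substitute(match):
        if match.group(1) in fields:
            return fields[match.group(1)]
        unresolved.add(match.group(0))  # assumption: left verbatim, as the article shows
        return match.group(0)

    return PLACEHOLDER.sub(substitute, script), sorted(unresolved)


if __name__ == "__main__":
    rendered, unresolved = preview(SCRIPT, parse_log(SAMPLE_LOG))
    print(rendered)
    for name in unresolved:
        print("not in triggering log:", name)
```

Any placeholder reported as unresolved would end up as literal text in the backup file name, so swap it for a field that is present in the log type that triggers the stitch.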