Description |
This article describes the points to consider when configuring Action Parameters, such as %%log%%, in a custom CLI action:
The value of %%log%% is substituted with fields from the log or FortiAnalyzer event that triggers the action. For instance, when configuring an automatic configuration backup after a configuration change on firmware v7.2, as illustrated in the guide at: action parameters such as '%%log.devid%%', '%%log.devname%%', and '%%date%%' are set in the command:
execute backup config ftp /Backup/ backup-%%date%%-%%log.devid%%-%%log.devname%%.conf 192.168.55.4 testuser testpassword
In this case, the file name becomes 'backup-2023-12-06-%%log.devid%%-%%log.devname%%.conf'. This discrepancy arises because the log fields in older firmware versions differ from those in newer ones, and some fields are no longer available or have been altered.
For example, in the system event log (configuration change log), the fields 'devid' and 'devname' are absent in the v7.2 or higher branches and only the 'date' field is present, so it is the only parameter FortiGate replaces.
An event log sample is:
date=2023-12-06 time=15:13:10 eventtime=1701904390549380633 tz="-0800" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(172.17.97.116)" action="Edit" cfgtid=10616838 uuid="73cf512e-200a-51ee-8887-5b9ad900b806" cfgpath="firewall.policy" cfgobj="21" cfgattr="status[enable->disable]status[disable->enable]" msg="Edit firewall.policy 21" |
Scope | FortiGate. |
Solution |
To include specific fields, use %%log.<desired field in the logs>%%. FortiGate then replaces the parameter with the corresponding value from the log; for example, %%log.time%% and %%log.user%% insert the timestamp and the user who made the configuration change. |
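An added example (not Fortinet code and not part of the original article): a small Python check that parses a sample of the triggering log and lists which action parameters in a CLI script have no matching log field, so a broken backup file name is caught before the automation runs. The function names are hypothetical. Resolving %%date%% from the log's 'date' field and leaving unmatched parameters as literal text are assumptions that model the behaviour described above.

```python
import re
import shlex

# Constructed sample: the v7.2 configuration-change event log quoted above, shortened.
SAMPLE_LOG = (
    'date=2023-12-06 time=15:13:10 tz="-0800" logid="0100044547" type="event" '
    'subtype="system" level="information" vd="root" user="admin" '
    'ui="GUI(172.17.97.116)" action="Edit" cfgpath="firewall.policy" '
    'cfgobj="21" msg="Edit firewall.policy 21"'
)

# File-name part of the backup command from the article.
TEMPLATE = "backup-%%date%%-%%log.devid%%-%%log.devname%%.conf"

PLACEHOLDER = re.compile(r"%%([A-Za-z0-9_.]+)%%")


def parse_log(line):
    """Split a key=value log line into a dict; quoted values keep their spaces."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def lookup(name, fields):
    """Value for a parameter name ('log.user' or 'date'), or None if the log lacks it."""
    key = name[len("log."):] if name.startswith("log.") else name
    return fields.get(key)


def unresolved(script, fields):
    """Parameters in the script that this log sample cannot fill."""
    return [m.group(0) for m in PLACEHOLDER.finditer(script)
            if lookup(m.group(1), fields) is None]


def render(script, fields):
    """Substitute known parameters; unknown ones stay literal (assumed behaviour)."""
    def sub(m):
        value = lookup(m.group(1), fields)
        return m.group(0) if value is None else value
    return PLACEHOLDER.sub(sub, script)


if __name__ == "__main__":
    fields = parse_log(SAMPLE_LOG)
    print("rendered  :", render(TEMPLATE, fields))
    print("unresolved:", unresolved(TEMPLATE, fields))
```

Run it against a log sample taken from the firmware version that will trigger the automation; any parameter it reports needs to be replaced with a field that the log actually carries.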