FortiGate
enguyen3467
Staff
Article Id 240770
Description

This article describes how to modify the body message of the email alert in an automation stitch notification so that it shows a well-formatted message containing only the information of interest, instead of the raw log format.

Scope

FortiOS from 7.0.x and onward.

Solution

The main syntax to extract the JSON value of a log field is:

  %%log.<log-field>%%

To retrieve the right log field so that the right value is extracted and shown in the email alert, follow this process:

- Identify the log ID needed: in the GUI, under Log & Report, select the log entry that should be seen in the email alert and identify its log ID, which is the last 5 digits.

[Screenshot: enguyen3467_0-1671820575081.png]

- From there, check the official documentation at https://docs.fortinet.com/. Choose the right FortiGate firmware version (7.0.x onward) and scroll down to open the document 'Log Message Reference'.

[Screenshot: enguyen3467_1-1671820575085.png]

- Expand the 'Log Messages' drop-down list to find the right log ID. The log messages are categorized the same way as they appear in the GUI, except that the logs under 'Security Events' each have a dedicated section (Application Control, IPS, DLP, File Filter, SSL, WAF, Web Filter), as do DNS, Email and VoIP.

[Screenshot: enguyen3467_2-1671820575087.png]

Alternatively, simply type the log ID in the 'Search Document' text box and check the search result.

[Screenshot: enguyen3467_3-1671820575088.png]

- Inside the log message, pay attention to the 'Log Field Name' column: that name completes the syntax %%log.<log-field>%% that extracts the value into the email body.

[Screenshot: enguyen3467_4-1671820575089.png]

- Since the syntax extracts only one value from one log field at a time, specify multiple %%log.<log-field>%% placeholders to show several log values in the email alert message.

Here is an example of the body message configured in the automation stitch for the status change of an IPsec tunnel:

[Screenshot: enguyen3467_5-1671820575090.png]

When the stitch is triggered by the tunnel status change, an email alert with content like the following is sent to the recipient address:

[Screenshot: enguyen3467_6-1671820575091.png]
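
As an added illustration, not part of the original article and not FortiOS code, the Python script below models the substitution described above on a constructed IPsec event log line: it parses the raw key=value log, extracts the 5-digit log ID used to look the entry up in the Log Message Reference, renders a multi-placeholder body and reports any %%log.<log-field>%% placeholder that names a field the log does not carry, which is the typo a practitioner wants to catch before deploying the stitch. The sample log line, its field names and the empty rendering of unknown placeholders are assumptions of this checker, not documented FortiGate behaviour.

```python
import re
import shlex
from typing import Dict, List, Tuple

# Placeholder syntax used in FortiOS automation-stitch email bodies.
PLACEHOLDER = re.compile(r"%%log\.([A-Za-z0-9_]+)%%")

# Constructed sample of a FortiOS IPsec event log line (documentation IP ranges;
# field names are illustrative, confirm them in the Log Message Reference).
SAMPLE_LOG = (
    'date=2022-12-23 time=18:56:15 logid="0101037138" type="event" subtype="vpn" '
    'level="notice" vd="root" logdesc="IPsec phase 1 status change" '
    'action="phase1-down" remip=203.0.113.5 locip=198.51.100.1 '
    'vpntunnel="to-branch" status="down" msg="IPsec phase 1 tunnel is down"'
)

# The kind of body message a practitioner would configure in the email action.
TEMPLATE = (
    "IPsec tunnel %%log.vpntunnel%% is %%log.status%% (%%log.action%%)\n"
    "Local gateway: %%log.locip%%  Remote gateway: %%log.remip%%\n"
    "Log ID %%log.logid%% at %%log.date%% %%log.time%%: %%log.msg%%\n"
)


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse a raw key=value FortiOS log line; shlex strips the double quotes."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def short_logid(fields: Dict[str, str]) -> str:
    """The Log Message Reference indexes entries by the last 5 digits of logid."""
    return fields.get("logid", "")[-5:]


def render_body(template: str, fields: Dict[str, str]) -> Tuple[str, List[str]]:
    """Replace each %%log.<field>%% with the log value and also return the names
    of placeholders the log does not carry (a typo, or a field of another log ID).
    Those render empty here so the gap is visible before the stitch is deployed;
    that is this checker's choice, not FortiGate's documented behaviour."""
    missing: List[str] = []

    def substitute(match) -> str:
        name = match.group(1)
        if name in fields:
            return fields[name]
        missing.append(name)
        return ""

    return PLACEHOLDER.sub(substitute, template), missing
```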

Related article:

https://docs.fortinet.com/document/fortigate/7.2.3/fortios-log-message-reference/524940/introduction