Description
This article describes how to filter automation stitch triggers for FortiGate events based on log parameters.
Solution
As some of the events that trigger an automation stitch can cause excessive or unwanted messages/actions, the CLI filtering option can help mitigate this issue.
Create an automation stitch that will trigger an email to be send, based on a FortiOS event:
- Go to Security Fabric -> Automation and select 'Create New'.
- Enter Name, choose Triggering event – in this case FortiOS Event Log.
- Choose action Email and configure the email details – Recipients (TO), subject and body.
This article describes how to filter automation stitch triggers for FortiGate events based on log parameters.
Solution
As some of the events that trigger an automation stitch can cause excessive or unwanted messages/actions, the CLI filtering option can help mitigate this issue.
Create an automation stitch that will trigger an email to be send, based on a FortiOS event:
- Go to Security Fabric -> Automation and select 'Create New'.
- Enter Name, choose Triggering event – in this case FortiOS Event Log.
- Choose action Email and configure the email details – Recipients (TO), subject and body.
In this case, 'Virtual WAN Link status' log event has been chosen as a triggering even.
Event ID is mentioned by hovering the mouse over the selected event – in this case 22923.
As event parameters can be easily seen in the generated log, go to Log&Report -> Events and filter logs based on Log ID (in our case 22923).
This type of event can be triggered by multiple factors, as seen in the Message column:
This type of event can be triggered by multiple factors, as seen in the Message column:
Use filters to only trigger the stitch for the important logs – example - level is warning.
This will trigger the stitch only when the level IS warning (will not trigger if level is lower than warning or higher than warning – it is necessary to configure a separate stitch for each level).
# config system automation-triggerImportant!!!
edit "SDWAN"
set event-type event-log
set logid 22923
# config fields
edit 1
set name "level"
set value "warning"
next
end
This will trigger the stitch only when the level IS warning (will not trigger if level is lower than warning or higher than warning – it is necessary to configure a separate stitch for each level).
Also if you configure multiple filter 'fields', the stitch will only be triggered if ALL filters are matched.
Starting from 7.0 you can configure automation stitch filters also on the GUI as mentioned in the following doc:
https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/950487/fortios-event-log-tri...
https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/950487/fortios-event-log-tri...
