FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pciurea
Staff
Staff
Description
This article describes how to filter automation stitch triggers for FortiGate events based on log parameters.

Solution
As some of the events that trigger an automation stitch can cause excessive or unwanted messages/actions, the CLI filtering option can help mitigate this issue.

Create an automation stitch that will trigger an email to be send, based on a FortiOS event:
- Go to Security Fabric -> Automation and select 'Create New'.
- Enter Name, choose Triggering event – in this case FortiOS Event Log.
- Choose action Email and configure the email details – Recipients (TO), subject and body.





In this case, 'Virtual WAN Link status' log event has been chosen  as a triggering even.

Event ID is mentioned by hovering the mouse over the selected event – in this case 22923.




As event parameters can be easily seen in the generated log, go to Log&Report -> Events and filter logs based on Log ID (in our case 22923).
This type of event can be triggered by multiple factors, as seen in the Message column:






Use filters to only trigger the stitch for the important logs – example - level is warning.
# config system automation-trigger
    edit "SDWAN"
        set event-type event-log
        set logid 22923
        # config fields
            edit 1
                set name "level"
                set value "warning"
            next
        end
Important!!!

This will trigger the stitch only when the level IS warning (will not trigger if level is lower than warning or higher than warning – it is necessary to configure a separate stitch for each level).
Also if you configure multiple filter 'fields', the stitch will only be triggered if ALL filters are matched.

Starting from 7.0 you can configure automation stitch filters also on the GUI as mentioned in the following doc:
https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/950487/fortios-event-log-tri...


Contributors