mle2802
Staff
Article Id 342018
Description

This article describes a way to find field filter names for automation triggers.

Scope

FortiGate.

Solution

An automation stitch trigger can be configured with the FortiOS Event Log trigger and narrowed down with a field filter. To find the field name to use, look at the log entries downloaded from the FortiGate: the field name is the key of the key=value pair in the log line.

automation_trigger.png


The 'field name' value can be found in a log file. Navigate to Log & Report -> System Events. An example log entry looks like this:


date=2024-09-18 time=09:50:44 eventtime=1726609844353314943 logid="0100022813" type="event" subtype="system" level="notice" vd="root" logdesc="Scanunit reloaded AV Database" action="update" msg="scanunit=manager pid=2673 cause='signal' AV database reload requested 1 times by updated (pid 2675) successful"

Any key appearing before an '=' symbol in the log entry can be used as a field name, for example date, msg, or logdesc.

For the full reference of values that can be used in 'field name', refer to the 'Log Messages' reference document (make sure to select the applicable FortiOS version): Log Messages


automation_trigger_result.png


The Field Filter(s) function in the Event Handler does not directly support logical negation operators on FortiGate.
On FortiGate the filter section is basic: the CLI does not support the '!=' operator in field filters either (unlike FortiAnalyzer), so it is not possible to place a negation filter directly on a field filter.

If a negation is required, capture the event without a filter and filter it manually on the destination server (for example FortiAnalyzer), or, if using FortiAnalyzer, apply an advanced filter: Technical Tip: Use of Operators in Event Handler General Filter (syntax)
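As an added example (not Fortinet code) covering both points above, the parser below extracts the field names from the sample log entry shown earlier and applies a negated match on the receiving side, since the FortiGate field filter itself cannot negate. It deliberately treats the quoted msg value as one field, so the key=value text embedded inside it (scanunit=manager, pid=2673) is not mistaken for top-level field names. The function names and the sample line are constructed for this example.

```python
import re

# Constructed sample: the system event entry quoted in this article.
SAMPLE = (
    'date=2024-09-18 time=09:50:44 eventtime=1726609844353314943 '
    'logid="0100022813" type="event" subtype="system" level="notice" '
    'vd="root" logdesc="Scanunit reloaded AV Database" action="update" '
    'msg="scanunit=manager pid=2673 cause=\'signal\' AV database reload '
    'requested 1 times by updated (pid 2675) successful"'
)

# One key=value pair. The key is the text before '='; the value is either a
# double-quoted string (which may itself contain spaces and '=') or a bare token.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_fortios_log(line: str) -> dict:
    """Return {field_name: value} for one FortiOS key=value log line."""
    fields = {}
    for key, raw in _PAIR.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')  # strip quotes, unescape \"
        fields[key] = raw
    return fields


def field_names(line: str) -> list:
    """Names usable in an automation trigger field filter, in log order."""
    return list(parse_fortios_log(line))


def matches(line: str, field: str, value: str, negate: bool = False) -> bool:
    """Receiving-side filter: field == value, or field != value when negate
    is set (the '!=' the FortiGate field filter does not offer)."""
    hit = parse_fortios_log(line).get(field) == value
    return (not hit) if negate else hit


if __name__ == "__main__":
    print(field_names(SAMPLE))
    print("not a warning:", matches(SAMPLE, "level", "warning", negate=True))
```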