FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pjang
Staff
Article Id 206913

Description

 

This article explains how to set up an Automation Stitch in FortiOS that generates a summary list of the changes made by an Administrative User on the FortiGate and emails that list to a designated address (by default, in the format of a log entry).

 

Note the following regarding this solution:

 

  1. This guide is written using FortiOS 7.0 as a reference.
    Refer to the Related Articles listed below for references to the older versions of FortiOS.

  2. This Automation Stitch uses the following two Event Logs as Triggers:

 

 

  1. A log entry is generated each time an Administrator modifies and commits changes to a given section of the configuration (for example, a Network Interface, Firewall Policy, Static Route, etc.).

  2. A side note regarding 32102 - LOG_ID_CHG_CONFIG ('Configuration changed'): This log ID only notes that an admin has made configuration changes to the FortiGate in general, and it triggers after the administrator logs out of the FortiGate. It does not produce a list of specific changes made by the admin.

 

Scope

 

FortiGate; FortiOS 6.2, 6.4, 7.0, 7.2, 7.4.

 

Solution

 

Configuring via the Web UI:

 

  1. Go to Security Fabric -> Automation. Under the Trigger sub-section, select 'Create New'.

  2. Select FortiOS Event Log as the new Trigger type, then select both the 'Attribute configured' and 'Object attribute configured' events before choosing 'OK'.

 

  • FortiOS 7.0 allows Administrators to specify multiple Events in a single trigger. Earlier FortiOS versions allow for only one Event log per Trigger and therefore require two separate Automation Stitches to be created.
  • Field filters may be applied here to further specify how the Automation Stitch is triggered, though these are out-of-scope for this guide.
  • Ensure that an appropriate Name is set, such as 'Administrator changed settings'.



 

  1. Next, select the Action sub-section and select 'Create New'.

  2. Select Email as the new Action type. From there, specify an appropriate Name for the Action, set the To email addresses, and set an appropriate Subject line before selecting 'OK' to confirm.

 

  • Note that the Body is pre-populated with '%%log%%'. This outputs the entirety of the log entry in the email update.
  • Further customization of the Body is possible, though this is out-of-scope for this guide.



 

  1. Finally, go to the Stitch sub-section and select 'Create New'.

  2. Apply the new Trigger and Action that were created in the previous steps, Name the Automation Stitch appropriately, then select 'OK' to commit the configuration.

 

  • Note that the Action execution setting does not matter for a single Action (this setting only takes effect when using multiple Actions).



 

Configuring via the CLI:

 

The following is an equivalent example CLI configuration:

 

config system automation-trigger
    edit "Administrator Changed Settings"
        set event-type event-log
        set logid 44546 44547
    next
end

 

config system automation-action
    edit "Send Email to Administrator"
        set action-type email
        set email-to "administrator@test.domain"
        set email-subject "Administrator made changes to the configuration"
    next
end

 

config system automation-stitch
    edit "Email Configuration Change Summary"
        set trigger "Administrator Changed Settings"
        config actions
            edit 1
                set action "Send Email to Administrator"
                set required enable
            next
        end
    next
end

 

 

Once the stitch has been created and the trigger fires, the following logs should appear in the 'System Events' logs:

The first example is for Attribute configured (44546) and the second is for Object attribute configured (44547):

 

log2.PNG

 

 log.PNG

 

 

Choose the log and select Details to see additional information about the record:

 

44546.PNG

 

44547.PNG

 

date=2024-10-12 time=14:39:34 eventtime=1728769174898798965 tz="-0700" logid="0100044546" type="event" subtype="system" level="information" vd="root" logdesc="Attribute configured" user="admin" ui="GUI(172.30.184.52)" action="Edit" cfgtid=128123256 cfgpath="system.settings" cfgattr="gui-load-balance[disable->enable]" msg="Edit system.settings "
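
The email body produced by '%%log%%' is the raw key=value line shown above, so a mailbox rule or SIEM parser has to pull out who changed what. The following Python sketch is an added example (not part of the original article or Fortinet's tooling); it assumes that cfgattr may hold one or more name[old->new] groups, as in the sample.

```python
import re

# Log IDs the stitch on this page triggers on (last five digits of "logid").
CONFIG_CHANGE_IDS = {"44546", "44547"}

FIELD_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')
# Assumed cfgattr layout, based on the sample: name[old->new], possibly repeated.
CHANGE_RE = re.compile(r'([^\[\]]+)\[(.*?)->(.*?)\]')
UI_ADDR_RE = re.compile(r'\(([^)]+)\)')

# The log line shown above, as it would arrive in the %%log%% email body.
SAMPLE = (
    'date=2024-10-12 time=14:39:34 eventtime=1728769174898798965 tz="-0700" '
    'logid="0100044546" type="event" subtype="system" level="information" '
    'vd="root" logdesc="Attribute configured" user="admin" '
    'ui="GUI(172.30.184.52)" action="Edit" cfgtid=128123256 '
    'cfgpath="system.settings" cfgattr="gui-load-balance[disable->enable]" '
    'msg="Edit system.settings "'
)


def parse_fields(line):
    """Split a key=value log line into a dict, keeping quoted values intact."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def summarize_change(line):
    """Return who changed what, or None if the line is not a config-change log."""
    fields = parse_fields(line)
    if fields.get("logid", "")[-5:] not in CONFIG_CHANGE_IDS:
        return None
    addr = UI_ADDR_RE.search(fields.get("ui", ""))
    when = f"{fields.get('date')} {fields.get('time')} {fields.get('tz', '')}"
    return {
        "when": when.strip(),
        "user": fields.get("user"),
        "source": addr.group(1) if addr else None,  # None if ui has no address
        "action": fields.get("action"),
        "path": fields.get("cfgpath"),
        # One (attribute, old value, new value) tuple per changed setting.
        "changes": CHANGE_RE.findall(fields.get("cfgattr", "")),
    }


if __name__ == "__main__":
    print(summarize_change(SAMPLE))
```

Lines with any other log ID, such as 32102, return None, so the same function can be used to filter a mixed feed before alerting on unexpected administrators or source addresses.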

 

Related articles: