pjang
Staff
Article Id 206913

Description

 

This article explains how to set up an Automation Stitch in FortiOS that generates a summary list of changes made by an Administrative User on the FortiGate and sends an email containing this list to a designated address (by default, each change is reported in the format of a Log entry).

 

Note the following regarding this solution:

 

1) This guide is written using FortiOS 7.0 as a reference.

Refer to the Related Articles listed below for references to the older versions of FortiOS.

 

2) This Automation Stitch uses the following two Event Logs as Triggers:

- 44546 - LOGID_EVENT_CONFIG_ATTR ('Attribute configured')
    - Used to track system-specific changes on the FortiGate, such as system DNS.

- 44547 - LOGID_EVENT_CONFIG_OBJATTR ('Object attribute configured')
    - Used to track general object-based configuration changes, such as Network Interface or Firewall Policy settings.

 

3) A log entry is generated each time an Administrator modifies and commits changes to a given section of the configuration (for example, a Network Interface, Firewall Policy, Static Route, etc.).

 

4) A side note regarding 32102 - LOG_ID_CHG_CONFIG ('Configuration changed'):

 

- This log ID only notes that an admin has made configuration changes to the FortiGate in general, and it triggers after the administrator logs out of the FortiGate. It does not produce a list of specific changes made by the admin.

 

Scope

 

FortiGate; FortiOS 6.2, 6.4, 7.0.

 

Solution

 

Configuring via the Web UI:

 

1) Go to Security Fabric => Automation, then under the Trigger sub-section select 'Create New'.

 

2) Select FortiOS Event Log as the new Trigger type, then select both the 'Attribute configured' and 'Object attribute configured' events before choosing 'OK'.

 

- FortiOS 7.0 allows Administrators to specify multiple Events in a single trigger. Earlier FortiOS versions allow for only one Event log per Trigger and therefore require two separate Automation Stitches to be created.

 

- Field filters may be applied here to further specify how the Automation Stitch is triggered, though these are out-of-scope for this guide.

 

- Ensure that an appropriate Name is set, such as 'Administrator changed settings'.



 

1) Next, select the Action sub-section and select 'Create New'.

 

2) Select Email as the new Action type. From there, specify an appropriate Name for the Action, set the To email addresses, and set an appropriate Subject line before selecting 'OK' to confirm.

 

- Note that the Body is pre-populated with '%%log%%'. This outputs the entirety of the log entry in the email update.

 

- Further customization of the Body is possible, though this is out-of-scope for this guide.



 

1) Finally, go to the Stitch sub-section and select 'Create New'.

 

2) Apply the new Trigger and Action that were created in the previous steps, Name the Automation Stitch appropriately, then select 'OK' to commit the configuration.

 

- Note that the Action execution setting does not matter for a single Action (this setting only takes effect when using multiple Actions).



 

Configuring via the CLI:

 

- The following is an equivalent example CLI configuration:

 

# config system automation-trigger
    edit "Administrator Changed Settings"
        set event-type event-log
        set logid 44546 44547
    next
end

 

# config system automation-action
    edit "Send Email to Administrator"
        set action-type email
        set email-to "administrator@test.domain"
        set email-subject "Administrator made changes to the configuration"
    next
end

 

# config system automation-stitch
    edit "Email Configuration Change Summary"
        set trigger "Administrator Changed Settings"
        config action
            edit 1
                set action "Send Email to Administrator"
                set required enable
            next
        end
    next
end
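
For whoever receives these emails, the following added example (not part of the original article and not Fortinet code) parses the default '%%log%%' body and groups the 44546/44547 entries by administrator. The sample log lines are constructed, and the field names (user, ui, cfgpath, cfgobj, cfgattr) are assumed to follow the usual FortiOS key=value event log layout; check them against a real email from the device.

```python
import re
from collections import defaultdict

# Trigger log IDs from this article; assumed to be the last five digits of the logid field.
CONFIG_CHANGE_IDS = {"44546", "44547"}

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
PAIR_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

# Constructed sample of three emailed log entries (one per line), not real device output.
SAMPLE_BODY = '''\
date=2022-03-01 time=10:15:02 logid="0100044547" type="event" logdesc="Object attribute configured" user="admin" ui="GUI(192.0.2.10)" action="Edit" cfgpath="firewall.policy" cfgobj="7" cfgattr="action[deny->accept]" msg="Edit firewall.policy 7"
date=2022-03-01 time=10:16:40 logid="0100044546" type="event" logdesc="Attribute configured" user="admin" ui="ssh(192.0.2.10)" action="Edit" cfgpath="system.dns" cfgattr="primary[198.51.100.1->198.51.100.53]" msg="Edit system.dns"
date=2022-03-01 time=10:20:11 logid="0100032102" type="event" logdesc="Configuration changed" user="admin" ui="GUI(192.0.2.10)" msg="Configuration is changed in the admin session"
'''

def parse_log(line):
    """Turn one key=value log line into a dict, honouring quoted values."""
    return {key: quoted or bare for key, quoted, bare in PAIR_RE.findall(line)}

def summarize(body):
    """Group the config-change entries found in an email body by administrator."""
    changes = defaultdict(list)
    for line in body.splitlines():
        f = parse_log(line)
        # Skip anything that is not one of the two trigger events (e.g. 32102).
        if f.get("logid", "")[-5:] not in CONFIG_CHANGE_IDS:
            continue
        changes[f.get("user", "unknown")].append({
            "when": f"{f.get('date', '')} {f.get('time', '')}".strip(),
            "from": f.get("ui", ""),
            "action": f.get("action", ""),
            "path": f.get("cfgpath", ""),
            "object": f.get("cfgobj", ""),
            "attr": f.get("cfgattr", ""),
        })
    return dict(changes)

if __name__ == "__main__":
    for admin, entries in summarize(SAMPLE_BODY).items():
        for e in entries:
            print(admin, e["when"], e["from"], e["action"], e["path"], e["object"], e["attr"])
```

The 32102 entry is skipped because, as noted in the Description, it records only that a change occurred and carries no list of specific changes.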

 

 

 

Related Articles:

Technical Tip: Creating automation stitches
Technical Tip: How to check why automation stitch is not working as expected
Technical Tip: Use FortiGate automation stitches for alert emails

Troubleshooting Tip: How is the Automation Stitch 'Configuration Change' triggered
