gbamania
Staff
Article Id 205355
Description

This article describes how to trigger an automation-stitch by matching a partial string in a log field using wildcard.

Scope

Versions 6.4.3 and later.
Versions 7.0.0 and later.
Solution

- Use the wildcard (*) to match a sub-string in a field's value.

- It can be used to match a string in any field of any log.

- Example: this example shows how to catch the 'Down BGP Notification' string in the "msg" field when a BGP log is generated.

Log:

Field: msg

Value: "BGP: %BGP-5-ADJCHANGE: VRF 0 neighbor 192.168.10.2 Down BGP Notification FSM-ERR"

date=2022-01-22 time=14:14:06 eventtime=1642889646347816623 tz="-0800" logid="0103020300" type="event" subtype="router" level="warning" vd="root" logdesc="BGP neighbor status changed" msg="BGP: %BGP-5-ADJCHANGE: VRF 0 neighbor 192.168.10.2 Down BGP Notification FSM-ERR"
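
The following script is an added illustration, not Fortinet code and not part of the original article: it parses FortiGate key=value log lines and models what the automation trigger above evaluates, so the effect of the wildcard can be checked against sample lines offline. It treats only '*' as special (any run of characters) and everything else literally, and it assumes that the trigger's numeric logid (20300 in the article) corresponds to the last six digits of the log's ten-digit logid ("0103020300"); that pairing is taken from the page, the interpretation is the example's own. The second and third sample lines are constructed for the example.

```python
import re

# FortiGate log lines are space-separated key=value pairs; values that contain
# spaces are double-quoted. This regex captures either form.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log lines for the example. The first is the page's BGP
# line (with its closing quote restored); the other two are made up here to
# show a non-matching message and a non-matching log ID.
SAMPLE_LOGS = [
    'date=2022-01-22 time=14:14:06 eventtime=1642889646347816623 tz="-0800" '
    'logid="0103020300" type="event" subtype="router" level="warning" vd="root" '
    'logdesc="BGP neighbor status changed" '
    'msg="BGP: %BGP-5-ADJCHANGE: VRF 0 neighbor 192.168.10.2 Down BGP Notification FSM-ERR"',
    # Same event ID, but the neighbor came back up: must not fire the stitch.
    'date=2022-01-22 time=14:20:31 tz="-0800" logid="0103020300" type="event" '
    'subtype="router" level="notice" vd="root" logdesc="BGP neighbor status changed" '
    'msg="BGP: %BGP-5-ADJCHANGE: VRF 0 neighbor 192.168.10.2 Up"',
    # Matching text but a different (constructed) log ID: the trigger's logid
    # filter rejects it before the field is examined.
    'date=2022-01-22 time=14:21:02 tz="-0800" logid="0103020399" type="event" '
    'subtype="router" level="notice" vd="root" logdesc="constructed event" '
    'msg="something Down BGP Notification something"',
]


def parse_fortigate_log(line: str) -> dict:
    """Return {field: value} for one key=value log line."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _KV_RE.finditer(line)
    }


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Turn a trigger field value into an anchored regex.

    Only '*' is special (any run of characters, possibly empty); everything
    else, including '%', ':' and '.', is matched literally. Without a leading
    and trailing '*' the pattern has to match the whole field value.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts) + r"\Z", re.DOTALL)


def field_matches(log: dict, name: str, pattern: str) -> bool:
    """True if field `name` exists in the parsed log and matches `pattern`."""
    value = log.get(name)
    return value is not None and wildcard_to_regex(pattern).match(value) is not None


def logid_matches(log: dict, event_id: int) -> bool:
    """Compare the trigger's numeric logid with the log's ten-digit logid.

    Assumption of this example: the trigger value (20300) is the last six
    digits of the full log ID ("0103020300"), as the article's pairing suggests.
    """
    raw = log.get("logid", "")
    return raw.isdigit() and int(raw[-6:]) == event_id


def matching_lines(lines, event_id: int, field_name: str, pattern: str) -> list:
    """Indices of the lines for which the modelled trigger would fire."""
    fired = []
    for idx, line in enumerate(lines):
        log = parse_fortigate_log(line)
        if logid_matches(log, event_id) and field_matches(log, field_name, pattern):
            fired.append(idx)
    return fired


if __name__ == "__main__":
    for idx in matching_lines(SAMPLE_LOGS, 20300, "msg", "*Down BGP Notification*"):
        print("stitch would fire on line", idx, "->", parse_fortigate_log(SAMPLE_LOGS[idx])["msg"])
```

Running it shows that only the first line fires: the "Up" line shares the log ID but not the sub-string, and the third line carries the sub-string under a different log ID. Dropping the surrounding asterisks ("Down BGP Notification" alone) matches nothing, which is why the article's value is written with a leading and trailing '*'.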

Syntax:

# config system automation-trigger
    edit <trigger name>
        set event-type event-log
        set logid <log id>    <----- Select the event ID.
        config field
            edit 1
                set name "msg"    <----- Field of the log message.
                set value "*Down BGP Notification*"    <----- String of the 'msg' field with * to match the sub-string.
            next
        end
    next
end

Configuration:

# config system automation-stitch
    edit "bgp down neighbor"
        set trigger "bgP_neighbor_down"
        config action
            edit 1
                set action "fortigate_email"
                set required enable
            next
        end
    next
end

# config system automation-trigger
    edit "bgP_neighbor_down"
        set event-type event-log
        set logid 20300    <----- Select the event ID for 'BGP neighbor status changed'.
        config field
            edit 1
                set name "msg"    <----- Field of the log message.
                set value "*Down BGP Notification*"    <----- String of the 'msg' field with * to match the sub-string.
            next
        end
    next
end

HQ # show system automation-action fortigate_email
config system automation-action
    edit "fortigate_email"
        set action-type email
        set email-to "xyz@yahoo.com"
        set email-subject "login_failed"
    next
end
